Permissions and Resources

This document outlines the permissions required for installing and operating various Sysdig features on GCP, as well as the resources that will be created in your GCP environment.

Review GCP Roles and Permissions

Security Principals

There are two security principals in the onboarding process:

  • Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
  • Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.

GCP Roles

GCP IAM uses one role model at both scopes: the same roles can be granted at the organization level or at the project level, and a role granted on the organization is inherited by every project beneath it:

  • GCP Roles: Applied to the entire organization or to a single project.

Base GCP Integration - Cloud Security Posture Management (CSPM)

Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.

Permissions Required to Install

The Installer must have at least the following roles assigned:

Single Project Install

If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin
  • roles/iam.workloadIdentityPoolAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CSPM, the user/service account must have the following roles assigned at the organizational level:

  • roles/iam.organizationRoleAdmin
  • roles/resourcemanager.organizationAdmin
  • roles/serviceusage.serviceUsageAdmin

If you are installing CSPM, the user/service account must have the following roles assigned at the project level:

  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/iam.workloadIdentityPoolAdmin

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CSPM:

  • roles/iam.browser
  • roles/cloudasset.viewer
  • roles/iam.workloadIdentityUser
  • roles/logging.viewer
  • roles/cloudfunctions.viewer
  • roles/cloudbuild.builds.viewer
  • roles/orgpolicy.policyViewer
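
The two checks a practitioner wants around the lists above are a pre-flight check that the Installer really holds every required role at the right scope, and a post-install check that the Sysdig service account holds nothing beyond what this page lists. The script below is an added example, not Sysdig's code; it parses the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints, so it can run offline against a saved policy. The installer identity, the service account e-mail and the sample policy are constructed for illustration.

```python
"""IAM pre-flight and post-install checks for a single-project CSPM onboarding.

Added example, not Sysdig's code. Input is the JSON printed by
  gcloud projects get-iam-policy PROJECT_ID --format=json
Identities, project IDs and the sample policy are constructed.
"""
from __future__ import annotations

import json
import subprocess

# Installer roles for a single-project CSPM install, as listed on this page.
CSPM_INSTALLER_PROJECT_ROLES = {
    "roles/iam.serviceAccountAdmin",
    "roles/iam.roleAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/serviceusage.serviceUsageAdmin",
    "roles/iam.workloadIdentityPoolAdmin",
}

# Project-level roles this page lists for the Sysdig service account.
# roles/iam.workloadIdentityUser is deliberately absent: it is bound on the
# service account resource itself, so it appears in
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
# rather than in the project policy.
CSPM_SYSDIG_PROJECT_ROLES = {
    "roles/iam.browser",
    "roles/cloudasset.viewer",
    "roles/logging.viewer",
    "roles/cloudfunctions.viewer",
    "roles/cloudbuild.builds.viewer",
    "roles/orgpolicy.policyViewer",
}

INSTALLER = "user:installer@example.com"                                    # assumed
SYSDIG_SA = "serviceAccount:sysdig-secure@my-proj.iam.gserviceaccount.com"  # assumed

# Constructed sample: the installer lacks one role and holds another only
# under an IAM Condition; the Sysdig account has picked up roles/editor.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountAdmin", "members": [INSTALLER]},
        {"role": "roles/iam.roleAdmin", "members": [INSTALLER]},
        {"role": "roles/resourcemanager.projectIamAdmin", "members": [INSTALLER]},
        {"role": "roles/iam.serviceAccountKeyAdmin", "members": [INSTALLER]},
        {"role": "roles/serviceusage.serviceUsageAdmin", "members": [INSTALLER],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('Europe/Rome') < 18"}},
        {"role": "roles/iam.browser", "members": [SYSDIG_SA]},
        {"role": "roles/cloudasset.viewer", "members": [SYSDIG_SA]},
        {"role": "roles/logging.viewer", "members": [SYSDIG_SA]},
        {"role": "roles/cloudfunctions.viewer", "members": [SYSDIG_SA]},
        {"role": "roles/cloudbuild.builds.viewer", "members": [SYSDIG_SA]},
        {"role": "roles/orgpolicy.policyViewer", "members": [SYSDIG_SA]},
        {"role": "roles/editor", "members": [SYSDIG_SA, "group:devs@example.com"]},
    ]
}


def roles_for_member(policy: dict, member: str) -> dict[str, bool]:
    """Map each role bound directly to `member` to True when every binding
    granting it carries an IAM Condition. Group membership is not expanded,
    so roles the member holds through a group are not reported."""
    roles: dict[str, bool] = {}
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        conditional = "condition" in binding
        # An unconditional binding wins over a conditional one for the same role.
        roles[binding["role"]] = roles.get(binding["role"], True) and conditional
    return roles


def check_installer(policy: dict, member: str, required: set[str]):
    """Return (missing, conditional): required roles the installer lacks, and
    required roles held only through a condition that may not be satisfied
    when the onboarding actually runs."""
    held = roles_for_member(policy, member)
    missing = sorted(set(required) - set(held))
    conditional = sorted(r for r in required if held.get(r, False))
    return missing, conditional


def check_sysdig_account(policy: dict, member: str, expected: set[str]) -> list[str]:
    """Return roles bound to the Sysdig service account that this page does
    not list; basic roles such as roles/editor are the usual surprise."""
    return sorted(set(roles_for_member(policy, member)) - expected)


def fetch_project_policy(project_id: str) -> dict:
    """Live variant: needs gcloud and credentials, so the demo does not call it."""
    out = subprocess.run(
        ["gcloud", "projects", "get-iam-policy", project_id, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


if __name__ == "__main__":
    missing, conditional = check_installer(
        SAMPLE_PROJECT_POLICY, INSTALLER, CSPM_INSTALLER_PROJECT_ROLES)
    print("installer missing:", missing)
    print("installer conditional:", conditional)
    print("sysdig extra:", check_sysdig_account(
        SAMPLE_PROJECT_POLICY, SYSDIG_SA, CSPM_SYSDIG_PROJECT_ROLES))
```

For an organizational install, run the same checks against `gcloud organizations get-iam-policy ORG_ID --format=json` with the organization-level role set, and against the shared-resources project with the project-level set; a role present at the wrong scope shows up as missing at the scope that needs it.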

Resources Created

The following resources will be created in your GCP Environment:

Resource                                    Description
google_service_account                      Service account used by Sysdig for secure posture management
google_iam_workload_identity_pool           Creates a Workload Identity Pool (Workload Identity Federation) for authentication
google_iam_workload_identity_pool_provider  Creates a Workload Identity Pool Provider for config posture management
google_project_iam_member                   Grants the Sysdig service account the roles needed for config posture management at the project level
google_service_account_iam_member           Attaches the Workload Identity Federation principal as a member of the service account for authentication
google_organization_iam_member              Grants the Sysdig service account the roles needed for config posture management at the organization level

Cloud Detection and Response (CDR)

Agentless Cloud Detection and Response (CDR) performs threat detection by evaluating Falco rules and policies against GCP platform logs (Cloud Audit Logs exported through a log sink), without an agent.

Permissions Required to Install

Single Project Install

If you are installing CDR and CIEM, you must have the following additional roles assigned on the Project you are onboarding:

  • roles/pubsub.admin
  • roles/logging.configWriter
  • roles/iam.serviceAccountUser

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CDR and CIEM at the organizational level, you must have the following additional roles assigned, each at the scope noted:

  • roles/pubsub.admin (On the project where shared resources will be created)
  • roles/logging.configWriter (At the Organization level)
  • roles/iam.serviceAccountUser (On the project where shared resources will be created)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CDR & CIEM:

  • roles/iam.workloadIdentityUser
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • logging.sinks.get
  • logging.sinks.list

Resources Created

The following resources will be created in your GCP Environment:

Resource                                    Description
google_project_iam_audit_config             Audit Log configuration enabled at the project level
google_pubsub_topic                         Ingestion Pub/Sub topic created for CDR
google_logging_project_sink                 Sysdig sink that directs the Audit Logs to the Pub/Sub topic used for data gathering
google_pubsub_topic_iam_member              Attaches the roles and permissions needed on the Pub/Sub topic
google_service_account                      Service account used by Sysdig for threat detection
google_service_account_iam_member           Binds a member to a role on the Sysdig service account
google_pubsub_subscription                  Creates the Pub/Sub subscription on the ingestion topic that Sysdig pulls audit log entries from
google_iam_workload_identity_pool           Creates a Workload Identity Pool (Workload Identity Federation) for authentication
google_iam_workload_identity_pool_provider  Creates a Workload Identity Pool Provider for threat detection
google_project_iam_custom_role              Creates a custom role with project-level permissions to access the data ingestion resources
google_project_iam_member                   Grants the custom role with project-level permissions to the service account
google_service_account_iam_member           Attaches the Workload Identity Federation principal as a member of the service account for authentication
google_organization_iam_audit_config        Enables Audit Log configuration at the organization level
google_logging_organization_sink            Sysdig organization sink that directs the Audit Logs to the Pub/Sub topic used for data gathering
google_organization_iam_custom_role         Creates a custom role with organization-level permissions to access the data ingestion resources
google_organization_iam_member              Grants the custom role with organization-level permissions to the service account
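
The resources above form one delivery chain: audit logs, a sink, the sink's writer identity publishing to the Pub/Sub topic, and a subscription Sysdig reads. The most common silent failure is a sink whose writer identity was never granted roles/pubsub.publisher on the topic, in which case the sink exists but every exported entry is dropped. The script below is an added example, not Sysdig's code: it verifies that chain from the JSON printed by `gcloud logging sinks describe SINK_NAME --organization=ORG_ID --format=json` and `gcloud pubsub topics get-iam-policy TOPIC --project=PROJECT --format=json`, and also flags a topic that is open to allUsers or allAuthenticatedUsers. The sink name, topic name, project and writer identity are constructed.

```python
"""Verify the CDR export chain: log sink -> Pub/Sub topic.

Added example, not Sysdig's code. Inputs are the JSON documents printed by
  gcloud logging sinks describe SINK_NAME --organization=ORG_ID --format=json
  gcloud pubsub topics get-iam-policy TOPIC --project=PROJECT --format=json
The two sample documents below are constructed.
"""
from __future__ import annotations

import re

# Destination format Cloud Logging uses for Pub/Sub sinks.
TOPIC_DESTINATION = re.compile(r"^pubsub\.googleapis\.com/projects/([^/]+)/topics/([^/]+)$")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_SINK = {  # constructed
    "name": "sysdig-audit-sink",
    "destination": "pubsub.googleapis.com/projects/shared-proj/topics/sysdig-audit",
    "filter": 'logName:"cloudaudit.googleapis.com"',
    "includeChildren": True,
    "writerIdentity": "serviceAccount:o123456-1234@gcp-sa-logging.iam.gserviceaccount.com",
}

SAMPLE_TOPIC_POLICY = {  # constructed
    "bindings": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:o123456-1234@gcp-sa-logging.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.viewer",
         "members": ["serviceAccount:sysdig-cdr@shared-proj.iam.gserviceaccount.com"]},
    ]
}


def members_with_role(policy: dict, role: str) -> set[str]:
    """Every member granted `role` by any binding in a Pub/Sub topic policy."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def check_export_chain(sink: dict, topic_policy: dict, expected_project: str,
                       expected_topic: str, organization_sink: bool) -> list[str]:
    """Return findings; an empty list means the sink can deliver to the
    expected topic and nothing public can read or write it."""
    findings: list[str] = []
    match = TOPIC_DESTINATION.match(sink.get("destination", ""))
    if not match:
        findings.append(f"destination is not a Pub/Sub topic: {sink.get('destination')!r}")
        return findings
    project, topic = match.groups()
    if (project, topic) != (expected_project, expected_topic):
        findings.append(f"sink points at projects/{project}/topics/{topic}, "
                        f"expected projects/{expected_project}/topics/{expected_topic}")
    # Cloud Logging publishes as the sink's writerIdentity; without
    # roles/pubsub.publisher on the topic every exported entry is dropped.
    writer = sink.get("writerIdentity")
    publishers = members_with_role(topic_policy, "roles/pubsub.publisher")
    if not writer:
        findings.append("sink has no writerIdentity; Cloud Logging cannot publish on its behalf")
    elif writer not in publishers:
        findings.append(f"{writer} lacks roles/pubsub.publisher on the topic")
    # Organization (and folder) sinks export child-project logs only with includeChildren.
    if organization_sink and not sink.get("includeChildren", False):
        findings.append("organization sink has includeChildren=false; child projects are not exported")
    # Audit logs must not be readable or writable by the world.
    for binding in topic_policy.get("bindings", []):
        public = PUBLIC_MEMBERS & set(binding.get("members", []))
        if public:
            findings.append(f"{binding['role']} on the topic is granted to {', '.join(sorted(public))}")
    return findings


if __name__ == "__main__":
    for finding in check_export_chain(SAMPLE_SINK, SAMPLE_TOPIC_POLICY,
                                      "shared-proj", "sysdig-audit", organization_sink=True):
        print("FINDING:", finding)
```

The same function covers the single-project install: pass the output of `gcloud logging sinks describe SINK_NAME --project=PROJECT --format=json` and `organization_sink=False`.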

Vulnerability Management Agentless Host Scanning

Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots for accurate risk assessment and management.

Permissions Required to Install

Single Project Install

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
  • roles/serviceusage.serviceUsageAdmin (At the Organization level)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For Vulnerability Host Scanning:

  • roles/iam.workloadIdentityUser
  • compute.networks.list
  • compute.networks.get
  • compute.instances.list
  • compute.instances.get
  • compute.disks.list
  • compute.disks.get
  • iam.serviceAccounts.getAccessToken
  • compute.zoneOperations.get
  • compute.disks.useReadOnly

Resources Created

The following resources will be created in your GCP Environment:

Resource                                    Description
google_service_account                      Service account used by Sysdig for vulnerability management
google_iam_workload_identity_pool           Creates a Workload Identity Pool (Workload Identity Federation) for authentication
google_iam_workload_identity_pool_provider  Creates a Workload Identity Pool Provider for vulnerability management
google_project_iam_member                   Grants the Sysdig service account the custom role with the permissions needed for vulnerability management at the project level
google_service_account_iam_member           Attaches the Workload Identity Federation principal as a member of the service account for authentication
google_organization_iam_member              Grants the Sysdig service account the custom role at the organization level

Vulnerability Management Agentless Workload Scanning

VM Workload Scanning performs agentless vulnerability scanning of the container images run by Cloud Run (containers and functions) and by Google Kubernetes Engine workloads.

Permissions Required to Install

Single Project Install

If you are installing Agentless Workload Scanning, the installer user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.workloadIdentityPoolAdmin

Organizational Install

If you are installing VM Workload Scanning at the organizational level, the installer user/service account must have the following roles assigned:

  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.workloadIdentityPoolAdmin (On the project where shared resources will be created)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted a custom role with the following permissions, allowing access to container images:

  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list
  • storage.objects.get
  • storage.buckets.list
  • storage.objects.list
  • iam.serviceAccounts.getAccessToken

The Workload Identity Federation principal is also granted roles/iam.workloadIdentityUser on the Service Account so that the Sysdig backend can impersonate it.

Note that the custom role above is bound at project or organization scope (see Resources Created). An IAM permission granted at that scope applies to every resource of its type in the scope, so iam.serviceAccounts.getAccessToken in that role covers every service account in the project or organization, not only the Sysdig one. Review that binding scope against your environment's requirements before onboarding.
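
Both the host-scanning custom role and the workload-scanning custom role are meant to be read-only, with iam.serviceAccounts.getAccessToken as the one permission that is not. The script below is an added example, not Sysdig's code: it classifies the permissions in a custom role from the `includedPermissions` list that `gcloud iam roles describe ROLE_ID --project=PROJECT --format=json` (or `--organization=ORG_ID`) prints, flags anything that is not read-only, reports duplicates, and, given the scope the role is bound at, calls out token-minting permissions that reach every service account in that scope. The two permission lists are taken from this page; the "tampered" variant in the test is constructed.

```python
"""Audit a custom role's permissions for a read-only scanner.

Added example, not Sysdig's code. Input is the includedPermissions list from
  gcloud iam roles describe ROLE_ID --project=PROJECT --format=json
  gcloud iam roles describe ROLE_ID --organization=ORG_ID --format=json
The permission lists below are copied from this page.
"""
from __future__ import annotations

# Last path element of permissions that only read resource state.
READ_ONLY_VERBS = {"get", "list", "useReadOnly", "downloadArtifacts", "getIamPolicy"}

# Permissions that yield credentials for, or let the holder act as, other
# service accounts. Bound at project or organization scope they apply to
# every service account in that scope.
IMPERSONATION = {
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.signBlob",
    "iam.serviceAccounts.signJwt",
    "iam.serviceAccounts.implicitDelegation",
    "iam.serviceAccounts.actAs",
}

HOST_SCANNING = [
    "compute.networks.list", "compute.networks.get",
    "compute.instances.list", "compute.instances.get",
    "compute.disks.list", "compute.disks.get",
    "iam.serviceAccounts.getAccessToken",
    "compute.zoneOperations.get", "compute.disks.useReadOnly",
]

WORKLOAD_SCANNING = [
    "artifactregistry.repositories.downloadArtifacts",
    "artifactregistry.repositories.get", "artifactregistry.repositories.list",
    "artifactregistry.dockerimages.get", "artifactregistry.dockerimages.list",
    "storage.objects.get", "storage.buckets.list", "storage.objects.list",
    "iam.serviceAccounts.getAccessToken",
]


def classify(permission: str) -> str:
    """'impersonation', 'read-only' or 'other' for one IAM permission string."""
    if permission in IMPERSONATION:
        return "impersonation"
    verb = permission.rsplit(".", 1)[-1]
    return "read-only" if verb in READ_ONLY_VERBS else "other"


def audit_role(permissions: list[str], bound_at: str) -> list[str]:
    """Return findings for a role bound at `bound_at`, one of
    'project', 'organization' or 'serviceAccount'. Empty means all
    permissions are read-only and none reaches beyond the Sysdig account."""
    findings: list[str] = []
    seen: set[str] = set()
    for permission in permissions:
        if permission in seen:
            findings.append(f"{permission}: listed twice")
            continue
        seen.add(permission)
        kind = classify(permission)
        if kind == "other":
            findings.append(f"{permission}: not a read-only permission; confirm the scanner needs it")
        elif kind == "impersonation" and bound_at in {"project", "organization"}:
            findings.append(f"{permission}: bound at {bound_at} scope, so it applies to "
                            "every service account in that scope, not only Sysdig's")
    return findings


if __name__ == "__main__":
    for name, perms, scope in (("host scanning", HOST_SCANNING, "project"),
                               ("workload scanning", WORKLOAD_SCANNING, "organization")):
        print(name, "->", audit_role(perms, scope) or "clean")
```

Extend READ_ONLY_VERBS deliberately rather than loosening the "other" branch: a verb like `createSnapshot` or `setIamPolicy` appearing in a scanner role is exactly what this check exists to surface.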

Resources Created

The following resources will be created in your GCP Environment:

Resource                                                              Description
google_service_account                                                Service account used by Sysdig for workload scanning.
google_project_iam_custom_role / google_organization_iam_custom_role  Creates the custom role with the permissions needed for workload scanning.
google_project_iam_binding / google_organization_iam_member           Assigns the custom role to the Sysdig Service Account.
google_iam_workload_identity_pool                                     Creates a Workload Identity Pool for authentication.
google_iam_workload_identity_pool_provider                            Creates a Workload Identity Pool Provider for workload scanning.
google_service_account_iam_member                                     Attaches the Workload Identity Federation principal as a member of the service account for authentication.
sysdig_secure_cloud_auth_account_component                            Registers the Service Principal with the Sysdig backend.