Permissions and Resources
Review GCP Roles and Permissions
Security Principals
There are two security principals in the onboarding process:
- Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
- Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.
GCP Roles
GCP IAM has a single control plane that applies to either at the organization or project level:
- GCP Roles: Applied to the entire organization or project.
Base GCP Integration - Cloud Security Posture Management (CSPM)
Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.
Permissions Required to Install
The Installer must have at least the following roles assigned:
Single Project Install
If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:
roles/iam.serviceAccountAdminroles/iam.roleAdminroles/resourcemanager.projectIamAdminroles/iam.serviceAccountKeyAdminroles/serviceusage.serviceUsageAdminroles/iam.workloadIdentityPoolAdmin
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing CSPM, the user/service account must have the following roles assigned at the organizational level:
roles/iam.organizationRoleAdminroles/resourcemanager.organizationAdminroles/serviceusage.serviceUsageAdmin
If you are installing CSPM, the user/service account must have the following roles assigned at the project level:
roles/iam.serviceAccountAdminroles/iam.serviceAccountKeyAdminroles/iam.workloadIdentityPoolAdmin
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For CSPM:
roles/iam.browserroles/cloudasset.viewerroles/iam.workloadIdentityUserroles/logging.viewerroles/cloudfunctions.viewerroles/cloudbuild.builds.viewerroles/orgpolicy.policyViewer
Resources Created
The following resources will be created in your GCP Environment:
| Resource | Description |
|---|---|
google_service_account | Service account used by Sysdig for secure posture management |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Authentication |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for config posture management |
google_project_iam_member | Creates the custom role with permissions needed for config posture management |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level |
Cloud Detection and Response (CDR)
Agentless Cloud Detection and Response (CDR) performs threat detection using Falco rules and policies on platform logs.
Permissions Required to Install
Single Project Install
If you are installing CDR and CIEM, you must have the following additional roles assigned on the Project you are onboarding:
roles/pubsub.adminroles/logging.configWriterroles/iam.serviceAccountUser
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing CDR & CIEM, you must have the following additional roles assigned:
roles/pubsub.admin(On the project where shared resources will be created)roles/logging.configWriter(At the Organization level)roles/iam.serviceAccountUser(On the project where shared resources will be created)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For CDR & CIEM:
roles/iam.workloadIdentityUserpubsub.topics.getpubsub.topics.listpubsub.subscriptions.getpubsub.subscriptions.listlogging.sinks.getlogging.sinks.list
Resources Created
The following resources will be created in your GCP Environment:
| Resource | Description |
|---|---|
google_project_iam_audit_config | Audit Log Config enabled at the Project level |
google_pubsub_topic | Ingestion Pub Sub topic created for CDR |
google_logging_project_sink | Sysdig sink to direct the Audit Logs to the PubSub topic used for data gathering |
google_pubsub_topic_iam_member | Attaches roles & permissions needed for the pub sub topic |
google_service_account | Service account used by Sysdig for threat detection |
google_service_account_iam_member | Creates the custom role with permissions needed for threat detection |
google_pubsub_subscription | Creates the pub sub subscription with topic name and custom role |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Auth |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for threat detection |
google_project_iam_custom_role | Creates custom role with project-level permissions to access data ingestion resources |
google_project_iam_member | Adds custom role with project-level permissions to the service account for auth |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_audit_config | Enables Audit Log Configuration at the Organizational level |
google_logging_organization_sink | Sysdig organizational sink to direct the AuditLogs to the PubSub topic used for data gathering |
google_organization_iam_custom_role | Creates a custom role with organization-level permissions to access data ingestion resources |
google_organization_iam_member | Adds a custom role with organization-level permissions to the service account for authentication |
Vulnerability Management Agentless Host Scanning
Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots for accurate risk assessment and management.
Permissions Required to Install
Single Project Install
If you are installing Vulnerability Host Scanning, you must have the following roles assigned:
roles/iam.serviceAccountAdminroles/iam.roleAdminroles/resourcemanager.projectIamAdminroles/iam.serviceAccountKeyAdminroles/serviceusage.serviceUsageAdmin
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing Vulnerability Host Scanning, you must have the following roles assigned:
roles/iam.serviceAccountAdmin(On the project where shared resources will be created)roles/iam.organizationRoleAdmin(At the Organization level)roles/resourcemanager.organizationAdmin(At the Organization level)roles/iam.serviceAccountKeyAdmin(On the project where shared resources will be created)roles/serviceusage.serviceUsageAdmin(At the Organization level)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For Vulnerability Host Scanning:
roles/iam.workloadIdentityUsercompute.networks.listcompute.networks.getcompute.instances.listcompute.instances.getcompute.disks.listcompute.disks.getiam.serviceAccounts.getAccessTokencompute.zoneOperations.getcompute.disks.getcompute.disks.useReadOnly
Resources Created
The following resources will be created in your GCP Environment:
| Resource | Description |
|---|---|
google_service_account | Service account used by Sysdig for vulnerability management |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Auth |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for vulnerability management |
google_project_iam_member | Creates the custom role with permissions needed for vulnerability management |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level |
Vulnerability Management Agentless Workload Scanning
VM Workload Scanning performs agentless vulnerability scanning on Google Cloud Run Containers and Functions and Google Kubernetes Engine.
Permissions Required to Install
Single Project Install
If you are installing Agentless Workload Scanning, the installer user/service account must have the following roles assigned on the Project you are onboarding:
roles/iam.serviceAccountAdminroles/iam.roleAdminroles/resourcemanager.projectIamAdminroles/iam.workloadIdentityPoolAdmin
Organizational Install
If you are installing VM Workload Scanning at the organizational level, the installer user/service account must have the following roles assigned:
roles/iam.organizationRoleAdmin(At the Organization level)roles/resourcemanager.organizationAdmin(At the Organization level)roles/iam.serviceAccountAdmin(On the project where shared resources will be created)roles/iam.workloadIdentityPoolAdmin(On the project where shared resources will be created)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted a custom role with the following permissions, allowing access to container images:
artifactregistry.repositories.downloadArtifactsartifactregistry.repositories.getartifactregistry.repositories.listartifactregistry.dockerimages.getartifactregistry.dockerimages.liststorage.objects.getstorage.buckets.liststorage.objects.listiam.serviceAccounts.getAccessToken
The Service Account is also granted the roles/iam.workloadIdentityUser role to allow it to be impersonated by the Sysdig backend.
Resources Created
The following resources will be created in your GCP Environment:
| Resource | Description |
|---|---|
google_service_account | Service account used by Sysdig for workload scanning. |
google_project_iam_custom_role / google_organization_iam_custom_role | Creates the custom role with permissions needed for workload scanning. |
google_project_iam_binding / google_organization_iam_member | Assigns the custom role to the Sysdig Service Account. |
google_iam_workload_identity_pool | Creates a Workload Identity Pool for authentication. |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider for workload scanning. |
google_service_account_iam_member | Attaches the Workload Identity Federation as a member to the service account for authentication. |
sysdig_secure_cloud_auth_account_component | Registers the Service Principal with the Sysdig backend. |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
