Permissions and Resources

This document outlines the permissions required for installing and operating various Sysdig features on GCP, as well as the resources that will be created in your GCP environment.

Review GCP Roles and Permissions

Security Principals

There are two security principals in the onboarding process:

  • Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
  • Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.

GCP Roles

GCP IAM has a single control plane, and every role is granted at either the organization level or the project level:

  • GCP Roles: Applied to the entire organization or project.

Base GCP Integration - Cloud Security Posture Management (CSPM)

Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.

Permissions Required to Install

The Installer must have at least the following roles assigned:

Single Project Install

If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin
  • roles/iam.workloadIdentityPoolAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CSPM, the user/service account must have the following roles assigned at the organizational level:

  • roles/iam.organizationRoleAdmin
  • roles/resourcemanager.organizationAdmin
  • roles/serviceusage.serviceUsageAdmin

If you are installing CSPM, the user/service account must have the following roles assigned at the project level:

  • roles/iam.serviceAccountAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/iam.workloadIdentityPoolAdmin
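
The scope note above is the step most often gotten wrong: a role bound at the project level does not satisfy an organization-level requirement, while a role bound at the organization level is inherited by every project beneath it. The following preflight check is an added example, not Sysdig's code or tooling. It assumes the two IAM policies were exported with gcloud organizations get-iam-policy ORG_ID --format=json and gcloud projects get-iam-policy PROJECT_ID --format=json; the organization, project and principal names in the embedded sample are constructed placeholders, and the sample deliberately contains each kind of mistake (a role held only through a group, a conditional binding, a role bound at the wrong scope) so the report shows how each is surfaced.

```python
import json

# Constructed sample policies in the shape returned by
#   gcloud organizations get-iam-policy ORG_ID --format=json
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# All identifiers are placeholders. Mistakes are planted on purpose:
#   - organizationAdmin is held only via a group (not expanded here)
#   - serviceUsageAdmin at org level carries a condition; at project level it is
#     unconditional, but that scope is too narrow for an organizational install
#   - workloadIdentityPoolAdmin is bound at org level, so the project inherits it
ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.organizationRoleAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:cloud-admins@example.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/iam.workloadIdentityPoolAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]}
  ]
}
""")
PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountKeyAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["serviceAccount:installer@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

INSTALLER = "serviceAccount:installer@example-project.iam.gserviceaccount.com"

# Roles this page lists for an organizational CSPM install, keyed by scope.
CSPM_ORG_INSTALL = {
    "organization": {
        "roles/iam.organizationRoleAdmin",
        "roles/resourcemanager.organizationAdmin",
        "roles/serviceusage.serviceUsageAdmin",
    },
    "project": {
        "roles/iam.serviceAccountAdmin",
        "roles/iam.serviceAccountKeyAdmin",
        "roles/iam.workloadIdentityPoolAdmin",
    },
}


def roles_for(policy, member):
    """Return (unconditional, conditional) role sets bound directly to member.

    Group membership is not expanded, so a role held only through a group is
    reported as missing; that is the conservative answer for a preflight.
    Conditional bindings are kept apart because the condition may be false
    at install time.
    """
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if binding.get("condition") else unconditional).add(binding["role"])
    return unconditional, conditional


def preflight(required, member, org_policy, project_policy):
    """Compare the required roles per scope with what member effectively holds.

    Organization requirements must be met by organization-level bindings.
    Project requirements are met by project bindings or by inherited
    organization bindings; the latter are reported so the operator can see
    the grant is broader than this install needs.
    """
    org_uncond, org_cond = roles_for(org_policy, member)
    proj_uncond, proj_cond = roles_for(project_policy, member)

    org_missing = required["organization"] - org_uncond
    proj_missing = required["project"] - (proj_uncond | org_uncond)
    return {
        "organization": {
            "missing": sorted(org_missing),
            "conditional_only": sorted(org_missing & org_cond),
            "project_only": sorted(org_missing & proj_uncond),
        },
        "project": {
            "missing": sorted(proj_missing),
            "conditional_only": sorted(proj_missing & (proj_cond | org_cond)),
            "inherited_from_org": sorted((required["project"] & org_uncond) - proj_uncond),
        },
    }


if __name__ == "__main__":
    print(json.dumps(preflight(CSPM_ORG_INSTALL, INSTALLER, ORG_POLICY, PROJECT_POLICY), indent=2))
```

Swap in the role sets from the CDR or Vulnerability Management sections to preflight those installs; for a single-project install, pass an empty organization policy and put every role under the project scope.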

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CSPM:

  • roles/iam.browser
  • roles/cloudasset.viewer
  • roles/iam.workloadIdentityUser
  • roles/logging.viewer
  • roles/cloudfunctions.viewer
  • roles/cloudbuild.builds.viewer
  • roles/orgpolicy.policyViewer

Resources Created

The following resources will be created in your GCP Environment:

| Resource | Deployed Name | Description |
|---|---|---|
| google_service_account | sysdig-onboarding-${local.suffix} | Service account for initial Sysdig authentication. |
| google_service_account | sysdig-posture-${local.suffix} | Service account for ongoing posture management. |
| google_iam_workload_identity_pool | sysdig-secure-onboarding-${local.suffix} | Workload Identity Pool for initial authentication. |
| google_iam_workload_identity_pool | sysdig-secure-posture-${local.suffix} | Workload Identity Pool for posture management authentication. |
| google_iam_workload_identity_pool_provider | sysdig-onboarding-${local.suffix} | Workload Identity Pool Provider for onboarding. |
| google_iam_workload_identity_pool_provider | sysdig-posture-${local.suffix} | Workload Identity Pool Provider for posture management. |
| google_project_iam_member / google_organization_iam_member | (IAM Binding) | Assigns the necessary roles to the Sysdig service accounts. |
| google_service_account_iam_member | (IAM Binding) | Attaches the Workload Identity Federation to the service accounts. |
| sysdig_secure_cloud_auth_account_component | secure-onboarding | Registers the onboarding Service Principal with the Sysdig backend. |
| sysdig_secure_cloud_auth_account_component | secure-posture | Registers the posture Service Principal with the Sysdig backend. |

Cloud Detection and Response (CDR)

Agentless Cloud Detection and Response (CDR) performs threat detection using Falco rules and policies on platform logs.

Permissions Required to Install

Single Project Install

If you are installing CDR and CIEM, you must have the following additional roles assigned on the Project you are onboarding:

  • roles/pubsub.admin
  • roles/logging.configWriter
  • roles/iam.serviceAccountUser

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CDR & CIEM, you must have the following additional roles assigned:

  • roles/pubsub.admin (On the project where shared resources will be created)
  • roles/logging.configWriter (At the Organization level)
  • roles/iam.serviceAccountUser (On the project where shared resources will be created)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CDR & CIEM:

  • roles/iam.workloadIdentityUser
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • logging.sinks.get
  • logging.sinks.list

Resources Created

The following resources will be created in your GCP Environment:

| Resource | Deployed Name | Description |
|---|---|---|
| google_project_iam_audit_config / google_organization_iam_audit_config | (IAM Policy) | Enables Audit Log configuration at the project or organization level. |
| google_pubsub_topic | ingestion_topic_${local.suffix} | Ingestion Pub/Sub topic created for CDR. |
| google_pubsub_topic | dl_ingestion_topic_${local.suffix} | Dead-letter topic that stores undeliverable messages for CDR. |
| google_logging_project_sink / google_logging_organization_sink | ingestion_topic_${local.suffix}_sink | Sysdig sink that directs Audit Logs to the Pub/Sub topic for data gathering. |
| google_pubsub_topic_iam_member | (IAM Binding) | Attaches the roles and permissions needed on the Pub/Sub topic. |
| google_service_account | sysdig-ingestion-${local.suffix} | Service account used by Sysdig for threat detection. |
| google_pubsub_subscription | ingestion_topic_${local.suffix}_push_subscription | Push subscription on the ingestion topic, using the custom role. |
| google_iam_workload_identity_pool | sysdig-ingestion-${local.suffix} | Workload Identity Pool for authentication. |
| google_iam_workload_identity_pool_provider | sysdig-ingestion-${local.suffix} | Workload Identity Pool Provider for threat detection. |
| google_project_iam_custom_role / google_organization_iam_custom_role | SysdigIngestionAuthRole... | Custom role granting access to the data ingestion resources. |
| google_project_iam_member / google_organization_iam_member | (IAM Binding) | Binds the custom role to the service account. |
| google_service_account_iam_member | (IAM Binding) | Attaches the Workload Identity Federation as a member of the service account for authentication. |
| sysdig_secure_cloud_auth_account_component | secure-runtime | Registers the Webhook Datasource with the Sysdig backend. |

Vulnerability Management Agentless Host Scanning

Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots for accurate risk assessment and management.

Permissions Required to Install

Single Project Install

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin

Organizational Install

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing Vulnerability Host Scanning, you must have the following roles assigned:

  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
  • roles/serviceusage.serviceUsageAdmin (At the Organization level)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For Vulnerability Host Scanning:

  • roles/iam.workloadIdentityUser
  • compute.networks.list
  • compute.networks.get
  • compute.instances.list
  • compute.instances.get
  • compute.disks.list
  • compute.disks.get
  • iam.serviceAccounts.getAccessToken
  • compute.zoneOperations.get
  • compute.disks.useReadOnly
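
The permission lists above (this one and the CDR list) are the least-privilege contract for the Sysdig service accounts, so it is worth checking what was actually deployed against them, and checking that nothing beyond the federation binding can act as the account. The following audit is an added example, not Sysdig's code or tooling. It assumes the custom roles were exported with gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json (or --organization ORG_ID) and the service account's own policy with gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json; the role name, project number, pool ID and the two stray members in the embedded sample are constructed, and the sample role was deliberately given one permission the page does not list (compute.disks.createSnapshot) and left missing one it does (compute.zoneOperations.get) so both kinds of drift appear in the output.

```python
import json

# Permissions this page lists for the host-scanning service account, as the
# union of the Discovery and Scan custom roles. roles/iam.workloadIdentityUser
# is a predefined role bound on the service account itself and is checked separately.
HOST_SCANNING_PERMISSIONS = {
    "compute.networks.list", "compute.networks.get",
    "compute.instances.list", "compute.instances.get",
    "compute.disks.list", "compute.disks.get", "compute.disks.useReadOnly",
    "compute.zoneOperations.get",
    "iam.serviceAccounts.getAccessToken",
}

# Constructed sample in the shape of
#   gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json
# The role name and project are placeholders. compute.disks.createSnapshot was
# added and compute.zoneOperations.get removed on purpose to show drift reporting;
# neither reflects what Sysdig deploys.
DEPLOYED_ROLES = [json.loads("""
{
  "name": "projects/example-project/roles/SysdigCloudVMScanExample",
  "stage": "GA",
  "includedPermissions": [
    "compute.disks.get",
    "compute.disks.list",
    "compute.disks.useReadOnly",
    "compute.disks.createSnapshot",
    "compute.instances.get",
    "compute.instances.list",
    "compute.networks.get",
    "compute.networks.list",
    "iam.serviceAccounts.getAccessToken"
  ]
}
""")]

# Constructed sample in the shape of
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
# Project number, pool ID and both stray members are placeholders; the
# "user:" member and the extra tokenCreator binding are the findings to catch.
SA_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": [
       "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/sysdig-ahs-abc123/*",
       "user:contractor@example.com"
     ]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Member prefix of the Workload Identity Pool created for this feature (placeholder IDs).
EXPECTED_POOL = ("principalSet://iam.googleapis.com/projects/123456789012/"
                 "locations/global/workloadIdentityPools/sysdig-ahs-abc123/")


def role_drift(roles, documented):
    """Diff the union of the deployed custom roles against the documented set.

    "extra" is the set that widens the account beyond this page; "missing"
    explains scans that fail with permission errors.
    """
    deployed = set()
    for role in roles:
        deployed.update(role.get("includedPermissions", []))
    return {"extra": sorted(deployed - documented), "missing": sorted(documented - deployed)}


def sa_binding_findings(policy, expected_pool_prefix):
    """Flag anything on the service account's own policy beyond the expected
    federation binding. Any other role (e.g. serviceAccountTokenCreator) or a
    workloadIdentityUser member outside the expected pool lets some other
    principal act as the Sysdig account.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if binding["role"] != "roles/iam.workloadIdentityUser":
                findings.append(f"unexpected role {binding['role']} granted to {member}")
            elif not member.startswith(expected_pool_prefix):
                findings.append(f"workloadIdentityUser granted outside the expected pool: {member}")
    return findings


if __name__ == "__main__":
    print(json.dumps(role_drift(DEPLOYED_ROLES, HOST_SCANNING_PERMISSIONS), indent=2))
    for finding in sa_binding_findings(SA_POLICY, EXPECTED_POOL):
        print("FINDING:", finding)
```

For the CDR account, replace HOST_SCANNING_PERMISSIONS with the pubsub and logging permissions listed in that section and point EXPECTED_POOL at the sysdig-ingestion pool; for an organizational install, describe the role with --organization instead of --project.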

Resources Created

The following resources will be created in your GCP Environment:

| Resource | Deployed Name | Description |
|---|---|---|
| google_service_account | sysdig-ahs-${local.suffix} | Service account used by Sysdig for vulnerability management. |
| google_iam_workload_identity_pool | sysdig-ahs-${local.suffix} | Workload Identity Pool for authentication. |
| google_iam_workload_identity_pool_provider | sysdig-ahs-${local.suffix} or ...-gcp | Workload Identity Pool Provider for vulnerability management. |
| google_project_iam_custom_role / google_organization_iam_custom_role | SysdigCloudVMDiscovery... | Custom role for host discovery operations. |
| google_project_iam_custom_role / google_organization_iam_custom_role | SysdigCloudVMScan... | Custom role for host scanning operations. |
| google_project_iam_binding / google_organization_iam_binding | (IAM Binding) | Assigns the custom roles to the Sysdig service account. |
| google_service_account_iam_member | (IAM Binding) | Attaches the Workload Identity Federation as a member of the service account for authentication. |
| sysdig_secure_cloud_auth_account_component | secure-scanning | Registers the Service Principal with the Sysdig backend. |

Vulnerability Management Agentless Workload Scanning

VM Workload Scanning performs agentless vulnerability scanning of Google Cloud Run containers and functions and of Google Kubernetes Engine workloads.

Permissions Required to Install

Single Project Install

If you are installing Agentless Workload Scanning, the installer user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.workloadIdentityPoolAdmin

Organizational Install

If you are installing VM Workload Scanning at the organizational level, the installer user/service account must have the following roles assigned:

  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.workloadIdentityPoolAdmin (On the project where shared resources will be created)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted a custom role with the following permissions, allowing access to container images:

  • artifactregistry.repositories.downloadArtifacts
  • artifactregistry.repositories.get
  • artifactregistry.repositories.list
  • artifactregistry.dockerimages.get
  • artifactregistry.dockerimages.list
  • storage.objects.get
  • storage.buckets.list
  • storage.objects.list
  • iam.serviceAccounts.getAccessToken

The Service Account is also granted the roles/iam.workloadIdentityUser role to allow it to be impersonated by the Sysdig backend.

Resources Created

The following resources will be created in your GCP Environment:

| Resource | Deployed Name | Description |
|---|---|---|
| google_service_account | sysdig-ws-${local.suffix} | Service account used by Sysdig for workload scanning. |
| google_project_iam_custom_role / google_organization_iam_custom_role | ...WorkloadController${title(local.suffix)} or ...vmWorkloadScanningRole${title(local.suffix)} | Custom role with the permissions needed for workload scanning. |
| google_project_iam_binding / google_organization_iam_member | (IAM Binding) | Assigns the custom role to the Sysdig service account. |
| google_iam_workload_identity_pool | sysdig-wl-${local.suffix} | Workload Identity Pool for authentication. |
| google_iam_workload_identity_pool_provider | sysdig-wl-${local.suffix} | Workload Identity Pool Provider for workload scanning. |
| google_service_account_iam_member | (IAM Binding) | Attaches the Workload Identity Federation as a member of the service account for authentication. |
| sysdig_secure_cloud_auth_account_component | secure-vm-workload-scanning | Registers the Service Principal with the Sysdig backend. |