Which Service Account Permissions are required when onboarding GCP Organizations and Projects into Prisma Cloud?

Created On 09/15/23 08:33 AM - Last Modified 07/14/25 21:25 PM


Question


Which Service Account Permissions are required when onboarding GCP Organizations and Projects into Prisma Cloud?

Environment


  • Prisma Cloud Enterprise Edition (SaaS)
  • GCP
  • Service Account Permissions


Answer


When onboarding a GCP Organization or Project into Prisma Cloud, certain permissions must be added to the service account so that Prisma Cloud can ingest data and enable the capabilities listed under Security Capabilities and Permissions and Additional Capabilities.




The permissions that the Prisma Cloud service account needs to monitor your GCP resources depend on your cloud protection needs:

  • If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.

  • If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.

  • If you are using a master service account (MSA), you have two options:

    • (Recommended) Add permissions to the IAM policy for the organization.

    • Assign the roles to the IAM policy for each project individually.

The roles for read or read-write access permission that the service account requires are:
 

  • Viewer—Primitive role on GCP.



  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
    • If you cannot run the Terraform script that creates the custom role with the necessary permissions, you can instead create a YAML file and add the granular permissions for the custom role yourself.
    • Use the following YAML format as an example. You must add the permissions for onboarding your GCP organization or project, from the link above, to this file:
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
.
.
.
  • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.



  • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.


  • Dataflow Admin—Predefined role on GCP. An optional privilege that is required only for flow logs compression using the Dataflow service. See Flow Logs Compression on GCP for details.


  • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and to automatically create account groups based on the folder hierarchy.

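The following Python script is an added example, not part of this article or of Palo Alto Networks' tooling. It shows the two checks a practitioner would want before binding roles: first, that a hand-written custom-role YAML (in the format shown above) actually contains storage.buckets.get and storage.buckets.getIamPolicy and grants nothing outside a reviewed allow-list; second, a dry-run planner that emits the gcloud add-iam-policy-binding commands for the organization-level or per-project binding options described above, adding the optional predefined roles (Compute Security Admin, Dataflow Admin, Folder Viewer) only when the corresponding capability is requested. The predefined role IDs are GCP's; the organization ID, project IDs, service-account address, custom role name and the extra permission in the sample YAML are constructed placeholders.

```python
"""Added example: validate a Prisma Cloud custom-role YAML and plan the IAM
bindings for the service account. Not Palo Alto Networks' own code."""

# Permissions the article says the custom role must carry.
REQUIRED_CUSTOM_PERMS = {"storage.buckets.get", "storage.buckets.getIamPolicy"}

# GCP predefined roles named in the article, keyed by the capability that needs them.
PREDEFINED = {
    "organization": "roles/iam.organizationRoleViewer",      # required for org onboarding
    "auto_remediation": "roles/compute.securityAdmin",       # optional
    "flow_log_compression": "roles/dataflow.admin",          # optional
    "folders": "roles/resourcemanager.folderViewer",         # optional
}

# Constructed sample in the article's format; compute.instances.delete is a
# deliberately out-of-scope permission to show the least-privilege check firing.
SAMPLE_ROLE_YAML = """\
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
- storage.buckets.get
- compute.instances.delete
"""

# Reviewed allow-list (constructed): what the role is permitted to grant.
ALLOWED_PERMS = {"compute.networks.list", "compute.backendServices.list"} | REQUIRED_CUSTOM_PERMS


def parse_role_yaml(text):
    """Minimal parser for the flat role YAML shown in the article: scalar keys
    plus one '- item' list under includedPermissions. Not a general YAML parser."""
    role = {"includedPermissions": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
        else:
            key, _, value = line.partition(":")
            if key.strip() != "includedPermissions":
                role[key.strip()] = value.strip()
    return role


def check_custom_role(role, allowed_perms):
    """Return (missing, unexpected): required permissions the role lacks, and
    granted permissions that are not on the reviewed allow-list."""
    granted = set(role["includedPermissions"])
    return sorted(REQUIRED_CUSTOM_PERMS - granted), sorted(granted - allowed_perms)


def plan_bindings(service_account, targets, custom_role, auto_remediation=False,
                  flow_log_compression=False, folders=False):
    """Dry-run planner: build the gcloud commands that bind each needed role at
    each target. targets is a list of ("organization", ORG_ID) or
    ("project", PROJECT_ID); custom_role is the full resource name of the
    Prisma Cloud Viewer custom role. Nothing is executed."""
    roles = ["roles/viewer", custom_role]                     # always required
    if any(kind == "organization" for kind, _ in targets):
        roles.append(PREDEFINED["organization"])
    if auto_remediation:
        roles.append(PREDEFINED["auto_remediation"])
    if flow_log_compression:
        roles.append(PREDEFINED["flow_log_compression"])
    if folders:
        roles.append(PREDEFINED["folders"])
    commands = []
    for kind, target_id in targets:
        verb = "organizations" if kind == "organization" else "projects"
        for role in roles:
            commands.append(
                f"gcloud {verb} add-iam-policy-binding {target_id} "
                f"--member=serviceAccount:{service_account} --role={role}")
    return commands


if __name__ == "__main__":
    role = parse_role_yaml(SAMPLE_ROLE_YAML)
    missing, unexpected = check_custom_role(role, ALLOWED_PERMS)
    print("missing required permissions:", missing)
    print("permissions outside allow-list:", unexpected)
    sa = "prisma-cloud@example-project.iam.gserviceaccount.com"   # placeholder
    org_plan = plan_bindings(sa, [("organization", "123456789012")],
                             "organizations/123456789012/roles/prisma-custom-role",
                             folders=True)
    print("\n".join(org_plan))
```

Run the script to see the checker flag the missing storage.buckets.getIamPolicy and the out-of-scope compute.instances.delete before any binding is made; the planner's output can be reviewed and pasted into a shell once the role file passes. For the per-project option, pass a list of ("project", PROJECT_ID) tuples and the custom role created in that project.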

 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgVoCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail