Prisma Cloud: Newly created GCP projects fail to auto-provision into DSPM module

Created On 01/22/26 02:38 AM - Last Modified 02/13/26 22:39 PM


Question


Why are newly created GCP projects in the organization being discovered by Prisma Cloud but not automatically provisioned or appearing in the DSPM inventory?



Environment


  • Prisma Cloud Enterprise Edition
  • Data Security Posture Management (DSPM / Dig Security)
  • Google Cloud Platform (GCP)
  • Dynamic organization-level onboarding using Terraform / auto-provisioning


Answer


  • The issue is caused by missing IAM permissions at the Organization level for the Prisma Cloud Read-Only Service Account. Specifically, the service account needs permission to list resource folders so that it can discover projects nested anywhere in the organizational hierarchy.
  • Resolution Steps:
    • Assign the Folder Viewer role (roles/resourcemanager.folderViewer) to the Prisma Cloud Read-Only Service Account at the Organization level.

    • Confirm that the permission resourcemanager.folders.list is effectively granted to the service account (it is included in the Folder Viewer role).

    • Note: While the "Viewer" role is sometimes used, the Browser or Folder Viewer role is preferred, because it ensures the orchestrator can traverse the full folder structure to find new projects.
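As an added example (not the article's own configuration, nor part of Prisma Cloud's onboarding templates), this Terraform fragment grants the Folder Viewer role at the organization level; the organization ID, the service-account email and the configured google provider are assumed placeholders supplied by the caller.

```hcl
# Added example, not Prisma Cloud's onboarding code. Assumes a configured
# google provider and that the two variables below are supplied by the caller.

variable "organization_id" {
  description = "Numeric GCP organization ID (placeholder, supply your own)"
  type        = string
}

variable "prisma_readonly_sa_email" {
  description = "Email of the Prisma Cloud Read-Only Service Account (placeholder)"
  type        = string
}

# Non-authoritative member binding: adds only this service account to the role
# and leaves any members already bound to it at the organization level intact.
# roles/resourcemanager.folderViewer includes resourcemanager.folders.list and
# resourcemanager.folders.get, which is what the DSPM discovery needs.
resource "google_organization_iam_member" "prisma_dspm_folder_viewer" {
  org_id = var.organization_id
  role   = "roles/resourcemanager.folderViewer"
  member = "serviceAccount:${var.prisma_readonly_sa_email}"
}

output "prisma_dspm_folder_viewer_binding" {
  description = "Role and member granted at the organization level"
  value = {
    role   = google_organization_iam_member.prisma_dspm_folder_viewer.role
    member = google_organization_iam_member.prisma_dspm_folder_viewer.member
  }
}

# Verification after apply (placeholders ORG_ID and SA_EMAIL):
#   gcloud organizations get-iam-policy ORG_ID \
#     --flatten="bindings[].members" \
#     --filter="bindings.role:roles/resourcemanager.folderViewer"
#   gcloud resource-manager folders list --organization=ORG_ID \
#     --impersonate-service-account=SA_EMAIL
```

The second gcloud command exercises resourcemanager.folders.list as the service account itself, so an empty or denied result there reproduces the discovery failure described in the question.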



Additional Information


  • Prisma Cloud DSPM relies on the Orchestrator Project to scan for new assets. If the service account lacks folder-list permissions, the discovery mechanism for the DSPM-specific setup fails, even while the general CSPM discovery (which uses different hooks) keeps working.
  • Referenced docs:

