Minimum Permissions for GCP Connector
This page describes how to configure the minimum permissions the GCP connector needs to access GCP resources. The goal is to avoid granting full Admin rights and to give only the minimum permissions required for Compliance checks and Remediation actions.
This page explains how to create the required roles in GCP using YAML files.
Creating roles in GCP:
The following steps explain how to create roles from a YAML file (containing the minimum permissions the GCP connector needs for GCP resources) and how to assign the created role to the service account user.
The example below shows how to create a custom role with the minimum permissions required for Compliance checks. To create a custom role with the minimum permissions required for both Compliance checks and Remediation actions, follow the same steps and alter the YAML file accordingly.
After creating the required YAML file, run the command below to create the role.
1. Log on to the GCP console.
2. Click the navigation menu located at the top left corner of the screen.
5. From the cascading menu that appears, select IAM & Admin > IAM.
6. Select the required user from the options listed.
7. Click the edit button corresponding to the chosen user.
8. In the screen that pops up, select the box under Role.
9. From the options, choose the type of role to be assigned (in this case, Custom Role).
10. Select the custom option.
11. You will be notified about the update made.
Wait a few minutes after assigning the custom role to the service account user, as it takes some time for the permissions to take effect.
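The same procedure done from the command line, as an added example that is not part of the product documentation: it writes a custom-role YAML file in the format accepted by gcloud, refuses any permission that is not read-only (the point of a compliance-only role), creates the role and binds it to the service account. PROJECT_ID, the service account address and the permission list are placeholders; the real permission list comes from the product's compliance YAML file.

```shell
#!/bin/sh
# Added example, not the product's own script. Builds and applies a
# least-privilege custom role for a compliance-only connector account.

# Write a role definition in the layout gcloud expects for
# `gcloud iam roles create --file`. Usage: write_role_yaml <file> <perm>...
write_role_yaml() {
  out="$1"; shift
  {
    echo 'title: "Cloud Security connector - compliance (read-only)"'
    echo 'description: "Minimum permissions for compliance checks only"'
    echo 'stage: "GA"'
    echo 'includedPermissions:'
    for p in "$@"; do echo "- $p"; done
  } > "$out"
}

# A compliance role must only read state: accept get/list/getIamPolicy
# permissions, reject anything that could change a resource.
# Returns 0 when every permission is read-only, 1 otherwise.
check_read_only() {
  for p in "$@"; do
    case "$p" in
      *.get|*.list|*.getIamPolicy) ;;
      *) echo "not read-only, refusing: $p" >&2; return 1 ;;
    esac
  done
  return 0
}

# Create the role in the project and grant it to the service account.
create_and_bind() {
  project="$1"; sa="$2"; role_id="$3"; file="$4"
  gcloud iam roles create "$role_id" --project="$project" --file="$file"
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$sa" \
    --role="projects/$project/roles/$role_id"
}

# Illustrative permission list (placeholder, replace with the product's
# compliance YAML contents). Only runs against GCP when APPLY=1 is set.
PERMS="compute.instances.list compute.instances.get storage.buckets.get storage.buckets.getIamPolicy"
if [ "${APPLY:-0}" = "1" ]; then
  check_read_only $PERMS || exit 1
  write_role_yaml compliance-role.yaml $PERMS
  create_and_bind PROJECT_ID \
    connector@PROJECT_ID.iam.gserviceaccount.com \
    cloudSecurityCompliance compliance-role.yaml
fi
```

After the binding is applied, `gcloud iam roles describe cloudSecurityCompliance --project=PROJECT_ID` shows the exact permission set, which is what an auditor should compare against the compliance YAML.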
Compliance YAML file:
For Compliance checks only, use the YAML file below.
Compliance and Remediation YAML file:
For Compliance checks and Remediation actions, use the YAML file below.
Use Cases and Permissions
Below are the minimum permissions required for the BMC Helix Cloud Security Compliance and Remediation use cases to work.
GCP Services involved | Permissions needed for Compliance | Permissions needed for Remediation
To perform remediation for rule 3.7 of the “CIS Google Cloud Platform Foundation Benchmark – VM” policy, add the “Editor” role to the service account user.