GCP Required Permissions
  • 04 Jun 2024


Below is a list of the roles Prisma Cloud DSPM uses to access your GCP environment and the permissions they have. Permissions are used to access different types of data, or perform actions such as creating/deleting virtual machines (VMs), exporting snapshots, etc.

IMPORTANT

If your GCP environment has any firewall or network restrictions in place, it is imperative to grant access to the following Prisma Cloud DSPM IP addresses.

EU Stack: 52.48.123.3, 99.80.210.235, 34.247.249.123

US Stack: 54.225.205.121, 18.214.146.232, 3.93.120.3


Dig-ReadOnly Service Account

Used for read-only access to your project, this service account lets Prisma Cloud DSPM read your assets' metadata, such as size, name, and region. These permissions are assigned to every project Prisma Cloud DSPM monitors through the service account, which allows us to detect and protect your assets. The read-only API calls are made from Prisma Cloud DSPM's own environment.

Permissions

Permission | Scope | Purpose
--- | --- | ---
endpoints.getIamPolicy | All Vertex AI endpoints | Read-Only access used for getting policies for Vertex AI endpoints in order to analyze access to sensitive information
Viewer Role | Monitored project | Read-Only access, used for getting the metadata of all managed data assets in the project
compute.disks.get | Monitored project | Read-Only access to resource-based IAM bindings
compute.instances.get | Monitored project | Read-Only access to resource-based IAM bindings
resourcemanager.projects.get | Monitored project | Read-Only access to resource-based IAM bindings
iam.serviceAccounts.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigquery.connections.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigquery.dataPolicies.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigquery.datasets.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigquery.rowAccessPolicies.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigquery.tables.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigtable.backups.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigtable.instances.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
bigtable.tables.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
cloudkms.cryptoKeys.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
cloudkms.ekmConnections.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
cloudkms.importJobs.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
cloudkms.keyRings.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.backendBuckets.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.backendServices.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.disks.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.firewallPolicies.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.globalOperations.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.images.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.instances.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.securityPolicies.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.serviceAttachments.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.snapshots.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.subnetworks.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
compute.zoneOperations.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
connectors.connections.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
pubsub.subscriptions.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
pubsub.topics.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
resourcemanager.projects.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
run.jobs.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
run.services.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
secretmanager.secrets.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
spanner.backups.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
spanner.databases.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
spanner.instances.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
storage.buckets.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
storage.objects.getIamPolicy | Monitored project | Read-Only access to resource-based IAM bindings
firebaserules.releases.get | Monitored project | Read-Only access to Firebase access rules
firebaserules.releases.getExecutable | Monitored project | Read-Only access to Firebase access rules
firebaserules.releases.list | Monitored project | Read-Only access to Firebase access rules
firebaserules.rulesets.get | Monitored project | Read-Only access to Firebase access rules
firebaserules.rulesets.list | Monitored project | Read-Only access to Firebase access rules

Dig-Scanner Service Account

These permissions are installed in all monitored projects and can be used only by the Dig-Orchestrator Service Account (see below), which is installed in your Orchestrator project. The scanner permissions enable Prisma Cloud DSPM to detect and scan data for analysis and classification. Sensitive data that is detected, scanned and classified by Prisma Cloud DSPM's resources never leaves the client's environment.

Permissions

Permission | Scope | Purpose
--- | --- | ---
Viewer Role | Monitored project | Allowing read-only access to view resources and metrics
cloudsql.backupRuns.create | Monitored project | Creating backups of Cloud SQL instances for data scanning
cloudsql.backupRuns.delete | Prisma Cloud DSPM's backup(s) only | Deleting stale backups of Cloud SQL instances created by Prisma Cloud DSPM
compute.disks.createSnapshot | Monitored project | Creating disk snapshots for analysis of unmanaged data assets
logging.configWriter Role | Prisma Cloud DSPM's log sink only | Managing Prisma Cloud DSPM's log sink routing the audit logs
storage.buckets.create | Prisma Cloud DSPM's audit bucket only | Creating Prisma Cloud DSPM's audit buckets
storage.buckets.delete | Prisma Cloud DSPM's audit bucket only | Deleting Prisma Cloud DSPM's storage buckets
storage.buckets.setIamPolicy | Prisma Cloud DSPM's audit bucket only | Setting IAM policy for Prisma Cloud DSPM's audit bucket to a restricted access policy
storage.buckets.update | Prisma Cloud DSPM's audit bucket only | Updating storage buckets for Prisma Cloud DSPM's data
storage.multipartUploads.abort | Prisma Cloud DSPM's audit bucket only | Aborting multipart uploads in Prisma Cloud DSPM's audit bucket
storage.multipartUploads.create | Prisma Cloud DSPM's audit bucket only | Adding objects to Prisma Cloud DSPM's audit bucket
storage.objects.create | Prisma Cloud DSPM's audit bucket only | Adding objects to Prisma Cloud DSPM's audit bucket
storage.objects.delete | Prisma Cloud DSPM's audit bucket only | Deleting Prisma Cloud DSPM's storage audit objects
storage.objects.get | Monitored project | Scanning cloud storage data objects
storage.objects.list | Monitored project | Listing objects in storage
storage.objects.update | Prisma Cloud DSPM's audit bucket only | Updating status objects in Prisma Cloud DSPM's audit bucket

Dig-Orchestrator Service Account

The Orchestrator service account and its permissions are installed in one or more projects in your environment. They are used to deploy Prisma Cloud DSPM's compute resources (e.g., VMs) that scan and analyze the monitored accounts. The same service account is also used by Prisma Cloud DSPM's compute instances to impersonate the Dig-Scanner Service Account.

Permissions

Permission | Scope | Purpose
--- | --- | ---
Viewer Role | Orchestrator project | Allowing read-only access to view resources and metrics
cloudsql.backupRuns.create | Orchestrator project | Creating Cloud SQL backups in the Orchestrator project
cloudsql.backupRuns.delete | Prisma Cloud DSPM's resources only | Deleting Prisma Cloud DSPM's backups for Cloud SQL
cloudsql.databases.create | Prisma Cloud DSPM's resources only | Creating databases in the Orchestrator project
cloudsql.databases.delete | Prisma Cloud DSPM's resources only | Deleting Prisma Cloud DSPM's Cloud SQL databases
cloudsql.databases.update | Prisma Cloud DSPM's resources only | Updating Prisma Cloud DSPM's databases in Cloud SQL
cloudsql.instances.connect | Prisma Cloud DSPM's resources only | Allowing Prisma Cloud DSPM to connect to the copied Cloud SQL instances
cloudsql.instances.create | Prisma Cloud DSPM's resources only | Creating Cloud SQL instances in the Orchestrator project
cloudsql.instances.delete | Prisma Cloud DSPM's resources only | Deleting Prisma Cloud DSPM's instances of Cloud SQL
cloudsql.instances.login | Prisma Cloud DSPM's resources only | Allowing Prisma Cloud DSPM to log in to the copied Cloud SQL instances
cloudsql.instances.restart | Prisma Cloud DSPM's resources only | Restarting Prisma Cloud DSPM's Cloud SQL instances
cloudsql.backupRuns.get | Monitored projects & Orchestrator project | Restoring Cloud SQL instances in the Orchestrator project
cloudsql.instances.update | Prisma Cloud DSPM's resources only | Updating Prisma Cloud DSPM's Cloud SQL instances
cloudsql.users.create | Prisma Cloud DSPM's resources only | Creating users in Prisma Cloud DSPM's Cloud SQL instances
cloudsql.users.delete | Prisma Cloud DSPM's resources only | Deleting users in Prisma Cloud DSPM's Cloud SQL instances
cloudsql.users.update | Prisma Cloud DSPM's resources only | Updating users in Prisma Cloud DSPM's Cloud SQL instances
compute.addresses.create | Prisma Cloud DSPM's resources only | Creating IP addresses in the Orchestrator project
compute.addresses.delete | Prisma Cloud DSPM's resources only | Deleting addresses created by Prisma Cloud DSPM
compute.addresses.setLabels | Prisma Cloud DSPM's resources only | Setting labels for addresses created by Prisma Cloud DSPM
compute.addresses.use | Prisma Cloud DSPM's resources only | Using addresses created by Prisma Cloud DSPM
compute.disks.create | Orchestrator project | Creating disks in the Orchestrator project
compute.disks.delete | Prisma Cloud DSPM's resources only | Deleting disks created by Prisma Cloud DSPM
compute.disks.resize | Prisma Cloud DSPM's resources only | Resizing disks created by Prisma Cloud DSPM
compute.disks.setLabels | Prisma Cloud DSPM's resources only | Setting labels for disks created by Prisma Cloud DSPM
compute.disks.use | Prisma Cloud DSPM's resources only | Using the disks created by Prisma Cloud DSPM
compute.disks.useReadOnly | Prisma Cloud DSPM's resources only | Using read-only access type for disks created by Prisma Cloud DSPM
compute.firewallPolicies.addAssociation | Prisma Cloud DSPM's resources only | Adding association for firewall policies created by Prisma Cloud DSPM
compute.firewallPolicies.create | Prisma Cloud DSPM's resources only | Creating firewall policies in the Orchestrator project
compute.firewallPolicies.delete | Prisma Cloud DSPM's resources only | Deleting firewall policies created by Prisma Cloud DSPM
compute.firewallPolicies.removeAssociation | Prisma Cloud DSPM's resources only | Removing association for firewall policies created by Prisma Cloud DSPM
compute.firewallPolicies.update | Prisma Cloud DSPM's resources only | Updating firewall policies for Prisma Cloud DSPM's resources
compute.firewallPolicies.use | Prisma Cloud DSPM's resources only | Using firewall policies created by Prisma Cloud DSPM
compute.firewalls.create | Orchestrator project | Creating firewalls
compute.firewalls.delete | Prisma Cloud DSPM's resources only | Deleting stale firewall policies created by Prisma Cloud DSPM
compute.firewalls.update | Prisma Cloud DSPM's resources only | Updating firewall policies created by Prisma Cloud DSPM
compute.globalAddresses.create | Prisma Cloud DSPM's resources only | Creating global IP addresses
compute.globalAddresses.setLabels | Prisma Cloud DSPM's resources only | Setting labels for global addresses
compute.globalAddresses.use | Prisma Cloud DSPM's resources only | Using global addresses created by Prisma Cloud DSPM
compute.images.delete | Prisma Cloud DSPM's resources only | Deleting images created by Prisma Cloud DSPM
compute.images.setIamPolicy | Prisma Cloud DSPM's resources only | Setting IAM policies for images created by Prisma Cloud DSPM
compute.images.setLabels | Prisma Cloud DSPM's resources only | Setting labels for images created by Prisma Cloud DSPM
compute.images.update | Prisma Cloud DSPM's resources only | Updating images created by Prisma Cloud DSPM
compute.images.use | Prisma Cloud DSPM's resources only | Using images to create instances
compute.images.useReadOnly | Prisma Cloud DSPM's resources only | Using images created by Prisma Cloud DSPM in a read-only mode
compute.instances.addResourcePolicies | Prisma Cloud DSPM's resources only | Adding resource policies to instances created by Prisma Cloud DSPM
compute.instances.attachDisk | Prisma Cloud DSPM's resources only | Attaching disks to instances created by Prisma Cloud DSPM
compute.instances.create | Prisma Cloud DSPM's resources only | Creating instances
compute.instances.delete | Prisma Cloud DSPM's resources only | Deleting instances created by Prisma Cloud DSPM
compute.instances.detachDisk | Prisma Cloud DSPM's resources only | Detaching disks from instances created by Prisma Cloud DSPM
compute.instances.reset | Prisma Cloud DSPM's resources only | Resetting instances created by Prisma Cloud DSPM
compute.instances.resume | Prisma Cloud DSPM's resources only | Resuming instances created by Prisma Cloud DSPM
compute.instances.setDeletionProtection | Prisma Cloud DSPM's resources only | Setting deletion protection for instances created by Prisma Cloud DSPM
compute.instances.setDiskAutoDelete | Prisma Cloud DSPM's resources only | Setting automatic disk deletion for instances created by Prisma Cloud DSPM
compute.instances.setIamPolicy | Prisma Cloud DSPM's resources only | Setting IAM policies for instances created by Prisma Cloud DSPM
compute.instances.setLabels | Prisma Cloud DSPM's resources only | Setting labels for instances created by Prisma Cloud DSPM
compute.instances.setMachineResources | Prisma Cloud DSPM's resources only | Setting machine resources for instances created by Prisma Cloud DSPM
compute.instances.setMachineType | Prisma Cloud DSPM's resources only | Setting machine type for instances created by Prisma Cloud DSPM
compute.instances.setMetadata | Prisma Cloud DSPM's resources only | Setting metadata and configuration for instances created by Prisma Cloud DSPM
compute.instances.setMinCpuPlatform | Prisma Cloud DSPM's resources only | Setting minimum CPU platform on instances
compute.instances.setName | Prisma Cloud DSPM's resources only | Setting name on instances
compute.instances.setServiceAccount | Prisma Cloud DSPM's resources only | Setting the service account for the instances
compute.instances.setTags | Prisma Cloud DSPM's resources only | Setting tags for instances in Prisma Cloud DSPM's resources
compute.instances.start | Prisma Cloud DSPM's resources only | Starting Prisma Cloud DSPM's VM instances
compute.instances.stop | Prisma Cloud DSPM's resources only | Stopping Prisma Cloud DSPM's VM instances
compute.instances.suspend | Prisma Cloud DSPM's resources only | Suspending Prisma Cloud DSPM's VM instances
compute.instances.update | Prisma Cloud DSPM's resources only | Updating Prisma Cloud DSPM's VM instances
compute.instances.updateAccessConfig | Prisma Cloud DSPM's resources only | Updating access configuration of instances created by Prisma Cloud DSPM
compute.instances.updateNetworkInterface | Prisma Cloud DSPM's resources only | Updating network interface of instances created by Prisma Cloud DSPM
compute.instances.use | Prisma Cloud DSPM's resources only | Using instances
compute.networkAttachments.create | Orchestrator project | Attaching Prisma Cloud DSPM's network resources to services
compute.networkAttachments.delete | Prisma Cloud DSPM's resources only | Deleting network attachments from resources created by Prisma Cloud DSPM
compute.networks.access | Prisma Cloud DSPM's resources only | Accessing networks created by Prisma Cloud DSPM
compute.networks.create | Orchestrator project | Creating networks
compute.networks.delete | Prisma Cloud DSPM's resources only | Deleting networks created by Prisma Cloud DSPM
compute.networks.setFirewallPolicy | Prisma Cloud DSPM's resources only | Setting firewall policies for networks created by Prisma Cloud DSPM
compute.networks.updatePolicy | Prisma Cloud DSPM's resources only | Updating network policies for resources created by Prisma Cloud DSPM
compute.networks.use | Prisma Cloud DSPM's resources only | Using and accessing networks created by Prisma Cloud DSPM
compute.routers.create | Orchestrator project | Creating routers
compute.routes.create | Orchestrator project | Creating routes
compute.routes.delete | Prisma Cloud DSPM's resources only | Deleting routes created by Prisma Cloud DSPM
compute.snapshots.useReadOnly | Prisma Cloud DSPM's resources only | Using read-only access for snapshots created by Prisma Cloud DSPM
compute.subnetworks.create | Orchestrator project | Creating subnetworks
compute.subnetworks.use | Prisma Cloud DSPM's resources only | Attaching subnetworks to resources created by Prisma Cloud DSPM
compute.subnetworks.useExternalIp | Prisma Cloud DSPM's resources only | Allowing Prisma Cloud DSPM to use external IPs for subnetworks
iam.serviceAccounts.actAs | Orchestrator project | Allowing Prisma Cloud DSPM to act as a service account
networkservices.gateways.create | Orchestrator project | Creating network gateways
secretmanager.secrets.create | Prisma Cloud DSPM's Secrets only | Creating new secrets in the Secret Manager
secretmanager.secrets.delete | Prisma Cloud DSPM's Secrets only | Deleting secrets created by Prisma Cloud DSPM from the Secret Manager
secretmanager.secrets.setIamPolicy | Prisma Cloud DSPM's Secrets only | Setting IAM policy on secrets created by Prisma Cloud DSPM only
secretmanager.secrets.update | Prisma Cloud DSPM's Secrets only | Updating versions of secrets created by Prisma Cloud DSPM only
secretmanager.secrets.access | Prisma Cloud DSPM's Secrets only | Accessing versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.add | Prisma Cloud DSPM's Secrets only | Adding versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.destroy | Prisma Cloud DSPM's Secrets only | Destroying versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.disable | Prisma Cloud DSPM's Secrets only | Disabling versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.enable | Prisma Cloud DSPM's Secrets only | Enabling versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.get | Prisma Cloud DSPM's Secrets only | Retrieving versions of secrets created by Prisma Cloud DSPM only
secretmanager.versions.list | Prisma Cloud DSPM's Secrets only | Listing versions of secrets created by Prisma Cloud DSPM only
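An added least-privilege check (not Prisma Cloud's own code) for the three tables above, shown with the Dig-Scanner set: it diffs a custom role export against the documented permissions and lists every state-changing grant, since a project-level custom role does not by itself express the "Prisma Cloud DSPM's ... only" scope the tables describe. It assumes the role was exported with `gcloud iam roles describe ROLE --project PROJECT --format=json`, whose JSON carries an `includedPermissions` list; the sample export and its project and role names are constructed placeholders.

```python
import json

# Permissions the Dig-Scanner table documents, transcribed as a set. The
# Viewer and logging.configWriter rows are predefined roles bound separately,
# so they are not custom-role permissions and are left out here.
DIG_SCANNER_DOCUMENTED = {
    "cloudsql.backupRuns.create", "cloudsql.backupRuns.delete",
    "compute.disks.createSnapshot",
    "storage.buckets.create", "storage.buckets.delete",
    "storage.buckets.setIamPolicy", "storage.buckets.update",
    "storage.multipartUploads.abort", "storage.multipartUploads.create",
    "storage.objects.create", "storage.objects.delete",
    "storage.objects.get", "storage.objects.list", "storage.objects.update",
}

# Verb prefixes (last dotted segment of a permission) that change or consume
# state. These are the rows whose "... only" scope a reviewer should confirm
# is actually bounded (for example by IAM Conditions or a dedicated project).
MUTATING_VERBS = ("create", "delete", "update", "set", "use", "destroy",
                  "abort", "connect", "login", "actAs", "add", "remove")


def is_mutating(perm: str) -> bool:
    """True when the permission's verb can change or consume a resource."""
    return perm.rsplit(".", 1)[-1].startswith(MUTATING_VERBS)


def audit_role(role_export: str, documented: set) -> dict:
    """Diff a `gcloud iam roles describe --format=json` export against the
    documented permission set and list the state-changing grants."""
    role = json.loads(role_export)
    granted = set(role.get("includedPermissions", []))
    return {
        "undocumented": sorted(granted - documented),  # drift beyond the page
        "missing": sorted(documented - granted),       # onboarding will fail
        "mutating": sorted(p for p in granted if is_mutating(p)),
        "stage": role.get("stage"),
    }


# Constructed sample export (placeholder project and role names): one
# permission the page does not list was added, one documented one is absent.
SAMPLE_EXPORT = json.dumps({
    "name": "projects/example-project/roles/DigScanner",
    "stage": "GA",
    "includedPermissions": sorted(
        (DIG_SCANNER_DOCUMENTED - {"storage.objects.update"})
        | {"storage.objects.setIamPolicy"}
    ),
})

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_EXPORT, DIG_SCANNER_DOCUMENTED).items():
        print(f"{key}: {value}")
```

The same function works for the Dig-ReadOnly and Dig-Orchestrator tables once their permission columns are transcribed into sets.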

