Custom role permissions for GCP CSA
When setting up GCP for CSA, Netskope requires certain read-only permissions. To grant these permissions, Netskope provides the following two options.
Option 1: Select the following built-in roles:
Project > Browser
IAM > Security Reviewer
BigQuery > BigQuery Metadata Viewer
Organization Policy > Organization Policy Viewer
Or,
Option 2: Select the two built-in roles Project > Browser and Organization Policy > Organization Policy Viewer, then create a custom role that contains the two base permissions compute.projects.get and compute.regions.list. Add the permissions for each GCP service you want CSA to scan to this custom role, as listed in the following table; services you do not scan need no additional permissions.
The following table maps each GCP service to the custom role permissions it requires. Permissions marked "org level" are only available in a custom role created at the organization level, not in a project-level custom role. Services listed as NA need no custom role permission beyond the built-in roles above.

GCP service | Permission required | Purpose
Compute Image | compute.images.list | Retrieves the list of custom images available to the specified project.
DNS Managed Zone | dns.managedZoneOperations.list | Enumerates operations for a given managed zone.
DNS Managed Zone | dns.managedZones.list | Lists all your managed zones.
DNS Managed Zone | dns.resourceRecordSets.list | Enumerates resource record sets that you have created but not yet deleted.
Kubernetes Cluster | container.clusterRoleBindings.list | Lists the cluster role bindings of a Kubernetes cluster.
Kubernetes Cluster | container.clusterRoles.list | Lists the cluster roles of a Kubernetes cluster.
Kubernetes Cluster | container.clusters.list | Lists existing clusters for running containers.
Service Account | iam.serviceAccounts.get | Gets a service account.
Service Account | iam.serviceAccounts.getIamPolicy | Gets the IAM policy for a service account.
Service Account | iam.serviceAccountKeys.list | Lists every key of a service account.
Service Account | iam.serviceAccounts.list | Lists every service account.
VPC | compute.networks.list | Lists Google Compute Engine networks.
Compute Instance | compute.zones.list | Lists Google Compute Engine zones.
Compute Instance | compute.instances.list | Lists Google Compute Engine instances.
Firewall | compute.firewalls.list | Retrieves the list of firewall rules available to the specified project.
IAM Policy | NA | NA
Log Metric | logging.logMetrics.list | Lists logs-based metrics.
Log Metric | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace.
Roles | iam.roles.list | Lists the roles defined at a parent organization or project.
SQL Instance | cloudsql.instances.list | Lists Cloud SQL instances in a given project.
SQL Instance | cloudsql.users.list | Lists Cloud SQL users in a given instance.
Access Policy | accesscontextmanager.accessLevels.list (org level) | Lists all access levels.
Access Policy | accesscontextmanager.accessPolicies.list (org level) | Lists all access policies under a container.
Access Policy | accesscontextmanager.servicePerimeters.list (org level) | Lists all service perimeters for an access policy.
Storage | storage.buckets.getIamPolicy | Returns the Identity and Access Management (IAM) policy for the specified bucket.
Storage | storage.buckets.list | Retrieves the list of buckets for a given project.
Forwarding Rules | compute.regions.get | Returns the specified region resource.
Forwarding Rules | compute.globalAddresses.get | Returns the specified global address resource.
Forwarding Rules | compute.addresses.get | Returns the specified regional address resource.
Forwarding Rules | compute.forwardingRules.list | Lists Google Compute Engine forwarding rules.
IAM Policy User | NA | NA
Logging Sinks | logging.sinks.list | Lists the defined sinks.
Route | compute.routes.list | Lists non-dynamic Google Compute Engine routes.
Subnetwork | compute.subnetworks.list | Retrieves the list of subnetworks available to the specified project.
Alert Policy | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace.
Disks | compute.disks.list | Lists Google Compute Engine disks.
Disks | compute.zones.list | Retrieves the list of zone resources available to the specified project.
Dataproc Cluster | dataproc.clusters.list | Lists the clusters in a project.
Cloud Function | cloudfunctions.functions.list | Lists the Cloud Functions of the specified project.
Cloud Function | cloudfunctions.locations.list | Lists the locations available for Cloud Functions in the specified project.
KMS | cloudkms.cryptoKeyVersions.list | Lists crypto key versions.
KMS | cloudkms.cryptoKeys.list | Lists crypto keys.
KMS | cloudkms.keyRings.list | Lists key rings.
Organization | NA | NA
API Services | serviceusage.services.list | Lists all services available to the specified project and the current state of those services with respect to the project.
BigQuery Datasets | bigquery.datasets.get | Returns the dataset specified by dataset ID.

Some permissions appear under more than one service (compute.zones.list under Compute Instance and Disks; monitoring.alertPolicies.list under Log Metric and Alert Policy). Each permission only needs to be added to the custom role once.