List of Google Cloud Platform (GCP) permissions requested when onboarding a Cortex Cloud outpost, used to enable continuous monitoring of your cloud environment.
When you onboard Google Cloud Platform (GCP), Cortex Cloud generates an authentication template that requests the permissions needed to monitor your cloud environment through the outpost. The set of permissions requested depends on which security capabilities you select in the onboarding wizard. The following tables are organized by security module and list each CSP permission being requested, its purpose, and, where relevant, the scope at which it is needed:
The following IAM roles are required for the Required base permissions module.
The following GCP permissions are granted by the dspmCustomerDataStorage role.
| Permission | Description |
|---|---|
| storage.objects.delete | Delete objects. This is used to remove temporary files, logs, or scan results from the artifact bucket once they have been processed or are no longer needed. |
The following GCP permissions are granted by the dspmDeleteCustomerDataStorage role.
| Permission | Description |
|---|---|
| storage.objects.delete | Delete objects. This is used to remove temporary files, logs, or scan results from the artifact bucket once they have been processed or are no longer needed. |
The following GCP permissions are granted by the roles/compute.admin role.
| Permission | Description |
|---|---|
| roles/compute.admin | Grant full administrative control over Compute Engine resources. This allows the outpost to dynamically provision, manage, and delete Virtual Machines, disks, and networks required for scanning operations, ensuring resources are only running when needed. |
The following GCP permissions are granted by the roles/iam.serviceAccountTokenCreator role.
| Permission | Description |
|---|---|
| roles/iam.serviceAccountTokenCreator | Create OAuth2 access tokens or OpenID Connect ID tokens. This allows the CTS service account to impersonate the Cortex Engine service account, facilitating the secure trust chain between the Cortex Platform and the Outpost. |
The following GCP permissions are granted by the roles/iam.serviceAccountUser role.
| Permission | Description |
|---|---|
| roles/iam.serviceAccountUser | Act as a service account. This permission enables Cortex to launch Compute instances with specific service account identities, such as the scan runner or proxy, ensuring they have the precise permissions needed for their tasks. |
The following GCP permissions are granted by the roles/pubsub.subscriber role.
| Permission | Description |
|---|---|
| roles/pubsub.subscriber | Consume messages from Pub/Sub subscriptions. This facilitates event-driven communication, allowing the Cortex Engine to receive notifications about bucket events or scanning triggers for the bucket-communication process. |
The following GCP permissions are granted by the scanRunnerBucketRole role.
| Permission | Description |
|---|---|
| storage.objects.create | Create or upload objects. This allows the scanner to write scan results, logs, or other artifacts to the designated communication or customer-data buckets. |
| storage.objects.delete | Delete objects. This is used to remove temporary files, logs, or scan results from the artifact bucket once they have been processed or are no longer needed. |
| storage.objects.list | List objects. This allows the DSPM service to list objects written by GCP managed services to the customer-data bucket, facilitating data discovery. |
The following IAM roles are required for the DSPM module.
The following GCP permissions are granted by the dspmBigQuery role.
| Permission | Description |
|---|---|
| bigquery.jobs.create | Create an export job. This allows the outpost to transfer data from BigQuery to Google Cloud Storage (GCS). This is necessary to facilitate efficient data scanning and classification by moving data to a temporary staging area for analysis without impacting the live dataset. |
The following GCP permissions are granted by the dspmCloudKMS role.
| Permission | Description |
|---|---|
| cloudkms.cryptoKeys.create | Create a new cryptographic key. This key is used specifically for Bigtable encryption operations. It ensures that data extracted or processed during Bigtable scanning remains encrypted and secure. |
| cloudkms.cryptoKeys.getIamPolicy | Retrieve the IAM policy for a cryptographic key. This allows the system to verify access permissions for the keys used in Bigtable encryption, ensuring that only authorized entities can use them. |
| cloudkms.cryptoKeys.setIamPolicy | Set the IAM policy for a cryptographic key. This is required to grant the necessary permissions to the scanner service account so it can use the key for Bigtable encryption operations. |
| cloudkms.cryptoKeys.update | Modify the properties of a cryptographic key. This is used to manage the configuration of keys used for Bigtable encryption, such as updating labels or rotation schedules. |
| cloudkms.cryptoKeyVersions.create | Create a new version for a cryptographic key. This is used to rotate keys or generate new key material specifically for Bigtable encryption operations. |
| cloudkms.cryptoKeyVersions.destroy | Permanently destroy a cryptographic key version. This allows for the secure cleanup of key material that is no longer needed after Bigtable scanning is complete, preventing clutter and reducing the risk of key reuse. |
| cloudkms.cryptoKeyVersions.get | Retrieve the details and metadata of a cryptographic key version. This provides necessary context about the key being used for Bigtable encryption, such as its state and algorithm, to ensure the correct key is applied. |
| cloudkms.cryptoKeyVersions.list | List all versions of a cryptographic key. This allows the system to identify available key versions for Bigtable encryption and manage their lifecycle effectively during the scanning process. |
| cloudkms.cryptoKeyVersions.update | Modify the settings and state of a cryptographic key version. This is used to enable or disable key versions used for Bigtable encryption as needed, ensuring control over key usage. |
| cloudkms.cryptoKeyVersions.useToDecrypt | Use a cryptographic key version to decrypt data. This permission is essential for the scanner to read and analyze encrypted Bigtable data during the scanning process, enabling the classification of sensitive information. |
| cloudkms.cryptoKeyVersions.useToEncrypt | Use a cryptographic key version to encrypt data. This ensures that any data written or processed during the Bigtable scan is securely encrypted, maintaining data confidentiality throughout the operation. |
| cloudkms.keyRings.create | Create a new key ring. This is used to organize and hold the cryptographic keys required for Bigtable encryption in a logical group within the project. |
The following GCP permissions are granted by the dspmCloudSql role.
| Permission | Description |
|---|---|
| cloudsql.databases.create | Create databases. This is performed as part of an instance restore operation. It allows the creation of a temporary database copy for safe scanning without impacting the live production database. |
| cloudsql.databases.delete | Delete databases. This is used to clean up temporary databases created for scanning once the analysis is complete, ensuring no residual data remains in the environment. |
| cloudsql.databases.get | Retrieve database details. This allows the system to verify the configuration and status of the database during the restore and scan operation to ensure it is ready for access. |
| cloudsql.databases.list | List databases. This provides visibility into the databases present on an instance, which is necessary for identifying targets for restore and scanning. |
| cloudsql.databases.update | Modify database properties. This is used during the instance restore operation to configure the temporary database correctly for access and scanning. |
| cloudsql.instances.create | Create a Cloud SQL instance. This is used to create a temporary instance for restoring backups. This enables analysis of the data in an isolated environment without affecting the production instance. |
| cloudsql.instances.delete | Delete Cloud SQL instances. This is a critical cleanup permission. It allows the removal of the temporary instance created for scanning once the task is finished. |
| cloudsql.instances.get | Retrieve instance details. This provides necessary metadata about the Cloud SQL instance to ensure it is ready for scanning or restore operations. |
| cloudsql.instances.list | List Cloud SQL instances. This allows the system to discover instances and verify the presence of the temporary instance created for scanning. |
| cloudsql.instances.restoreBackup | Restore a Cloud SQL instance from a backup. This is the core action for safe scanning. It allows Cortex to restore data to a new, temporary instance for analysis, leaving the source untouched. |
| cloudsql.instances.update | Modify Cloud SQL instance properties. This is used to configure the temporary instance, such as adjusting network settings to allow the scanner to connect. |
| cloudsql.users.list | List all users on a Cloud SQL instance. This is used to manage users on the temporary instance during the restore and scan process. |
| cloudsql.users.update | Modify user settings. This allows the system to update the password or permissions of the temporary user on the Cloud SQL instance to ensure access. |
The following GCP permissions are granted by the dspmSecretManager role.
| Permission | Description |
|---|---|
| secretmanager.secrets.create | Create a new secret. This is used to securely store credentials or configuration data required by the scanner, such as temporary database passwords, to connect to scan targets. |
| secretmanager.secrets.delete | Delete a secret. This allows the system to clean up and remove secrets once they are no longer needed, preventing sensitive data from persisting in the environment. |
| secretmanager.secrets.get | View secret metadata. This allows the system to verify the configuration and existence of secrets used by the scanner without revealing the payload. |
| secretmanager.secrets.list | List secrets. This provides visibility into the secrets managed within the project, allowing the system to identify those related to scanning operations. |
| secretmanager.versions.add | Add a new secret version. This allows the system to update the stored secret value, for example, when rotating temporary credentials for a new scan. |
The following GCP permissions are granted by the Monitored project (customer-granted) role.
| Permission | Description |
|---|---|
| cloudsql.instances.connect | Connect to a Cloud SQL instance. This permission allows the scanner to establish a connection to the database instance to perform data scanning and classification. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.instances.createTagBinding | Apply tags to a Cloud SQL instance. This is used to tag temporary instances created for scanning, facilitating resource tracking, cost allocation, and automated cleanup. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.instances.deleteTagBinding | Remove tags from a Cloud SQL instance. This is used during the lifecycle management of the temporary scanning instance to update or clean up metadata. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.instances.listTagBindings | List tags on a Cloud SQL instance. This is used to verify that the correct tags are applied to the temporary scanning instance for tracking purposes. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.instances.login | Log into a Cloud SQL instance. This permission is required for the scanner to authenticate to the database and access the data for classification. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.instances.restart | Restart a Cloud SQL instance. This is used during the instance restore workflow to apply configurations or recover the temporary instance if needed. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.users.create | Create a new user. This is used to create a temporary service user on the restored Cloud SQL instance, granting the scanner access to the data. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.users.delete | Delete a user. This allows for the removal of the temporary service user from the Cloud SQL instance after the scan is complete. This runtime permission is needed at the monitored project level, not at the outpost project. |
| cloudsql.users.get | Retrieve user details. This allows the system to verify that the temporary user has been correctly created on the instance and has the appropriate attributes. This runtime permission is needed at the monitored project level, not at the outpost project. |
| roles/bigtable.admin | Grant full administrative control over Bigtable instances and clusters. This is required to manage the lifecycle of Bigtable resources used during data classification and analysis, including the creation and deletion of temporary backups. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.secrets.update | Update secret metadata. This is used to modify labels or settings on secrets, such as marking them for replication or tracking ownership. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.access | Access secret payloads. This permission allows the scanner to retrieve the actual sensitive value (e.g., a password) stored in a secret version to authenticate against a target. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.destroy | Destroy a secret version. This permanently removes a specific version of a secret payload, ensuring that old credentials cannot be recovered. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.disable | Disable a secret version. This makes a specific version of a secret inaccessible, which can be used to revoke access to old credentials immediately. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.enable | Enable a secret version. This allows a previously disabled secret version to be accessed again if necessary for a specific operation. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.get | View secret version metadata. This allows the system to check the state (enabled/disabled) of a secret version before attempting to access it. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.list | List secret versions. This provides a history of the values stored in a secret, allowing for management of version lifecycle and cleanup. This runtime permission is needed at the monitored project level, not at the outpost project. |
The following GCP permissions are granted by the roles/bigtable.reader role.
| Permission | Description |
|---|---|
| roles/bigtable.reader | Read all data and metadata from Bigtable tables. This permission enables Data Security Posture Management (DSPM) scanners to access and classify data residing in Bigtable instances within the customer environment. |
The following GCP permissions are granted by the roles/cloudkms.cryptoKeyEncrypterDecrypter role.
| Permission | Description |
|---|---|
| roles/cloudkms.cryptoKeyEncrypterDecrypter | Encrypt and decrypt data using Cloud KMS keys. This is essential for the DSPM scanner VM to handle encrypted data securely during scanning operations and to ensure communication artifacts remain protected. |
The following GCP permissions are granted by the roles/cloudkms.viewer role.
| Permission | Description |
|---|---|
| roles/cloudkms.viewer | Read metadata of cryptographic keys and key rings. This allows the scanner VM to identify and validate the keys required for encryption operations, ensuring the correct keys are used for data protection. |
The following GCP permissions are granted by the roles/cloudsql.client role.
| Permission | Description |
|---|---|
| roles/cloudsql.client | Connect to and execute data operations on Cloud SQL databases. This allows the scanner to authenticate and interact with Cloud SQL instances to perform security assessments and data classification. |
The following GCP permissions are granted by the roles/secretmanager.secretAccessor role.
| Permission | Description |
|---|---|
| roles/secretmanager.secretAccessor | Read secret values from Secret Manager. This permission allows the DSPM scanner or container registry scanner to retrieve credentials needed to access Cloud SQL databases, customer container registries, or other protected resources. |
The following GCP permissions are granted by the roles/servicenetworking.serviceAgent role.
| Permission | Description |
|---|---|
| roles/servicenetworking.serviceAgent | Manage private service networking connections. This is required to establish Private Service Access, enabling DSPM to connect securely to Cloud SQL instances. |
The following IAM roles are required for the Registry module.
The following GCP permissions are granted by the dspmSecretManager role.
| Permission | Description |
|---|---|
| secretmanager.secrets.create | Create a new secret. This is used to securely store credentials or configuration data required by the scanner, such as temporary database passwords, to connect to scan targets. |
| secretmanager.secrets.delete | Delete a secret. This allows the system to clean up and remove secrets once they are no longer needed, preventing sensitive data from persisting in the environment. |
| secretmanager.secrets.get | View secret metadata. This allows the system to verify the configuration and existence of secrets used by the scanner without revealing the payload. |
| secretmanager.secrets.list | List secrets. This provides visibility into the secrets managed within the project, allowing the system to identify those related to scanning operations. |
| secretmanager.versions.add | Add a new secret version. This allows the system to update the stored secret value, for example, when rotating temporary credentials for a new scan. |
The following GCP permissions are granted by the Monitored project (customer-granted) role.
| Permission | Description |
|---|---|
| secretmanager.secrets.update | Update secret metadata. This is used to modify labels or settings on secrets, such as marking them for replication or tracking ownership. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.access | Access secret payloads. This permission allows the scanner to retrieve the actual sensitive value (e.g., a password) stored in a secret version to authenticate against a target. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.destroy | Destroy a secret version. This permanently removes a specific version of a secret payload, ensuring that old credentials cannot be recovered. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.disable | Disable a secret version. This makes a specific version of a secret inaccessible, which can be used to revoke access to old credentials immediately. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.enable | Enable a secret version. This allows a previously disabled secret version to be accessed again if necessary for a specific operation. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.get | View secret version metadata. This allows the system to check the state (enabled/disabled) of a secret version before attempting to access it. This runtime permission is needed at the monitored project level, not at the outpost project. |
| secretmanager.versions.list | List secret versions. This provides a history of the values stored in a secret, allowing for management of version lifecycle and cleanup. This runtime permission is needed at the monitored project level, not at the outpost project. |
The following GCP permissions are granted by the roles/secretmanager.secretAccessor role.
| Permission | Description |
|---|---|
| roles/secretmanager.secretAccessor | Read secret values from Secret Manager. This permission allows the DSPM scanner or container registry scanner to retrieve credentials needed to access Cloud SQL databases, customer container registries, or other protected resources. |