List of Google Cloud Platform (GCP) permissions for use during Cortex XDR onboarding to enable continuous monitoring in your cloud environment.
Notice
Requires a Cortex XDR license that has the Cloud Posture Security or Cloud Runtime Security add-on.
When onboarding Google Cloud Platform (GCP), Cortex XDR creates an authentication template that requests the permissions needed for monitoring your cloud environment. Permissions are organized by security capability, then by the role that contains them. Each role lists its assignment scope and the specific permissions it grants:
Each role is bound at the scope you configure during onboarding (organization, folder, or project), with the following exceptions:
The audit-log Pub/Sub publisher and subscriber roles (
roles/pubsub.publisher,roles/pubsub.subscriber) are bound only to the single Pub/Sub topic and subscription Cortex creates in the host project, not at the onboarding scope.The
roles/iam.serviceAccountTokenCreatorimpersonation grants are bound on individual Cortex service-account resources (one binding per SA, not at the onboarding scope).For folder (
ACCOUNT_GROUP) onboardings only, theroles/iam.organizationRoleViewerbuilt-in role is bound at the organization level so that Cortex can read organization-level custom-role definitions.Agentless Disk Scanning permissions are further restricted by an IAM Condition that limits their effect to Compute Engine snapshots and disks whose names start with
cortex-scan-. The condition applies regardless of whether the binding resource itself is at project, folder, or organization level.
These permissions grant read-only access across Google Cloud services, enabling Cortex XDR to build a comprehensive inventory of your GCP assets, configurations, and security posture. They are bundled into a single custom role, CortexPlatformCloudViewer, created during onboarding in your Google Cloud environment, together with some Google-managed built-in roles.
CortexPlatformCloudViewerEach permission in this role applies only to the Google Cloud resource type named in it.
Permission | Purpose |
|---|---|
accesscontextmanager.accessLevels.list | List Access Context Manager (GCP ACM) access levels. Cortex uses this permission to inventory access policies and perimeters to assess the security posture of the network boundary. |
accesscontextmanager.accessPolicies.list | List Access Context Manager (GCP ACM) policies. Cortex uses this permission to retrieve organization-level access policies for security compliance monitoring. |
accesscontextmanager.servicePerimeters.list | List Access Context Manager (GCP ACM) service perimeters. Cortex uses this permission to map service perimeters and identify potential data exfiltration risks. |
aiplatform.batchPredictionJobs.list | List AI Platform batch prediction jobs. Cortex uses this permission to inventory AI workloads and monitor for anomalous or unauthorized batch processing activities. |
aiplatform.nasJobs.list | List AI Platform Neural Architecture Search (NAS) jobs. Cortex uses this permission to discover and audit AI model search jobs within the environment. |
analyticshub.dataExchanges.list | List Analytics Hub data exchanges. Cortex uses this permission to identify data sharing configurations and assess risks associated with external data exchange. |
analyticshub.listings.getIamPolicy | Retrieve the IAM policy for Analytics Hub listings. Cortex uses this permission to analyze access controls on data listings and detect overly permissive configurations. |
analyticshub.listings.list | List Analytics Hub listings. Cortex uses this permission to inventory published data listings and verify their visibility settings. |
apigateway.apis.list | List API Gateway APIs for asset discovery. |
apigateway.locations.get | Get API Gateway location information for asset discovery. |
backupdr.backupPlanAssociations.list | List Backup DR plan associations for asset discovery. |
backupdr.backupPlans.list | List Backup DR plans for asset discovery. |
backupdr.backupVaults.list | List Backup DR vaults for asset discovery. |
baremetalsolution.instances.list | List Bare Metal Solution instances. Cortex uses this permission to discover bare metal compute resources and include them in the comprehensive asset inventory. |
baremetalsolution.luns.list | List Bare Metal Solution LUNs (Logical Unit Numbers). Cortex uses this permission to inventory storage resources associated with bare metal instances. |
baremetalsolution.networks.list | List Bare Metal Solution networks. Cortex uses this permission to map the network topology of bare metal environments for security assessment. |
baremetalsolution.nfsshares.list | List Bare Metal Solution NFS shares. Cortex uses this permission to inventory network file storage and check for insecure configurations. |
baremetalsolution.volumes.list | List Bare Metal Solution volumes. Cortex uses this permission to discover storage volumes attached to bare metal instances. |
bigquery.bireservations.get | Retrieve BigQuery BI Engine reservation configurations. Cortex uses this permission to understand capacity allocations for security posture management and data classification. |
bigquery.dataPolicies.list | List BigQuery data policies for security posture. |
bigquery.reservations.list | List BigQuery reservations for asset discovery. |
bigquery.tables.get | Retrieve metadata for BigQuery tables. Cortex uses this permission to inventory data warehouse assets and assess their schema and configuration settings for classification purposes. |
bigtable.appProfiles.list | List Bigtable app profiles for asset discovery. |
bigtable.backups.getIamPolicy | Get IAM policy on Bigtable backups for security posture. |
bigtable.backups.list | List Bigtable backups for asset discovery. |
bigtable.clusters.list | List Bigtable clusters for asset discovery. |
bigtable.instances.get | Get Bigtable instance metadata for asset discovery. |
bigtable.instances.getIamPolicy | Get IAM policy on Bigtable instances for security posture. |
bigtable.instances.list | List Bigtable instances for asset discovery. |
clientauthconfig.clients.listWithSecrets | List client authentication configurations with secrets. Cortex uses this permission to inventory OAuth clients and IAP settings, ensuring secure application access. |
cloudscheduler.jobs.list | List Cloud Scheduler jobs. Cortex uses this permission to discover scheduled tasks and monitor for unauthorized or suspicious automated jobs. |
cloudsecurityscanner.scans.list | List Cloud Security Scanner scans. Cortex uses this permission to retrieve results from existing security scans and correlate them with other security findings. |
cloudtasks.queues.list | List Cloud Tasks queues. Cortex uses this permission to inventory task queues and assess the security of asynchronous task execution flows. |
cloudtasks.tasks.list | List Cloud Tasks for asset discovery. |
composer.imageversions.list | List Cloud Composer image versions. Cortex uses this permission to check for outdated or vulnerable environment images in managed Airflow instances. |
compute.reservations.getIamPolicy | Retrieve the IAM policy for Compute Engine reservations. Cortex uses this permission to analyze access controls on reserved compute capacity. |
connectors.customConnectors.list | List custom connectors for asset discovery. |
connectors.endpointAttachments.list | List connector endpoint attachments for asset discovery. |
connectors.locations.list | List connector locations for asset discovery. |
connectors.managedZones.list | List connector managed zones for asset discovery. |
connectors.providers.list | List connector providers for asset discovery. |
datacatalog.catalogs.searchAll | Search all Data Catalog entries for asset discovery. |
dataflow.jobs.list | List Dataflow jobs for asset discovery. |
datamigration.connectionprofiles.getIamPolicy | Retrieve the IAM policy for data migration connection profiles. Cortex uses this permission to audit access permissions on database connection credentials. |
datamigration.connectionprofiles.list | List data migration connection profiles. Cortex uses this permission to inventory database connection settings used in migration workflows. |
datamigration.conversionworkspaces.getIamPolicy | Retrieve the IAM policy for data migration conversion workspaces. Cortex uses this permission to assess security controls on database schema conversion environments. |
datamigration.conversionworkspaces.list | List data migration conversion workspaces. Cortex uses this permission to discover active database conversion projects and their associated resources. |
datamigration.migrationjobs.getIamPolicy | Retrieve the IAM policy for data migration jobs. Cortex uses this permission to ensure that only authorized users can manage critical database migration tasks. |
datamigration.migrationjobs.list | List data migration jobs. Cortex uses this permission to monitor ongoing database migrations and identify potential security risks during data transfer. |
datamigration.privateconnections.getIamPolicy | Retrieve the access policy for Database Migration Service private connections. Cortex uses this permission to verify that private connectivity is securely configured. |
datamigration.privateconnections.list | List data migration private connections. Cortex uses this permission to inventory private network paths established for database migrations. |
datapipelines.pipelines.list | List Data Pipelines for asset discovery. |
dataproc.batches.list | List Dataproc batches for asset discovery. |
dataproc.sessions.list | List Dataproc sessions for asset discovery. |
dataproc.sessionTemplates.list | List Dataproc session templates for asset discovery. |
deploymentmanager.deployments.getIamPolicy | Retrieve the IAM policy for Deployment Manager deployments. Cortex uses this permission to analyze access controls on infrastructure-as-code deployments. |
firebaserules.rulesets.get | Retrieve Firebase security rulesets. Cortex uses this permission to inspect the rules governing access to Firebase data and storage. |
iam.workforcePools.list | List workforce identity pools. Cortex uses this permission to discover external identity configurations and assess federation security. |
iam.workloadIdentityPoolProviders.list | List workload identity pool providers. Cortex uses this permission to inventory external identity providers federated with Google Cloud resources. |
iam.workloadIdentityPools.list | List workload identity pools. Cortex uses this permission to identify and audit configurations for workload identity federation. |
iap.projects.getSettings | Get IAP project settings for security posture. |
logging.cmekSettings.get | Retrieve CMEK (Customer-Managed Encryption Key) settings for logging. Cortex uses this permission to verify that logs are encrypted according to compliance requirements. |
looker.instances.list | List Looker instances for asset discovery. |
networkservices.meshes.getIamPolicy | Retrieve the IAM policy for service meshes. Cortex uses this permission to audit access controls on application networking infrastructure. |
notebooks.locations.list | List locations available for Vertex AI Notebooks. Cortex uses this permission to map regional deployments of notebook instances. |
notebooks.schedules.list | List schedules for Vertex AI Notebooks. Cortex uses this permission to monitor automated execution of notebook environments. |
osconfig.patchDeployments.list | List OS Config patch deployments for posture assessment. |
osconfig.projectFeatureSettings.get | Get OS Config project feature settings for posture assessment. |
pubsub.subscriptions.getIamPolicy | Retrieve the IAM policy for Pub/Sub subscriptions. Cortex uses this permission to analyze access controls on message subscriptions and detect insecure configurations. |
pubsub.topics.getIamPolicy | Retrieve the IAM policy for Pub/Sub topics. Cortex uses this permission to audit who can publish or manage messaging topics. |
redis.clusters.list | List Redis clusters for asset discovery. |
resourcemanager.folders.get | Retrieve metadata for folders. Cortex uses this permission to map the resource hierarchy and understand the organizational structure. |
resourcemanager.folders.getIamPolicy | Retrieve the IAM policy for folders. Cortex uses this permission to analyze inherited permissions and access controls at the folder level. |
resourcemanager.organizations.get | Retrieve metadata for the organization. Cortex uses this permission to validate the root of the resource hierarchy and organizational settings. |
resourcemanager.organizations.getIamPolicy | Retrieve the IAM policy for the organization. Cortex uses this permission to audit organization-wide access controls and detect excessive privileges. |
resourcemanager.projects.get | Get project metadata for asset inventory. |
resourcemanager.projects.list | List projects within the organization. Cortex uses this permission to discover all projects in scope for security monitoring and asset inventory. |
resourcemanager.tagKeys.list | List tag keys. Cortex uses this permission to inventory available tags for resource categorization and policy enforcement. |
run.jobs.getIamPolicy | Retrieve the IAM policy for Cloud Run jobs. Cortex uses this permission to analyze access controls on serverless jobs and identify security gaps. |
run.jobs.list | List Cloud Run jobs. Cortex uses this permission to inventory serverless job definitions and monitor their configuration. |
run.services.list | List Cloud Run services. Cortex uses this permission to discover active serverless services and assess their exposure. |
servicemanagement.services.bind | Bind managed services for service inventory and posture assessment. |
servicemanagement.services.getIamPolicy | Get IAM policy on managed services for security posture. |
serviceusage.services.use | Use Google Cloud services as the API consumer in a project. This permission is required by Google's Service Usage API to make calls to enabled services when the calling identity (a service account) is hosted in a different project than the target project. It does not grant access to any resource data. Access to data is controlled by the individual service-specific permissions listed in this table. |
storage.buckets.get | Retrieves metadata of a Cloud Storage bucket. Cortex uses this permission to analyze bucket configurations, such as encryption and logging settings. |
storage.buckets.getIamPolicy | Retrieves the IAM policy of a Cloud Storage bucket. Cortex uses this permission to assess bucket access controls and detect public or overly permissive settings. |
storage.buckets.list | Lists Cloud Storage buckets. Cortex uses this permission to discover all storage containers in the project for inventory and security monitoring. |
storage.buckets.listEffectiveTags | List effective tags on Cloud Storage buckets. Cortex uses this permission to verify tag inheritance and policy enforcement on storage assets. |
storage.buckets.listTagBindings | List tag bindings on Cloud Storage buckets. Cortex uses this permission to audit direct tag assignments for asset management and security policy compliance. |
storage.objects.getIamPolicy | Retrieves the IAM policy of Cloud Storage objects. Cortex uses this permission to analyze fine-grained access controls on individual files and detect security risks. |
tpu.nodes.list | List TPU nodes for asset discovery. |
roles/viewer (Built-in role, managed by GCP)Grants Cortex broad read-only access across all Google Cloud services, used to build a comprehensive inventory of resources within the onboarded scope.
roles/cloudfunctions.viewer (Built-in role, managed by GCP)Grants Cortex read access to the configuration and metadata of Cloud Functions, used for inventory collection and security posture assessment of serverless functions.
roles/container.clusterViewer (Built-in role, managed by GCP)Grants Cortex read access to the configuration and status of Google Kubernetes Engine (GKE) clusters, used to assess the security posture of Kubernetes environments.
roles/firebaserules.viewer (Built-in role, managed by GCP)Grants Cortex read access to the configuration and contents of Firebase Security Rules, used to evaluate the security of Firebase database access controls.
roles/iam.organizationRoleViewer (Built-in role, managed by GCP)Grants Cortex read access to organization-level role definitions so it can analyze custom roles defined at the organization level for security risks. This role is supported only at the organization onboarding scope.
roles/iam.serviceAccountTokenCreator (Built-in role, managed by GCP)Binding scope: The single cortex_service_account (Cortex platform service account, named crtx-<resource_suffix> in the host project). The binding is created as a Terraform google_service_account_iam_member resource and is not propagated to the organization, folder, or project.
Grantee: The Cortex outpost service account.
Purpose: Allows the Cortex outpost service account to create short-lived OAuth tokens for the platform service account, so that the outpost can perform delegated Discovery Engine API calls without requiring a long-lived service-account key.
roles/resourcemanager.folderViewer (Built-in role, managed by GCP)Grants Cortex read access to folder metadata and hierarchy so it can map the folder structure and identify resources within folders. This role is supported only at the organization or folder onboarding scope.
roles/storage.objectViewer (Built-in role, managed by GCP)Grants Cortex read access to the data and metadata of objects in Cloud Storage buckets, allowing it to inventory stored files and assess their content without modification capabilities.
These permissions allow Cortex XDR to ingest Google Cloud audit logs for threat detection and investigation. The roles below are Google-managed built-in roles.
roles/iam.serviceAccountTokenCreator (Built-in role, managed by GCP)Binding scope: The single auditlogs_service_account (named crtx-al-<resource_suffix> in the host project). The binding is created as a Terraform google_service_account_iam_member resource and is not propagated to the organization, folder, or project.
Grantee: The Cortex SaaS audit-logs collector service account.
Purpose: Allows the Cortex SaaS audit-logs collector to create short-lived OAuth tokens for the audit-logs service account, so that the SaaS collector can pull from the Cortex-owned Pub/Sub subscription without requiring a long-lived service-account key.
roles/pubsub.publisher (Built-in role, managed by GCP)Grants permission to publish messages to the Cortex audit logs Pub/Sub topic. Cortex assigns this built-in role to the Cloud Logging sink writer identity so that audit log entries are forwarded to the dedicated Pub/Sub topic for ingestion. Access is scoped to the specific topic created during onboarding.
roles/pubsub.subscriber (Built-in role, managed by GCP)Grants Cortex the ability to consume messages from a Pub/Sub subscription, enabling the Cortex audit logs service account to ingest audit log messages from the specific subscription created during onboarding.
These permissions allow Cortex XDR to perform agentless vulnerability scanning of GCP Compute Engine disks without ever accessing the live instance or the data on it. During a scan, Cortex creates a temporary point-in-time snapshot, mounts it read-only on a Cortex scanner VM, and deletes it when the scan completes. The permissions are bundled into two custom roles created during onboarding in your Google Cloud environment: ADSConnectorRole, used by the Cortex service account to create, label, and delete the temporary resources, and ADSOutpostRole, used by the Cortex outpost scanner to attach snapshots in read-only mode.
Every permission under this capability is restricted by an IAM condition that limits its effect to Compute Engine disks and snapshots whose names start with the cortex-scan- prefix. Cortex cannot read, modify, or delete any disk or snapshot that does not carry this prefix, including your existing production resources. The exact condition expression applied to each binding is: (resource.name.extract("snapshots/{end}").startsWith("cortex-scan-") || resource.name.extract("disks/{end}").startsWith("cortex-scan-")) && resource.service == "compute.googleapis.com"
ADSConnectorRolePermission | Purpose |
|---|---|
compute.disks.create | Create Compute Engine disks. Cortex uses this permission to create temporary disks from snapshots during the agentless scanning process. These disks are prefixed with |
compute.disks.delete | Delete Compute Engine disks. Cortex uses this permission to clean up temporary disks created during the agentless scanning process, ensuring no residual resources remain in the environment. |
compute.disks.get | Retrieve metadata for Compute Engine disks. Cortex uses this permission to verify the properties and status of temporary disks (prefixed with |
compute.disks.setLabels | Set labels on Compute Engine disks. Cortex uses this permission to tag temporary scanning disks for cost visibility, identification, and lifecycle management. |
compute.images.get | Retrieve metadata for Compute Engine images. Cortex uses this permission to access image information required to create temporary disks during the scanning process. |
compute.snapshots.create | Create Compute Engine snapshots. Cortex uses this permission to generate point-in-time snapshots of VM disks for agentless security scanning. Snapshots are prefixed with |
compute.snapshots.delete | Delete Compute Engine snapshots. Cortex uses this permission to clean up temporary snapshots after scanning is complete, ensuring no residual data remains in the environment. |
compute.snapshots.get | Retrieve metadata for Compute Engine snapshots. Cortex uses this permission to monitor snapshot creation status and verify properties during the scanning workflow. |
compute.snapshots.setLabels | Set labels on Compute Engine snapshots. Cortex uses this permission to tag temporary scanning snapshots for cost visibility, tracking, and automated cleanup. |
ADSOutpostRolePermission | Purpose |
|---|---|
compute.snapshots.useReadOnly | Attach a snapshot to a scanner VM in read-only mode. This permission allows the Outpost service account to inspect snapshot contents for security analysis without modifying the original data. |
These permissions allow Cortex XDR to perform vulnerability and code scanning of GCP serverless workloads by reading Cloud Function metadata, downloading function source code, and retrieving the corresponding deployment objects from Cloud Storage. They are bundled into a custom role, OutpostServerlessScannerConnectorRole, created during onboarding in your Google Cloud environment.
OutpostServerlessScannerConnectorRoleEach permission for this role applies only to the Cloud Functions and Cloud Storage objects within that scope.
Permission | Purpose |
|---|---|
cloudfunctions.functions.get | Retrieve metadata and configuration for Cloud Functions. Cortex uses this permission to obtain function details such as runtime, memory, and timeout for serverless security scanning. |
cloudfunctions.functions.sourceCodeGet | Retrieve the source code of a Cloud Function. Cortex uses this permission to download and inspect function code for vulnerabilities and misconfigurations during serverless scanning. |
storage.objects.get | Retrieve data from Cloud Storage objects. Cortex uses this permission to download function deployment packages and source code stored in buckets for security analysis. |
roles/iam.serviceAccountTokenCreator (Built-in role, managed by GCP)Binding scope: The single outpost_scanner_service_account (named ctsc-<resource_suffix> in the host project). The binding is created as a Terraform google_service_account_iam_member resource and is not propagated to the organization, folder, or project.
Grantee: The Cortex serverless scanner service account.
Purpose: Allows the Cortex serverless scanner to create short-lived OAuth tokens for the outpost scanner service account, so that the scanner can perform Cloud Functions source-code reads via the OutpostServerlessScannerConnectorRole without requiring a long-lived service-account key.
These permissions allow Cortex XDR to perform vulnerability scanning of container images stored in Google Artifact Registry (GAR) by pulling images for analysis without modifying the registry or its contents. They are bundled into a custom role, OutpostRegistryScannerConnectorRole, created during onboarding in your Google Cloud environment.
OutpostRegistryScannerConnectorRoleThis role contains a single permission, which applies only to Artifact Registry repositories within that scope.
Permission | Purpose |
|---|---|
artifactregistry.repositories.downloadArtifacts | Download artifacts (container images, packages) from Artifact Registry repositories. Cortex uses this permission to pull container images for security scanning, enabling vulnerability detection and compliance assessment of container workloads stored in your registry. |
roles/iam.serviceAccountTokenCreator (Built-in role, managed by GCP)Binding scope: The single outpost_scanner_service_account (named ctsc-<resource_suffix> in the host project). The binding is created as a Terraform google_service_account_iam_member resource and is not propagated to the organization, folder, or project.
Grantee: The Cortex registry scanner service account.
Purpose: Allows the Cortex registry scanner to create short-lived OAuth tokens for the outpost scanner service account, so that the scanner can pull Artifact Registry container images via the OutpostRegistryScannerConnectorRole without requiring a long-lived service-account key.
These permissions allow Cortex XDR to discover and classify data stored in BigQuery, Bigtable, Cloud SQL, and Cloud Storage by reading table data, creating temporary backups, and downloading artifacts from Artifact Registry. They are bundled into three custom roles created during onboarding in your Google Cloud environment. DSPMConnectorRole is used by the Cortex service account to enumerate and prepare data resources, DSPMOutpostRole is used by the Cortex outpost scanner to read and classify data content, and OutpostDSPMScannerConnectorRole is used by the off-host scanner service account to perform isolated Bigtable read operations.
DSPMConnectorRolePermission | Purpose |
|---|---|
bigquery.tables.get | Retrieves BigQuery table metadata. Cortex uses this permission to access table schemas and configurations for data security assessment. |
bigquery.tables.list | List BigQuery tables. Cortex uses this permission to discover and inventory tables for comprehensive data classification and security assessment. |
bigtable.backups.create | Create Bigtable backups. Cortex uses this permission to generate temporary backups for secure data scanning without impacting production workloads. |
bigtable.backups.delete | Delete Bigtable backups. Cortex uses this permission to clean up temporary backups created during the data security scanning process. |
bigtable.backups.get | Retrieve Bigtable backup metadata. Cortex uses this permission to access backup details and properties for data security assessment. |
bigtable.backups.list | List Bigtable backups. Cortex uses this permission to discover and inventory backups for standard cloud, outpost, and scanner-based deployments. |
bigtable.clusters.get | Retrieve Bigtable cluster metadata. Cortex uses this permission to access cluster configurations and settings for data security assessment. |
bigtable.clusters.list | List Bigtable clusters. Cortex uses this permission to discover cluster deployments for infrastructure inventory and security assessment. |
bigtable.instances.get | Retrieve Bigtable instance metadata. Cortex uses this permission to access instance settings and configurations for data security assessment. |
bigtable.instances.list | List Bigtable instances. Cortex uses this permission to discover and inventory database instances for comprehensive security assessment. |
bigtable.tables.get | Retrieve Bigtable table metadata. Cortex uses this permission to access table schemas and configurations for data security assessment. |
bigtable.tables.list | List Bigtable tables. Cortex uses this permission to discover and inventory tables for comprehensive data asset classification. |
bigtable.tables.readRows | Read Bigtable table rows for data security posture management (DSPM) data classification. |
cloudsql.backupRuns.create | Create Cloud SQL backup runs. Cortex uses this permission to generate temporary backups for secure database scanning without impacting production workloads. |
cloudsql.backupRuns.delete | Delete Cloud SQL backup runs. Cortex uses this permission to clean up temporary backups created during the data security scanning process. |
cloudsql.backupRuns.get | Retrieve Cloud SQL backup run metadata. Cortex uses this permission to access backup status and details for data security assessment. |
cloudsql.backupRuns.list | List Cloud SQL backup runs. Cortex uses this permission to discover and inventory backups for classification purposes. |
DSPMOutpostRolePermission | Purpose |
|---|---|
bigquery.bireservations.get | Retrieve BigQuery BI Engine reservation configurations. Cortex uses this permission to understand capacity allocations for security posture management and data classification. |
bigquery.capacityCommitments.get | Retrieve BigQuery capacity commitment details. Cortex uses this permission to analyze slot reservations and infrastructure settings for data security assessment. |
bigquery.capacityCommitments.list | List BigQuery capacity commitments. Cortex uses this permission to discover capacity commitments for comprehensive infrastructure inventory and classification. |
bigquery.config.get | Retrieve BigQuery project-level configurations. Cortex uses this permission to analyze settings and configurations for security posture assessment. |
bigquery.datasets.get | Retrieve BigQuery dataset metadata. Cortex uses this permission to access dataset configurations, such as access controls and encryption settings, for data security assessment. |
bigquery.datasets.getIamPolicy | Retrieve IAM policies for BigQuery datasets. Cortex uses this permission to analyze access controls and permissions for data security posture management. |
bigquery.models.getData | Retrieve BigQuery ML model data. Cortex uses this permission to access and inspect ML model contents for security scanning and data classification. |
bigquery.models.getMetadata | Retrieve BigQuery ML model metadata. Cortex uses this permission to access model configurations and properties for security assessment. |
bigquery.models.list | List BigQuery ML models. Cortex uses this permission to discover and inventory ML models for comprehensive data security assessment. |
bigquery.routines.get | Retrieve BigQuery routine definitions. Cortex uses this permission to analyze stored procedures and functions for security assessment and classification. |
bigquery.routines.list | List BigQuery routines. Cortex uses this permission to discover stored procedures and functions for data asset inventory and classification. |
bigquery.tables.export | Export BigQuery table data. Cortex uses this permission to extract data samples for sensitive data classification and security scanning. |
bigquery.tables.get | Retrieves BigQuery table metadata. Cortex uses this permission to access table schemas and configurations for data security assessment. |
bigquery.tables.getData | Retrieve BigQuery table data. Cortex uses this permission to access and inspect table contents for sensitive data discovery and classification. |
bigquery.tables.getIamPolicy | Retrieve IAM policies for BigQuery tables. Cortex uses this permission to analyze fine-grained access controls and permissions for data security posture management. |
bigquery.tables.list | List BigQuery tables. Cortex uses this permission to discover and inventory tables for comprehensive data classification and security assessment. |
bigtable.backups.get | Retrieve Bigtable backup metadata. Cortex uses this permission on the outpost service account to verify backup status and properties before classification scans. |
bigtable.backups.list | List Bigtable backups. Cortex uses this permission on the outpost service account to discover available backups for data security posture management. |
bigtable.backups.restore | Restore Bigtable backups. Cortex uses this permission to restore backups to temporary tables for secure data scanning and classification. |
bigtable.tables.list | List Bigtable tables. Cortex uses this permission to discover and inventory tables for comprehensive data asset classification. |
cloudsql.backupRuns.get | Retrieve Cloud SQL backup run metadata. Cortex uses this permission to access backup status and details for data security assessment. |
OutpostDSPMScannerConnectorRolePermission | Purpose |
|---|---|
bigtable.instances.get | Retrieve Bigtable instance metadata from the Outpost scanner runner. Cortex grants this permission to the scanner service account (impersonated via the DSPM scanner service account) so that the off-host scanner can locate the target instance before reading rows for data classification, without granting the scanner direct access to the broader Cortex platform role. |
bigtable.tables.get | Retrieve Bigtable table metadata (schema, column families) from the Outpost scanner runner. Cortex uses this on the scanner-side service account so that table layout can be inspected immediately before row reads, keeping the role surface area of the platform service account smaller. |
bigtable.tables.readRows | Read row data from Bigtable tables for sensitive-data classification. Cortex grants this permission to the Outpost scanner-side service account only, so that the production-data read path is isolated from the connector / control-plane service account. |
roles/iam.serviceAccountTokenCreator (Built-in role, managed by GCP)Binding scope: The single outpost_scanner_service_account (named ctsc-<resource_suffix> in the host project). The binding is created as a Terraform google_service_account_iam_member resource and is not propagated to the organization, folder, or project.
Grantee: The Cortex DSPM scanner service account.
Purpose: Allows the Cortex DSPM scanner to create short-lived OAuth tokens for the outpost scanner service account, so that the DSPM scanner can perform Bigtable row reads and other data-classification operations via the OutpostDSPMScannerConnectorRole without requiring a long-lived service-account key.
roles/storage.objectViewer (Built-in role, managed by GCP)Grants Cortex read access to the data and metadata of objects in Cloud Storage buckets. Cortex grants this built-in role to the Outpost scanner service account so the scanner can read object contents for data security posture management and sensitive-data classification.
These permissions enable Cortex XDR to execute remediation and response actions across GCP services, including Compute Engine, Cloud Storage, GKE, Cloud Identity, and Cloud Asset Inventory. Each permission is mapped to the specific pack command that requires it. They are bundled into a custom role, AutomationRole, created during onboarding in your Google Cloud environment.
Note
Unified Cortex platform cloud content packs require a specific set of automation permissions to enable full integration with your cloud environment. Before configuring access for these packs, review the automation permission scope guidelines.
AutomationRolePermission | Purpose |
|---|---|
bigquery.datasets.get | Retrieve BigQuery dataset metadata. Cortex uses this permission to access dataset configurations, such as access controls and encryption settings, for data security assessment. |
bigquery.datasets.getIamPolicy | Retrieve IAM policies for BigQuery datasets. Cortex uses this permission to analyze access controls and permissions for data security posture management. |
bigquery.datasets.setIamPolicy | Set IAM policies on BigQuery datasets. Cortex uses this permission for remediation automation to modify dataset access controls and fix security policy violations. |
bigquery.datasets.update | Update BigQuery dataset configurations. Cortex uses this permission for remediation automation to modify dataset settings and fix security misconfigurations. |
cloudasset.assets.searchAllResources | Search and retrieves metadata for all Google Cloud resources (VMs, buckets, networks, and so on) within a specified scope. Cortex uses this permission to discover and inventory cloud assets across the GCP environment for automation workflows and security posture assessment. |
compute.firewalls.create | Create firewall rules in Compute Engine. Cortex uses this permission to implement automated remediation actions, such as blocking malicious traffic or isolating compromised resources during incident response. |
compute.firewalls.get | Retrieve firewall rule configurations. Cortex uses this permission to inspect existing firewall rules when evaluating security posture or preparing automated remediation actions. |
compute.firewalls.list | List all firewall rules in a project. Cortex uses this permission to enumerate firewall configurations for security analysis and to identify rules that may need modification during automation workflows. |
compute.firewalls.update | Modify existing firewall rules. Cortex uses this permission to update firewall configurations as part of automated remediation, such as tightening rules or blocking specific IP ranges. |
compute.images.get | Retrieves Compute Engine image metadata. Cortex uses this permission to analyze VM configurations and prepare automation actions involving instance management. |
compute.instanceGroups.get | Retrieve instance group configurations. Cortex uses this permission to understand instance group membership and settings when performing automation actions. |
compute.instances.get | Retrieve VM instance details. Cortex uses this permission to obtain instance configurations, status, and metadata for security analysis and to prepare targeted automation actions. |
compute.instances.list | List all VM instances in a project. Cortex uses this permission to enumerate compute resources for asset inventory, security posture assessment, and to identify instances requiring automated remediation. |
compute.instances.setLabels | Set labels on VM instances. Cortex uses this permission to tag instances during automation workflows, such as marking compromised instances or tracking remediation status. |
compute.instances.setMetadata | Modify instance metadata. Cortex uses this permission to update instance metadata as part of automation actions, such as configuring security-related settings or applying remediation configurations. |
compute.instances.setServiceAccount | Change the service account attached to an instance. Cortex uses this permission for automated remediation to reduce privileges or isolate a compromised workload. |
compute.instances.setTags | Set network tags on VM instances. Cortex uses this permission to modify instance network tags during automation, enabling or restricting firewall rule application as part of security remediation. |
compute.instances.start | Start stopped VM instances. Cortex uses this permission to restart instances as part of automated recovery workflows after remediation actions have been completed. |
compute.instances.stop | Stop running VM instances. Cortex uses this permission to halt compromised or vulnerable instances as an immediate containment action during automated incident response. |
compute.networks.create | Create VPC networks. Cortex uses this permission for automation scenarios that require network isolation, such as creating quarantine networks for compromised resources. |
compute.networks.get | Retrieve VPC network configurations. Cortex uses this permission to analyze network topology and settings when evaluating security posture or preparing network-related automation actions. |
compute.networks.list | List all VPC networks in a project. Cortex uses this permission to enumerate network resources for security analysis and to identify networks that may be affected by automation workflows. |
compute.networks.updatePolicy | Update network policies. Cortex uses this permission to modify network-level security policies as part of automated remediation, such as enabling or configuring network security features. |
compute.regions.get | Retrieve region information. Cortex uses this permission to obtain regional configuration details when performing automation actions that are region-specific. |
compute.snapshots.get | Retrieves snapshot metadata. Cortex uses this permission to inspect existing snapshots when analyzing backup configurations or preparing automation actions related to disk management. |
compute.snapshots.list | List all snapshots in a project. Cortex uses this permission to enumerate snapshots for security analysis and to identify snapshot resources during automation workflows. |
compute.subnetworks.get | Retrieve subnetwork configurations. Cortex uses this permission to analyze subnet settings and IP ranges when evaluating network security or preparing subnet-related automation actions. |
compute.subnetworks.list | List all subnetworks in a project. Cortex uses this permission to enumerate subnet resources for network topology analysis and security posture assessment. |
compute.subnetworks.setPrivateIpGoogleAccess | Enable or disables Private Google Access on subnets. Cortex uses this permission for automated remediation to control whether VMs without external IPs can access Google APIs and services. |
compute.subnetworks.update | Modify subnetwork configurations. Cortex uses this permission to update subnet settings as part of automated remediation, such as modifying IP ranges or enabling security features. |
compute.zones.get | Retrieve zone information. Cortex uses this permission to obtain zone-specific details when performing automation actions that require zone context. |
container.clusters.get | Retrieve GKE cluster configurations. Cortex uses this permission to analyze Kubernetes cluster settings for security posture assessment and to prepare cluster-related automation actions. |
container.clusters.list | List all GKE clusters in a project. Cortex uses this permission to enumerate Kubernetes clusters for asset inventory and to identify clusters that may require security remediation. |
container.clusters.update | Modify GKE cluster configurations. Cortex uses this permission for automated remediation of Kubernetes clusters, such as updating security settings or enabling security features. |
resourcemanager.projects.getIamPolicy | Retrieve project-level IAM policies. Cortex uses this permission to analyze IAM configurations for security assessment and to understand current access controls before performing IAM-related automation. |
resourcemanager.projects.setIamPolicy | Modify project-level IAM policies. Cortex uses this permission for automated IAM remediation, such as removing excessive permissions or revoking access for compromised accounts. |
storage.buckets.get | Retrieve Cloud Storage bucket metadata. Cortex uses this permission to analyze bucket configurations for security assessment, including checking encryption settings and access controls. |
storage.buckets.getIamPolicy | Retrieve bucket-level IAM policies. Cortex uses this permission to analyze bucket access controls for security posture assessment and to identify overly permissive configurations. |
storage.buckets.getIpFilter | Retrieve bucket IP filtering configurations. Cortex uses this permission to analyze network-level access restrictions on buckets for security assessment. |
storage.buckets.list | List all Cloud Storage buckets in a project. Cortex uses this permission to enumerate storage resources for asset inventory and security posture assessment. |
storage.buckets.setIamPolicy | Modify bucket-level IAM policies. Cortex uses this permission for automated remediation of bucket access controls, such as removing public access or restricting permissions. |
storage.buckets.update | Modify bucket configurations. Cortex uses this permission for automated remediation of bucket settings, such as enabling encryption or configuring retention policies. |
storage.objects.getIamPolicy | Retrieve object-level IAM policies. Cortex uses this permission to analyze fine-grained access controls on individual objects for security assessment. |
storage.objects.list | List objects within Cloud Storage buckets. Cortex uses this permission to enumerate bucket contents for security analysis and to identify objects that may require access control remediation. |
These permissions provide the Outpost Scanner with foundational, read-only access to your GCP environment. This enables the secure discovery and analysis of resources for Registry, DSPM, and Serverless scanning without the ability to modify your existing infrastructure.
roles/viewer (Built-in role, managed by GCP)Grant read-only access to all project resources. Cortex uses this built-in role on the outpost scanner service account to discover and inventory cloud resources across the onboarded environment for security posture assessment.