Warning: At minimum, your service account role must be assigned each of the IAM policies required for your sensor operations. Review the Required IAM Policies table to see which functions depend on which IAM policies.
Project-Level Permissions
This approach lets you select which specific projects the sensor monitors. It does not cover logging at the organization level, so any functionality that depends on organization-level permissions will not be enabled.
To grant the service account permission to monitor a project
Important: This process must be followed for every project the GCP Sensor will be monitoring.
- In the Google Cloud Console, go to your project.
- Go to the IAM & admin tab in the navigation pane and click IAM.
- Click Add.
- Enter the name of the service account whose permissions you are editing.
Note: The name of the service account takes the form of an email address and will look like <name-of-sensor-service-account>@<name-of-project>.iam.gserviceaccount.com.
- In the Role field, select the appropriate role for this service account.
- Click Save.
Note: To grant the service account permission to monitor the entire organization, use these same steps but begin by opening the organization instead of the project.
Required IAM Policies
At the organization level, the GCP Sensor needs the specific IAM policies in the following table.
Required IAM Policies at the Organization Level
IAM Policy | Description | Dependency |
---|---|---|
logging.logEntries.list | Allows the sensor to fetch log entries from Stackdriver | Google Cloud Audit Logs for Organizations |
resourcemanager.organizations.get | Allows the sensor to get the details for a specific organization | Application Status, Cloud Audit Logs for Organizations |
At the project level, the GCP Sensor needs the specific IAM policies in the following table.
Required IAM Policies at the Project Level
IAM Policy | Description | Dependency |
---|---|---|
logging.logEntries.list | Allows the sensor to fetch log entries from Stackdriver | Cloud Audit Logs for Projects, Firewall Logs for Projects, VPC Flow Logs for Projects, Stackdriver Agent Logs |
resourcemanager.projects.list | Allows the sensor to access a list of the available projects | Application Status, Asset Inventory, Configuration Issues, Cloud Audit Logs for Projects, Firewall Logs for Projects, VPC Flow Logs for Projects, Stackdriver Agent Logs |
resourcemanager.projects.get | Allows the sensor to fetch the details for a specific project | |
deploymentmanager.deployments.create | Allows the sensor to be created and deployed | Deployment of a sensor |
compute.firewalls.list | Allows the sensor to list the existing firewall rules | Configuration Issues |
compute.firewalls.get | Allows the sensor to get the details for a specific firewall rule | Configuration Issues |
compute.instances.list | Allows the sensor to list the existing virtual machines | Asset Inventory, Configuration Issues |
compute.instances.get | Allows the sensor to get the details for a specific virtual machine | Asset Inventory, Configuration Issues |
compute.zones.list | Allows the sensor to list the available zones | Asset Inventory, Configuration Issues |
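The warning at the top of this page asks you to confirm that the service account's role covers every permission in these tables before relying on the sensor. The following script is an added example, not part of the sensor product or its documentation: it takes an IAM policy in the JSON shape produced by `gcloud projects get-iam-policy --format=json`, a role-to-permission map in the shape of the `includedPermissions` field from `gcloud iam roles describe --format=json`, and reports which required permissions the sensor account is still missing. The project name, account name, custom role and permission lists in the sample data are constructed for the example.

```python
import json

# Permissions taken from the Required IAM Policies tables on this page.
REQUIRED_PROJECT = {
    "logging.logEntries.list", "resourcemanager.projects.list",
    "resourcemanager.projects.get", "deploymentmanager.deployments.create",
    "compute.firewalls.list", "compute.firewalls.get",
    "compute.instances.list", "compute.instances.get", "compute.zones.list",
}
REQUIRED_ORG = {"logging.logEntries.list", "resourcemanager.organizations.get"}


def roles_for_member(policy, member):
    """Roles bound to `member` in a policy shaped like get-iam-policy JSON output."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def effective_permissions(policy, member, role_permissions):
    """Union of the permissions of every role bound to the member.

    Roles that are not present in `role_permissions` cannot be evaluated and are
    returned separately so the caller does not mistake them for coverage.
    """
    perms, unknown = set(), set()
    for role in roles_for_member(policy, member):
        if role in role_permissions:
            perms |= set(role_permissions[role])
        else:
            unknown.add(role)
    return perms, unknown


def check_sensor_account(policy, member, role_permissions, level="project"):
    """Return the required permissions the account lacks at the given level."""
    required = REQUIRED_ORG if level == "organization" else REQUIRED_PROJECT
    have, unknown = effective_permissions(policy, member, role_permissions)
    return {"missing": sorted(required - have), "unknown_roles": sorted(unknown)}


# Constructed sample data: a hypothetical project, sensor account and custom role.
SENSOR_SA = "serviceAccount:sensor-sa@example-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "projects/example-proj/roles/gcpSensor", "members": ["%s"]},
  {"role": "roles/logging.viewer", "members": ["%s", "user:alice@example.com"]}]}""" % (SENSOR_SA, SENSOR_SA))
SAMPLE_ROLE_PERMS = {  # constructed subset of each role's includedPermissions
    "projects/example-proj/roles/gcpSensor": [
        "resourcemanager.projects.list", "resourcemanager.projects.get",
        "compute.firewalls.list", "compute.firewalls.get",
        "compute.instances.list", "compute.instances.get", "compute.zones.list"],
    "roles/logging.viewer": ["logging.logEntries.list", "logging.logs.list"],
}

if __name__ == "__main__":
    print(json.dumps(check_sensor_account(SAMPLE_POLICY, SENSOR_SA, SAMPLE_ROLE_PERMS), indent=2))
```

For a real check, pull the policy of each monitored project (and of the organization, when organization-level monitoring is configured) and the describe output for each bound role, then feed them in place of the sample data.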