Required Roles for GCP Integration
Overview
When integrating Lacework into your Google Cloud Platform, you must create and configure the necessary roles and resources. To do this, the account used to create the integration must have certain privileges within the Project and Organization being integrated.
This article defines those privileges and why they are required.
GCP Account Roles
Organization Level Integration Roles
| Role Name | Role ID | Integration Type | Usage |
|---|---|---|---|
| Organization Administrator | roles/resourcemanager.organizationAdmin | Audit Log, Compliance | |
| Organization Role Administrator | roles/iam.organizationRoleAdmin | Compliance | |
| Logs Configuration Writer | roles/logging.configWriter | Audit Log | |
| Billing Account User | roles/billing.user | Audit Log, Compliance | |
Additionally, the user performing the integration requires the Project Level Integration Roles on the Project that will contain the Lacework Integration resources.
Project Level Integration Roles
When configuring access for the Project that the Lacework Integration resources will reside within, you can grant the roles required to create the integration in one of two ways: Project Owner access, or Least Privilege access (the individual roles listed below, scoped to the integration type being set up).
Project Owner Access
| Role Name | Role ID | Integration Type | Usage |
|---|---|---|---|
| Project Owner | roles/owner | Audit Log, Compliance | |
Least Privilege Access
| Role Name | Role ID | Integration Type | Usage |
|---|---|---|---|
| Logs Configuration Writer | roles/logging.configWriter | Audit Log | |
| Project IAM Admin | roles/resourcemanager.projectIamAdmin | Compliance | |
| Pub/Sub Admin | roles/pubsub.admin | Audit Log | |
| Role Administrator | roles/iam.roleAdmin | Compliance | |
| Service Account Admin | roles/iam.serviceAccountAdmin | Audit Log, Compliance | |
| Service Account Key Admin | roles/iam.serviceAccountKeyAdmin | Audit Log, Compliance | |
| Service Usage Admin | roles/serviceusage.serviceUsageAdmin | Audit Log, Compliance | |
| Storage Admin | roles/storage.admin | Audit Log | |
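The following is an added example, not Lacework's own tooling or any code from this article. It encodes the organization-level and least-privilege project-level role tables above and checks an exported IAM policy for a given principal: which listed roles are still missing for the chosen integration type(s), which listed roles are held but not needed for those types (a least-privilege review), and the `gcloud projects add-iam-policy-binding` commands that would close the gap. It assumes the policy JSON has the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` (or `gcloud organizations get-iam-policy ORG_ID --format=json` for the organization table), i.e. a `bindings` list of `{"role": ..., "members": [...]}` objects; the sample policy, project id and member names are constructed for the example.

```python
"""Check an exported GCP IAM policy against the roles listed on this page.

Added example: the role tables are transcribed from the page; the policy
document, member names and project id below are constructed sample data.
"""
import json

# Organization Level Integration Roles (from the page's first table).
ORG_ROLES = {
    "roles/resourcemanager.organizationAdmin": {"Audit Log", "Compliance"},
    "roles/iam.organizationRoleAdmin": {"Compliance"},
    "roles/logging.configWriter": {"Audit Log"},
    "roles/billing.user": {"Audit Log", "Compliance"},
}

# Project Level Integration Roles, Least Privilege Access (from the page's last table).
PROJECT_LEAST_PRIVILEGE_ROLES = {
    "roles/logging.configWriter": {"Audit Log"},
    "roles/resourcemanager.projectIamAdmin": {"Compliance"},
    "roles/pubsub.admin": {"Audit Log"},
    "roles/iam.roleAdmin": {"Compliance"},
    "roles/iam.serviceAccountAdmin": {"Audit Log", "Compliance"},
    "roles/iam.serviceAccountKeyAdmin": {"Audit Log", "Compliance"},
    "roles/serviceusage.serviceUsageAdmin": {"Audit Log", "Compliance"},
    "roles/storage.admin": {"Audit Log"},
}
PROJECT_OWNER_ROLE = "roles/owner"  # the Project Owner Access alternative


def roles_held(member, policy):
    """Set of roles bound to `member` in a gcloud-style IAM policy dict."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def required_roles(table, integration_types):
    """Roles in `table` needed for any of the requested integration types."""
    wanted = set(integration_types)
    return {role for role, types in table.items() if types & wanted}


def missing_roles(member, policy, integration_types, table=PROJECT_LEAST_PRIVILEGE_ROLES):
    """Roles from `table` that `member` still lacks for the requested types.

    Project Owner satisfies the project-level requirement on its own, so a
    member holding roles/owner has nothing missing from the project table.
    """
    held = roles_held(member, policy)
    if table is PROJECT_LEAST_PRIVILEGE_ROLES and PROJECT_OWNER_ROLE in held:
        return set()
    return required_roles(table, integration_types) - held


def excess_roles(member, policy, integration_types, table=PROJECT_LEAST_PRIVILEGE_ROLES):
    """Roles from `table` that `member` holds but the requested types do not need."""
    held = roles_held(member, policy) & set(table)
    return held - required_roles(table, integration_types)


def grant_commands(project_id, member, policy, integration_types):
    """gcloud commands that would grant each missing project-level role."""
    return [
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member={member} --role={role}"
        for role in sorted(missing_roles(member, policy, integration_types))
    ]


# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/logging.configWriter",
     "members": ["user:integrator@example.com"]},
    {"role": "roles/iam.serviceAccountAdmin",
     "members": ["user:integrator@example.com"]},
    {"role": "roles/iam.serviceAccountKeyAdmin",
     "members": ["user:integrator@example.com"]},
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["user:integrator@example.com", "user:owner@example.com"]},
    {"role": "roles/owner",
     "members": ["user:owner@example.com"]}
  ],
  "etag": "constructed-etag=",
  "version": 1
}""")

if __name__ == "__main__":
    member = "user:integrator@example.com"
    for types in (["Audit Log"], ["Compliance"]):
        print(types, "missing:", sorted(missing_roles(member, SAMPLE_POLICY, types)))
        print(types, "excess: ", sorted(excess_roles(member, SAMPLE_POLICY, types)))
    print("\n".join(grant_commands("example-project", member, SAMPLE_POLICY, ["Audit Log"])))
```

Run it against a real export by loading the `gcloud ... get-iam-policy --format=json` output in place of `SAMPLE_POLICY`; the organization table is checked the same way by passing `table=ORG_ROLES` together with the organization policy. Reviewing `excess_roles` before the integration is a cheap way to keep a Compliance-only setup from carrying the Pub/Sub and Storage admin roles that only the Audit Log integration needs.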