Views:

Review the permissions required to deploy resources and the permissions granted during the terraform process.

Trend Micro recommends accessing the project using a sign in that has the Owner role. If you are adding a Google Cloud organization, the sign in must also have the Organization Administrator role. Ensure your account and role meet the following requirements to be able to successfully deploy Trend Vision One cloud security resources to your project.
  • The associated Google account must be a valid billing account.
  • The user role must have access to the following Google Cloud services and features:
    • Cloud Shell
    • Cloud Storage
    • Service Account
    • Workload Identity Pool
    • Workload Identity Pool Provider
    • IAM
    • Tag Key
    • Tag Value
    • Enable GCP API
The terraform process assigns certain permissions to itself to establish the connection with Cloud Accounts and Trend Vision One cloud security services. These permissions include enabling the Cloud Accounts app and security services to obtain temporary credentials and complete tasks within your Google Cloud environment. The required permissions and APIs are listed in the following tables:

Required APIs and Permissions

Feature
Service
Required APIs
Required Permissions
Core Features (Conformity)
AlloyDB
  • AlloyDB API
  • alloydb.clusters.list
  • alloydb.instances.list
ApiGateway
  • API Gateway
  • Service Management API
  • apigateway.gateways.list
  • apigateway.gateways.getIamPolicy
  • apigateway.locations.get
  • apigateway.apis.list
  • apigateway.apis.getIamPolicy
  • apigateway.apis.get
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.getIamPolicy
  • servicemanagement.services.get
Apigee
  • Apigee API
  • apigee.apiproducts.list
  • apigee.deployments.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getStats
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.proxies.list
  • apigee.proxyrevisions.get
ArtifactRegistry
  • Artifact Registry API
  • artifactregistry.dockerimages.list
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
BigQuery
  • BigQuery API
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
  • bigquery.tables.getIamPolicy
Bigtable
-
  • bigtable.instances.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
CertificateManager
  • Certificate Manager API
  • certificatemanager.certs.list
CloudAPI
  • API Keys API
  • apikeys.keys.list
  • serviceusage.services.list
CloudDNS
  • Cloud DNS API
  • dns.managedZones.list
  • dns.policies.list
CloudFunctions
  • Cloud Functions API
  • cloudfunctions.functions.getIamPolicy
  • cloudfunctions.functions.list
CloudIAM
  • Access Approval API
  • Cloud Resource Manager API
  • Identity and Access Management (IAM) API
  • accessapproval.settings.get
  • iam.roles.list
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
CloudKMS
  • Cloud Key Management Service (KMS) API
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudkms.locations.list
CloudLoadBalancing
  • Compute Engine API
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.globalForwardingRules.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.sslPolicies.list
  • compute.targetHttpsProxies.list
  • compute.targetSslProxies.list
  • compute.urlMaps.list
CloudLogging
  • Cloud Logging API
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.sinks.list
  • monitoring.alertPolicies.list
CloudSQL
  • Cloud SQL Admin API
  • cloudSql.instances.list
  • cloudsql.instances.listServerCas
CloudStorage
  • Cloud Storage API
  • storage.buckets.getIamPolicy
  • storage.buckets.list
CloudVPC
  • Compute Engine API
  • compute.firewalls.list
  • compute.networks.list
  • compute.subnetworks.getIamPolicy
  • compute.subnetworks.list
ComputeEngine
  • Compute Engine API
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.instanceGroups.list
  • compute.instances.getIamPolicy
  • compute.instances.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.projects.get
  • compute.zones.list
Dataproc
  • Cloud Dataproc API
  • dataproc.clusters.getIamPolicy
  • dataproc.clusters.list
Filestore
  • Cloud Filestore API
  • file.instances.list
Firestore
  • Cloud Firestore API
  • datastore.databases.list
GKE
  • Kubernetes Engine API
  • container.clusters.list
Memorystore
  • Cloud Memorystore for Memcached API
  • Google Cloud Memorystore for Redis API
  • memcache.instances.list
  • redis.clusters.list
  • redis.instances.list
NetworkConnectivity
  • Compute Engine API
  • Network Connectivity API
  • compute.routers.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
PubSub
  • Cloud Pub/Sub API
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions
ResourceManager
  • Cloud Resource Manager API
  • orgpolicy.policy.get
  • resourcemanager.projects.get
Spanner
  • Cloud Spanner API
  • spanner.instances.getIamPolicy
  • spanner.instances.list
VertexAI
  • Notebooks API
  • notebooks.instances.getIamPolicy
  • notebooks.instances.list
Agentless Vulnerability & Threat Detection
Cloud Billing
  • Cloud Billinng API
  • billing.accounts.get
  • billing.accounts.getIamPolicy
  • billing.accounts.list
  • billing.accounts.redeemPromotion
  • billing.credits.list
  • billing.resourceAssociations.create
CloudIAM
-
  • iam.roles.create
  • iam.roles.delete
  • iam.roles.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
CloudLogging
-
  • logging.sinks.create
  • logging.sinks.delete
Cloud Run
  • Cloud Run Admin API
  • run.jobs.create
  • run.jobs.delete
  • run.jobs.get
  • run.jobs.list
  • run.jobs.setIamPolicy
  • run.operations.delete
  • run.operations.list
  • run.services.create
  • run.services.delete
  • run.services.get
  • run.services.getIamPolicy
  • run.services.setIamPolicy
Cloud Scheduler
-
  • cloudscheduler.jobs.create
  • cloudscheduler.jobs.delete
  • cloudscheduler.jobs.enable
CloudStorage
-
  • storage.buckets.create
  • storage.buckets.delete
Compute Engine
-
  • compute.firewalls.create
  • compute.firewalls.delete
  • compute.firewalls.get
  • compute.networks.create
  • compute.networks.delete
  • compute.networks.get
  • compute.subnetworks.create
  • compute.subnetworks.delete
Eventarc
  • Eventarc API
  • eventarc.operations.delete
  • eventarc.operations.get
  • eventarc.operations.list
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
PubSub
-
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.setIamPolicy
  • pubsub.subscriptions.update
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy
ResourceManager
-
  • resourcemanager.projects.delete
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
Secret Manager
-
  • secretmanager.secrets.create
  • secretmanager.secrets.delete
  • secretmanager.secrets.get
  • secretmanager.secrets.getIamPolicy
  • secretmanager.secrets.setIamPolicy
Workflows
  • Workflow Executions API
  • workflows.workflows.create
  • workflows.workflows.delete
  • workflows.workflows.get
  • workflows.workflows.list