Review the permissions required to deploy resources and the permissions granted when connecting Google Cloud projects to Trend Vision One.

Google Cloud Required Permissions

Feature: Core Features
Required permissions:
  • compute.regions.list
  • iam.roles.create
  • iam.roles.delete
  • iam.roles.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.workloadIdentityPoolProviderKeys.delete
  • iam.workloadIdentityPoolProviders.create
  • iam.workloadIdentityPoolProviders.delete
  • iam.workloadIdentityPoolProviders.get
  • iam.workloadIdentityPools.create
  • iam.workloadIdentityPools.delete
  • iam.workloadIdentityPools.get
  • iam.workloadIdentityPools.update
  • iam.workloadIdentityPools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.tagKeys.create
  • resourcemanager.tagKeys.delete
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.create
  • resourcemanager.tagValues.delete
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.list
  • serviceusage.services.enable
  • serviceusage.services.list
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.list
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.setIamPolicy
  • storage.objects.update
Description: These permissions are required to connect Google Cloud projects to Trend Vision One.
Feature: Cloud Security Posture
Required permissions:
  • accessapproval.settings.get
  • alloydb.clusters.list
  • alloydb.instances.list
  • apigateway.locations.get
  • apigateway.gateways.list
  • apigateway.gateways.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.getIamPolicy
  • apigee.apiproducts.list
  • apigee.deployments.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getStats
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apikeys.keys.list
  • artifactregistry.repositories.list
  • bigtable.instances.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
  • bigquery.tables.getIamPolicy
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudkms.locations.list
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionSslPolicies.list
  • compute.firewalls.list
  • compute.globalForwardingRules.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instances.list
  • compute.instances.getIamPolicy
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.networks.list
  • compute.subnetworks.list
  • compute.subnetworks.getIamPolicy
  • compute.projects.get
  • compute.targetHttpsProxies.list
  • compute.targetSslProxies.list
  • compute.sslPolicies.list
  • compute.urlMaps.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.instanceGroups.list
  • compute.zones.list
  • container.clusters.list
  • container.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.getIamPolicy
  • datastore.databases.list
  • dns.policies.list
  • dns.managedZones.list
  • file.instances.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccountKeys.list
  • iam.roles.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.sinks.list
  • memcache.instances.list
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions
  • redis.clusters.list
  • redis.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • servicemanagement.services.get
  • serviceusage.services.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • certificatemanager.certs.list
  • compute.routers.list
  • cloudfunctions.functions.list
  • cloudfunctions.functions.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.getIamPolicy
  • notebooks.instances.list
  • notebooks.instances.getIamPolicy
  • artifactregistry.dockerimages.list
 
Feature: Agentless Vulnerability & Threat Detection
Required permissions: granted as predefined and custom roles to three service accounts, in the customer project and in the sidecar project, as listed below.
Control Plane Service Account
Purpose: Manages control plane operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Custom role with compute.disks.createSnapshot permission
Sidecar project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Compute Viewer (roles/compute.viewer)
  • Workflows Viewer (roles/workflows.viewer)
  • Logging Writer (roles/logging.logWriter)
  • Custom role with snapshot and disk management permissions
 
Customer Role Service Account
Purpose: Handles customer-specific operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Compute Viewer (roles/compute.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Sidecar project permissions:
  • Cloud Run Invoker (roles/run.invoker)
 
Data Plane Service Account
Purpose: Executes data plane operations
Sidecar project permissions:
  • Storage Object Viewer (roles/storage.objectViewer)
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Logging Writer (roles/logging.logWriter)
  • Workflows Invoker (roles/workflows.invoker)
  • Workflows Viewer (roles/workflows.viewer)
  • Eventarc Event Receiver (roles/eventarc.eventReceiver)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
  • Custom role with VM and disk management permissions
Customer project permissions:
  • Compute Viewer (roles/compute.viewer)
 
Feature: Real-Time Posture Monitoring
Required permissions: N/A