Limited IAM Permissions for a GCP Savings Analysis

To perform our Savings Analysis, we require limited read-only GCP IAM permissions. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

At no point are we able to:

  • Access the GCP data plane (e.g., instances, clusters, containers)
  • Manipulate the GCP control plane (e.g., start or terminate a VM, cluster, or task)
  • Read your data, whether local or in a managed storage/datastore service

These permissions will allow us to:

  • Access your BigQuery detailed usage cost and pricing information, which we use to analyze historical cost and usage data, including hourly volatility patterns
  • Understand your CUD and Flex CUD inventory, including relevant coverage and utilization data
  • Understand your Billing Account, Organization, Folder, and Project relationships and hierarchical structure

We specifically require the following roles and permissions:

  • BigQuery Data Viewer Role: This role is only assigned on the two BigQuery tables that contain your Detailed Usage Cost data and Pricing information. This is necessary to understand your specific usage patterns and pricing data.
  • Billing Account Viewer Role: This role is only assigned on the billing account to be analyzed. This is required to access a variety of necessary billing data.
  • Consumer Procurement Viewer Role: This role is only assigned on the billing account to be analyzed. This is required to access your Flex CUD information as well as other relevant pricing and entitlement data.
  • ProsperOps Custom Role: This custom role grants the few remaining least-privilege permissions we require. It is assigned on your organization and billing account.
    • billing.accounts.get: Allows us to retrieve basic information about your billing account (note: the Billing Account Viewer role already grants this permission; it is included here so that the custom role contains a billing-account-level permission and can therefore be assigned on the billing account)
    • compute.commitments.get: Enables retrieval of an individual Compute Engine Committed Use Discount (commitment)
    • compute.commitments.list: Enables listing of Compute Engine Committed Use Discounts
    • resourcemanager.folders.get: Enables retrieval of folder-level information to understand the organizational hierarchy
    • resourcemanager.folders.list: Enables listing of folders to understand the organizational hierarchy
    • resourcemanager.organizations.get: Enables retrieval of organization-level information to understand the organizational hierarchy
    • resourcemanager.projects.get: Enables retrieval of project-level information to understand the organizational hierarchy
    • resourcemanager.projects.list: Enables listing of projects to understand the organizational hierarchy
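The custom role above, written out as a gcloud role definition file together with a least-privilege check a reviewer can run before granting anything. This is an added example, not ProsperOps' own tooling: the role id, the file location, and the `ORG_ID` / `BILLING_ACCOUNT_ID` values are placeholders, and the read-only check (every permission must end in `.get` or `.list`) is an assumption about what "read-only" means for this role, not a GCP rule.

```shell
#!/bin/sh
# Added example: materialize the custom role described above and verify that it
# contains only read-only permissions before it is created or bound.
# ROLE_FILE location is an assumption; override it via the environment.

ROLE_FILE="${ROLE_FILE:-${TMPDIR:-/tmp}/prosperops-analysis-role.yaml}"

# Write the role in the format accepted by `gcloud iam roles create --file`.
# The includedPermissions are exactly the ones listed on the page.
write_role_file() {
  cat > "$ROLE_FILE" <<'EOF'
title: ProsperOps Savings Analysis
description: Read-only permissions for the GCP savings analysis
stage: GA
includedPermissions:
- billing.accounts.get
- compute.commitments.get
- compute.commitments.list
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
EOF
}

# Least-privilege check: every permission in the file must end in a read-only
# verb (.get or .list). Prints any offenders and returns 1 if one is found.
check_read_only() {
  file="$1"
  bad=$(sed -n 's/^- *//p' "$file" | grep -Ev '\.(get|list)$' || true)
  if [ -n "$bad" ]; then
    echo "non-read-only permissions found in $file:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# Number of permissions in the file, to confirm nothing extra was added.
count_permissions() {
  sed -n 's/^- *//p' "$1" | wc -l | tr -d ' '
}

# Once the check passes, the role is created at the organization and bound on
# the organization and the billing account. These commands are shown as
# comments only; ORG_ID, BILLING_ACCOUNT_ID and the member are placeholders.
#   gcloud iam roles create prosperOpsAnalysis \
#       --organization="$ORG_ID" --file="$ROLE_FILE"
#   gcloud organizations add-iam-policy-binding "$ORG_ID" \
#       --member="serviceAccount:ANALYSIS_SA@EXAMPLE.iam.gserviceaccount.com" \
#       --role="organizations/$ORG_ID/roles/prosperOpsAnalysis"
#   gcloud billing accounts add-iam-policy-binding "$BILLING_ACCOUNT_ID" \
#       --member="serviceAccount:ANALYSIS_SA@EXAMPLE.iam.gserviceaccount.com" \
#       --role="organizations/$ORG_ID/roles/prosperOpsAnalysis"
```

Run `write_role_file` and then `check_read_only "$ROLE_FILE"`; the check is deliberately strict so that a later edit adding, say, a `.delete` or `.setIamPolicy` permission fails before the role is granted. Note that the same check should also be run on the organization and billing-account bindings after the fact (`gcloud organizations get-iam-policy`), since a role file is only what you intended to grant, not what is actually bound.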