Limited IAM Permissions for a Google Cloud Savings Analysis

To perform our Savings Analysis, we require limited read-only Google Cloud IAM permissions. We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run our analysis and nothing more.

At no point in time do we have access to:

  • The Google Cloud data plane (e.g., instances, clusters, containers)
  • The ability to manipulate the Google Cloud control plane (e.g., start or terminate a VM, cluster, or task)
  • Your application data, whether local to a workload or held in a managed storage/datastore service; the only data we read is the billing export described below

These permissions will allow us to:

  • Access your BigQuery detailed usage cost and pricing information, which we use to analyze historical cost and usage data, including hourly volatility patterns
  • Understand your CUD and Flex CUD inventory, including relevant coverage and utilization data
  • Understand your Billing Account, Organization, Folder, and Project relationships and hierarchical structure

We specifically require the following roles and permissions:

  • BigQuery Data Viewer Role (roles/bigquery.dataViewer): This role is assigned only on the two BigQuery tables that contain your Detailed usage cost export and Pricing export, not on the dataset or project that holds them. This is what lets us read your specific usage patterns and pricing data.
  • Billing Account Viewer Role (roles/billing.viewer): This role is assigned only on the billing account to be analyzed. It grants read-only access to the billing data the analysis needs and cannot change anything on the account.
  • ProsperOps Custom Role: This custom role carries the minimal additional permissions listed below. It is assigned at the organization level so that we can view your resource-based CUDs across every project in the hierarchy; these commitments are purchased per project, not on the billing account, so a billing-account role alone cannot see them. Every permission is a get or list verb; the role grants no create, update, delete, or setIamPolicy permission on any resource.
    • compute.commitments.get: read the details of an individual Compute Engine Committed Use Discount
    • compute.commitments.list: enumerate the Compute Engine Committed Use Discounts in a project
    • resourcemanager.folders.get: read an individual folder's metadata
    • resourcemanager.folders.list: enumerate the folders under the organization or under a parent folder
    • resourcemanager.organizations.get: read the organization's metadata, the root of the resource hierarchy
    • resourcemanager.projects.get: read an individual project's metadata
    • resourcemanager.projects.list: enumerate the projects, so the organization, folder, and project relationships can be reconstructed
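A permission list like the one above is only as good as the grants that were actually created, so a practitioner will want to check the custom role and the bindings after they are in place. The following is an added example written for this page, not ProsperOps' own tooling: it takes JSON shaped like the output of `gcloud iam roles describe ROLE --organization=ORG --format=json` and `gcloud billing accounts get-iam-policy ACCOUNT --format=json`, diffs the custom role against the documented permission set, flags any permission whose verb mutates state, and lists roles the analysis identity holds that the documentation does not mention. The service account, organization ID, role name, and group in the sample inputs are hypothetical and constructed for the example.

```python
"""Audit a third party's Google Cloud IAM grants against a documented read-only set.

Added example for this page, not ProsperOps' own tooling. Inputs are JSON documents
shaped like `gcloud iam roles describe ... --format=json` and
`gcloud billing accounts get-iam-policy ... --format=json`.
"""
import json
import re

# The custom role's documented permission set (get/list verbs only).
DOCUMENTED_CUSTOM_ROLE_PERMISSIONS = frozenset({
    "compute.commitments.get",
    "compute.commitments.list",
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
})

# Final segment of an IAM permission name that implies writing to, acting as, or
# changing the state of a resource. A read-only role must carry none of these.
MUTATING_VERB = re.compile(
    r"\.(create|delete|undelete|update|patch|set[A-Z]\w*|use|actAs|"
    r"start|stop|suspend|resume|reset|attach|detach|move)$"
)


def audit_custom_role(role):
    """Diff a custom role definition against the documented set.

    Returns a dict keyed by "extra", "missing" and "mutating"; an empty dict
    means the role matches exactly and contains nothing that mutates state.
    """
    granted = set(role.get("includedPermissions", []))
    findings = {}
    extra = sorted(granted - DOCUMENTED_CUSTOM_ROLE_PERMISSIONS)
    missing = sorted(DOCUMENTED_CUSTOM_ROLE_PERMISSIONS - granted)
    mutating = sorted(p for p in granted if MUTATING_VERB.search(p))
    if extra:
        findings["extra"] = extra
    if missing:
        findings["missing"] = missing
    if mutating:
        findings["mutating"] = mutating
    return findings


def roles_granted_to(policy, member):
    """All roles a member holds in an IAM policy document (conditions are ignored)."""
    return sorted(
        b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
    )


def undocumented_roles(policy, member, allowed_roles):
    """Roles the member holds on this resource beyond the documented ones."""
    return sorted(set(roles_granted_to(policy, member)) - set(allowed_roles))


# Constructed sample inputs: the identity, organization ID, role name and group are
# hypothetical, not output from any real account. The role is padded with one
# mutating permission and the billing account with one extra role, to show what
# the audit reports when a grant drifts from the documented set.
VENDOR_MEMBER = "serviceAccount:analysis@example-vendor.iam.gserviceaccount.com"

SAMPLE_ROLE = json.loads("""{
  "name": "organizations/123456789012/roles/savingsAnalysisViewer",
  "stage": "GA",
  "includedPermissions": [
    "compute.commitments.get",
    "compute.commitments.list",
    "compute.instances.setMetadata",
    "resourcemanager.folders.get",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list"
  ]
}""")

SAMPLE_BILLING_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/billing.admin",
     "members": ["group:finops-admins@example.com"]},
    {"role": "roles/billing.viewer",
     "members": ["serviceAccount:analysis@example-vendor.iam.gserviceaccount.com"]},
    {"role": "roles/billing.user",
     "members": ["serviceAccount:analysis@example-vendor.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    print("custom role findings:", json.dumps(audit_custom_role(SAMPLE_ROLE), indent=2))
    print("undocumented billing-account roles:",
          undocumented_roles(SAMPLE_BILLING_POLICY, VENDOR_MEMBER, {"roles/billing.viewer"}))
```

Against the sample inputs the audit reports `compute.instances.setMetadata` as both extra and mutating, and `roles/billing.user` as an undocumented grant on the billing account. To run it against a real environment, replace the sample documents with `json.load` of the `gcloud` output; the table-level BigQuery bindings can be checked the same way from `bq get-iam-policy` output for each of the two export tables, with `roles/bigquery.dataViewer` as the only allowed role.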