Limited IAM Permissions for GCP Compute Engine Active Discount Management

To monitor your global Compute Engine usage and actively manage an optimal portfolio of resource-based Committed Use Discounts and spend-based Flexible Committed Use Discounts, we require additional, limited IAM permissions. The permissions listed below are in addition to the limited, read-only permissions required for our Savings Analysis.

We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run and nothing more.

At no point in time do we have the ability to:

  • Access the GCP data plane (e.g., instances, clusters, containers)
  • Manipulate the GCP control plane (e.g., start or terminate a VM, cluster, or task)
  • Access your data, whether local or in a managed storage/datastore service

These permissions will allow us to:

  • Monitor resource usage limits Google Cloud places on your account and proactively make adjustments to quotas as needed.
  • Purchase and actively manage resource-based Committed Use Discounts and spend-based Flexible Committed Use Discounts on your behalf.
  • Access near real-time and historical usage data and operational metrics tied to Google Cloud resources.

We specifically require the following additional permissions:

  • cloudquotas.quotas.get: Enables retrieval of quotas in your Google Cloud projects, folders, and organizations
  • cloudquotas.quotas.update: Allows us to programmatically adjust quotas and automate quota adjustments
  • compute.commitments.create: Allows us to actively manage and purchase resource-based committed use discounts on your behalf
  • compute.commitments.update: Allows us to update resource-based committed use discounts on your behalf
  • consumerprocurement.orders.place: Allows us to purchase spend-based flexible committed use discounts on your behalf
  • monitoring.timeSeries.list: Enables retrieval of time series data stored within your Google Cloud Monitoring environment
  • serviceusage.quotas.get: Enables retrieval of project-level quotas and what percentage of a quota is being used
  • serviceusage.quotas.update: Allows us to modify existing quota limits for various services within a project
  • serviceusage.services.list: Allows retrieval of all enabled and disabled services
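The usual way to grant exactly this set, and nothing more, is a custom IAM role bound to the vendor's service account rather than a predefined role such as `roles/compute.admin`. The following is an added example, not the vendor's own tooling: it builds a custom-role definition in the shape `gcloud iam roles create --file` accepts and includes an audit function that reports any permission outside the documented list (for instance, if someone later widens the role). The role id, title and description are placeholders chosen for the example.

```python
"""Least-privilege custom role for the permissions listed on this page.

Added example; not code from the page's author. The role id and title are
placeholders. Write the output of build_custom_role() to a file and apply it
with:
    gcloud iam roles create discountManagement --project=PROJECT_ID --file=role.json
(JSON is valid YAML, so --file accepts it.)
"""
import json
from typing import Dict, List, Set, Tuple

# The exact permission set documented above; the allowlist for the audit.
DOCUMENTED_PERMISSIONS: frozenset = frozenset({
    "cloudquotas.quotas.get",
    "cloudquotas.quotas.update",
    "compute.commitments.create",
    "compute.commitments.update",
    "consumerprocurement.orders.place",
    "monitoring.timeSeries.list",
    "serviceusage.quotas.get",
    "serviceusage.quotas.update",
    "serviceusage.services.list",
})


def build_custom_role(role_id: str = "discountManagement") -> Dict[str, object]:
    """Return a custom-role definition containing only the documented permissions.

    Field names (title, description, stage, includedPermissions) are the ones
    the IAM custom-role YAML/JSON format uses.
    """
    return {
        "title": f"{role_id} (limited)",          # placeholder title
        "description": "Quota, CUD and monitoring access only; no data-plane access.",
        "stage": "GA",
        "includedPermissions": sorted(DOCUMENTED_PERMISSIONS),
    }


def audit_role(role: Dict[str, object]) -> Tuple[Set[str], Set[str]]:
    """Compare a role definition against the documented allowlist.

    Returns (extra, missing): permissions present in the role but not
    documented here, and documented permissions the role lacks. A non-empty
    `extra` set means the role has drifted beyond least privilege.
    """
    granted: Set[str] = set(role.get("includedPermissions", []))
    extra = granted - DOCUMENTED_PERMISSIONS
    missing = DOCUMENTED_PERMISSIONS - granted
    return extra, missing


def role_to_json(role: Dict[str, object]) -> str:
    """Serialise the role definition for `gcloud iam roles create --file`."""
    return json.dumps(role, indent=2, sort_keys=True)


if __name__ == "__main__":
    role = build_custom_role()
    print(role_to_json(role))

    # Constructed example of drift: a widened role that also grants a
    # control-plane permission this page says the vendor never needs.
    drifted = dict(role)
    drifted["includedPermissions"] = list(role["includedPermissions"]) + ["compute.instances.delete"]
    extra, missing = audit_role(drifted)
    print("extra permissions:", sorted(extra))    # ['compute.instances.delete']
    print("missing permissions:", sorted(missing))  # []
```

Run the audit periodically (for example from a scheduled job that fetches the role with `gcloud iam roles describe --format=json` and feeds it to `audit_role`) so that any later change to the binding is caught rather than discovered during an incident.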