Limited IAM Permissions for Google Cloud Compute Engine Autonomous Discount Management

To monitor your global Compute Engine usage and actively manage an optimal portfolio of resource-based Committed Use Discounts and spend-based Flexible Committed Use Discounts, we require additional, limited IAM permissions. The permissions listed below are in addition to the limited, read-only permissions required for our Savings Analysis.

We're firm believers in the security principle of least privilege, so our permission set includes the minimum amount of access we need to run and nothing more.

At no point in time can we:

  • Access the Google Cloud data plane (e.g., instances, clusters, containers)
  • Manipulate your workloads through the Google Cloud control plane (e.g., start or terminate a VM, cluster, or task); the only write permissions listed below are scoped to quotas and commitments
  • Access your data, whether local or in a managed storage/datastore service

These permissions allow us to:

  • Monitor the resource usage quotas Google Cloud places on your projects and proactively request quota adjustments as needed.
  • Purchase and actively manage resource-based Committed Use Discounts and spend-based Flexible Committed Use Discounts on your behalf.
  • Access near real-time and historical usage data and operational metrics tied to Google Cloud resources.

We specifically require the following additional permissions:

  • Consumer Procurement Order Administrator Role (roles/consumerprocurement.orderAdmin): This predefined role allows managing purchases and consents at both the billing account and project level. It is required to purchase spend-based Flexible Committed Use Discounts on your behalf.
  • Update the ProsperOps Custom Role: This custom role grants the remaining least-privilege permissions we require. It is assigned at the organization level and contains only the following permissions:
    • cloudquotas.quotas.get: Enables retrieval of quotas in your Google Cloud projects, folders, and organizations
    • cloudquotas.quotas.update: Allows us to programmatically adjust quotas and automate quota adjustments
    • compute.commitments.create: Allows us to purchase and actively manage resource-based Committed Use Discounts on your behalf
    • compute.commitments.update: Allows us to update resource-based Committed Use Discounts on your behalf
    • compute.regionOperations.get: Enables retrieval of information about regional operations, allowing monitoring and tracking of long-running tasks (such as a commitment purchase)
    • monitoring.timeSeries.list: Enables retrieval of time series data stored within your Cloud Monitoring environment
    • serviceusage.quotas.get: Enables retrieval of project-level quotas and what percentage of a quota is being used
    • serviceusage.quotas.update: Allows us to modify existing quota limits for various services within a project
    • serviceusage.services.get: Enables retrieval of details for a specific enabled or disabled service
    • serviceusage.services.list: Allows listing all enabled and disabled services for a project
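Because a custom role bound at the organization level can be edited later, the practical check is to compare what the role actually grants against the list above each time it is updated. The following is an added example (not ProsperOps code): it encodes the ten permissions from this page, emits the role body that `gcloud iam roles create` / `gcloud iam roles update --file=` accept, and diffs a `gcloud iam roles describe --format=json` document against the documented set so that any extra permission, and in particular any that reaches into workloads or data, is flagged before the role is bound. The organization number, role name, drift sample and the prefix list of out-of-scope permissions are constructed placeholders.

```python
"""Least-privilege check for the custom role described on this page.

Added example, not ProsperOps code. Encodes the permission list above, emits
the role body that `gcloud iam roles create|update --file=` accepts, and diffs
a `gcloud iam roles describe --format=json` document against the list so that
any permission outside the documented set is flagged before the role is bound
at the organization level. Role names and org numbers are placeholders.
"""
import json

# The ten permissions listed on this page for the custom role.
DOCUMENTED_PERMISSIONS = frozenset({
    "cloudquotas.quotas.get",
    "cloudquotas.quotas.update",
    "compute.commitments.create",
    "compute.commitments.update",
    "compute.regionOperations.get",
    "monitoring.timeSeries.list",
    "serviceusage.quotas.get",
    "serviceusage.quotas.update",
    "serviceusage.services.get",
    "serviceusage.services.list",
})

# Verbs in the service.resource.verb naming scheme that mutate state.
WRITE_VERBS = {"create", "update", "delete", "setIamPolicy", "start", "stop",
               "reset", "suspend", "resume", "use", "attachDisk", "detachDisk"}

# Prefixes that would reach workloads or data rather than quotas and
# commitments. Illustrative, not an exhaustive catalogue (assumption).
WORKLOAD_OR_DATA_PREFIXES = ("compute.instances.", "container.", "run.",
                             "storage.objects.", "bigquery.tables.",
                             "secretmanager.versions.")

# Constructed sample of `gcloud iam roles describe ... --format=json` output
# for a role that has drifted: one permission added, one dropped.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "organizations/123456789012/roles/ProsperOps",
    "stage": "GA",
    "includedPermissions": [
        "cloudquotas.quotas.get", "cloudquotas.quotas.update",
        "compute.commitments.create", "compute.commitments.update",
        "compute.instances.start",  # drift: workload control-plane write
        "compute.regionOperations.get", "monitoring.timeSeries.list",
        "serviceusage.quotas.get", "serviceusage.quotas.update",
        "serviceusage.services.get",  # serviceusage.services.list dropped
    ],
})


def classify(permission: str) -> str:
    """Return 'write' when the verb mutates state, else 'read'."""
    return "write" if permission.rsplit(".", 1)[-1] in WRITE_VERBS else "read"


def documented_writes() -> list:
    """The write-capable subset of the documented permissions (quotas, commitments)."""
    return sorted(p for p in DOCUMENTED_PERMISSIONS if classify(p) == "write")


def role_definition(title: str, stage: str = "GA") -> dict:
    """Body for `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.json`."""
    return {
        "title": title,
        "description": "Quota and committed use discount management only",
        "stage": stage,
        "includedPermissions": sorted(DOCUMENTED_PERMISSIONS),
    }


def audit_role(describe_json: str) -> dict:
    """Diff a describe document against the documented permission set."""
    granted = set(json.loads(describe_json).get("includedPermissions", []))
    extra = sorted(granted - DOCUMENTED_PERMISSIONS)
    return {
        "extra": extra,
        "missing": sorted(DOCUMENTED_PERMISSIONS - granted),
        # Extras touching workloads or data: the page says these are never granted.
        "out_of_scope": [p for p in extra if p.startswith(WORKLOAD_OR_DATA_PREFIXES)],
        "ok": granted == DOCUMENTED_PERMISSIONS,
    }


if __name__ == "__main__":
    # Write the first document to role.json and feed it to gcloud; run the
    # audit against real `gcloud iam roles describe` output after each update.
    print(json.dumps(role_definition("ProsperOps"), indent=2))
    print(json.dumps(audit_role(SAMPLE_DESCRIBE_JSON), indent=2))
```

Run the audit in CI against `gcloud iam roles describe ROLE_ID --organization=ORG_ID --format=json` after every role update; a non-empty `out_of_scope` list is the condition that contradicts the guarantees above, while a non-empty `missing` list only means automation will fail closed. `documented_writes()` returns exactly four entries, all on quotas or commitments, which is the concrete form of the "no control over workloads" claim.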