Skip to content

GCP Permissions Reference

This section lists all the required IAM roles, API scopes, and optional permissions for SailPoint Entro's GCP integration, along with clarifications for each feature.


Required APIs

Role Purpose
Logging API Audit logs access for NHI usage tracking [MANDATORY]
Secret Manager API Vaulted secrets management [OPTIONAL]
Cloud Resource Manager API [MANDATORY]
IAM API NHI, Permissions [MANDATORY]
Recommender API NHI Last usage timestamp, Excessive permissions analysis [MANDATORY]
Cloud Functions API Secrets scanning Cloud Functions [OPTIONAL]
Cloud Asset API NHIs and vaulted key owner detection [MANDATORY]
Cloud Identity API [MANDATORY]
Admin SDK API Optional to auto-scan all drives[OPTIONAL]
Discovery Engine API Google AI Agents discovery [OPTIONAL]
Google Drive API Google Workspace Directory, Google Drive secrets scanning [OPTIONAL]
PubSub API Ingestion via PubSub instead of Logging API [OPTIONAL]

Required Roles

Role Purpose
Logs Viewer View log entries
Secret Manager Viewer Access stored secrets
IAM Recommender Viewer Review IAM suggestions
Organization Viewer Access org-wide metadata
Cloud Asset Viewer List assets for audit
API Keys Viewer Access API key metadata
Security Reviewer Review IAM permissions
Folder Viewer Access nested folders
Cloud Functions Viewer Inspect functions
Private Logs Viewer Access restricted logs
Viewer Optional for future compatibility

Permissions and Organizational Structure

SailPoint Entro assesses permissions linked to Non-Human Identities (NHIs), analyzes stored secrets, and identifies potential NHI owners. This process involves listing permissions for all Google Cloud Platform (GCP) assets and accessing the organizational structure.

"iam.roles.list",
"iam.roles.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.get"
"resourcemanager.organizations.get",
"resourcemanager.projects.get",
"resourcemanager.projects.list",
"cloudasset.assets.listResource",
"cloudasset.assets.listIamPolicy",
"cloudasset.assets.listOrgPolicy",
"cloudasset.assets.listAccessPolicy",
"cloudasset.assets.listOSInventories",
"iam.serviceAccounts.getIamPolicy",
"secretmanager.secrets.getIamPolicy",

Excessive Permissions Analysis

SailPoint Entro leverages GCP's existing iam policy recommendation to diff between used and unused permissions.

"recommender.iamPolicyInsights.get",
"recommender.iamPolicyInsights.list",
"recommender.iamPolicyLateralMovementInsights.get",
"recommender.iamPolicyLateralMovementInsights.list",
"recommender.iamPolicyRecommendations.get",
"recommender.iamPolicyRecommendations.list",
"recommender.iamPolicyRecommenderConfig.get",
"recommender.iamServiceAccountInsights.get",
"recommender.iamServiceAccountInsights.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.cloudAssetInsights.get",
"recommender.cloudAssetInsights.list",

Last Usage Timestamp of NHIs

Determine the last usage timestamp of Service accounts, and their keys.

"policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query",
"policyanalyzer.serviceAccountLastAuthenticationActivities.query",

Secrets Manager

Management of NHIs and secrets stored within the "Secret Manager." It monitors and mitigates potential threats, misuse attempts, and unauthorized access.

"secretmanager.versions.access", //optional
"secretmanager.secrets.list",
"secretmanager.versions.list",
"secretmanager.locations.list",

GCP Functions Scanning

Find cleartext secrets within GCP Functions env-vars.

"cloudfunctions.functions.get",
"cloudfunctions.functions.list",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"cloudbuild.operations.get",
"cloudbuild.operations.list",

Service Accounts Management (NHI)

"iam.serviceAccounts.list",
"iam.serviceAccounts.get",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",

Audit Logs and Metrics Access

SailPoint Entro collects audit logs from relevant services, focusing on both human and non-human identities as actors or targets. It is also used to identify potential 'owners' of SailPoint Entro assets.

"logging.buckets.get",
"logging.buckets.list",
"logging.exclusions.get",
"logging.exclusions.list",
"logging.links.get",
"logging.links.list",
"logging.locations.get",
"logging.locations.list",
"logging.logEntries.download",
"logging.logEntries.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list",
"logging.logs.list",
"logging.operations.get",
"logging.operations.list",
"logging.privateLogEntries.list",
"logging.queries.create",
"logging.queries.delete",
"logging.queries.get",
"logging.queries.list",
"logging.queries.listShared",
"logging.queries.update",
"logging.sinks.get",
"logging.sinks.list",
"logging.usage.get",
"logging.views.access",
"logging.views.get",
"logging.views.list",
"logging.views.listLogs",
"logging.views.listResourceKeys",
"logging.views.listResourceValues",
"serviceusage.quotas.get",
"serviceusage.services.get",
"serviceusage.services.list",

Google AI Agents

Support for Agentic AI Discovery in the Google ecosystem. Linking between AI Clients and data sources they're connected to.

"discoveryengine.dataStores.list",
"discoveryengine.dataStores.get",
"discoveryengine.engines.list",
"discoveryengine.engines.get"

Optional Roles

  • Support User (general read-only) for extended visibility.

Compliance & Security

  • TLS 1.2+ encryption
  • AES-256 token protection
  • SOC 2 Type II, ISO 27001, GDPR