GCP Permissions Reference
This section lists all the required IAM roles, API scopes, and optional permissions for SailPoint Entro's GCP integration, along with clarifications for each feature.
Required APIs
| Role | Purpose |
|---|---|
| Logging API | Audit logs access for NHI usage tracking [MANDATORY] |
| Secret Manager API | Vaulted secrets management [OPTIONAL] |
| Cloud Resource Manager API | [MANDATORY] |
| IAM API | NHI, Permissions [MANDATORY] |
| Recommender API | NHI Last usage timestamp, Excessive permissions analysis [MANDATORY] |
| Cloud Functions API | Secrets scanning Cloud Functions [OPTIONAL] |
| Cloud Asset API | NHIs and vaulted key owner detection [MANDATORY] |
| Cloud Identity API | [MANDATORY] |
| Admin SDK API | Optional to auto-scan all drives[OPTIONAL] |
| Discovery Engine API | Google AI Agents discovery [OPTIONAL] |
| Google Drive API | Google Workspace Directory, Google Drive secrets scanning [OPTIONAL] |
| PubSub API | Ingestion via PubSub instead of Logging API [OPTIONAL] |
Required Roles
| Role | Purpose |
|---|---|
| Logs Viewer | View log entries |
| Secret Manager Viewer | Access stored secrets |
| IAM Recommender Viewer | Review IAM suggestions |
| Organization Viewer | Access org-wide metadata |
| Cloud Asset Viewer | List assets for audit |
| API Keys Viewer | Access API key metadata |
| Security Reviewer | Review IAM permissions |
| Folder Viewer | Access nested folders |
| Cloud Functions Viewer | Inspect functions |
| Private Logs Viewer | Access restricted logs |
| Viewer | Optional for future compatibility |
Permissions and Organizational Structure
SailPoint Entro assesses permissions linked to Non-Human Identities (NHIs), analyzes stored secrets, and identifies potential NHI owners. This process involves listing permissions for all Google Cloud Platform (GCP) assets and accessing the organizational structure.
"iam.roles.list",
"iam.roles.get",
"resourcemanager.organizations.getIamPolicy",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.folders.getIamPolicy",
"resourcemanager.folders.get"
"resourcemanager.organizations.get",
"resourcemanager.projects.get",
"resourcemanager.projects.list",
"cloudasset.assets.listResource",
"cloudasset.assets.listIamPolicy",
"cloudasset.assets.listOrgPolicy",
"cloudasset.assets.listAccessPolicy",
"cloudasset.assets.listOSInventories",
"iam.serviceAccounts.getIamPolicy",
"secretmanager.secrets.getIamPolicy",
Excessive Permissions Analysis
SailPoint Entro leverages GCP's existing iam policy recommendation to diff between used and unused permissions.
"recommender.iamPolicyInsights.get",
"recommender.iamPolicyInsights.list",
"recommender.iamPolicyLateralMovementInsights.get",
"recommender.iamPolicyLateralMovementInsights.list",
"recommender.iamPolicyRecommendations.get",
"recommender.iamPolicyRecommendations.list",
"recommender.iamPolicyRecommenderConfig.get",
"recommender.iamServiceAccountInsights.get",
"recommender.iamServiceAccountInsights.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.cloudAssetInsights.get",
"recommender.cloudAssetInsights.list",
Last Usage Timestamp of NHIs
Determine the last usage timestamp of Service accounts, and their keys.
"policyanalyzer.serviceAccountKeyLastAuthenticationActivities.query",
"policyanalyzer.serviceAccountLastAuthenticationActivities.query",
Secrets Manager
Management of NHIs and secrets stored within the "Secret Manager." It monitors and mitigates potential threats, misuse attempts, and unauthorized access.
"secretmanager.versions.access", //optional
"secretmanager.secrets.list",
"secretmanager.versions.list",
"secretmanager.locations.list",
GCP Functions Scanning
Find cleartext secrets within GCP Functions env-vars.
"cloudfunctions.functions.get",
"cloudfunctions.functions.list",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"cloudbuild.operations.get",
"cloudbuild.operations.list",
Service Accounts Management (NHI)
"iam.serviceAccounts.list",
"iam.serviceAccounts.get",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
Audit Logs and Metrics Access
SailPoint Entro collects audit logs from relevant services, focusing on both human and non-human identities as actors or targets. It is also used to identify potential 'owners' of SailPoint Entro assets.
"logging.buckets.get",
"logging.buckets.list",
"logging.exclusions.get",
"logging.exclusions.list",
"logging.links.get",
"logging.links.list",
"logging.locations.get",
"logging.locations.list",
"logging.logEntries.download",
"logging.logEntries.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list",
"logging.logs.list",
"logging.operations.get",
"logging.operations.list",
"logging.privateLogEntries.list",
"logging.queries.create",
"logging.queries.delete",
"logging.queries.get",
"logging.queries.list",
"logging.queries.listShared",
"logging.queries.update",
"logging.sinks.get",
"logging.sinks.list",
"logging.usage.get",
"logging.views.access",
"logging.views.get",
"logging.views.list",
"logging.views.listLogs",
"logging.views.listResourceKeys",
"logging.views.listResourceValues",
"serviceusage.quotas.get",
"serviceusage.services.get",
"serviceusage.services.list",
Google AI Agents
Support for Agentic AI Discovery in the Google ecosystem. Linking between AI Clients and data sources they're connected to.
"discoveryengine.dataStores.list",
"discoveryengine.dataStores.get",
"discoveryengine.engines.list",
"discoveryengine.engines.get"
Optional Roles
- Support User (general read-only) for extended visibility.
Compliance & Security
- TLS 1.2+ encryption
- AES-256 token protection
- SOC 2 Type II, ISO 27001, GDPR