Automate GCP Cloud Account Onboarding
Onboarding a GCP account, such as GCP project or GCP Organization, on Prisma Cloud connects all the respective GCP resources to Prisma Cloud.
You can onboard a single GCP project or multiple GCP projects to Prisma Cloud. If you want to onboard multiple projects, you must either onboard each project separately or allow Prisma Cloud to automatically onboard all GCP projects attached to the service account linked to the onboarded project. Prisma Cloud refers to this service account as a Master Service Account.
All the sections in this topic contain sample requests and responses for onboarding resources under a GCP Project, a GCP organization, and a Master Service Account.
Prerequisite:
- Obtain a Prisma Cloud API authorization token
, which will be used in all the APIs.
info
- The token is valid for only 10 minutes. If your session extends beyond that limit, refresh the session .
- Replace the generic
api.prismacloud.iobase URL used in the example APIs with your URL.
To onboard GCP Accounts, such as GCP Project, GCP Organization, or Master Service Account:
1. Fetch the supported features based on the cloud type and account type.
2. Generate the Terraform template.
3. Execute the Terraform template in Google cloud shell to create service accounts and its roles.
4. Add your GCP Account to Prisma Cloud.
1. Fetch the Supported Features
Get the list of supported features based on the cloud type, account type, and deployment type by using the Fetch Supported Features API . The supportedFeatures parameter in the response body contains the list of supported features.
NOTE: By default, the supported features list contains Cloud Visibility Compliance and Governance. Do not include it as a feature in the supported feature request body parameter of any cloud APIs, such as Add GCP Cloud Account, Update GCP Cloud Account, GCP Template Generation and so on.
Sample Request and Response for GCP Project
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/features/cloud/gcp' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "account"
}'
Sample Response
{
"cloudType": "gcp",
"deploymentType": "global",
"accountType": "account",
"licenseType": "ENTERPRISE",
"supportedFeatures": [
"Agentless Scanning",
"Auto Protect",
"Cloud Visibility Compliance and Governance",
"Remediation",
"Serverless Function Scanning"
]
}
Sample Request and Response for GCP Organization
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/features/cloud/gcp' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "organization"
}'
Sample Response
{
"cloudType": "gcp",
"deploymentType": "global",
"accountType": "organization",
"licenseType": "ENTERPRISE",
"supportedFeatures": [
"Agentless Scanning",
"Auto Protect",
"Cloud Visibility Compliance and Governance",
"Remediation",
"Serverless Function Scanning"
]
}
Sample Request and Response for Master Service Account
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/features/cloud/gcp' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "masterServiceAccount"
}'
Sample Response
{
"cloudType": "gcp",
"deploymentType": "global",
"accountType": "masterServiceAccount",
"licenseType": "ENTERPRISE",
"supportedFeatures": [
"Agentless Scanning",
"Auto Protect",
"Cloud Visibility Compliance and Governance",
"Remediation",
"Serverless Function Scanning"
]
}
2. Generate the Terraform Template
Generate the GCP Terraform Template by using the Generate and Download the GCP Terraform template API . The terraform template will include the necessary roles and custom role actions based on the selected features.
Save the generated json response and name the file as terraform.tf.json. You can create a directory for each Terraform template that you have download. This allows you to manage multiple templates if you add a different GCP Project on Prisma Cloud.
Sample Request and Response GCP Project
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/gcp_template' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "account",
"name": "<account-name-to-be-onboarded>",
"authenticationType": "service_account",
"features": [
"Agentless Scanning",
"Serverless Function Scanning",
"Auto Protect",
"Remediation"
],
"flowLogBucket": "<flowlog-bucket-name>",
"projectId": "<project-id>"
}'
Sample Response
{
"output": {
"user_instruction": {
"value": "Successfully Configured !!\n\n What to do next ?\n\t1. Please download the file ${local_file.key.filename}\n\nUse the downloaded JSON file and Proceed at Prisma Cloud UI"
}
},
"provider": {
"random": {},
"google": {}
},
"resource": {
"google_project_iam_member": {
"bind_managed_roles_to_project_iam_policy": {
"role": "${var.project_iam_policy_managed_roles[count.index]}",
"count": "${length(var.project_iam_policy_managed_roles)}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}",
"project": "${var.project_id}"
},
"bind_custom_role_to_project_iam_policy": {
"role": "projects/${var.project_id}/roles/${google_project_iam_custom_role.prisma_cloud_project_custom_role.role_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}",
"project": "${var.project_id}"
}
},
"random_string": {
"unique_id": {
"special": false,
"length": 5,
"min_lower": 5
}
},
"google_storage_bucket_iam_member": {
"prisma_cloud_service_account_binding_to_flowlogs_bucket": {
"bucket": "${var.flowlog_bucket_name}",
"role": "projects/${var.project_id}/roles/${google_project_iam_custom_role.prisma_cloud_custom_role_flowlog.role_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}"
}
},
"google_service_account": {
"prisma_cloud_service_account": {
"account_id": "prisma-cloud-serv-${random_string.unique_id.result}",
"project": "${var.project_id}",
"display_name": "Prisma Cloud Service Account"
}
},
"google_project_iam_custom_role": {
"prisma_cloud_custom_role_flowlog": {
"role_id": "prismaCloudFlowLogViewer${random_string.unique_id.result}",
"permissions": [
"storage.objects.get",
"storage.objects.list"
],
"project": "${var.project_id}",
"description": "This is a custom role created for Prisma Cloud. Contains granular permission which is needed for flow logs",
"title": "Prisma Cloud Flow Logs Viewer ${random_string.unique_id.result}"
},
"prisma_cloud_project_custom_role": {
"role_id": "prismaCloudViewer${random_string.unique_id.result}",
"permissions": "${var.project_iam_policy_custom_role_permissions}",
"project": "${var.project_id}",
"description": "This is a custom role created for Prisma Cloud. Contains granular additional permission which is not covered by built-in roles",
"title": "Prisma Cloud Viewer ${random_string.unique_id.result}"
}
},
"google_service_account_key": {
"prisma_cloud_service_account_key": {
"service_account_id": "${google_service_account.prisma_cloud_service_account.name}"
}
},
"google_project_service": {
"project_apis": {
"service": "${var.project_services[count.index]}",
"disable_on_destroy": false,
"count": "${length(var.project_services)}",
"project": "${var.project_id}"
}
},
"local_file": {
"key": {
"filename": "${var.project_id}-${random_string.unique_id.result}.json",
"content": "${base64decode(google_service_account_key.prisma_cloud_service_account_key.private_key)}"
}
}
},
"variable": {
"project_iam_policy_custom_role_permissions": {
"default": [
"autoscaling.sites.getIamPolicy",
"autoscaling.sites.readRecommendations",
"compute.acceleratorTypes.get",
"compute.acceleratorTypes.list",
"compute.addresses.get",
"compute.addresses.list",
"compute.autoscalers.get",
"compute.autoscalers.list",
"compute.backendBuckets.get",
"compute.backendBuckets.getIamPolicy",
"compute.backendBuckets.list",
"compute.backendServices.get",
"compute.backendServices.getIamPolicy",
"compute.backendServices.list",
"compute.commitments.get",
"compute.commitments.list",
"compute.diskTypes.get",
"compute.diskTypes.list",
"compute.disks.createSnapshot",
"compute.disks.get",
"compute.disks.getIamPolicy",
"compute.disks.list",
"compute.disks.listEffectiveTags",
"compute.disks.listTagBindings",
"compute.disks.useReadOnly",
"compute.externalVpnGateways.get",
"compute.externalVpnGateways.list",
"compute.firewallPolicies.get",
"compute.firewallPolicies.getIamPolicy",
"compute.firewallPolicies.list",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.forwardingRules.get",
"compute.forwardingRules.list",
"compute.globalAddresses.get",
"compute.globalAddresses.list",
"compute.globalForwardingRules.get",
"compute.globalForwardingRules.list",
"compute.globalForwardingRules.pscGet",
"compute.globalNetworkEndpointGroups.get",
"compute.globalNetworkEndpointGroups.list",
"compute.globalOperations.get",
"compute.globalOperations.getIamPolicy",
"compute.globalOperations.list",
"compute.globalPublicDelegatedPrefixes.get",
"compute.globalPublicDelegatedPrefixes.list",
"compute.healthChecks.get",
"compute.healthChecks.list",
"compute.healthChecks.useReadOnly",
"compute.httpHealthChecks.get",
"compute.httpHealthChecks.list",
"compute.httpHealthChecks.useReadOnly",
"compute.httpsHealthChecks.get",
"compute.httpsHealthChecks.list",
"compute.httpsHealthChecks.useReadOnly",
"compute.images.get",
"compute.images.getFromFamily",
"compute.images.getIamPolicy",
"compute.images.list",
"compute.images.listEffectiveTags",
"compute.images.listTagBindings",
"compute.images.useReadOnly",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.list",
"compute.instanceGroups.get",
"compute.instanceGroups.list",
"compute.instanceTemplates.get",
"compute.instanceTemplates.getIamPolicy",
"compute.instanceTemplates.list",
"compute.instanceTemplates.useReadOnly",
"compute.instances.get",
"compute.instances.getEffectiveFirewalls",
"compute.instances.getGuestAttributes",
"compute.instances.getIamPolicy",
"compute.instances.getScreenshot",
"compute.instances.getSerialPortOutput",
"compute.instances.getShieldedInstanceIdentity",
"compute.instances.getShieldedVmIdentity",
"compute.instances.list",
"compute.instances.listEffectiveTags",
"compute.instances.listReferrers",
"compute.instances.listTagBindings",
"compute.instances.useReadOnly",
"compute.interconnectAttachments.get",
"compute.interconnectAttachments.list",
"compute.interconnectLocations.get",
"compute.interconnectLocations.list",
"compute.interconnects.get",
"compute.interconnects.list",
"compute.licenseCodes.get",
"compute.licenseCodes.getIamPolicy",
"compute.licenseCodes.list",
"compute.licenses.get",
"compute.licenses.getIamPolicy",
"compute.licenses.list",
"compute.machineImages.get",
"compute.machineImages.getIamPolicy",
"compute.machineImages.list",
"compute.machineImages.useReadOnly",
"compute.machineTypes.get",
"compute.machineTypes.list",
"compute.maintenancePolicies.get",
"compute.maintenancePolicies.getIamPolicy",
"compute.maintenancePolicies.list",
"compute.networkAttachments.get",
"compute.networkAttachments.list",
"compute.networkEdgeSecurityServices.get",
"compute.networkEdgeSecurityServices.list",
"compute.networkEndpointGroups.get",
"compute.networkEndpointGroups.getIamPolicy",
"compute.networkEndpointGroups.list",
"compute.networks.get",
"compute.networks.getEffectiveFirewalls",
"compute.networks.getRegionEffectiveFirewalls",
"compute.networks.list",
"compute.networks.listPeeringRoutes",
"compute.nodeGroups.get",
"compute.nodeGroups.getIamPolicy",
"compute.nodeGroups.list",
"compute.nodeTemplates.get",
"compute.nodeTemplates.getIamPolicy",
"compute.nodeTemplates.list",
"compute.nodeTypes.get",
"compute.nodeTypes.list",
"compute.packetMirrorings.get",
"compute.packetMirrorings.list",
"compute.projects.get",
"compute.publicAdvertisedPrefixes.get",
"compute.publicAdvertisedPrefixes.list",
"compute.publicDelegatedPrefixes.get",
"compute.publicDelegatedPrefixes.list",
"compute.regionBackendServices.get",
"compute.regionBackendServices.getIamPolicy",
"compute.regionBackendServices.list",
"compute.regionFirewallPolicies.get",
"compute.regionFirewallPolicies.getIamPolicy",
"compute.regionFirewallPolicies.list",
"compute.regionHealthCheckServices.get",
"compute.regionHealthCheckServices.list",
"compute.regionHealthChecks.get",
"compute.regionHealthChecks.list",
"compute.regionHealthChecks.useReadOnly",
"compute.regionNetworkEndpointGroups.get",
"compute.regionNetworkEndpointGroups.list",
"compute.regionNotificationEndpoints.get",
"compute.regionNotificationEndpoints.list",
"compute.regionOperations.get",
"compute.regionOperations.getIamPolicy",
"compute.regionOperations.list",
"compute.regionSecurityPolicies.get",
"compute.regionSecurityPolicies.list",
"compute.regionSslCertificates.get",
"compute.regionSslCertificates.list",
"compute.regionSslPolicies.get",
"compute.regionSslPolicies.list",
"compute.regionSslPolicies.listAvailableFeatures",
"compute.regionTargetHttpProxies.get",
"compute.regionTargetHttpProxies.list",
"compute.regionTargetHttpsProxies.get",
"compute.regionTargetHttpsProxies.list",
"compute.regionTargetTcpProxies.get",
"compute.regionTargetTcpProxies.list",
"compute.regionUrlMaps.get",
"compute.regionUrlMaps.list",
"compute.regions.get",
"compute.regions.list",
"compute.reservations.get",
"compute.reservations.list",
"compute.resourcePolicies.get",
"compute.resourcePolicies.getIamPolicy",
"compute.resourcePolicies.list",
"compute.routers.get",
"compute.routers.list",
"compute.routes.get",
"compute.routes.list",
"compute.securityPolicies.get",
"compute.securityPolicies.getIamPolicy",
"compute.securityPolicies.list",
"compute.serviceAttachments.get",
"compute.serviceAttachments.getIamPolicy",
"compute.serviceAttachments.list",
"compute.snapshots.get",
"compute.snapshots.getIamPolicy",
"compute.snapshots.list",
"compute.snapshots.listEffectiveTags",
"compute.snapshots.listTagBindings",
"compute.sslCertificates.get",
"compute.sslCertificates.list",
"compute.sslPolicies.get",
"compute.sslPolicies.list",
"compute.sslPolicies.listAvailableFeatures",
"compute.subnetworks.get",
"compute.subnetworks.getIamPolicy",
"compute.subnetworks.list",
"compute.targetGrpcProxies.get",
"compute.targetGrpcProxies.list",
"compute.targetHttpProxies.get",
"compute.targetHttpProxies.list",
"compute.targetHttpsProxies.get",
"compute.targetHttpsProxies.list",
"compute.targetInstances.get",
"compute.targetInstances.list",
"compute.targetPools.get",
"compute.targetPools.list",
"compute.targetSslProxies.get",
"compute.targetSslProxies.list",
"compute.targetTcpProxies.get",
"compute.targetTcpProxies.list",
"compute.targetVpnGateways.get",
"compute.targetVpnGateways.list",
"compute.urlMaps.get",
"compute.urlMaps.list",
"compute.vpnGateways.get",
"compute.vpnGateways.list",
"compute.vpnTunnels.get",
"compute.vpnTunnels.list",
"compute.zoneOperations.get",
"compute.zoneOperations.getIamPolicy",
"compute.zoneOperations.list",
"compute.zones.get",
"compute.zones.list",
"bigquery.bireservations.get",
"bigquery.capacityCommitments.get",
"bigquery.capacityCommitments.list",
"bigquery.config.get",
"bigquery.connections.get",
"bigquery.connections.getIamPolicy",
"bigquery.connections.list",
"bigquery.dataPolicies.get",
"bigquery.dataPolicies.getIamPolicy",
"bigquery.dataPolicies.list",
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.datasets.listTagBindings",
"bigquery.jobs.get",
"bigquery.jobs.list",
"bigquery.jobs.listExecutionMetadata",
"bigquery.models.getData",
"bigquery.models.getMetadata",
"bigquery.models.list",
"bigquery.readsessions.getData",
"bigquery.reservationAssignments.list",
"bigquery.reservations.get",
"bigquery.reservations.list",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.rowAccessPolicies.getIamPolicy",
"bigquery.rowAccessPolicies.list",
"bigquery.savedqueries.get",
"bigquery.savedqueries.list",
"bigquery.tables.getIamPolicy",
"bigquery.transfers.get",
"cloudfunctions.functions.get",
"cloudfunctions.functions.getIamPolicy",
"cloudfunctions.functions.list",
"cloudfunctions.locations.get",
"cloudfunctions.locations.list",
"cloudfunctions.operations.get",
"cloudfunctions.operations.list",
"cloudfunctions.runtimes.list",
"dns.changes.get",
"dns.changes.list",
"dns.dnsKeys.get",
"dns.dnsKeys.list",
"dns.managedZoneOperations.get",
"dns.managedZoneOperations.list",
"dns.managedZones.get",
"dns.managedZones.getIamPolicy",
"dns.managedZones.list",
"dns.policies.get",
"dns.policies.getIamPolicy",
"dns.policies.list",
"dns.projects.get",
"dns.resourceRecordSets.get",
"dns.resourceRecordSets.list",
"dns.responsePolicies.get",
"dns.responsePolicies.list",
"dns.responsePolicyRules.get",
"dns.responsePolicyRules.list",
"cloudsql.backupRuns.get",
"cloudsql.backupRuns.list",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.instances.get",
"cloudsql.instances.list",
"cloudsql.instances.listEffectiveTags",
"cloudsql.instances.listServerCas",
"cloudsql.instances.listTagBindings",
"cloudsql.sslCerts.get",
"cloudsql.sslCerts.list",
"cloudsql.users.get",
"cloudsql.users.list",
"dataproc.agents.get",
"dataproc.agents.list",
"dataproc.autoscalingPolicies.get",
"dataproc.autoscalingPolicies.getIamPolicy",
"dataproc.autoscalingPolicies.list",
"dataproc.batches.get",
"dataproc.batches.list",
"dataproc.clusters.get",
"dataproc.clusters.getIamPolicy",
"dataproc.clusters.list",
"dataproc.jobs.get",
"dataproc.jobs.getIamPolicy",
"dataproc.jobs.list",
"dataproc.operations.get",
"dataproc.operations.getIamPolicy",
"dataproc.operations.list",
"dataproc.tasks.listInvalidatedLeases",
"dataproc.workflowTemplates.get",
"dataproc.workflowTemplates.getIamPolicy",
"dataproc.workflowTemplates.list",
"dataprocessing.datasources.get",
"dataprocessing.datasources.list",
"dataprocessing.featurecontrols.list",
"dataprocessing.groupcontrols.get",
"dataprocessing.groupcontrols.list",
"resourcemanager.hierarchyNodes.listEffectiveTags",
"resourcemanager.hierarchyNodes.listTagBindings",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.tagHolds.list",
"resourcemanager.tagKeys.get",
"resourcemanager.tagKeys.getIamPolicy",
"resourcemanager.tagKeys.list",
"resourcemanager.tagValues.get",
"resourcemanager.tagValues.getIamPolicy",
"resourcemanager.tagValues.list",
"container.apiServices.get",
"container.apiServices.getStatus",
"container.apiServices.list",
"container.auditSinks.get",
"container.auditSinks.list",
"container.backendConfigs.get",
"container.backendConfigs.list",
"container.bindings.get",
"container.bindings.list",
"container.certificateSigningRequests.get",
"container.certificateSigningRequests.getStatus",
"container.certificateSigningRequests.list",
"container.clusterRoleBindings.get",
"container.clusterRoleBindings.list",
"container.clusterRoles.get",
"container.clusterRoles.list",
"container.clusters.get",
"container.clusters.list",
"container.clusters.listEffectiveTags",
"container.clusters.listTagBindings",
"container.componentStatuses.get",
"container.componentStatuses.list",
"container.configMaps.get",
"container.configMaps.list",
"container.controllerRevisions.get",
"container.controllerRevisions.list",
"container.cronJobs.get",
"container.cronJobs.getStatus",
"container.cronJobs.list",
"container.csiDrivers.get",
"container.csiDrivers.list",
"container.csiNodeInfos.get",
"container.csiNodeInfos.list",
"container.csiNodes.get",
"container.csiNodes.list",
"container.customResourceDefinitions.get",
"container.customResourceDefinitions.getStatus",
"container.customResourceDefinitions.list",
"container.daemonSets.get",
"container.daemonSets.getStatus",
"container.daemonSets.list",
"container.deployments.get",
"container.deployments.getStatus",
"container.deployments.list",
"container.endpointSlices.get",
"container.endpointSlices.list",
"container.endpoints.get",
"container.endpoints.list",
"container.events.get",
"container.events.list",
"container.frontendConfigs.get",
"container.frontendConfigs.list",
"container.horizontalPodAutoscalers.get",
"container.horizontalPodAutoscalers.getStatus",
"container.horizontalPodAutoscalers.list",
"container.ingresses.get",
"container.ingresses.getStatus",
"container.ingresses.list",
"container.initializerConfigurations.get",
"container.initializerConfigurations.list",
"container.jobs.get",
"container.jobs.getStatus",
"container.jobs.list",
"container.leases.get",
"container.leases.list",
"container.limitRanges.get",
"container.limitRanges.list",
"container.localSubjectAccessReviews.list",
"container.managedCertificates.get",
"container.managedCertificates.list",
"container.mutatingWebhookConfigurations.get",
"container.mutatingWebhookConfigurations.list",
"container.namespaces.get",
"container.namespaces.getStatus",
"container.namespaces.list",
"container.networkPolicies.get",
"container.networkPolicies.list",
"container.nodes.get",
"container.nodes.getStatus",
"container.nodes.list",
"container.operations.get",
"container.operations.list",
"container.persistentVolumeClaims.get",
"container.persistentVolumeClaims.getStatus",
"container.persistentVolumeClaims.list",
"container.persistentVolumes.get",
"container.persistentVolumes.getStatus",
"container.persistentVolumes.list",
"container.petSets.get",
"container.petSets.list",
"container.podDisruptionBudgets.get",
"container.podDisruptionBudgets.getStatus",
"container.podDisruptionBudgets.list",
"container.podPresets.get",
"container.podPresets.list",
"container.podSecurityPolicies.get",
"container.podSecurityPolicies.list",
"container.podTemplates.get",
"container.podTemplates.list",
"container.pods.get",
"container.pods.getLogs",
"container.pods.getStatus",
"container.pods.list",
"container.priorityClasses.get",
"container.priorityClasses.list",
"container.replicaSets.get",
"container.replicaSets.getScale",
"container.replicaSets.getStatus",
"container.replicaSets.list",
"container.replicationControllers.get",
"container.replicationControllers.getScale",
"container.replicationControllers.getStatus",
"container.replicationControllers.list",
"container.resourceQuotas.get",
"container.resourceQuotas.getStatus",
"container.resourceQuotas.list",
"container.roleBindings.get",
"container.roleBindings.list",
"container.roles.get",
"container.roles.list",
"container.runtimeClasses.get",
"container.runtimeClasses.list",
"container.scheduledJobs.get",
"container.scheduledJobs.list",
"container.selfSubjectAccessReviews.list",
"container.serviceAccounts.get",
"container.serviceAccounts.list",
"container.services.get",
"container.services.getStatus",
"container.services.list",
"container.statefulSets.get",
"container.statefulSets.getScale",
"container.statefulSets.getStatus",
"container.statefulSets.list",
"container.storageClasses.get",
"container.storageClasses.list",
"container.storageStates.get",
"container.storageStates.getStatus",
"container.storageStates.list",
"container.storageVersionMigrations.get",
"container.storageVersionMigrations.getStatus",
"container.storageVersionMigrations.list",
"container.subjectAccessReviews.list",
"container.thirdPartyObjects.get",
"container.thirdPartyObjects.list",
"container.thirdPartyResources.get",
"container.thirdPartyResources.list",
"container.updateInfos.get",
"container.updateInfos.list",
"container.validatingWebhookConfigurations.get",
"container.validatingWebhookConfigurations.list",
"container.volumeAttachments.get",
"container.volumeAttachments.getStatus",
"container.volumeAttachments.list",
"container.volumeSnapshotClasses.get",
"container.volumeSnapshotClasses.list",
"container.volumeSnapshotContents.get",
"container.volumeSnapshotContents.getStatus",
"container.volumeSnapshotContents.list",
"container.volumeSnapshots.get",
"container.volumeSnapshots.getStatus",
"container.volumeSnapshots.list",
"redis.instances.get",
"redis.instances.list",
"redis.locations.get",
"redis.locations.list",
"redis.operations.get",
"redis.operations.list",
"storage.buckets.list",
"storage.buckets.listEffectiveTags",
"storage.buckets.listTagBindings",
"storage.hmacKeys.get",
"storage.hmacKeys.list",
"logging.buckets.get",
"logging.buckets.list",
"logging.cmekSettings.get",
"logging.exclusions.get",
"logging.exclusions.list",
"logging.links.get",
"logging.links.list",
"logging.locations.get",
"logging.locations.list",
"logging.logEntries.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list",
"logging.logs.list",
"logging.notificationRules.get",
"logging.notificationRules.list",
"logging.operations.get",
"logging.operations.list",
"logging.queries.get",
"logging.queries.list",
"logging.queries.listShared",
"logging.sinks.get",
"logging.sinks.list",
"logging.usage.get",
"logging.views.get",
"logging.views.list",
"logging.views.listLogs",
"logging.views.listResourceKeys",
"logging.views.listResourceValues",
"cloudscheduler.jobs.get",
"cloudscheduler.jobs.list",
"cloudscheduler.locations.get",
"cloudscheduler.locations.list",
"pubsub.schemas.get",
"pubsub.schemas.getIamPolicy",
"pubsub.schemas.list",
"pubsub.snapshots.get",
"pubsub.snapshots.list",
"pubsub.snapshots.seek",
"pubsub.subscriptions.get",
"pubsub.subscriptions.list",
"pubsub.topics.get",
"pubsub.topics.list",
"cloudkms.cryptoKeyVersions.get",
"cloudkms.cryptoKeyVersions.list",
"cloudkms.cryptoKeys.get",
"cloudkms.cryptoKeys.getIamPolicy",
"cloudkms.cryptoKeys.list",
"cloudkms.ekmConnections.get",
"cloudkms.ekmConnections.getIamPolicy",
"cloudkms.ekmConnections.list",
"cloudkms.importJobs.get",
"cloudkms.importJobs.getIamPolicy",
"cloudkms.importJobs.list",
"cloudkms.keyRings.get",
"cloudkms.keyRings.getIamPolicy",
"cloudkms.keyRings.list",
"cloudkms.keyRings.listEffectiveTags",
"cloudkms.keyRings.listTagBindings",
"cloudkms.locations.generateRandomBytes",
"cloudkms.locations.get",
"cloudkms.locations.list",
"iam.denypolicies.get",
"iam.denypolicies.list",
"iam.googleapis.com/workloadIdentityPoolProviders.get",
"iam.googleapis.com/workloadIdentityPoolProviders.list",
"iam.googleapis.com/workloadIdentityPools.get",
"iam.googleapis.com/workloadIdentityPools.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.dashboards.get",
"monitoring.dashboards.list",
"monitoring.groups.get",
"monitoring.groups.list",
"monitoring.metricDescriptors.get",
"monitoring.metricDescriptors.list",
"monitoring.monitoredResourceDescriptors.get",
"monitoring.monitoredResourceDescriptors.list",
"monitoring.notificationChannelDescriptors.get",
"monitoring.notificationChannelDescriptors.list",
"monitoring.notificationChannels.get",
"monitoring.notificationChannels.list",
"monitoring.publicWidgets.get",
"monitoring.publicWidgets.list",
"monitoring.services.get",
"monitoring.services.list",
"monitoring.slos.get",
"monitoring.slos.list",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.get",
"monitoring.uptimeCheckConfigs.list",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"pubsub.topics.getIamPolicy",
"pubsub.subscriptions.getIamPolicy",
"cloudsecurityscanner.scans.list",
"firebaserules.rulesets.get",
"clientauthconfig.clients.listWithSecrets",
"bigquery.tables.get",
"serviceusage.services.use",
"clouddeploy.config.get",
"clouddeploy.locations.list",
"clouddeploy.deliveryPipelines.list",
"clouddeploy.deliveryPipelines.getIamPolicy",
"clouddeploy.targets.list",
"clouddeploy.targets.getIamPolicy",
"analyticshub.dataExchanges.list",
"storage.objects.get",
"storage.objects.list",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"eventarc.channelConnections.get",
"eventarc.channelConnections.getIamPolicy",
"eventarc.channelConnections.list",
"eventarc.channels.get",
"eventarc.channels.getIamPolicy",
"eventarc.channels.list",
"eventarc.googleChannelConfigs.get",
"eventarc.locations.get",
"eventarc.locations.list",
"eventarc.operations.get",
"eventarc.operations.list",
"eventarc.providers.get",
"eventarc.providers.list",
"eventarc.triggers.get",
"eventarc.triggers.getIamPolicy",
"eventarc.triggers.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.runServiceIdentityInsights.get",
"recommender.runServiceIdentityInsights.list",
"recommender.runServiceIdentityRecommendations.get",
"recommender.runServiceIdentityRecommendations.list",
"recommender.runServiceSecurityInsights.get",
"recommender.runServiceSecurityInsights.list",
"recommender.runServiceSecurityRecommendations.get",
"recommender.runServiceSecurityRecommendations.list",
"remotebuildexecution.blobs.get",
"run.configurations.get",
"run.configurations.list",
"run.executions.get",
"run.executions.list",
"run.jobs.get",
"run.jobs.getIamPolicy",
"run.jobs.list",
"run.locations.list",
"run.operations.get",
"run.operations.list",
"run.revisions.get",
"run.revisions.list",
"run.routes.get",
"run.routes.list",
"run.services.get",
"run.services.getIamPolicy",
"run.services.list",
"run.services.listEffectiveTags",
"run.services.listTagBindings",
"run.tasks.get",
"run.tasks.list",
"serviceusage.quotas.get",
"serviceusage.services.get",
"serviceusage.services.list",
"osconfig.patchJobs.exec",
"osconfig.patchJobs.list",
"osconfig.patchJobs.get",
"storage.buckets.create",
"storage.buckets.delete",
"storage.objects.create",
"storage.objects.delete",
"compute.disks.create",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.networks.updatePolicy",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"artifactregistry.repositories.list",
"artifactregistry.repositories.get",
"artifactregistry.repositories.downloadArtifacts",
"artifactregistry.files.list",
"artifactregistry.files.get",
"artifactregistry.packages.list",
"artifactregistry.repositories.listTagBindings",
"artifactregistry.repositories.listEffectiveTags",
"artifactregistry.tags.list",
"artifactregistry.tags.get",
"artifactregistry.versions.list",
"artifactregistry.versions.get",
"compute.firewalls.update",
"storage.buckets.update",
"container.clusters.update",
"compute.subnetworks.update",
"storage.buckets.setIamPolicy",
"compute.subnetworks.setPrivateIpGoogleAccess",
"cloudfunctions.functions.sourceCodeGet",
"compute.instances.setLabels",
"compute.networks.create",
"compute.networks.delete",
"compute.snapshots.create",
"compute.snapshots.delete",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly",
"compute.subnetworks.create",
"compute.subnetworks.delete"
],
"type": "list"
},
"project_id": {
"default": "abc",
"type": "string"
},
"project_iam_policy_managed_roles": {
"default": [
"roles/viewer",
"roles/storage.objectViewer",
"roles/container.clusterViewer",
"roles/cloudfunctions.viewer",
"roles/storage.admin",
"roles/compute.networkAdmin"
],
"type": "list"
},
"flowlog_bucket_name": {
"default": "abc",
"type": "string"
},
"project_services": {
"default": [
"bigquery.googleapis.com",
"dns.googleapis.com",
"cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com",
"monitoring.googleapis.com",
"logging.googleapis.com",
"container.googleapis.com",
"iam.googleapis.com",
"storage-component.googleapis.com",
"sql-component.googleapis.com",
"compute.googleapis.com",
"redis.googleapis.com",
"cloudfunctions.googleapis.com",
"recommender.googleapis.com",
"dataproc.googleapis.com",
"bigtableadmin.googleapis.com",
"serviceusage.googleapis.com",
"appengine.googleapis.com",
"run.googleapis.com",
"pubsub.googleapis.com",
"spanner.googleapis.com",
"sourcerepo.googleapis.com",
"websecurityscanner.googleapis.com",
"binaryauthorization.googleapis.com",
"cloudtasks.googleapis.com",
"secretmanager.googleapis.com",
"healthcare.googleapis.com",
"file.googleapis.com",
"cloudasset.googleapis.com",
"firebaserules.googleapis.com",
"composer.googleapis.com",
"containeranalysis.googleapis.com",
"ml.googleapis.com",
"apigateway.googleapis.com",
"datafusion.googleapis.com",
"apikeys.googleapis.com",
"iap.googleapis.com",
"privateca.googleapis.com",
"accessapproval.googleapis.com",
"essentialcontacts.googleapis.com",
"servicedirectory.googleapis.com",
"orgpolicy.googleapis.com",
"managedidentities.googleapis.com",
"datacatalog.googleapis.com",
"securitycenter.googleapis.com",
"notebooks.googleapis.com",
"artifactregistry.googleapis.com",
"datastore.googleapis.com",
"networksecurity.googleapis.com",
"dlp.googleapis.com",
"firebaseremoteconfig.googleapis.com",
"clouddeploy.googleapis.com",
"analyticshub.googleapis.com",
"networkservices.googleapis.com",
"memcache.googleapis.com",
"networkconnectivity.googleapis.com",
"vpcaccess.googleapis.com"
],
"type": "list"
}
},
"terraform": {
"required_providers": {
"random": "~> 3.1",
"google-beta": "~> 3.90",
"google": "~> 3.90"
}
}
}
Sample Request and Response for GCP Organization
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/gcp_template' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "organization",
"name": "<account-name-to-be-onboarded>",
"authenticationType": "service_account",
"features": [
"Agentless Scanning",
"Auto Protect",
"Serverless Function Scanning",
"Remediation"
],
"flowLogBucket": "<flowlogs-storage-bucket-name>",
"orgId": "<organization-id>"
}'
Sample Response
{
"output": {
"user_instruction": {
"value": "Successfully Configured !!\n\n What to do next ?\n\t1. Please download the file ${local_file.key.filename}\n\nUse the downloaded JSON file and Proceed at Prisma Cloud UI"
}
},
"provider": {
"random": {},
"google": {}
},
"resource": {
"random_string": {
"unique_id": {
"special": false,
"length": 5,
"min_lower": 5
}
},
"google_storage_bucket_iam_member": {
"prisma_cloud_service_account_binding_to_flowlogs_bucket": {
"bucket": "${var.flowlog_bucket_name}",
"role": "projects/${var.project_id}/roles/${google_project_iam_custom_role.prisma_cloud_custom_role_flowlog.role_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}"
}
},
"google_service_account": {
"prisma_cloud_service_account": {
"account_id": "prisma-cloud-serv-${random_string.unique_id.result}",
"project": "${var.project_id}",
"display_name": "Prisma Cloud Service Account"
}
},
"google_organization_iam_custom_role": {
"prisma_cloud_organization_custom_role": {
"role_id": "prismaCloudViewer${random_string.unique_id.result}",
"org_id": "${var.org_id}",
"permissions": "${var.org_iam_policy_custom_role_permissions}",
"description": "This is a custom role created for Prisma Cloud. Contains granular additional permission which is not covered by built-in roles",
"title": "Prisma Cloud Viewer ${random_string.unique_id.result}"
}
},
"google_project_iam_custom_role": {
"prisma_cloud_custom_role_flowlog": {
"role_id": "prismaCloudFlowLogViewer${random_string.unique_id.result}",
"permissions": [
"storage.objects.get",
"storage.objects.list"
],
"project": "${var.project_id}",
"description": "This is a custom role created for Prisma Cloud. Contains granular permission which is needed for flow logs",
"title": "Prisma Cloud Flow Logs Viewer ${random_string.unique_id.result}"
}
},
"google_service_account_key": {
"prisma_cloud_service_account_key": {
"service_account_id": "${google_service_account.prisma_cloud_service_account.name}"
}
},
"google_project_service": {
"project_apis": {
"service": "${var.project_services[count.index]}",
"disable_on_destroy": false,
"count": "${length(var.project_services)}",
"project": "${var.project_id}"
},
"org_onboarding_apis": {
"service": "${var.org_services[count.index]}",
"count": "${length(var.org_services)}",
"project": "${var.project_id}"
}
},
"local_file": {
"key": {
"filename": "${var.project_id}-${random_string.unique_id.result}.json",
"content": "${base64decode(google_service_account_key.prisma_cloud_service_account_key.private_key)}"
}
},
"google_organization_iam_member": {
"bind_custom_role_to_org_iam_policy": {
"role": "organizations/${var.org_id}/roles/${google_organization_iam_custom_role.prisma_cloud_organization_custom_role.role_id}",
"org_id": "${var.org_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}"
},
"bind_managed_roles_to_org_iam_policy": {
"role": "${var.org_iam_policy_managed_roles[count.index]}",
"org_id": "${var.org_id}",
"count": "${length(var.org_iam_policy_managed_roles)}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}"
}
}
},
"variable": {
"project_id": {
"type": "string"
},
"org_id": {
"default": "org_id",
"type": "string"
},
"org_iam_policy_managed_roles": {
"default": [
"roles/viewer",
"roles/iam.organizationRoleViewer",
"roles/resourcemanager.folderViewer",
"roles/storage.objectViewer",
"roles/container.clusterViewer",
"roles/cloudfunctions.viewer",
"roles/storage.admin",
"roles/compute.networkAdmin"
],
"type": "list"
},
"org_iam_policy_custom_role_permissions": {
"default": [
"autoscaling.sites.getIamPolicy",
"autoscaling.sites.readRecommendations",
"compute.acceleratorTypes.get",
"compute.acceleratorTypes.list",
"compute.addresses.get",
"compute.addresses.list",
"compute.autoscalers.get",
"compute.autoscalers.list",
"compute.backendBuckets.get",
"compute.backendBuckets.getIamPolicy",
"compute.backendBuckets.list",
"compute.backendServices.get",
"compute.backendServices.getIamPolicy",
"compute.backendServices.list",
"compute.commitments.get",
"compute.commitments.list",
"compute.diskTypes.get",
"compute.diskTypes.list",
"compute.disks.createSnapshot",
"compute.disks.get",
"compute.disks.getIamPolicy",
"compute.disks.list",
"compute.disks.listEffectiveTags",
"compute.disks.listTagBindings",
"compute.disks.useReadOnly",
"compute.externalVpnGateways.get",
"compute.externalVpnGateways.list",
"compute.firewallPolicies.get",
"compute.firewallPolicies.getIamPolicy",
"compute.firewallPolicies.list",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.forwardingRules.get",
"compute.forwardingRules.list",
"compute.globalAddresses.get",
"compute.globalAddresses.list",
"compute.globalForwardingRules.get",
"compute.globalForwardingRules.list",
"compute.globalForwardingRules.pscGet",
"compute.globalNetworkEndpointGroups.get",
"compute.globalNetworkEndpointGroups.list",
"compute.globalOperations.get",
"compute.globalOperations.getIamPolicy",
"compute.globalOperations.list",
"compute.globalPublicDelegatedPrefixes.get",
"compute.globalPublicDelegatedPrefixes.list",
"compute.healthChecks.get",
"compute.healthChecks.list",
"compute.healthChecks.useReadOnly",
"compute.httpHealthChecks.get",
"compute.httpHealthChecks.list",
"compute.httpHealthChecks.useReadOnly",
"compute.httpsHealthChecks.get",
"compute.httpsHealthChecks.list",
"compute.httpsHealthChecks.useReadOnly",
"compute.images.get",
"compute.images.getFromFamily",
"compute.images.getIamPolicy",
"compute.images.list",
"compute.images.listEffectiveTags",
"compute.images.listTagBindings",
"compute.images.useReadOnly",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.list",
"compute.instanceGroups.get",
"compute.instanceGroups.list",
"compute.instanceTemplates.get",
"compute.instanceTemplates.getIamPolicy",
"compute.instanceTemplates.list",
"compute.instanceTemplates.useReadOnly",
"compute.instances.get",
"compute.instances.getEffectiveFirewalls",
"compute.instances.getGuestAttributes",
"compute.instances.getIamPolicy",
"compute.instances.getScreenshot",
"compute.instances.getSerialPortOutput",
"compute.instances.getShieldedInstanceIdentity",
"compute.instances.getShieldedVmIdentity",
"compute.instances.list",
"compute.instances.listEffectiveTags",
"compute.instances.listReferrers",
"compute.instances.listTagBindings",
"compute.instances.useReadOnly",
"compute.interconnectAttachments.get",
"compute.interconnectAttachments.list",
"compute.interconnectLocations.get",
"compute.interconnectLocations.list",
"compute.interconnects.get",
"compute.interconnects.list",
"compute.licenseCodes.get",
"compute.licenseCodes.getIamPolicy",
"compute.licenseCodes.list",
"compute.licenses.get",
"compute.licenses.getIamPolicy",
"compute.licenses.list",
"compute.machineImages.get",
"compute.machineImages.getIamPolicy",
"compute.machineImages.list",
"compute.machineImages.useReadOnly",
"compute.machineTypes.get",
"compute.machineTypes.list",
"compute.maintenancePolicies.get",
"compute.maintenancePolicies.getIamPolicy",
"compute.maintenancePolicies.list",
"compute.networkAttachments.get",
"compute.networkAttachments.list",
"compute.networkEdgeSecurityServices.get",
"compute.networkEdgeSecurityServices.list",
"compute.networkEndpointGroups.get",
"compute.networkEndpointGroups.getIamPolicy",
"compute.networkEndpointGroups.list",
"compute.networks.get",
"compute.networks.getEffectiveFirewalls",
"compute.networks.getRegionEffectiveFirewalls",
"compute.networks.list",
"compute.networks.listPeeringRoutes",
"compute.nodeGroups.get",
"compute.nodeGroups.getIamPolicy",
"compute.nodeGroups.list",
"compute.nodeTemplates.get",
"compute.nodeTemplates.getIamPolicy",
"compute.nodeTemplates.list",
"compute.nodeTypes.get",
"compute.nodeTypes.list",
"compute.organizations.listAssociations",
"compute.packetMirrorings.get",
"compute.packetMirrorings.list",
"compute.projects.get",
"compute.publicAdvertisedPrefixes.get",
"compute.publicAdvertisedPrefixes.list",
"compute.publicDelegatedPrefixes.get",
"compute.publicDelegatedPrefixes.list",
"compute.regionBackendServices.get",
"compute.regionBackendServices.getIamPolicy",
"compute.regionBackendServices.list",
"compute.regionFirewallPolicies.get",
"compute.regionFirewallPolicies.getIamPolicy",
"compute.regionFirewallPolicies.list",
"compute.regionHealthCheckServices.get",
"compute.regionHealthCheckServices.list",
"compute.regionHealthChecks.get",
"compute.regionHealthChecks.list",
"compute.regionHealthChecks.useReadOnly",
"compute.regionNetworkEndpointGroups.get",
"compute.regionNetworkEndpointGroups.list",
"compute.regionNotificationEndpoints.get",
"compute.regionNotificationEndpoints.list",
"compute.regionOperations.get",
"compute.regionOperations.getIamPolicy",
"compute.regionOperations.list",
"compute.regionSecurityPolicies.get",
"compute.regionSecurityPolicies.list",
"compute.regionSslCertificates.get",
"compute.regionSslCertificates.list",
"compute.regionSslPolicies.get",
"compute.regionSslPolicies.list",
"compute.regionSslPolicies.listAvailableFeatures",
"compute.regionTargetHttpProxies.get",
"compute.regionTargetHttpProxies.list",
"compute.regionTargetHttpsProxies.get",
"compute.regionTargetHttpsProxies.list",
"compute.regionTargetTcpProxies.get",
"compute.regionTargetTcpProxies.list",
"compute.regionUrlMaps.get",
"compute.regionUrlMaps.list",
"compute.regions.get",
"compute.regions.list",
"compute.reservations.get",
"compute.reservations.list",
"compute.resourcePolicies.get",
"compute.resourcePolicies.getIamPolicy",
"compute.resourcePolicies.list",
"compute.routers.get",
"compute.routers.list",
"compute.routes.get",
"compute.routes.list",
"compute.securityPolicies.get",
"compute.securityPolicies.getIamPolicy",
"compute.securityPolicies.list",
"compute.serviceAttachments.get",
"compute.serviceAttachments.getIamPolicy",
"compute.serviceAttachments.list",
"compute.snapshots.get",
"compute.snapshots.getIamPolicy",
"compute.snapshots.list",
"compute.snapshots.listEffectiveTags",
"compute.snapshots.listTagBindings",
"compute.sslCertificates.get",
"compute.sslCertificates.list",
"compute.sslPolicies.get",
"compute.sslPolicies.list",
"compute.sslPolicies.listAvailableFeatures",
"compute.subnetworks.get",
"compute.subnetworks.getIamPolicy",
"compute.subnetworks.list",
"compute.targetGrpcProxies.get",
"compute.targetGrpcProxies.list",
"compute.targetHttpProxies.get",
"compute.targetHttpProxies.list",
"compute.targetHttpsProxies.get",
"compute.targetHttpsProxies.list",
"compute.targetInstances.get",
"compute.targetInstances.list",
"compute.targetPools.get",
"compute.targetPools.list",
"compute.targetSslProxies.get",
"compute.targetSslProxies.list",
"compute.targetTcpProxies.get",
"compute.targetTcpProxies.list",
"compute.targetVpnGateways.get",
"compute.targetVpnGateways.list",
"compute.urlMaps.get",
"compute.urlMaps.list",
"compute.vpnGateways.get",
"compute.vpnGateways.list",
"compute.vpnTunnels.get",
"compute.vpnTunnels.list",
"compute.zoneOperations.get",
"compute.zoneOperations.getIamPolicy",
"compute.zoneOperations.list",
"compute.zones.get",
"compute.zones.list",
"bigquery.bireservations.get",
"bigquery.capacityCommitments.get",
"bigquery.capacityCommitments.list",
"bigquery.config.get",
"bigquery.connections.get",
"bigquery.connections.getIamPolicy",
"bigquery.connections.list",
"bigquery.dataPolicies.get",
"bigquery.dataPolicies.getIamPolicy",
"bigquery.dataPolicies.list",
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.datasets.listTagBindings",
"bigquery.jobs.get",
"bigquery.jobs.list",
"bigquery.jobs.listExecutionMetadata",
"bigquery.models.getData",
"bigquery.models.getMetadata",
"bigquery.models.list",
"bigquery.readsessions.getData",
"bigquery.reservationAssignments.list",
"bigquery.reservations.get",
"bigquery.reservations.list",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.rowAccessPolicies.getIamPolicy",
"bigquery.rowAccessPolicies.list",
"bigquery.savedqueries.get",
"bigquery.savedqueries.list",
"bigquery.tables.getIamPolicy",
"bigquery.transfers.get",
"cloudfunctions.functions.get",
"cloudfunctions.functions.getIamPolicy",
"cloudfunctions.functions.list",
"cloudfunctions.locations.get",
"cloudfunctions.locations.list",
"cloudfunctions.operations.get",
"cloudfunctions.operations.list",
"cloudfunctions.runtimes.list",
"dns.changes.get",
"dns.changes.list",
"dns.dnsKeys.get",
"dns.dnsKeys.list",
"dns.managedZoneOperations.get",
"dns.managedZoneOperations.list",
"dns.managedZones.get",
"dns.managedZones.getIamPolicy",
"dns.managedZones.list",
"dns.policies.get",
"dns.policies.getIamPolicy",
"dns.policies.list",
"dns.projects.get",
"dns.resourceRecordSets.get",
"dns.resourceRecordSets.list",
"dns.responsePolicies.get",
"dns.responsePolicies.list",
"dns.responsePolicyRules.get",
"dns.responsePolicyRules.list",
"cloudsql.backupRuns.get",
"cloudsql.backupRuns.list",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.instances.get",
"cloudsql.instances.list",
"cloudsql.instances.listEffectiveTags",
"cloudsql.instances.listServerCas",
"cloudsql.instances.listTagBindings",
"cloudsql.sslCerts.get",
"cloudsql.sslCerts.list",
"cloudsql.users.get",
"cloudsql.users.list",
"dataproc.agents.get",
"dataproc.agents.list",
"dataproc.autoscalingPolicies.get",
"dataproc.autoscalingPolicies.getIamPolicy",
"dataproc.autoscalingPolicies.list",
"dataproc.batches.get",
"dataproc.batches.list",
"dataproc.clusters.get",
"dataproc.clusters.getIamPolicy",
"dataproc.clusters.list",
"dataproc.jobs.get",
"dataproc.jobs.getIamPolicy",
"dataproc.jobs.list",
"dataproc.operations.get",
"dataproc.operations.getIamPolicy",
"dataproc.operations.list",
"dataproc.tasks.listInvalidatedLeases",
"dataproc.workflowTemplates.get",
"dataproc.workflowTemplates.getIamPolicy",
"dataproc.workflowTemplates.list",
"dataprocessing.datasources.get",
"dataprocessing.datasources.list",
"dataprocessing.featurecontrols.list",
"dataprocessing.groupcontrols.get",
"dataprocessing.groupcontrols.list",
"resourcemanager.hierarchyNodes.listEffectiveTags",
"resourcemanager.hierarchyNodes.listTagBindings",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.tagHolds.list",
"resourcemanager.tagKeys.get",
"resourcemanager.tagKeys.getIamPolicy",
"resourcemanager.tagKeys.list",
"resourcemanager.tagValues.get",
"resourcemanager.tagValues.getIamPolicy",
"resourcemanager.tagValues.list",
"container.apiServices.get",
"container.apiServices.getStatus",
"container.apiServices.list",
"container.auditSinks.get",
"container.auditSinks.list",
"container.backendConfigs.get",
"container.backendConfigs.list",
"container.bindings.get",
"container.bindings.list",
"container.certificateSigningRequests.get",
"container.certificateSigningRequests.getStatus",
"container.certificateSigningRequests.list",
"container.clusterRoleBindings.get",
"container.clusterRoleBindings.list",
"container.clusterRoles.get",
"container.clusterRoles.list",
"container.clusters.get",
"container.clusters.list",
"container.clusters.listEffectiveTags",
"container.clusters.listTagBindings",
"container.componentStatuses.get",
"container.componentStatuses.list",
"container.configMaps.get",
"container.configMaps.list",
"container.controllerRevisions.get",
"container.controllerRevisions.list",
"container.cronJobs.get",
"container.cronJobs.getStatus",
"container.cronJobs.list",
"container.csiDrivers.get",
"container.csiDrivers.list",
"container.csiNodeInfos.get",
"container.csiNodeInfos.list",
"container.csiNodes.get",
"container.csiNodes.list",
"container.customResourceDefinitions.get",
"container.customResourceDefinitions.getStatus",
"container.customResourceDefinitions.list",
"container.daemonSets.get",
"container.daemonSets.getStatus",
"container.daemonSets.list",
"container.deployments.get",
"container.deployments.getStatus",
"container.deployments.list",
"container.endpointSlices.get",
"container.endpointSlices.list",
"container.endpoints.get",
"container.endpoints.list",
"container.events.get",
"container.events.list",
"container.frontendConfigs.get",
"container.frontendConfigs.list",
"container.horizontalPodAutoscalers.get",
"container.horizontalPodAutoscalers.getStatus",
"container.horizontalPodAutoscalers.list",
"container.ingresses.get",
"container.ingresses.getStatus",
"container.ingresses.list",
"container.initializerConfigurations.get",
"container.initializerConfigurations.list",
"container.jobs.get",
"container.jobs.getStatus",
"container.jobs.list",
"container.leases.get",
"container.leases.list",
"container.limitRanges.get",
"container.limitRanges.list",
"container.localSubjectAccessReviews.list",
"container.managedCertificates.get",
"container.managedCertificates.list",
"container.mutatingWebhookConfigurations.get",
"container.mutatingWebhookConfigurations.list",
"container.namespaces.get",
"container.namespaces.getStatus",
"container.namespaces.list",
"container.networkPolicies.get",
"container.networkPolicies.list",
"container.nodes.get",
"container.nodes.getStatus",
"container.nodes.list",
"container.operations.get",
"container.operations.list",
"container.persistentVolumeClaims.get",
"container.persistentVolumeClaims.getStatus",
"container.persistentVolumeClaims.list",
"container.persistentVolumes.get",
"container.persistentVolumes.getStatus",
"container.persistentVolumes.list",
"container.petSets.get",
"container.petSets.list",
"container.podDisruptionBudgets.get",
"container.podDisruptionBudgets.getStatus",
"container.podDisruptionBudgets.list",
"container.podPresets.get",
"container.podPresets.list",
"container.podSecurityPolicies.get",
"container.podSecurityPolicies.list",
"container.podTemplates.get",
"container.podTemplates.list",
"container.pods.get",
"container.pods.getLogs",
"container.pods.getStatus",
"container.pods.list",
"container.priorityClasses.get",
"container.priorityClasses.list",
"container.replicaSets.get",
"container.replicaSets.getScale",
"container.replicaSets.getStatus",
"container.replicaSets.list",
"container.replicationControllers.get",
"container.replicationControllers.getScale",
"container.replicationControllers.getStatus",
"container.replicationControllers.list",
"container.resourceQuotas.get",
"container.resourceQuotas.getStatus",
"container.resourceQuotas.list",
"container.roleBindings.get",
"container.roleBindings.list",
"container.roles.get",
"container.roles.list",
"container.runtimeClasses.get",
"container.runtimeClasses.list",
"container.scheduledJobs.get",
"container.scheduledJobs.list",
"container.selfSubjectAccessReviews.list",
"container.serviceAccounts.get",
"container.serviceAccounts.list",
"container.services.get",
"container.services.getStatus",
"container.services.list",
"container.statefulSets.get",
"container.statefulSets.getScale",
"container.statefulSets.getStatus",
"container.statefulSets.list",
"container.storageClasses.get",
"container.storageClasses.list",
"container.storageStates.get",
"container.storageStates.getStatus",
"container.storageStates.list",
"container.storageVersionMigrations.get",
"container.storageVersionMigrations.getStatus",
"container.storageVersionMigrations.list",
"container.subjectAccessReviews.list",
"container.thirdPartyObjects.get",
"container.thirdPartyObjects.list",
"container.thirdPartyResources.get",
"container.thirdPartyResources.list",
"container.updateInfos.get",
"container.updateInfos.list",
"container.validatingWebhookConfigurations.get",
"container.validatingWebhookConfigurations.list",
"container.volumeAttachments.get",
"container.volumeAttachments.getStatus",
"container.volumeAttachments.list",
"container.volumeSnapshotClasses.get",
"container.volumeSnapshotClasses.list",
"container.volumeSnapshotContents.get",
"container.volumeSnapshotContents.getStatus",
"container.volumeSnapshotContents.list",
"container.volumeSnapshots.get",
"container.volumeSnapshots.getStatus",
"container.volumeSnapshots.list",
"redis.instances.get",
"redis.instances.list",
"redis.locations.get",
"redis.locations.list",
"redis.operations.get",
"redis.operations.list",
"storage.buckets.list",
"storage.buckets.listEffectiveTags",
"storage.buckets.listTagBindings",
"storage.hmacKeys.get",
"storage.hmacKeys.list",
"logging.buckets.get",
"logging.buckets.list",
"logging.cmekSettings.get",
"logging.exclusions.get",
"logging.exclusions.list",
"logging.links.get",
"logging.links.list",
"logging.locations.get",
"logging.locations.list",
"logging.logEntries.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list",
"logging.logs.list",
"logging.notificationRules.get",
"logging.notificationRules.list",
"logging.operations.get",
"logging.operations.list",
"logging.queries.get",
"logging.queries.list",
"logging.queries.listShared",
"logging.sinks.get",
"logging.sinks.list",
"logging.usage.get",
"logging.views.get",
"logging.views.list",
"logging.views.listLogs",
"logging.views.listResourceKeys",
"logging.views.listResourceValues",
"cloudscheduler.jobs.get",
"cloudscheduler.jobs.list",
"cloudscheduler.locations.get",
"cloudscheduler.locations.list",
"pubsub.schemas.get",
"pubsub.schemas.getIamPolicy",
"pubsub.schemas.list",
"pubsub.snapshots.get",
"pubsub.snapshots.list",
"pubsub.snapshots.seek",
"pubsub.subscriptions.get",
"pubsub.subscriptions.list",
"pubsub.topics.get",
"pubsub.topics.list",
"cloudkms.cryptoKeyVersions.get",
"cloudkms.cryptoKeyVersions.list",
"cloudkms.cryptoKeys.get",
"cloudkms.cryptoKeys.getIamPolicy",
"cloudkms.cryptoKeys.list",
"cloudkms.ekmConnections.get",
"cloudkms.ekmConnections.getIamPolicy",
"cloudkms.ekmConnections.list",
"cloudkms.importJobs.get",
"cloudkms.importJobs.getIamPolicy",
"cloudkms.importJobs.list",
"cloudkms.keyRings.get",
"cloudkms.keyRings.getIamPolicy",
"cloudkms.keyRings.list",
"cloudkms.keyRings.listEffectiveTags",
"cloudkms.keyRings.listTagBindings",
"cloudkms.locations.generateRandomBytes",
"cloudkms.locations.get",
"cloudkms.locations.list",
"iam.denypolicies.get",
"iam.denypolicies.list",
"iam.googleapis.com/workforcePoolProviders.get",
"iam.googleapis.com/workforcePoolProviders.list",
"iam.googleapis.com/workforcePools.get",
"iam.googleapis.com/workforcePools.getIamPolicy",
"iam.googleapis.com/workforcePools.list",
"iam.googleapis.com/workloadIdentityPoolProviders.get",
"iam.googleapis.com/workloadIdentityPoolProviders.list",
"iam.googleapis.com/workloadIdentityPools.get",
"iam.googleapis.com/workloadIdentityPools.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.dashboards.get",
"monitoring.dashboards.list",
"monitoring.groups.get",
"monitoring.groups.list",
"monitoring.metricDescriptors.get",
"monitoring.metricDescriptors.list",
"monitoring.monitoredResourceDescriptors.get",
"monitoring.monitoredResourceDescriptors.list",
"monitoring.notificationChannelDescriptors.get",
"monitoring.notificationChannelDescriptors.list",
"monitoring.notificationChannels.get",
"monitoring.notificationChannels.list",
"monitoring.publicWidgets.get",
"monitoring.publicWidgets.list",
"monitoring.services.get",
"monitoring.services.list",
"monitoring.slos.get",
"monitoring.slos.list",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.get",
"monitoring.uptimeCheckConfigs.list",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"pubsub.topics.getIamPolicy",
"pubsub.subscriptions.getIamPolicy",
"cloudsecurityscanner.scans.list",
"firebaserules.rulesets.get",
"clientauthconfig.clients.listWithSecrets",
"resourcemanager.folders.getIamPolicy",
"bigquery.tables.get",
"serviceusage.services.use",
"clouddeploy.config.get",
"clouddeploy.locations.list",
"clouddeploy.deliveryPipelines.list",
"clouddeploy.deliveryPipelines.getIamPolicy",
"clouddeploy.targets.list",
"clouddeploy.targets.getIamPolicy",
"analyticshub.dataExchanges.list",
"storage.objects.get",
"storage.objects.list",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"eventarc.channelConnections.get",
"eventarc.channelConnections.getIamPolicy",
"eventarc.channelConnections.list",
"eventarc.channels.get",
"eventarc.channels.getIamPolicy",
"eventarc.channels.list",
"eventarc.googleChannelConfigs.get",
"eventarc.locations.get",
"eventarc.locations.list",
"eventarc.operations.get",
"eventarc.operations.list",
"eventarc.providers.get",
"eventarc.providers.list",
"eventarc.triggers.get",
"eventarc.triggers.getIamPolicy",
"eventarc.triggers.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.runServiceIdentityInsights.get",
"recommender.runServiceIdentityInsights.list",
"recommender.runServiceIdentityRecommendations.get",
"recommender.runServiceIdentityRecommendations.list",
"recommender.runServiceSecurityInsights.get",
"recommender.runServiceSecurityInsights.list",
"recommender.runServiceSecurityRecommendations.get",
"recommender.runServiceSecurityRecommendations.list",
"remotebuildexecution.blobs.get",
"run.configurations.get",
"run.configurations.list",
"run.executions.get",
"run.executions.list",
"run.jobs.get",
"run.jobs.getIamPolicy",
"run.jobs.list",
"run.locations.list",
"run.operations.get",
"run.operations.list",
"run.revisions.get",
"run.revisions.list",
"run.routes.get",
"run.routes.list",
"run.services.get",
"run.services.getIamPolicy",
"run.services.list",
"run.services.listEffectiveTags",
"run.services.listTagBindings",
"run.tasks.get",
"run.tasks.list",
"serviceusage.quotas.get",
"serviceusage.services.get",
"serviceusage.services.list",
"osconfig.patchJobs.exec",
"osconfig.patchJobs.list",
"osconfig.patchJobs.get",
"storage.buckets.create",
"storage.buckets.delete",
"storage.objects.create",
"storage.objects.delete",
"compute.disks.create",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.networks.updatePolicy",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"artifactregistry.repositories.list",
"artifactregistry.repositories.get",
"artifactregistry.repositories.downloadArtifacts",
"artifactregistry.files.list",
"artifactregistry.files.get",
"artifactregistry.packages.list",
"artifactregistry.repositories.listTagBindings",
"artifactregistry.repositories.listEffectiveTags",
"artifactregistry.tags.list",
"artifactregistry.tags.get",
"artifactregistry.versions.list",
"artifactregistry.versions.get",
"compute.firewalls.update",
"storage.buckets.update",
"container.clusters.update",
"compute.subnetworks.update",
"storage.buckets.setIamPolicy",
"compute.subnetworks.setPrivateIpGoogleAccess",
"cloudfunctions.functions.sourceCodeGet",
"compute.instances.setLabels",
"compute.snapshots.create",
"compute.snapshots.delete",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly",
"compute.networks.create",
"compute.networks.delete",
"compute.subnetworks.create",
"compute.subnetworks.delete"
],
"type": "list"
},
"org_services": {
"default": [
"accesscontextmanager.googleapis.com"
],
"type": "list"
},
"flowlog_bucket_name": {
"default": "flowlogs-storage-bucket-name",
"type": "string"
},
"project_services": {
"default": [
"bigquery.googleapis.com",
"dns.googleapis.com",
"cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com",
"monitoring.googleapis.com",
"logging.googleapis.com",
"container.googleapis.com",
"iam.googleapis.com",
"storage-component.googleapis.com",
"sql-component.googleapis.com",
"compute.googleapis.com",
"redis.googleapis.com",
"cloudfunctions.googleapis.com",
"recommender.googleapis.com",
"dataproc.googleapis.com",
"bigtableadmin.googleapis.com",
"serviceusage.googleapis.com",
"appengine.googleapis.com",
"run.googleapis.com",
"pubsub.googleapis.com",
"spanner.googleapis.com",
"sourcerepo.googleapis.com",
"websecurityscanner.googleapis.com",
"binaryauthorization.googleapis.com",
"cloudtasks.googleapis.com",
"secretmanager.googleapis.com",
"healthcare.googleapis.com",
"file.googleapis.com",
"cloudasset.googleapis.com",
"firebaserules.googleapis.com",
"composer.googleapis.com",
"containeranalysis.googleapis.com",
"ml.googleapis.com",
"apigateway.googleapis.com",
"datafusion.googleapis.com",
"apikeys.googleapis.com",
"iap.googleapis.com",
"privateca.googleapis.com",
"accessapproval.googleapis.com",
"essentialcontacts.googleapis.com",
"servicedirectory.googleapis.com",
"orgpolicy.googleapis.com",
"managedidentities.googleapis.com",
"datacatalog.googleapis.com",
"securitycenter.googleapis.com",
"notebooks.googleapis.com",
"artifactregistry.googleapis.com",
"datastore.googleapis.com",
"networksecurity.googleapis.com",
"dlp.googleapis.com",
"firebaseremoteconfig.googleapis.com",
"clouddeploy.googleapis.com",
"analyticshub.googleapis.com",
"networkservices.googleapis.com",
"memcache.googleapis.com",
"networkconnectivity.googleapis.com",
"vpcaccess.googleapis.com"
],
"type": "list"
}
},
"terraform": {
"required_providers": {
"random": "~> 3.1",
"google-beta": "~> 3.90",
"google": "~> 3.90"
}
}
}
Sample Request and Response for Master Service Account
Sample Request
curl --request POST 'https://api.prismacloud.io/cas/v1/gcp_template' \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"accountType": "masterServiceAccount",
"name": "<account-name-to-be-onboarded>",
"authenticationType": "service_account",
"features": [
"Agentless Scanning",
"Serverless Function Scanning",
"Auto Protect",
"Remediation"
],
"flowLogBucket": "<flowlog-bucket-name>",
"projectId": "<project-id>"
}'
Sample Response
{
"output": {
"user_instruction": {
"value": "Successfully Configured !!\n\n What to do next ?\n\t1. Please download the file ${local_file.key.filename}\n\nUse the downloaded JSON file and Proceed at Prisma Cloud UI"
}
},
"provider": {
"random": {},
"google": {}
},
"resource": {
"google_project_iam_member": {
"bind_managed_roles_to_project_iam_policy": {
"role": "${var.project_iam_policy_managed_roles[count.index]}",
"count": "${length(var.project_iam_policy_managed_roles)}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}",
"project": "${var.project_id}"
},
"bind_custom_role_to_project_iam_policy": {
"role": "projects/${var.project_id}/roles/${google_project_iam_custom_role.prisma_cloud_project_custom_role.role_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}",
"project": "${var.project_id}"
}
},
"random_string": {
"unique_id": {
"special": false,
"length": 5,
"min_lower": 5
}
},
"google_storage_bucket_iam_member": {
"prisma_cloud_service_account_binding_to_flowlogs_bucket": {
"bucket": "${var.flowlog_bucket_name}",
"role": "projects/${var.project_id}/roles/${google_project_iam_custom_role.prisma_cloud_custom_role_flowlog.role_id}",
"member": "serviceAccount:${google_service_account.prisma_cloud_service_account.email}"
}
},
"google_service_account": {
"prisma_cloud_service_account": {
"account_id": "prisma-cloud-serv-${random_string.unique_id.result}",
"project": "${var.project_id}",
"display_name": "Prisma Cloud Service Account"
}
},
"google_project_iam_custom_role": {
"prisma_cloud_custom_role_flowlog": {
"role_id": "prismaCloudFlowLogViewer${random_string.unique_id.result}",
"permissions": [
"storage.objects.get",
"storage.objects.list"
],
"project": "${var.project_id}",
"description": "This is a custom role created for Prisma Cloud. Contains granular permission which is needed for flow logs",
"title": "Prisma Cloud Flow Logs Viewer ${random_string.unique_id.result}"
},
"prisma_cloud_project_custom_role": {
"role_id": "prismaCloudViewer${random_string.unique_id.result}",
"permissions": "${var.project_iam_policy_custom_role_permissions}",
"project": "${var.project_id}",
"description": "This is a custom role created for Prisma Cloud. Contains granular additional permission which is not covered by built-in roles",
"title": "Prisma Cloud Viewer ${random_string.unique_id.result}"
}
},
"google_service_account_key": {
"prisma_cloud_service_account_key": {
"service_account_id": "${google_service_account.prisma_cloud_service_account.name}"
}
},
"google_project_service": {
"project_apis": {
"service": "${var.project_services[count.index]}",
"disable_on_destroy": false,
"count": "${length(var.project_services)}",
"project": "${var.project_id}"
}
},
"local_file": {
"key": {
"filename": "${var.project_id}-${random_string.unique_id.result}.json",
"content": "${base64decode(google_service_account_key.prisma_cloud_service_account_key.private_key)}"
}
}
},
"variable": {
"project_iam_policy_custom_role_permissions": {
"default": [
"autoscaling.sites.getIamPolicy",
"autoscaling.sites.readRecommendations",
"compute.acceleratorTypes.get",
"compute.acceleratorTypes.list",
"compute.addresses.get",
"compute.addresses.list",
"compute.autoscalers.get",
"compute.autoscalers.list",
"compute.backendBuckets.get",
"compute.backendBuckets.getIamPolicy",
"compute.backendBuckets.list",
"compute.backendServices.get",
"compute.backendServices.getIamPolicy",
"compute.backendServices.list",
"compute.commitments.get",
"compute.commitments.list",
"compute.diskTypes.get",
"compute.diskTypes.list",
"compute.disks.createSnapshot",
"compute.disks.get",
"compute.disks.getIamPolicy",
"compute.disks.list",
"compute.disks.listEffectiveTags",
"compute.disks.listTagBindings",
"compute.disks.useReadOnly",
"compute.externalVpnGateways.get",
"compute.externalVpnGateways.list",
"compute.firewallPolicies.get",
"compute.firewallPolicies.getIamPolicy",
"compute.firewallPolicies.list",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.forwardingRules.get",
"compute.forwardingRules.list",
"compute.globalAddresses.get",
"compute.globalAddresses.list",
"compute.globalForwardingRules.get",
"compute.globalForwardingRules.list",
"compute.globalForwardingRules.pscGet",
"compute.globalNetworkEndpointGroups.get",
"compute.globalNetworkEndpointGroups.list",
"compute.globalOperations.get",
"compute.globalOperations.getIamPolicy",
"compute.globalOperations.list",
"compute.globalPublicDelegatedPrefixes.get",
"compute.globalPublicDelegatedPrefixes.list",
"compute.healthChecks.get",
"compute.healthChecks.list",
"compute.healthChecks.useReadOnly",
"compute.httpHealthChecks.get",
"compute.httpHealthChecks.list",
"compute.httpHealthChecks.useReadOnly",
"compute.httpsHealthChecks.get",
"compute.httpsHealthChecks.list",
"compute.httpsHealthChecks.useReadOnly",
"compute.images.get",
"compute.images.getFromFamily",
"compute.images.getIamPolicy",
"compute.images.list",
"compute.images.listEffectiveTags",
"compute.images.listTagBindings",
"compute.images.useReadOnly",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.list",
"compute.instanceGroups.get",
"compute.instanceGroups.list",
"compute.instanceTemplates.get",
"compute.instanceTemplates.getIamPolicy",
"compute.instanceTemplates.list",
"compute.instanceTemplates.useReadOnly",
"compute.instances.get",
"compute.instances.getEffectiveFirewalls",
"compute.instances.getGuestAttributes",
"compute.instances.getIamPolicy",
"compute.instances.getScreenshot",
"compute.instances.getSerialPortOutput",
"compute.instances.getShieldedInstanceIdentity",
"compute.instances.getShieldedVmIdentity",
"compute.instances.list",
"compute.instances.listEffectiveTags",
"compute.instances.listReferrers",
"compute.instances.listTagBindings",
"compute.instances.useReadOnly",
"compute.interconnectAttachments.get",
"compute.interconnectAttachments.list",
"compute.interconnectLocations.get",
"compute.interconnectLocations.list",
"compute.interconnects.get",
"compute.interconnects.list",
"compute.licenseCodes.get",
"compute.licenseCodes.getIamPolicy",
"compute.licenseCodes.list",
"compute.licenses.get",
"compute.licenses.getIamPolicy",
"compute.licenses.list",
"compute.machineImages.get",
"compute.machineImages.getIamPolicy",
"compute.machineImages.list",
"compute.machineImages.useReadOnly",
"compute.machineTypes.get",
"compute.machineTypes.list",
"compute.maintenancePolicies.get",
"compute.maintenancePolicies.getIamPolicy",
"compute.maintenancePolicies.list",
"compute.networkAttachments.get",
"compute.networkAttachments.list",
"compute.networkEdgeSecurityServices.get",
"compute.networkEdgeSecurityServices.list",
"compute.networkEndpointGroups.get",
"compute.networkEndpointGroups.getIamPolicy",
"compute.networkEndpointGroups.list",
"compute.networks.get",
"compute.networks.getEffectiveFirewalls",
"compute.networks.getRegionEffectiveFirewalls",
"compute.networks.list",
"compute.networks.listPeeringRoutes",
"compute.nodeGroups.get",
"compute.nodeGroups.getIamPolicy",
"compute.nodeGroups.list",
"compute.nodeTemplates.get",
"compute.nodeTemplates.getIamPolicy",
"compute.nodeTemplates.list",
"compute.nodeTypes.get",
"compute.nodeTypes.list",
"compute.packetMirrorings.get",
"compute.packetMirrorings.list",
"compute.projects.get",
"compute.publicAdvertisedPrefixes.get",
"compute.publicAdvertisedPrefixes.list",
"compute.publicDelegatedPrefixes.get",
"compute.publicDelegatedPrefixes.list",
"compute.regionBackendServices.get",
"compute.regionBackendServices.getIamPolicy",
"compute.regionBackendServices.list",
"compute.regionFirewallPolicies.get",
"compute.regionFirewallPolicies.getIamPolicy",
"compute.regionFirewallPolicies.list",
"compute.regionHealthCheckServices.get",
"compute.regionHealthCheckServices.list",
"compute.regionHealthChecks.get",
"compute.regionHealthChecks.list",
"compute.regionHealthChecks.useReadOnly",
"compute.regionNetworkEndpointGroups.get",
"compute.regionNetworkEndpointGroups.list",
"compute.regionNotificationEndpoints.get",
"compute.regionNotificationEndpoints.list",
"compute.regionOperations.get",
"compute.regionOperations.getIamPolicy",
"compute.regionOperations.list",
"compute.regionSecurityPolicies.get",
"compute.regionSecurityPolicies.list",
"compute.regionSslCertificates.get",
"compute.regionSslCertificates.list",
"compute.regionSslPolicies.get",
"compute.regionSslPolicies.list",
"compute.regionSslPolicies.listAvailableFeatures",
"compute.regionTargetHttpProxies.get",
"compute.regionTargetHttpProxies.list",
"compute.regionTargetHttpsProxies.get",
"compute.regionTargetHttpsProxies.list",
"compute.regionTargetTcpProxies.get",
"compute.regionTargetTcpProxies.list",
"compute.regionUrlMaps.get",
"compute.regionUrlMaps.list",
"compute.regions.get",
"compute.regions.list",
"compute.reservations.get",
"compute.reservations.list",
"compute.resourcePolicies.get",
"compute.resourcePolicies.getIamPolicy",
"compute.resourcePolicies.list",
"compute.routers.get",
"compute.routers.list",
"compute.routes.get",
"compute.routes.list",
"compute.securityPolicies.get",
"compute.securityPolicies.getIamPolicy",
"compute.securityPolicies.list",
"compute.serviceAttachments.get",
"compute.serviceAttachments.getIamPolicy",
"compute.serviceAttachments.list",
"compute.snapshots.get",
"compute.snapshots.getIamPolicy",
"compute.snapshots.list",
"compute.snapshots.listEffectiveTags",
"compute.snapshots.listTagBindings",
"compute.sslCertificates.get",
"compute.sslCertificates.list",
"compute.sslPolicies.get",
"compute.sslPolicies.list",
"compute.sslPolicies.listAvailableFeatures",
"compute.subnetworks.get",
"compute.subnetworks.getIamPolicy",
"compute.subnetworks.list",
"compute.targetGrpcProxies.get",
"compute.targetGrpcProxies.list",
"compute.targetHttpProxies.get",
"compute.targetHttpProxies.list",
"compute.targetHttpsProxies.get",
"compute.targetHttpsProxies.list",
"compute.targetInstances.get",
"compute.targetInstances.list",
"compute.targetPools.get",
"compute.targetPools.list",
"compute.targetSslProxies.get",
"compute.targetSslProxies.list",
"compute.targetTcpProxies.get",
"compute.targetTcpProxies.list",
"compute.targetVpnGateways.get",
"compute.targetVpnGateways.list",
"compute.urlMaps.get",
"compute.urlMaps.list",
"compute.vpnGateways.get",
"compute.vpnGateways.list",
"compute.vpnTunnels.get",
"compute.vpnTunnels.list",
"compute.zoneOperations.get",
"compute.zoneOperations.getIamPolicy",
"compute.zoneOperations.list",
"compute.zones.get",
"compute.zones.list",
"bigquery.bireservations.get",
"bigquery.capacityCommitments.get",
"bigquery.capacityCommitments.list",
"bigquery.config.get",
"bigquery.connections.get",
"bigquery.connections.getIamPolicy",
"bigquery.connections.list",
"bigquery.dataPolicies.get",
"bigquery.dataPolicies.getIamPolicy",
"bigquery.dataPolicies.list",
"bigquery.datasets.get",
"bigquery.datasets.getIamPolicy",
"bigquery.datasets.listTagBindings",
"bigquery.jobs.get",
"bigquery.jobs.list",
"bigquery.jobs.listExecutionMetadata",
"bigquery.models.getData",
"bigquery.models.getMetadata",
"bigquery.models.list",
"bigquery.readsessions.getData",
"bigquery.reservationAssignments.list",
"bigquery.reservations.get",
"bigquery.reservations.list",
"bigquery.routines.get",
"bigquery.routines.list",
"bigquery.rowAccessPolicies.getIamPolicy",
"bigquery.rowAccessPolicies.list",
"bigquery.savedqueries.get",
"bigquery.savedqueries.list",
"bigquery.tables.getIamPolicy",
"bigquery.transfers.get",
"cloudfunctions.functions.get",
"cloudfunctions.functions.getIamPolicy",
"cloudfunctions.functions.list",
"cloudfunctions.locations.get",
"cloudfunctions.locations.list",
"cloudfunctions.operations.get",
"cloudfunctions.operations.list",
"cloudfunctions.runtimes.list",
"dns.changes.get",
"dns.changes.list",
"dns.dnsKeys.get",
"dns.dnsKeys.list",
"dns.managedZoneOperations.get",
"dns.managedZoneOperations.list",
"dns.managedZones.get",
"dns.managedZones.getIamPolicy",
"dns.managedZones.list",
"dns.policies.get",
"dns.policies.getIamPolicy",
"dns.policies.list",
"dns.projects.get",
"dns.resourceRecordSets.get",
"dns.resourceRecordSets.list",
"dns.responsePolicies.get",
"dns.responsePolicies.list",
"dns.responsePolicyRules.get",
"dns.responsePolicyRules.list",
"cloudsql.backupRuns.get",
"cloudsql.backupRuns.list",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.instances.get",
"cloudsql.instances.list",
"cloudsql.instances.listEffectiveTags",
"cloudsql.instances.listServerCas",
"cloudsql.instances.listTagBindings",
"cloudsql.sslCerts.get",
"cloudsql.sslCerts.list",
"cloudsql.users.get",
"cloudsql.users.list",
"dataproc.agents.get",
"dataproc.agents.list",
"dataproc.autoscalingPolicies.get",
"dataproc.autoscalingPolicies.getIamPolicy",
"dataproc.autoscalingPolicies.list",
"dataproc.batches.get",
"dataproc.batches.list",
"dataproc.clusters.get",
"dataproc.clusters.getIamPolicy",
"dataproc.clusters.list",
"dataproc.jobs.get",
"dataproc.jobs.getIamPolicy",
"dataproc.jobs.list",
"dataproc.operations.get",
"dataproc.operations.getIamPolicy",
"dataproc.operations.list",
"dataproc.tasks.listInvalidatedLeases",
"dataproc.workflowTemplates.get",
"dataproc.workflowTemplates.getIamPolicy",
"dataproc.workflowTemplates.list",
"dataprocessing.datasources.get",
"dataprocessing.datasources.list",
"dataprocessing.featurecontrols.list",
"dataprocessing.groupcontrols.get",
"dataprocessing.groupcontrols.list",
"resourcemanager.hierarchyNodes.listEffectiveTags",
"resourcemanager.hierarchyNodes.listTagBindings",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.tagHolds.list",
"resourcemanager.tagKeys.get",
"resourcemanager.tagKeys.getIamPolicy",
"resourcemanager.tagKeys.list",
"resourcemanager.tagValues.get",
"resourcemanager.tagValues.getIamPolicy",
"resourcemanager.tagValues.list",
"container.apiServices.get",
"container.apiServices.getStatus",
"container.apiServices.list",
"container.auditSinks.get",
"container.auditSinks.list",
"container.backendConfigs.get",
"container.backendConfigs.list",
"container.bindings.get",
"container.bindings.list",
"container.certificateSigningRequests.get",
"container.certificateSigningRequests.getStatus",
"container.certificateSigningRequests.list",
"container.clusterRoleBindings.get",
"container.clusterRoleBindings.list",
"container.clusterRoles.get",
"container.clusterRoles.list",
"container.clusters.get",
"container.clusters.list",
"container.clusters.listEffectiveTags",
"container.clusters.listTagBindings",
"container.componentStatuses.get",
"container.componentStatuses.list",
"container.configMaps.get",
"container.configMaps.list",
"container.controllerRevisions.get",
"container.controllerRevisions.list",
"container.cronJobs.get",
"container.cronJobs.getStatus",
"container.cronJobs.list",
"container.csiDrivers.get",
"container.csiDrivers.list",
"container.csiNodeInfos.get",
"container.csiNodeInfos.list",
"container.csiNodes.get",
"container.csiNodes.list",
"container.customResourceDefinitions.get",
"container.customResourceDefinitions.getStatus",
"container.customResourceDefinitions.list",
"container.daemonSets.get",
"container.daemonSets.getStatus",
"container.daemonSets.list",
"container.deployments.get",
"container.deployments.getStatus",
"container.deployments.list",
"container.endpointSlices.get",
"container.endpointSlices.list",
"container.endpoints.get",
"container.endpoints.list",
"container.events.get",
"container.events.list",
"container.frontendConfigs.get",
"container.frontendConfigs.list",
"container.horizontalPodAutoscalers.get",
"container.horizontalPodAutoscalers.getStatus",
"container.horizontalPodAutoscalers.list",
"container.ingresses.get",
"container.ingresses.getStatus",
"container.ingresses.list",
"container.initializerConfigurations.get",
"container.initializerConfigurations.list",
"container.jobs.get",
"container.jobs.getStatus",
"container.jobs.list",
"container.leases.get",
"container.leases.list",
"container.limitRanges.get",
"container.limitRanges.list",
"container.localSubjectAccessReviews.list",
"container.managedCertificates.get",
"container.managedCertificates.list",
"container.mutatingWebhookConfigurations.get",
"container.mutatingWebhookConfigurations.list",
"container.namespaces.get",
"container.namespaces.getStatus",
"container.namespaces.list",
"container.networkPolicies.get",
"container.networkPolicies.list",
"container.nodes.get",
"container.nodes.getStatus",
"container.nodes.list",
"container.operations.get",
"container.operations.list",
"container.persistentVolumeClaims.get",
"container.persistentVolumeClaims.getStatus",
"container.persistentVolumeClaims.list",
"container.persistentVolumes.get",
"container.persistentVolumes.getStatus",
"container.persistentVolumes.list",
"container.petSets.get",
"container.petSets.list",
"container.podDisruptionBudgets.get",
"container.podDisruptionBudgets.getStatus",
"container.podDisruptionBudgets.list",
"container.podPresets.get",
"container.podPresets.list",
"container.podSecurityPolicies.get",
"container.podSecurityPolicies.list",
"container.podTemplates.get",
"container.podTemplates.list",
"container.pods.get",
"container.pods.getLogs",
"container.pods.getStatus",
"container.pods.list",
"container.priorityClasses.get",
"container.priorityClasses.list",
"container.replicaSets.get",
"container.replicaSets.getScale",
"container.replicaSets.getStatus",
"container.replicaSets.list",
"container.replicationControllers.get",
"container.replicationControllers.getScale",
"container.replicationControllers.getStatus",
"container.replicationControllers.list",
"container.resourceQuotas.get",
"container.resourceQuotas.getStatus",
"container.resourceQuotas.list",
"container.roleBindings.get",
"container.roleBindings.list",
"container.roles.get",
"container.roles.list",
"container.runtimeClasses.get",
"container.runtimeClasses.list",
"container.scheduledJobs.get",
"container.scheduledJobs.list",
"container.selfSubjectAccessReviews.list",
"container.serviceAccounts.get",
"container.serviceAccounts.list",
"container.services.get",
"container.services.getStatus",
"container.services.list",
"container.statefulSets.get",
"container.statefulSets.getScale",
"container.statefulSets.getStatus",
"container.statefulSets.list",
"container.storageClasses.get",
"container.storageClasses.list",
"container.storageStates.get",
"container.storageStates.getStatus",
"container.storageStates.list",
"container.storageVersionMigrations.get",
"container.storageVersionMigrations.getStatus",
"container.storageVersionMigrations.list",
"container.subjectAccessReviews.list",
"container.thirdPartyObjects.get",
"container.thirdPartyObjects.list",
"container.thirdPartyResources.get",
"container.thirdPartyResources.list",
"container.updateInfos.get",
"container.updateInfos.list",
"container.validatingWebhookConfigurations.get",
"container.validatingWebhookConfigurations.list",
"container.volumeAttachments.get",
"container.volumeAttachments.getStatus",
"container.volumeAttachments.list",
"container.volumeSnapshotClasses.get",
"container.volumeSnapshotClasses.list",
"container.volumeSnapshotContents.get",
"container.volumeSnapshotContents.getStatus",
"container.volumeSnapshotContents.list",
"container.volumeSnapshots.get",
"container.volumeSnapshots.getStatus",
"container.volumeSnapshots.list",
"redis.instances.get",
"redis.instances.list",
"redis.locations.get",
"redis.locations.list",
"redis.operations.get",
"redis.operations.list",
"storage.buckets.list",
"storage.buckets.listEffectiveTags",
"storage.buckets.listTagBindings",
"storage.hmacKeys.get",
"storage.hmacKeys.list",
"logging.buckets.get",
"logging.buckets.list",
"logging.cmekSettings.get",
"logging.exclusions.get",
"logging.exclusions.list",
"logging.links.get",
"logging.links.list",
"logging.locations.get",
"logging.locations.list",
"logging.logEntries.list",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logServiceIndexes.list",
"logging.logServices.list",
"logging.logs.list",
"logging.notificationRules.get",
"logging.notificationRules.list",
"logging.operations.get",
"logging.operations.list",
"logging.queries.get",
"logging.queries.list",
"logging.queries.listShared",
"logging.sinks.get",
"logging.sinks.list",
"logging.usage.get",
"logging.views.get",
"logging.views.list",
"logging.views.listLogs",
"logging.views.listResourceKeys",
"logging.views.listResourceValues",
"cloudscheduler.jobs.get",
"cloudscheduler.jobs.list",
"cloudscheduler.locations.get",
"cloudscheduler.locations.list",
"pubsub.schemas.get",
"pubsub.schemas.getIamPolicy",
"pubsub.schemas.list",
"pubsub.snapshots.get",
"pubsub.snapshots.list",
"pubsub.snapshots.seek",
"pubsub.subscriptions.get",
"pubsub.subscriptions.list",
"pubsub.topics.get",
"pubsub.topics.list",
"cloudkms.cryptoKeyVersions.get",
"cloudkms.cryptoKeyVersions.list",
"cloudkms.cryptoKeys.get",
"cloudkms.cryptoKeys.getIamPolicy",
"cloudkms.cryptoKeys.list",
"cloudkms.ekmConnections.get",
"cloudkms.ekmConnections.getIamPolicy",
"cloudkms.ekmConnections.list",
"cloudkms.importJobs.get",
"cloudkms.importJobs.getIamPolicy",
"cloudkms.importJobs.list",
"cloudkms.keyRings.get",
"cloudkms.keyRings.getIamPolicy",
"cloudkms.keyRings.list",
"cloudkms.keyRings.listEffectiveTags",
"cloudkms.keyRings.listTagBindings",
"cloudkms.locations.generateRandomBytes",
"cloudkms.locations.get",
"cloudkms.locations.list",
"iam.denypolicies.get",
"iam.denypolicies.list",
"iam.googleapis.com/workloadIdentityPoolProviders.get",
"iam.googleapis.com/workloadIdentityPoolProviders.list",
"iam.googleapis.com/workloadIdentityPools.get",
"iam.googleapis.com/workloadIdentityPools.list",
"iam.roles.get",
"iam.roles.list",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.dashboards.get",
"monitoring.dashboards.list",
"monitoring.groups.get",
"monitoring.groups.list",
"monitoring.metricDescriptors.get",
"monitoring.metricDescriptors.list",
"monitoring.monitoredResourceDescriptors.get",
"monitoring.monitoredResourceDescriptors.list",
"monitoring.notificationChannelDescriptors.get",
"monitoring.notificationChannelDescriptors.list",
"monitoring.notificationChannels.get",
"monitoring.notificationChannels.list",
"monitoring.publicWidgets.get",
"monitoring.publicWidgets.list",
"monitoring.services.get",
"monitoring.services.list",
"monitoring.slos.get",
"monitoring.slos.list",
"monitoring.timeSeries.list",
"monitoring.uptimeCheckConfigs.get",
"monitoring.uptimeCheckConfigs.list",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"pubsub.topics.getIamPolicy",
"pubsub.subscriptions.getIamPolicy",
"cloudsecurityscanner.scans.list",
"firebaserules.rulesets.get",
"clientauthconfig.clients.listWithSecrets",
"bigquery.tables.get",
"serviceusage.services.use",
"clouddeploy.config.get",
"clouddeploy.locations.list",
"clouddeploy.deliveryPipelines.list",
"clouddeploy.deliveryPipelines.getIamPolicy",
"clouddeploy.targets.list",
"clouddeploy.targets.getIamPolicy",
"analyticshub.dataExchanges.list",
"storage.objects.get",
"storage.objects.list",
"cloudbuild.builds.get",
"cloudbuild.builds.list",
"eventarc.channelConnections.get",
"eventarc.channelConnections.getIamPolicy",
"eventarc.channelConnections.list",
"eventarc.channels.get",
"eventarc.channels.getIamPolicy",
"eventarc.channels.list",
"eventarc.googleChannelConfigs.get",
"eventarc.locations.get",
"eventarc.locations.list",
"eventarc.operations.get",
"eventarc.operations.list",
"eventarc.providers.get",
"eventarc.providers.list",
"eventarc.triggers.get",
"eventarc.triggers.getIamPolicy",
"eventarc.triggers.list",
"recommender.locations.get",
"recommender.locations.list",
"recommender.runServiceIdentityInsights.get",
"recommender.runServiceIdentityInsights.list",
"recommender.runServiceIdentityRecommendations.get",
"recommender.runServiceIdentityRecommendations.list",
"recommender.runServiceSecurityInsights.get",
"recommender.runServiceSecurityInsights.list",
"recommender.runServiceSecurityRecommendations.get",
"recommender.runServiceSecurityRecommendations.list",
"remotebuildexecution.blobs.get",
"run.configurations.get",
"run.configurations.list",
"run.executions.get",
"run.executions.list",
"run.jobs.get",
"run.jobs.getIamPolicy",
"run.jobs.list",
"run.locations.list",
"run.operations.get",
"run.operations.list",
"run.revisions.get",
"run.revisions.list",
"run.routes.get",
"run.routes.list",
"run.services.get",
"run.services.getIamPolicy",
"run.services.list",
"run.services.listEffectiveTags",
"run.services.listTagBindings",
"run.tasks.get",
"run.tasks.list",
"serviceusage.quotas.get",
"serviceusage.services.get",
"serviceusage.services.list",
"osconfig.patchJobs.exec",
"osconfig.patchJobs.list",
"osconfig.patchJobs.get",
"storage.buckets.create",
"storage.buckets.delete",
"storage.objects.create",
"storage.objects.delete",
"compute.disks.create",
"compute.instances.create",
"compute.instances.delete",
"compute.instances.setMetadata",
"compute.instances.setTags",
"compute.networks.updatePolicy",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"artifactregistry.repositories.list",
"artifactregistry.repositories.get",
"artifactregistry.repositories.downloadArtifacts",
"artifactregistry.files.list",
"artifactregistry.files.get",
"artifactregistry.packages.list",
"artifactregistry.repositories.listTagBindings",
"artifactregistry.repositories.listEffectiveTags",
"artifactregistry.tags.list",
"artifactregistry.tags.get",
"artifactregistry.versions.list",
"artifactregistry.versions.get",
"compute.firewalls.update",
"storage.buckets.update",
"container.clusters.update",
"compute.subnetworks.update",
"storage.buckets.setIamPolicy",
"compute.subnetworks.setPrivateIpGoogleAccess",
"cloudfunctions.functions.sourceCodeGet",
"compute.instances.setLabels",
"compute.networks.create",
"compute.networks.delete",
"compute.snapshots.create",
"compute.snapshots.delete",
"compute.snapshots.setLabels",
"compute.snapshots.useReadOnly",
"compute.subnetworks.create",
"compute.subnetworks.delete"
],
"type": "list"
},
"project_id": {
"default": "project_id",
"type": "string"
},
"project_iam_policy_managed_roles": {
"default": [
"roles/viewer",
"roles/storage.objectViewer",
"roles/container.clusterViewer",
"roles/cloudfunctions.viewer",
"roles/storage.admin",
"roles/compute.networkAdmin"
],
"type": "list"
},
"flowlog_bucket_name": {
"default": "flowlog-storage-bucket-name",
"type": "string"
},
"project_services": {
"default": [
"bigquery.googleapis.com",
"dns.googleapis.com",
"cloudkms.googleapis.com",
"cloudresourcemanager.googleapis.com",
"monitoring.googleapis.com",
"logging.googleapis.com",
"container.googleapis.com",
"iam.googleapis.com",
"storage-component.googleapis.com",
"sql-component.googleapis.com",
"compute.googleapis.com",
"redis.googleapis.com",
"cloudfunctions.googleapis.com",
"recommender.googleapis.com",
"dataproc.googleapis.com",
"bigtableadmin.googleapis.com",
"serviceusage.googleapis.com",
"appengine.googleapis.com",
"run.googleapis.com",
"pubsub.googleapis.com",
"spanner.googleapis.com",
"sourcerepo.googleapis.com",
"websecurityscanner.googleapis.com",
"binaryauthorization.googleapis.com",
"cloudtasks.googleapis.com",
"secretmanager.googleapis.com",
"healthcare.googleapis.com",
"file.googleapis.com",
"cloudasset.googleapis.com",
"firebaserules.googleapis.com",
"composer.googleapis.com",
"containeranalysis.googleapis.com",
"ml.googleapis.com",
"apigateway.googleapis.com",
"datafusion.googleapis.com",
"apikeys.googleapis.com",
"iap.googleapis.com",
"privateca.googleapis.com",
"accessapproval.googleapis.com",
"essentialcontacts.googleapis.com",
"servicedirectory.googleapis.com",
"orgpolicy.googleapis.com",
"managedidentities.googleapis.com",
"datacatalog.googleapis.com",
"securitycenter.googleapis.com",
"notebooks.googleapis.com",
"artifactregistry.googleapis.com",
"datastore.googleapis.com",
"networksecurity.googleapis.com",
"dlp.googleapis.com",
"firebaseremoteconfig.googleapis.com",
"clouddeploy.googleapis.com",
"analyticshub.googleapis.com",
"networkservices.googleapis.com",
"memcache.googleapis.com",
"networkconnectivity.googleapis.com",
"vpcaccess.googleapis.com"
],
"type": "list"
}
},
"terraform": {
"required_providers": {
"random": "~> 3.1",
"google-beta": "~> 3.90",
"google": "~> 3.90"
}
}
}
3. Create service account and corresponding permissions in Google Cloud Shell
- Login to the Google Cloud shell.
- Upload the script generated in Step 2 to the Cloud Shell and execute the following commands:
* a. terraform init
* b. terraform apply
- Follow the output instruction in the Google Cloud Shell and download the JSON file.Use the contents of the downloaded file in the next step.
4. Add the GCP Account to Prisma Cloud
Add GCP Account by using Add GCP Account API . Use the credentials, features, and states obtained in the previous steps in the request payload.
For GCP Organization, you can specify the folders or the projects that you want to exclude or include in the hierarchySelection parameter.
Note: By default, the supported features list will contain Cloud Visibility Compliance and Governance. Do not include it as a feature in the supported feature request body parameter. An empty features list indicates that the default capabilities under Cloud Visibility Compliance and Governance are enabled.
Sample Request for GCP Project
curl -v --request POST 'https://api.prismacloud.io/cas/v1/gcp_account' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"cloudAccount": {
"accountId": "<project-id>",
"accountType": "account",
"enabled": true,
"name": "<account-name-to-be-onboarded>",
"groupIds": [<List of account groups>]
},
"credentials": {
<content-of-the-json-file-from-step-3>
},
"features": [
{
"name": "Agentless Scanning",
"state": "disabled"
},
{
"name": "Auto Protect",
"state": "disabled"
},
{
"name": "Remediation",
"state": "disabled"
},
{
"name": "Serverless Function Scanning",
"state": "disabled"
}
]
}'
Sample Request for GCP Organization
curl -v --request POST 'https://api.prismacloud.io/cas/v1/gcp_account' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"cloudAccount": {
"accountId": "<org-id>",
"accountType": "organization",
"enabled": true,
"name": "<account-name-to-be-onboarded>"
},
"credentials": {
<content-of-the-json-file-from-step-3>
},
"features": [
{
"name": "Agentless Scanning",
"state": "enabled"
},
{
"name": "Auto Protect",
"state": "enabled"
},
{
"name": "Remediation",
"state": "enabled"
},
{
"name": "Serverless Function Scanning",
"state": "enabled"
}
],
"accountGroupCreationMode": "AUTO"
}'
Sample Request for Master Service Account
curl -v --request POST 'https://api.prismacloud.io/cas/v1/gcp_account' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-redlock-auth: <YOUR_TOKEN>' \
--data-raw '{
"cloudAccount": {
"accountId": "<project-id>",
"accountType": "masterServiceAccount",
"enabled": true,
"name": "account-name-to-be-onboarded"
},
"credentials": {
<content-of-the-json-file-from-step-3>
},
"features": [
{
"name": "Agentless Scanning",
"state": "enabled"
},
{
"name": "Auto Protect",
"state": "enabled"
},
{
"name": "Remediation",
"state": "enabled"
},
{
"name": "Serverless Function Scanning",
"state": "enabled"
}
],
"defaultAccountGroupId": "<account-group-id>"
}'
Sample Response
200 (Success)
Verify that the GCP cloud account is onboarded successfully either by using the List Cloud Account API or by navigating to Cloud Accounts in the Prisma Cloud UI.