Accounts and permissions for Google Cloud Projects

Three accounts and a federation, each with a set of permissions, are created automatically when you connect a Google Cloud Project (GCP) account with IBM Guardium DSPM.

The three accounts and the federation are:

  • Cross Project service account
  • Analyzer service account
  • Polar Installation service account
  • Workload Identity federation

For more information about the functions of these service accounts, see the Results sub-section of the Connecting with Google Cloud Project accounts section.

Cross Project service account

The Cross Project service account is created for every GCP account that is connected with Guardium DSPM. This role gives Guardium DSPM access to the metadata of the connected GCP account. The scope of this role is limited to read-only actions that do not affect the state of any GCP resource; it can view most Google Cloud resources of the GCP account.

Analyzer service account

The Analyzer service account operates between the GCP cloud accounts but is created for every GCP account that is connected with Guardium DSPM, so that it can scan the data in those cloud accounts. The following table lists the scope of permissions that this role has over various GCP services in the cloud account.

Table 1. Read-only permissions for the Analyzer service account

GCP service: BigQuery
Scope of permissions: BigQuery Job User, Viewer

GCP service: Cloud Storage
Scope of permissions:
  • storage.objects.get
  • storage.buckets.create
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
Additional information about permissions: Permissions are conditioned only for the Guardium DSPM cloud storage.

GCP service: Datastore
Scope of permissions: Viewer

GCP service: Cloud KMS
Scope of permissions:
  • cloudkms.cryptoKeyVersions.useToDecrypt
  • cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
  • cloudkms.cryptoKeys.create
  • cloudkms.cryptoKeys.setIamPolicy
  • cloudkms.keyRings.create

Polar Installation service account

The Polar Installation service account operates between the Guardium DSPM backend and the connected GCP cloud accounts. This role holds the permissions that are needed to update the Analyzer. The following table lists the scope of permissions that this role has over various GCP services in the cloud account.

Table 2. Read-only permissions for the Polar Installation service account

GCP service: IAM
Scope of permissions: Service Account User

GCP service: Compute Engine
Scope of permissions:
  • compute.autoscalers.get
  • compute.autoscalers.update
  • compute.disks.create
  • compute.globalOperations.get
  • compute.globalOperations.getIamPolicy
  • compute.globalOperations.list
  • compute.images.get
  • compute.images.useReadOnly
  • compute.instanceGroupManagers.create
  • compute.instanceGroupManagers.delete
  • compute.instanceGroupManagers.get
  • compute.instanceGroupManagers.list
  • compute.instanceGroupManagers.update
  • compute.instanceGroupManagers.use
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceGroups.update
  • compute.instanceGroups.use
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.instanceTemplates.setIamPolicy
  • compute.instanceTemplates.useReadOnly
  • compute.instances.create
  • compute.instances.setMetadata
  • compute.instances.setTags
  • compute.subnetworks.use
  • compute.subnetworks.externalize
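Tables 1 and 2 document the intended scope of the Analyzer and Polar Installation service accounts, which makes them a useful baseline for checking that what is actually bound in the project has not drifted (an extra predefined role, a custom role that gained a permission, or a Cloud Storage grant that lost the condition Table 1 describes). The following script is an added example, not IBM's documentation or tooling. It reads an IAM policy in the shape of `gcloud projects get-iam-policy --format=json` and custom role definitions in the shape of `gcloud iam roles describe --format=json`, and compares each account's grants with the documented scope. The project name, member addresses, custom role names and the sample policy are constructed; the mapping of the display names on the page ("BigQuery Job User", "Viewer", "Datastore Viewer", "Service Account User") to predefined role IDs is an assumption.

```python
"""Compare the grants of the Guardium DSPM service accounts with the documented scope.

Added example, not IBM's code. Inputs follow the JSON shape of
`gcloud projects get-iam-policy` and `gcloud iam roles describe`; the project,
members, custom role names and the policy below are constructed samples.
"""
import json

# Documented permissions (Tables 1 and 2), grouped by GCP service.
COMPUTE_PERMS = {f"compute.{p}" for p in (
    "autoscalers.get", "autoscalers.update", "disks.create",
    "globalOperations.get", "globalOperations.getIamPolicy", "globalOperations.list",
    "images.get", "images.useReadOnly",
    *(f"instanceGroupManagers.{v}" for v in ("create", "delete", "get", "list", "update", "use")),
    *(f"instanceGroups.{v}" for v in ("create", "delete", "get", "list", "update", "use")),
    *(f"instanceTemplates.{v}" for v in
      ("create", "delete", "get", "getIamPolicy", "list", "setIamPolicy", "useReadOnly")),
    "instances.create", "instances.setMetadata", "instances.setTags",
    "subnetworks.use", "subnetworks.externalize",
)}
STORAGE_PERMS = {"storage.objects.get", "storage.objects.create", "storage.objects.delete",
                 "storage.buckets.create", "storage.buckets.update"}
KMS_PERMS = {"cloudkms.cryptoKeyVersions.useToDecrypt",
             "cloudkms.cryptoKeyVersions.useToDecryptViaDelegation",
             "cloudkms.cryptoKeys.create", "cloudkms.cryptoKeys.setIamPolicy",
             "cloudkms.keyRings.create"}

# Predefined roles by ID; the mapping from the page's display names is an assumption.
EXPECTED = {
    "analyzer": {"roles": {"roles/bigquery.jobUser", "roles/viewer", "roles/datastore.viewer"},
                 "permissions": STORAGE_PERMS | KMS_PERMS,
                 # Table 1: Cloud Storage grants are conditioned to the DSPM bucket only.
                 "conditioned": STORAGE_PERMS},
    "installer": {"roles": {"roles/iam.serviceAccountUser"},
                  "permissions": COMPUTE_PERMS, "conditioned": set()},
}

# Constructed identifiers (hypothetical project and account names).
ANALYZER_SA = "serviceAccount:dspm-analyzer@example-project.iam.gserviceaccount.com"
INSTALLER_SA = "serviceAccount:dspm-installer@example-project.iam.gserviceaccount.com"
ROLE_STORAGE = "projects/example-project/roles/dspmAnalyzerStorage"
ROLE_KMS = "projects/example-project/roles/dspmAnalyzerKms"
ROLE_INSTALLER = "projects/example-project/roles/dspmInstaller"

# Constructed sample policy with two deliberate deviations from the documented scope.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser", "members": [ANALYZER_SA]},
    {"role": "roles/viewer", "members": [ANALYZER_SA]},
    {"role": "roles/storage.admin", "members": [ANALYZER_SA]},  # deviation: undocumented broad role
    {"role": ROLE_STORAGE, "members": [ANALYZER_SA],
     "condition": {"title": "dspm-bucket-only",
                   "expression": 'resource.name.startsWith("projects/_/buckets/dspm-example")'}},
    {"role": ROLE_KMS, "members": [ANALYZER_SA]},
    {"role": "roles/iam.serviceAccountUser", "members": [INSTALLER_SA]},
    {"role": ROLE_INSTALLER, "members": [INSTALLER_SA]},
]}
SAMPLE_ROLE_DEFS = {
    ROLE_STORAGE: {"includedPermissions": sorted(STORAGE_PERMS)},
    ROLE_KMS: {"includedPermissions": sorted(KMS_PERMS | {"storage.buckets.delete"})},  # deviation
    ROLE_INSTALLER: {"includedPermissions": sorted(COMPUTE_PERMS)},
}


def audit_member(policy, role_defs, member, expected):
    """Return the differences between one member's bindings and its documented scope.

    Predefined roles (roles/...) are compared by ID; custom roles are expanded through
    role_defs and compared permission by permission. A custom-role binding without an
    IAM condition that carries a permission the page says must be conditioned is
    reported under "unconditioned".
    """
    granted_roles, granted_perms, unconditioned, unknown = set(), set(), set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role.startswith("roles/"):
            granted_roles.add(role)
            continue
        perms = set(role_defs.get(role, {}).get("includedPermissions", []))
        if not perms:
            unknown.add(role)  # custom role we could not expand: surface it as unexpected
            continue
        granted_perms |= perms
        if "condition" not in binding:
            unconditioned |= perms & expected["conditioned"]
    return {
        "unexpected_roles": (granted_roles - expected["roles"]) | unknown,
        "unexpected_permissions": granted_perms - expected["permissions"],
        "unconditioned": unconditioned,
        "missing_roles": expected["roles"] - granted_roles,
        "missing_permissions": expected["permissions"] - granted_perms,
    }


def audit_all(policy=SAMPLE_POLICY, role_defs=SAMPLE_ROLE_DEFS):
    """Audit both accounts; returns {account: {finding: sorted list}} with empty findings dropped."""
    members = {"analyzer": ANALYZER_SA, "installer": INSTALLER_SA}
    report = {}
    for name, member in members.items():
        findings = audit_member(policy, role_defs, member, EXPECTED[name])
        report[name] = {k: sorted(v) for k, v in findings.items() if v}
    return report


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```

Run against a real project, replace `SAMPLE_POLICY` and `SAMPLE_ROLE_DEFS` with the parsed output of the two `gcloud` commands named in the docstring; predefined roles such as `roles/viewer` are compared by ID only, because expanding them to permissions would require querying their current definitions. On the constructed sample the Analyzer is reported with one undocumented role, one extra permission and one missing role, and the Polar Installation account comes back clean.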