Accounts and permissions for Google Cloud Projects
Three service accounts and a Workload Identity federation, each with a set of permissions, are automatically created when you connect a Google Cloud Project (GCP) account with IBM Guardium DSPM. They are:
- Cross Project service account
- Analyzer service account
- Polar Installation service account
- Workload Identity federation
For more information about the functions of these service accounts, see the Results sub-section of the Connecting with Google Cloud Project accounts section.
Cross Project service account
The Cross Project service account is created for every GCP account that is connected with Guardium DSPM. This role gives Guardium DSPM access to the metadata of the connected GCP account. Its scope is limited to read-only actions that do not change the state of any GCP resource, and it can view most Google Cloud resources in the GCP account.
Analyzer service account
This service account operates between the GCP cloud accounts, but it is created for every GCP account connected with Guardium DSPM in order to scan the data in those cloud accounts. The following table lists the scope of permissions that this role has over various GCP services in the cloud account.
GCP services | Scope of permissions | Additional information about permissions
---|---|---
BigQuery | BigQuery Job User, Viewer |
Cloud Storage | | Permissions are conditioned only for the Guardium DSPM cloud storage.
Datastore | Viewer |
Cloud KMS | |
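The two sections above make least-privilege claims that are worth checking in your own project: the Cross Project role is read-only, and the Analyzer's Cloud Storage binding is restricted by an IAM condition. The following script is an added example, not part of this documentation or of Guardium DSPM: it parses an IAM policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` and reports each service account's roles together with any role outside a read-only allow-list or any storage binding that lacks a condition. The policy content, the service-account e-mails, the bucket name and the mapping of the table's role names to IAM role IDs are constructed assumptions.

```python
import json

# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
# Member e-mails and the bucket name are placeholders, not real Guardium DSPM identifiers.
CROSS_PROJECT_SA = "serviceAccount:cross-project-sa@EXAMPLE-PROJECT.iam.gserviceaccount.com"
ANALYZER_SA = "serviceAccount:analyzer-sa@EXAMPLE-PROJECT.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer", "members": [CROSS_PROJECT_SA]},
        {"role": "roles/bigquery.jobUser", "members": [ANALYZER_SA]},
        {"role": "roles/storage.objectViewer", "members": [ANALYZER_SA],
         # IAM condition scoping the storage role to one bucket, as the table describes.
         "condition": {"title": "dspm-bucket-only",
                       "expression": 'resource.name.startsWith("projects/_/buckets/EXAMPLE-DSPM-BUCKET")'}},
        {"role": "roles/datastore.viewer", "members": [ANALYZER_SA]},
        # Constructed drift: a broad role that a scan-only account should never hold.
        {"role": "roles/editor", "members": [ANALYZER_SA, "user:alice@example.com"]},
    ]
})

# Assumed mapping of the table's role names to IAM role IDs; anything outside it is flagged.
READ_ONLY_ROLES = {"roles/viewer", "roles/bigquery.jobUser", "roles/bigquery.dataViewer",
                   "roles/storage.objectViewer", "roles/datastore.viewer"}
# Roles whose binding is expected to carry an IAM condition (Cloud Storage row of the table).
MUST_BE_CONDITIONED = {"roles/storage.objectViewer"}


def audit_member(policy_json: str, member: str) -> dict:
    """Return the roles bound to `member` and a list of findings where the
    bindings violate the read-only / conditioned-storage expectations."""
    policy = json.loads(policy_json)
    roles, findings = [], []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        roles.append(role)
        if role not in READ_ONLY_ROLES:
            findings.append(f"{role}: not in read-only allow-list")
        if role in MUST_BE_CONDITIONED and "condition" not in binding:
            findings.append(f"{role}: binding lacks an IAM condition")
    return {"roles": sorted(roles), "findings": findings}


if __name__ == "__main__":
    for sa in (CROSS_PROJECT_SA, ANALYZER_SA):
        print(sa.split("@")[0], audit_member(SAMPLE_POLICY, sa))
```

Run against a real exported policy, replace `SAMPLE_POLICY` with the file contents and the members with the e-mails Guardium DSPM created in your project; a non-empty `findings` list means the binding has drifted from the scope described above.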
Polar Installation service account
The Polar Installation service account operates between the Guardium DSPM backend and the connected GCP cloud accounts. This role has the scope of permissions listed in the following table over various GCP services in the cloud account, which enables it to update the Analyzer.
GCP services | Scope of permissions
---|---
IAM | Service Account User
Compute Engine |