Reference: Google Cloud permissions

Turbonomic requires specific permissions to monitor your Google Cloud workloads and billing data.

Permissions for the Google Cloud target (organization-level permissions)

The permissions listed in this section allow the Google Cloud target in Turbonomic to monitor and optimize workloads in individual folders or your entire organization. Note that organization-level permissions are required to monitor and optimize workloads at the folder level.

Note:

See "Permissions for the Google Cloud target (project-level permissions)" if you want the target to monitor and optimize workloads in individual projects.

Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.

When a service account has been properly configured for use with Turbonomic, add a Google Cloud target in the user interface.

  • Workload monitoring permissions

    Turbonomic functionality | Required permissions

    Access to Google Cloud APIs to discover workloads

    • serviceusage.services.get

      Verifies access to Google Cloud APIs

    Discovery of organization data
    • billing.accounts.list

      Gets a list of billing accounts

    • billing.resourceAssociations.list

      Gets a list of resources associated with billing accounts

    Discovery of resource hierarchy (organization, folders, and projects)
    • resourcemanager.organizations.get

      Gets organization information

    • resourcemanager.folders.get

      Gets folder information

    • resourcemanager.folders.list

      Gets folder information

    • resourcemanager.projects.get

      Gets project information

    • resourcemanager.projects.list

      Gets project information

    Discovery of regions

    • compute.regions.list

      Gets supported regions

    Discovery of zones

    • compute.zones.list

      Gets supported zones

    Discovery of projects

    • resourcemanager.projects.get

      Gets project-level information

    Discovery of metrics for various entities

    • monitoring.services.get

      Reads service data from Cloud Monitoring (included in the Monitoring Viewer role)

    • monitoring.services.list

      Reads service data from Cloud Monitoring (included in the Monitoring Viewer role)

    • monitoring.timeSeries.list

      Gets time series data from Cloud Monitoring

    Discovery of historical metrics (used to generate VM scale actions on the same day a new Google Cloud target is added)

    • logging.logEntries.list

      Reads log entries (included in the Logs Viewer role)

    • logging.views.get

      Reads log view properties (included in the Logs Viewer role)

    • logging.views.list

      Lists log views (included in the Logs Viewer role)

    • resourcemanager.projects.get

      Gets project information (included in the Logs Viewer role)

    Discovery of VMs and instance types (machine types)

    • compute.instances.get

      Gets instance properties

    • compute.instances.list

      Gets instances

    • compute.machineTypes.get

      Gets machine type properties

    • compute.machineTypes.list

      Gets supported machine types

    Discovery of discounts (resource-based CUDs)

    • compute.commitments.list

      Gets commitment information

    Discovery of instance groups and types (managed or unmanaged)

    • compute.instanceGroups.list

      Gets instance groups

    Discovery of managed instance groups (MIGs)

    • compute.autoscalers.list

      Gets auto scaling details for a MIG

    • compute.instanceGroupManagers.get

      Gets MIG properties

    • compute.instanceGroupManagers.list

      Gets MIGs

    • compute.instanceTemplates.list

      Gets compute tier and instance templates of MIG

    Discovery of Google Kubernetes Engine (GKE) node pools

    • container.clusters.get

      Gets node pools

    • compute.instanceGroups.get

      Gets instance group information

    Discovery of volumes and disk types

    • compute.disks.get

      Gets disk properties

    • compute.disks.list

      Gets disks

    • compute.diskTypes.list

      Gets supported disk types

  • Action execution permissions

    Turbonomic functionality | Required permissions
    Execution of actions for all supported entities
    • iam.serviceAccounts.actAs

      Allows the Turbonomic service account to act as the service account attached to the resources it updates; required to execute actions through Google Cloud APIs

    Verification of action execution status for all supported entities
    • compute.globalOperations.get

      Checks the status of async operations

    • compute.regionOperations.get

      Checks the status of async operations

    • compute.zoneOperations.get

      Checks the status of async operations

    Execution of actions for VMs
    • compute.instances.setMachineType

      Sets the machine type of a virtual machine to support scaling from one machine type to another

    • compute.instances.start

      Restarts a virtual machine after action execution

    • compute.instances.stop

      Stops a virtual machine before changing its properties

    Execution of actions for MIGs
    • compute.autoscalers.get

      Gets the configuration of an autoscaler

    • compute.autoscalers.update

      Updates the configuration of an autoscaler

    • compute.instanceGroupManagers.get

      Gets the state and configuration of a zonal or regional MIG

    • compute.instanceGroupManagers.update

      Updates the minimum and maximum replicas in a zonal MIG

    Execution of actions for GKE nodes
    • container.clusters.get

      Gets cluster information

    • container.clusters.update

      Updates cluster information

    • compute.instanceGroups.get

      Gets instance group information

    • compute.instanceGroups.list

      Gets instance groups

    • compute.instanceGroups.use

      Allows using instance groups APIs

    • compute.instanceGroupManagers.update

      Updates instance group properties

    Execution of actions for volumes
    • compute.disks.create

      Creates a new disk from a snapshot

    • compute.disks.createSnapshot

      Creates disk snapshots in conjunction with compute.snapshots.create

    • compute.disks.delete

      Deletes disks as part of resize and delete actions

    • compute.disks.resize

      Resizes disks as part of resize actions

    • compute.disks.update

      Updates disk properties as part of resize actions

    • compute.disks.use

      Allows disk create and attach operations, in conjunction with compute.disks.useReadOnly

    • compute.disks.useReadOnly

      Allows disk create and attach operations, in conjunction with compute.disks.use

    • compute.instances.attachDisk

      Attaches the snapshot-created disk to a virtual machine

    • compute.instances.detachDisk

      Detaches the original disk from a virtual machine

    • compute.instances.start

      Restarts a virtual machine as part of cleanup operations during resize actions

    • compute.instances.stop

      Stops a virtual machine before resizing a disk

    • compute.snapshots.create

      Creates disk snapshots in conjunction with compute.disks.createSnapshot

    • compute.snapshots.get

      Gets snapshot information

Permissions for the Google Cloud target (project-level permissions)

The permissions listed in this section allow the Google Cloud target in Turbonomic to monitor and optimize workloads in individual projects.

Note:

See "Permissions for the Google Cloud target (organization-level permissions)" if you want the target to monitor and optimize workloads in individual folders or your entire organization.

Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.

When a service account has been properly configured for use with Turbonomic, add a Google Cloud target in the user interface.

  • Workload monitoring permissions

    Turbonomic functionality | Required permissions

    Access to Google Cloud APIs to discover workloads

    • serviceusage.services.get

      Verifies access to Google Cloud APIs

    Discovery of regions

    • compute.regions.list

      Gets supported regions

    Discovery of zones

    • compute.zones.list

      Gets supported zones

    Discovery of projects

    • resourcemanager.projects.get

      Gets project-level information

    Discovery of metrics for various entities

    • monitoring.services.get

      Reads service data from Cloud Monitoring (included in the Monitoring Viewer role)

    • monitoring.services.list

      Reads service data from Cloud Monitoring (included in the Monitoring Viewer role)

    • monitoring.timeSeries.list

      Gets time series data from Cloud Monitoring

    Discovery of historical metrics (used to generate VM scale actions on the same day a new Google Cloud target is added)

    • logging.logEntries.list

      Reads log entries (included in the Logs Viewer role)

    • logging.views.get

      Reads log view properties (included in the Logs Viewer role)

    • logging.views.list

      Lists log views (included in the Logs Viewer role)

    • resourcemanager.projects.get

      Gets project information (included in the Logs Viewer role)

    Discovery of VMs and instance types (machine types)

    • compute.instances.get

      Gets instance properties

    • compute.instances.list

      Gets instances

    • compute.machineTypes.get

      Gets machine type properties

    • compute.machineTypes.list

      Gets supported machine types

    Discovery of discounts (resource-based CUDs)

    • compute.commitments.list

      Gets commitment information

    Discovery of instance groups and types (managed or unmanaged)

    • compute.instanceGroups.list

      Gets instance groups

    Discovery of managed instance groups (MIGs)

    • compute.autoscalers.list

      Gets auto scaling details for a MIG

    • compute.instanceGroupManagers.get

      Gets MIG properties

    • compute.instanceGroupManagers.list

      Gets MIGs

    • compute.instanceTemplates.list

      Gets compute tier and instance templates of MIG

    Discovery of Google Kubernetes Engine (GKE) node pools

    • container.clusters.get

      Gets node pools

    • compute.instanceGroups.get

      Gets instance group information

    Discovery of volumes and disk types

    • compute.disks.get

      Gets disk properties

    • compute.disks.list

      Gets disks

    • compute.diskTypes.list

      Gets supported disk types

  • Action execution permissions

    Turbonomic functionality | Required permissions
    Execution of actions for all supported entities
    • iam.serviceAccounts.actAs

      Allows the Turbonomic service account to act as the service account attached to the resources it updates; required to execute actions through Google Cloud APIs

    Verification of action execution status for all supported entities
    • compute.globalOperations.get

      Checks the status of async operations

    • compute.regionOperations.get

      Checks the status of async operations

    • compute.zoneOperations.get

      Checks the status of async operations

    Execution of actions for VMs
    • compute.instances.setMachineType

      Sets the machine type of a virtual machine to support scaling from one machine type to another

    • compute.instances.start

      Restarts a virtual machine after action execution

    • compute.instances.stop

      Stops a virtual machine before changing its properties

    Execution of actions for MIGs
    • compute.autoscalers.get

      Gets the configuration of an autoscaler

    • compute.autoscalers.update

      Updates the configuration of an autoscaler

    • compute.instanceGroupManagers.get

      Gets the state and configuration of a zonal or regional MIG

    • compute.instanceGroupManagers.update

      Updates the minimum and maximum replicas in a zonal MIG

    Execution of actions for GKE nodes
    • container.clusters.get

      Gets cluster information

    • container.clusters.update

      Updates cluster information

    • compute.instanceGroups.get

      Gets instance group information

    • compute.instanceGroups.list

      Gets instance groups

    • compute.instanceGroups.use

      Allows using instance groups APIs

    • compute.instanceGroupManagers.update

      Updates instance group properties

    Execution of actions for volumes
    • compute.disks.create

      Creates a new disk from a snapshot

    • compute.disks.createSnapshot

      Creates disk snapshots in conjunction with compute.snapshots.create

    • compute.disks.delete

      Deletes disks as part of resize and delete actions

    • compute.disks.resize

      Resizes disks as part of resize actions

    • compute.disks.update

      Updates disk properties as part of resize actions

    • compute.disks.use

      Allows disk create and attach operations, in conjunction with compute.disks.useReadOnly

    • compute.disks.useReadOnly

      Allows disk create and attach operations, in conjunction with compute.disks.use

    • compute.instances.attachDisk

      Attaches the snapshot-created disk to a virtual machine

    • compute.instances.detachDisk

      Detaches the original disk from a virtual machine

    • compute.instances.start

      Restarts a virtual machine as part of cleanup operations during resize actions

    • compute.instances.stop

      Stops a virtual machine before resizing a disk

    • compute.snapshots.create

      Creates disk snapshots in conjunction with compute.disks.createSnapshot

    • compute.snapshots.get

      Gets snapshot information
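The custom role you create for the Google Cloud target (organization-level or project-level) is easiest to keep at least privilege with a check. The following Python script is an added example, not Turbonomic's or Google's code: it reads the JSON that `gcloud iam roles describe ROLE --organization ORG --format=json` prints for the custom role and reports which permissions from the organization-level tables above are missing, which were granted but are not listed, and which of those extras can change state, so a role meant for monitoring only is caught if it also carries action permissions. The role name and the sample permission set are constructed for the example.

```python
import json

# Permissions from this page's two tables (Google Cloud target, monitoring vs. action execution).
MONITORING = set("""
serviceusage.services.get billing.accounts.list billing.resourceAssociations.list
resourcemanager.organizations.get resourcemanager.folders.get resourcemanager.folders.list
resourcemanager.projects.get resourcemanager.projects.list compute.regions.list
compute.zones.list monitoring.services.get monitoring.services.list monitoring.timeSeries.list
logging.logEntries.list logging.views.get logging.views.list compute.instances.get
compute.instances.list compute.machineTypes.get compute.machineTypes.list
compute.commitments.list compute.instanceGroups.list compute.instanceGroups.get
compute.autoscalers.list compute.instanceGroupManagers.get compute.instanceGroupManagers.list
compute.instanceTemplates.list container.clusters.get compute.disks.get compute.disks.list
compute.diskTypes.list
""".split())
ACTION = set("""
iam.serviceAccounts.actAs compute.globalOperations.get compute.regionOperations.get
compute.zoneOperations.get compute.instances.setMachineType compute.instances.start
compute.instances.stop compute.autoscalers.get compute.autoscalers.update
compute.instanceGroupManagers.update container.clusters.update compute.instanceGroups.use
compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.resize
compute.disks.update compute.disks.use compute.disks.useReadOnly compute.instances.attachDisk
compute.instances.detachDisk compute.snapshots.create compute.snapshots.get
""".split())

def audit_role(role_json: str, allow_actions: bool) -> dict:
    """Compare a role's includedPermissions (JSON from `gcloud iam roles describe
    --format=json`) with the page's lists: report missing and excess permissions,
    and single out excess ones that can change state (verb other than get/list)."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    required = MONITORING | (ACTION if allow_actions else set())
    excess = granted - required
    mutating = [p for p in excess if p.rsplit(".", 1)[-1] not in ("get", "list")]
    return {"missing": sorted(required - granted),
            "excess": sorted(excess),
            "excess_mutating": sorted(mutating)}

# Constructed sample (not real gcloud output): a monitoring-only role that lacks one
# listed permission and was over-granted two write permissions plus one harmless read.
SAMPLE_ROLE = json.dumps({
    "name": "organizations/ORG_ID_PLACEHOLDER/roles/turbonomicMonitor",
    "includedPermissions": sorted((MONITORING - {"compute.disks.list"})
                                  | {"compute.instances.delete", "compute.disks.delete",
                                     "compute.zones.get"}),
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE, allow_actions=False), indent=2))
```

Re-run the audit with `allow_actions=True` for a role that is also meant to execute actions; the same script then reports the action permissions (such as iam.serviceAccounts.actAs) as missing instead of flagging them as excess.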

Permissions for the Google Cloud Billing target

The Google Cloud Billing target grants Turbonomic access to billing data from a billing export to BigQuery. Turbonomic uses this data to optimize workloads with full cost awareness, discover resource-based CUDs, and visualize historical cloud expenses.

Note:

Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.

When a service account has been properly configured for use with Turbonomic, add a Google Cloud Billing target in the user interface.

Turbonomic functionality | Required permissions
Discovery of billing data
  • bigquery.jobs.create

    Allows querying billing data for the associated billing account from BigQuery using the Billing Viewer role

  • bigquery.tables.get

    Queries billing data for the associated billing account from BigQuery using the Billing Viewer role

  • bigquery.tables.getData

    Queries billing data for the associated billing account from BigQuery using the Billing Viewer role

  • bigquery.tables.list

    Queries billing data for the associated billing account from BigQuery using the Billing Viewer role

  • billing.accounts.get

    Gets billing account data for the associated billing account using the Billing Viewer role

  • billing.resourceAssociations.list

    Gets related projects for the associated billing account using the Billing Viewer role to map billing data appropriately

  • compute.commitments.list

    Gets a list of commitments for the associated billing account

  • compute.diskTypes.list

    Gets a list of disk types for the associated billing account to map billing data appropriately

  • compute.machineTypes.list

    Gets a list of machine types for the associated billing account to map billing data appropriately

  • compute.regions.list

    Gets a list of regions for the associated billing account to map billing data appropriately

  • compute.zones.list

    Gets a list of zones for the associated billing account to map billing data appropriately