Reference: Google Cloud permissions
Turbonomic requires specific permissions to monitor your Google Cloud workloads and billing data.
Permissions for the Google Cloud target
The Google Cloud target that you add to the Turbonomic user interface monitors your Google Cloud workloads. You can grant the target permissions to monitor workloads in individual projects, individual folders, or your entire organization.
Optionally, you can grant the target permissions to execute actions for your workloads automatically.
- Project-level permissions
  Note: Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.
  When a service account has been properly configured for use with Turbonomic, add a Google Cloud target in the user interface.
  - (Required) Monitoring permissions
    - compute.commitments.list
    - compute.disks.get
    - compute.disks.list
    - compute.diskTypes.list
    - compute.instances.get
    - compute.instances.list
    - compute.instanceGroupManagers.get
    - compute.instanceGroupManagers.list
    - compute.instanceGroups.get
    - compute.instanceGroups.list
    - compute.machineTypes.get
    - compute.machineTypes.list
    - compute.regions.list
    - compute.zones.list
    - container.clusters.get
    - logging.logEntries.list
    - logging.views.get
    - logging.views.list
    - monitoring.services.get
    - monitoring.services.list
    - monitoring.timeSeries.list
    - resourcemanager.projects.get
    - serviceusage.services.get
  - (Optional) Action execution permissions
    - compute.disks.create
    - compute.disks.createSnapshot
    - compute.disks.delete
    - compute.disks.resize
    - compute.disks.setLabels
    - compute.disks.update
    - compute.disks.use
    - compute.disks.useReadOnly
    - compute.globalOperations.get
    - compute.instanceGroupManagers.update
    - compute.instanceGroups.get
    - compute.instanceGroups.list
    - compute.instanceGroups.use
    - compute.instances.attachDisk
    - compute.instances.detachDisk
    - compute.instances.setLabels
    - compute.instances.setMachineType
    - compute.instances.start
    - compute.instances.stop
    - compute.instances.useReadOnly
    - compute.instanceTemplates.list
    - compute.instantSnapshots.list
    - compute.regionOperations.get
    - compute.reservations.list
    - compute.resourcePolicies.use
    - compute.snapshots.create
    - compute.snapshots.delete
    - compute.snapshots.get
    - compute.snapshots.list
    - compute.snapshots.useReadOnly
    - compute.zoneOperations.get
    - container.clusters.update
    - iam.serviceAccounts.actAs
- Folder-level permissions
  To monitor workloads at the folder level, organization-level permissions are required (see the next item).
- Organization-level permissions
  Note: Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.
  When a service account has been properly configured for use with Turbonomic, add a Google Cloud target in the user interface.
  - (Required) Monitoring permissions
    - Workload monitoring
      - billing.accounts.list
      - billing.resourceAssociations.list
      - compute.commitments.list
      - compute.disks.get
      - compute.disks.list
      - compute.diskTypes.list
      - compute.instances.get
      - compute.instances.list
      - compute.instanceGroupManagers.get
      - compute.instanceGroupManagers.list
      - compute.instanceGroups.get
      - compute.instanceGroups.list
      - compute.machineTypes.get
      - compute.machineTypes.list
      - compute.regions.list
      - compute.zones.list
      - container.clusters.get
      - logging.logEntries.list
      - logging.views.get
      - logging.views.list
      - monitoring.services.get
      - monitoring.services.list
      - monitoring.timeSeries.list
      - resourcemanager.projects.get
      - serviceusage.services.get
    - Resource hierarchy monitoring
      - resourcemanager.folders.get
      - resourcemanager.folders.list
      - resourcemanager.organizations.get
      - resourcemanager.projects.get
      - resourcemanager.projects.list
  - (Optional) Action execution permissions
    - compute.disks.create
    - compute.disks.createSnapshot
    - compute.disks.delete
    - compute.disks.resize
    - compute.disks.setLabels
    - compute.disks.update
    - compute.disks.use
    - compute.disks.useReadOnly
    - compute.globalOperations.get
    - compute.instanceGroupManagers.update
    - compute.instanceGroups.get
    - compute.instanceGroups.list
    - compute.instanceGroups.use
    - compute.instances.attachDisk
    - compute.instances.detachDisk
    - compute.instances.setLabels
    - compute.instances.setMachineType
    - compute.instances.start
    - compute.instances.stop
    - compute.instances.useReadOnly
    - compute.instanceTemplates.list
    - compute.instantSnapshots.list
    - compute.regionOperations.get
    - compute.reservations.list
    - compute.resourcePolicies.use
    - compute.snapshots.create
    - compute.snapshots.delete
    - compute.snapshots.get
    - compute.snapshots.list
    - compute.snapshots.useReadOnly
    - compute.zoneOperations.get
    - container.clusters.update
    - iam.serviceAccounts.actAs
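An added example, not part of the Turbonomic documentation: a least-privilege check for the project-level custom role described above. It compares a role's `includedPermissions` (the field in the JSON that `gcloud iam roles describe --format=json` prints) with the two project-level lists on this page; the role name and the sample role are constructed for illustration.

```python
import json
import sys

# Project-level lists copied from this page.
MONITORING = set("""
compute.commitments.list compute.disks.get compute.disks.list compute.diskTypes.list
compute.instances.get compute.instances.list compute.instanceGroupManagers.get
compute.instanceGroupManagers.list compute.instanceGroups.get compute.instanceGroups.list
compute.machineTypes.get compute.machineTypes.list compute.regions.list compute.zones.list
container.clusters.get logging.logEntries.list logging.views.get logging.views.list
monitoring.services.get monitoring.services.list monitoring.timeSeries.list
resourcemanager.projects.get serviceusage.services.get
""".split())

ACTION = set("""
compute.disks.create compute.disks.createSnapshot compute.disks.delete compute.disks.resize
compute.disks.setLabels compute.disks.update compute.disks.use compute.disks.useReadOnly
compute.globalOperations.get compute.instanceGroupManagers.update compute.instanceGroups.get
compute.instanceGroups.list compute.instanceGroups.use compute.instances.attachDisk
compute.instances.detachDisk compute.instances.setLabels compute.instances.setMachineType
compute.instances.start compute.instances.stop compute.instances.useReadOnly
compute.instanceTemplates.list compute.instantSnapshots.list compute.regionOperations.get
compute.reservations.list compute.resourcePolicies.use compute.snapshots.create
compute.snapshots.delete compute.snapshots.get compute.snapshots.list
compute.snapshots.useReadOnly compute.zoneOperations.get container.clusters.update
iam.serviceAccounts.actAs
""".split())


def audit_role(role):
    """Compare a role's includedPermissions with the page's project-level lists."""
    granted = set(role.get("includedPermissions", []))
    return {
        # Required for monitoring but absent from the role.
        "missing_monitoring": sorted(MONITORING - granted),
        # Optional action-execution permissions the role carries.
        "action_granted": sorted(granted & (ACTION - MONITORING)),
        # Granted but on neither project-level list.
        "unlisted": sorted(granted - MONITORING - ACTION),
    }


# Constructed sample: a role meant to be monitoring-only that has drifted.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/turbonomicMonitor",  # hypothetical name
    "includedPermissions": sorted(MONITORING - {"logging.views.list"}) + [
        "compute.instances.stop", "iam.serviceAccounts.actAs", "storage.buckets.list"],
}

if __name__ == "__main__":
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ROLE
    print(json.dumps(audit_role(role), indent=2))
```

For a monitoring-only target, `action_granted` and `unlisted` should both come back empty. An organization-level role also needs the billing and resource hierarchy permissions listed above, which this project-level check reports as `unlisted`.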
Permissions for the Google Cloud Billing target
The Google Cloud Billing target grants Turbonomic access to billing data from a billing export to BigQuery. Turbonomic uses this data to visualize historical cloud expenses and discover Committed Use Discounts.
Be sure to set up a service account in Google Cloud, create a custom role, and then assign the custom role to the service account. You need to specify these permissions when you create the custom role.
When a service account has been properly configured for use with Turbonomic, add a Google Cloud Billing target in the user interface.
- bigquery.jobs.create
- bigquery.tables.get
- bigquery.tables.getData
- bigquery.tables.list
- billing.accounts.get
- billing.resourceAssociations.list
- compute.commitments.list
- compute.diskTypes.list
- compute.machineTypes.list
- compute.regions.list
- compute.zones.list