GCP Connection Permissions


1.0 GCP Connection Permissions

This article describes the read permissions required to onboard a Google Cloud Platform (GCP) connection in Fortanix Key Insight. It provides a detailed list of permissions that must be granted to enable secure and successful integration with GCP keys and services.

NOTE

Fortanix Key Insight does not have access to customer data. The permissions outlined in the article are exclusively for cryptographic operations and security enforcement.

1.1 Predefined IAM Roles

This section describes the predefined GCP IAM roles required to integrate GCP services with Fortanix Key Insight.

Cloud Key Management Service (KMS)
  Required Role: Cloud KMS Viewer
  Required API: Cloud Key Management Service (KMS) API
  Description: Provides read-only access to Cloud KMS keys and key metadata. For more information on the associated permissions for this role, refer to Cloud Key Management Service roles and permissions.

Cloud SQL
  Required Role: Cloud SQL Viewer
  Required API: Cloud SQL Admin API
  Description: Provides read-only access to Cloud SQL instances, configurations, and metadata. For more information on the associated permissions for this role, refer to Cloud SQL roles and permissions.

Cloud Storage
  Required Role: Storage Bucket Viewer (beta)
  Required API: Cloud Storage API
  Description: Provides read-only access to Cloud Storage bucket metadata. For more information on the associated permissions for this role, refer to Cloud Storage roles and permissions.

Google Kubernetes Engine (GKE)
  Required Role: Kubernetes Engine Viewer
  Required API: Kubernetes Engine API
  Description: Provides read-only access to GKE resources, including cluster configuration, node metadata, and workload information. For more information on the associated permissions for this role, refer to Google Kubernetes Engine roles and permissions.

Google Compute Engine (GCE)
  Required Role: Compute Viewer
  Required API: Compute Engine API
  Description: Provides read-only access to GCE virtual machine (VM) instances, disks, images, and related metadata. For more information on the associated permissions for this role, refer to Compute Engine roles and permissions.

For more information on the complete GCP IAM roles and permissions, refer to IAM roles and permissions index.

NOTE

Predefined IAM roles can be assigned at both the organization and project levels.

1.2 Custom Role (Least Privilege Permissions)

Instead of multiple predefined IAM roles, you can create a custom IAM role with the following minimum read-only permissions to integrate GCP services with Fortanix Key Insight:

Cloud Key Management Service (KMS)
  Permissions:
  • cloudkms.cryptoKeyVersions.get
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.get
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.get
  • cloudkms.keyRings.list
  • cloudkms.locations.list
  Description: Allows Fortanix Key Insight to discover KMS locations, enumerate key rings and cryptographic keys, and retrieve key version metadata, including protection level and configuration details.

Cloud SQL
  Permissions:
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.databases.list
  • cloudsql.users.list
  Description: Allows Fortanix Key Insight to discover Cloud SQL instances, enumerate associated databases and users, and retrieve the configuration metadata necessary for security visibility.

Cloud Storage
  Permissions:
  • storage.buckets.get
  • storage.buckets.list
  Description: Allows Fortanix Key Insight to enumerate storage buckets and retrieve bucket metadata, including encryption configuration.

Google Kubernetes Engine (GKE)
  Permissions:
  • container.clusters.get
  • container.clusters.list
  Description: Allows Fortanix Key Insight to discover Kubernetes clusters and retrieve cluster configuration metadata for encryption and security monitoring purposes.

Google Compute Engine (GCE)
  Permissions:
  • compute.instances.get
  • compute.instances.list
  • compute.projects.get
  • compute.regions.list
  • compute.zones.list
  Description: Allows Fortanix Key Insight to retrieve project-level compute configuration, enumerate regions and zones, and discover virtual machine instance metadata for encryption and security posture assessment.

NOTE

The custom role with least-privilege permissions can be assigned only at the project level.
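The following script is an added example and is not part of the Fortanix documentation or of the Key Insight product. It shows how the access described in sections 1.1 and 1.2 is typically provisioned with the gcloud CLI: enabling the listed APIs, then either binding the predefined roles to a service account (option A) or creating a custom role that contains exactly the least-privilege permissions listed above and binding it at the project level (option B). The role IDs (roles/cloudkms.viewer, roles/cloudsql.viewer, roles/storage.bucketViewer, roles/container.viewer, roles/compute.viewer) and the googleapis.com service names are Google's published identifiers; PROJECT_ID, SA_EMAIL and the custom role ID fortanixKeyInsightReader are placeholders and assumed names that must be replaced. The get/list-only check on the role definition is a guard added in this example, not something the page prescribes.

```shell
#!/bin/sh
# Added example, not part of the Fortanix documentation: grant the read-only
# access from sections 1.1 and 1.2 to a service account with the gcloud CLI.
# PROJECT_ID, SA_EMAIL and ROLE_ID are placeholders/assumed names; override via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                                 # placeholder
SA_EMAIL="${SA_EMAIL:-key-insight@${PROJECT_ID}.iam.gserviceaccount.com}"  # placeholder
ROLE_ID="${ROLE_ID:-fortanixKeyInsightReader}"                             # assumed custom role ID

# "Required API" column of section 1.1, as googleapis.com service names.
REQUIRED_APIS="cloudkms.googleapis.com sqladmin.googleapis.com storage.googleapis.com container.googleapis.com compute.googleapis.com"

# Option A (section 1.1): the predefined role IDs as published by Google.
predefined_roles() {
  printf '%s\n' roles/cloudkms.viewer roles/cloudsql.viewer \
    roles/storage.bucketViewer roles/container.viewer roles/compute.viewer
}

# Option B (section 1.2): custom role definition in the YAML layout that
# `gcloud iam roles create --file` reads, listing exactly the page's permissions.
write_role_definition() {
  cat > "$1" <<'EOF'
title: "Fortanix Key Insight Reader"
description: "Read-only discovery of Cloud KMS, Cloud SQL, Cloud Storage, GKE and GCE metadata"
stage: "GA"
includedPermissions:
- cloudkms.cryptoKeyVersions.get
- cloudkms.cryptoKeyVersions.list
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.get
- cloudkms.keyRings.list
- cloudkms.locations.list
- cloudsql.instances.get
- cloudsql.instances.list
- cloudsql.databases.list
- cloudsql.users.list
- storage.buckets.get
- storage.buckets.list
- container.clusters.get
- container.clusters.list
- compute.instances.get
- compute.instances.list
- compute.projects.get
- compute.regions.list
- compute.zones.list
EOF
}

# Guard added in this example: reject a definition that contains anything other
# than a get/list permission, so the role stays read-only if it is edited later.
check_read_only() {
  if grep '^- ' "$1" | sed 's/^- //' | grep -Ev '\.(get|list)$' >/dev/null; then
    return 1
  fi
  return 0
}

apply_with_gcloud() {
  mode="$1"
  gcloud services enable $REQUIRED_APIS --project="$PROJECT_ID"
  if [ "$mode" = "predefined" ]; then
    # Predefined roles may be bound at project or organization level (section 1.1 note).
    for role in $(predefined_roles); do
      gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:${SA_EMAIL}" --role="$role"
    done
  else
    # The custom role from section 1.2 is bound at the project level only.
    def="${TMPDIR:-/tmp}/${ROLE_ID}.yaml"
    write_role_definition "$def"
    check_read_only "$def" || { echo "non-read permission found in $def" >&2; return 1; }
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$def"
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" \
      --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  fi
}

# Usage: sh grant-key-insight.sh predefined|custom
# Without an argument the script only writes and validates the role YAML (no gcloud calls).
case "${1:-}" in
  predefined|custom)
    command -v gcloud >/dev/null 2>&1 || { echo "gcloud CLI not found" >&2; exit 1; }
    apply_with_gcloud "$1" ;;
  *)
    def="${TMPDIR:-/tmp}/${ROLE_ID}.yaml"
    write_role_definition "$def"
    check_read_only "$def" && echo "wrote read-only role definition to $def" ;;
esac
```

Running the script without an argument only materialises and validates the role definition, which is a convenient way to review the permission set before any IAM change is made; the project-level binding in option B reflects the note above that the custom role cannot be assigned at the organization level.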
