
Google Cloud IAM Permissions

Each version of Fix Inventory programmatically generates the specific IAM permissions it requires to collect (and optionally, manipulate) Google Cloud resources.

Service Namespace | fix_access | fix_mutate
cloudsql
  • backupRuns.list
  • databases.list
  • instances.get
  • instances.list
  • users.list
  • instances.delete
  • instances.update
compute
  • acceleratorTypes.list
  • addresses.list
  • autoscalers.list
  • backendBuckets.list
  • backendServices.list
  • commitments.list
  • diskTypes.list
  • disks.list
  • externalVpnGateways.list
  • firewalls.list
  • forwardingRules.list
  • globalOperations.list
  • healthChecks.list
  • httpHealthChecks.list
  • httpsHealthChecks.list
  • images.list
  • instanceGroupManagers.list
  • instanceGroups.list
  • instanceTemplates.list
  • instances.list
  • interconnectAttachments.list
  • interconnectLocations.list
  • interconnects.list
  • licenses.list
  • machineImages.list
  • machineTypes.get
  • machineTypes.list
  • networkEdgeSecurityServices.list
  • networkEndpointGroups.list
  • networks.list
  • nodeGroups.list
  • nodeTemplates.list
  • nodeTypes.list
  • packetMirrorings.list
  • publicAdvertisedPrefixes.list
  • publicDelegatedPrefixes.list
  • regionHealthCheckServices.list
  • regionNotificationEndpoints.list
  • resourcePolicies.list
  • routers.list
  • routes.list
  • securityPolicies.list
  • serviceAttachments.list
  • snapshots.list
  • sslCertificates.list
  • sslPolicies.list
  • subnetworks.list
  • targetGrpcProxies.list
  • targetHttpProxies.list
  • targetHttpsProxies.list
  • targetInstances.list
  • targetPools.list
  • targetSslProxies.list
  • targetTcpProxies.list
  • targetVpnGateways.list
  • urlMaps.list
  • vpnGateways.list
  • vpnTunnels.list
  • addresses.delete
  • autoscalers.delete
  • autoscalers.update
  • backendBuckets.delete
  • backendBuckets.update
  • backendServices.delete
  • backendServices.update
  • commitments.update
  • disks.delete
  • disks.setLabels
  • externalVpnGateways.delete
  • externalVpnGateways.setLabels
  • firewalls.delete
  • firewalls.update
  • forwardingRules.delete
  • globalOperations.delete
  • healthChecks.delete
  • healthChecks.update
  • httpHealthChecks.delete
  • httpHealthChecks.update
  • httpsHealthChecks.delete
  • httpsHealthChecks.update
  • images.delete
  • images.setLabels
  • instanceGroupManagers.delete
  • instanceGroupManagers.update
  • instanceGroups.delete
  • instanceGroups.update
  • instanceTemplates.delete
  • instances.delete
  • instances.setLabels
  • interconnectAttachments.delete
  • interconnectAttachments.setLabels
  • interconnects.delete
  • interconnects.setLabels
  • licenses.delete
  • machineImages.delete
  • networkEdgeSecurityServices.delete
  • networkEdgeSecurityServices.update
  • networkEndpointGroups.delete
  • networks.delete
  • nodeGroups.delete
  • nodeGroups.update
  • nodeTemplates.delete
  • packetMirrorings.delete
  • packetMirrorings.update
  • publicAdvertisedPrefixes.delete
  • publicAdvertisedPrefixes.update
  • publicDelegatedPrefixes.delete
  • publicDelegatedPrefixes.update
  • regionHealthCheckServices.delete
  • regionHealthCheckServices.update
  • regionNotificationEndpoints.delete
  • regionNotificationEndpoints.update
  • resourcePolicies.delete
  • resourcePolicies.update
  • routers.delete
  • routers.update
  • routes.delete
  • securityPolicies.setLabels
  • serviceAttachments.delete
  • serviceAttachments.update
  • snapshots.delete
  • snapshots.setLabels
  • sslCertificates.delete
  • sslPolicies.delete
  • subnetworks.delete
  • targetGrpcProxies.delete
  • targetGrpcProxies.update
  • targetHttpProxies.delete
  • targetHttpProxies.update
  • targetHttpsProxies.delete
  • targetHttpsProxies.update
  • targetInstances.delete
  • targetPools.delete
  • targetPools.update
  • targetSslProxies.delete
  • targetSslProxies.update
  • targetTcpProxies.delete
  • targetTcpProxies.update
  • targetVpnGateways.delete
  • urlMaps.delete
  • vpnGateways.delete
  • vpnGateways.setLabels
  • vpnTunnels.delete
container
  • clusters.list
  • operations.list
  • clusters.delete
  • clusters.update
storage
  • buckets.list
  • buckets.delete
  • buckets.update

fix_access​

https://cdn.some.engineering/fix/gcp/edge/fix_access.yaml
# Role definition "fix_access": the permission set Fix Inventory needs to collect resources.
# Every entry below is a .list or .get permission; none of them can modify or delete a resource.
# Read-only is not the same as harmless: the role still exposes inventory metadata such as
# firewall rules (compute.firewalls.list) and database user lists (cloudsql.users.list),
# so the identity holding it should be protected like any other credential.
title: fix_access
description: Permissions required to collect resources.
stage: GA
includedPermissions:
# Cloud SQL
- cloudsql.backupRuns.list
- cloudsql.databases.list
- cloudsql.instances.get
- cloudsql.instances.list
- cloudsql.users.list
# Compute Engine
- compute.acceleratorTypes.list
- compute.addresses.list
- compute.autoscalers.list
- compute.backendBuckets.list
- compute.backendServices.list
- compute.commitments.list
- compute.diskTypes.list
- compute.disks.list
- compute.externalVpnGateways.list
- compute.firewalls.list
- compute.forwardingRules.list
- compute.globalOperations.list
- compute.healthChecks.list
- compute.httpHealthChecks.list
- compute.httpsHealthChecks.list
- compute.images.list
- compute.instanceGroupManagers.list
- compute.instanceGroups.list
- compute.instanceTemplates.list
- compute.instances.list
- compute.interconnectAttachments.list
- compute.interconnectLocations.list
- compute.interconnects.list
- compute.licenses.list
- compute.machineImages.list
- compute.machineTypes.get
- compute.machineTypes.list
- compute.networkEdgeSecurityServices.list
- compute.networkEndpointGroups.list
- compute.networks.list
- compute.nodeGroups.list
- compute.nodeTemplates.list
- compute.nodeTypes.list
- compute.packetMirrorings.list
- compute.publicAdvertisedPrefixes.list
- compute.publicDelegatedPrefixes.list
- compute.regionHealthCheckServices.list
- compute.regionNotificationEndpoints.list
- compute.resourcePolicies.list
- compute.routers.list
- compute.routes.list
- compute.securityPolicies.list
- compute.serviceAttachments.list
- compute.snapshots.list
- compute.sslCertificates.list
- compute.sslPolicies.list
- compute.subnetworks.list
- compute.targetGrpcProxies.list
- compute.targetHttpProxies.list
- compute.targetHttpsProxies.list
- compute.targetInstances.list
- compute.targetPools.list
- compute.targetSslProxies.list
- compute.targetTcpProxies.list
- compute.targetVpnGateways.list
- compute.urlMaps.list
- compute.vpnGateways.list
- compute.vpnTunnels.list
# Container (clusters)
- container.clusters.list
- container.operations.list
# Cloud Storage
- storage.buckets.list

fix_mutate​

https://cdn.some.engineering/fix/gcp/edge/fix_mutate.yaml
# Role definition "fix_mutate": the permission set Fix Inventory needs to mutate resources.
# Manipulating resources is optional, so grant this role only where Fix Inventory is expected
# to change or delete resources; collection works with fix_access alone.
# Every entry below is a .delete, .update or .setLabels permission. The set covers destructive
# actions on networks, firewalls, disks, snapshots, container clusters and storage buckets,
# so scope the binding as narrowly as possible (NOTE(review): per project rather than per
# organization where feasible) and review the identity's activity in audit logs.
title: fix_mutate
description: Permissions required to mutate resources.
stage: GA
includedPermissions:
# Cloud SQL
- cloudsql.instances.delete
- cloudsql.instances.update
# Compute Engine
- compute.addresses.delete
- compute.autoscalers.delete
- compute.autoscalers.update
- compute.backendBuckets.delete
- compute.backendBuckets.update
- compute.backendServices.delete
- compute.backendServices.update
- compute.commitments.update
- compute.disks.delete
- compute.disks.setLabels
- compute.externalVpnGateways.delete
- compute.externalVpnGateways.setLabels
# firewalls.delete / firewalls.update change network exposure, not just inventory
- compute.firewalls.delete
- compute.firewalls.update
- compute.forwardingRules.delete
- compute.globalOperations.delete
- compute.healthChecks.delete
- compute.healthChecks.update
- compute.httpHealthChecks.delete
- compute.httpHealthChecks.update
- compute.httpsHealthChecks.delete
- compute.httpsHealthChecks.update
- compute.images.delete
- compute.images.setLabels
- compute.instanceGroupManagers.delete
- compute.instanceGroupManagers.update
- compute.instanceGroups.delete
- compute.instanceGroups.update
- compute.instanceTemplates.delete
- compute.instances.delete
- compute.instances.setLabels
- compute.interconnectAttachments.delete
- compute.interconnectAttachments.setLabels
- compute.interconnects.delete
- compute.interconnects.setLabels
- compute.licenses.delete
- compute.machineImages.delete
- compute.networkEdgeSecurityServices.delete
- compute.networkEdgeSecurityServices.update
- compute.networkEndpointGroups.delete
- compute.networks.delete
- compute.nodeGroups.delete
- compute.nodeGroups.update
- compute.nodeTemplates.delete
- compute.packetMirrorings.delete
- compute.packetMirrorings.update
- compute.publicAdvertisedPrefixes.delete
- compute.publicAdvertisedPrefixes.update
- compute.publicDelegatedPrefixes.delete
- compute.publicDelegatedPrefixes.update
- compute.regionHealthCheckServices.delete
- compute.regionHealthCheckServices.update
- compute.regionNotificationEndpoints.delete
- compute.regionNotificationEndpoints.update
- compute.resourcePolicies.delete
- compute.resourcePolicies.update
- compute.routers.delete
- compute.routers.update
- compute.routes.delete
- compute.securityPolicies.setLabels
- compute.serviceAttachments.delete
- compute.serviceAttachments.update
- compute.snapshots.delete
- compute.snapshots.setLabels
- compute.sslCertificates.delete
- compute.sslPolicies.delete
- compute.subnetworks.delete
- compute.targetGrpcProxies.delete
- compute.targetGrpcProxies.update
- compute.targetHttpProxies.delete
- compute.targetHttpProxies.update
- compute.targetHttpsProxies.delete
- compute.targetHttpsProxies.update
- compute.targetInstances.delete
- compute.targetPools.delete
- compute.targetPools.update
- compute.targetSslProxies.delete
- compute.targetSslProxies.update
- compute.targetTcpProxies.delete
- compute.targetTcpProxies.update
- compute.targetVpnGateways.delete
- compute.urlMaps.delete
- compute.vpnGateways.delete
- compute.vpnGateways.setLabels
- compute.vpnTunnels.delete
# Container (clusters)
- container.clusters.delete
- container.clusters.update
# Cloud Storage: deleting or updating a bucket affects data availability and access settings
- storage.buckets.delete
- storage.buckets.update