If you enable granular permissions, you must update the custom role whenever a new service is added on Prisma Cloud and add any additional permissions that may be required to ingest data from that service.
To enable flow log compression using the Dataflow service, you must grant additional permissions. See Flow Log Compression on GCP for details on ingesting network log data.
Create a YAML file with the custom permissions.
Create a YAML file and add the granular permissions for the custom role. Use the following YAML as a format example only; you must add the permissions required for onboarding your GCP project or organization, from the link above, to this file:
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
Create the custom role.
Select the GCP project in which you want to create the custom role. You must select a project because GCP does not allow a service account to belong directly to the GCP Organization; the service account you create in the next step is created in this project.
Upload the YAML file to the Cloud Shell.
Run the gcloud command:
gcloud iam roles create <prisma customrole name> --project <project-ID> --file <YAML file name>
Create a Service Account and attach the custom role to it.
Open the service accounts page in the Google Cloud Console, select Create Service Account, and add the custom role you created earlier to the new service account. Create a key and download the private key. The downloaded key is a long-lived credential that carries every permission bound to the service account, so store it securely and revoke it if it is ever exposed.
(For onboarding a GCP Organization only) Create the custom role at the GCP Organization level.
Select your GCP Organization.
Run the gcloud command
gcloud iam roles create <prisma customrole name> --organization <org ID> --file <YAML File name>
(For onboarding a GCP Organization only) Set up your Service Account to monitor all the GCP folders and projects within the GCP Organization.
You must add the service account you created in the project (in Create a Service Account With a Custom Role for GCP) as a member at the GCP Organization level and grant it the custom role you created in the previous step. Additionally, you must grant the service account the predefined Organization Viewer role. Together, these grants enable the service account to monitor all the GCP projects within the GCP Organization hierarchy.
Copy the service account member address.
Select the project that you used to create the service account, and copy the service account member address (its email address).
Select your Organization, and then select Add to add members at the Organization level. Paste the service account member address you copied as New members, and under Select a role add the custom role you created at the Organization level, the Organization Viewer role, and the Folder Viewer role. Then Save.
The Organization Viewer role grants permission to view the Organization name without granting access to all resources in the Organization. The Folder Viewer role is also required to onboard your GCP folders.
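The steps above can be scripted end to end with gcloud. The following POSIX shell script is an added example and is not Prisma Cloud's or Google's own tooling: it writes the role YAML, creates the custom role at project and organization scope, creates the service account in the project, binds the custom role plus Organization Viewer and Folder Viewer at the organization node, and creates the key. The project ID, organization ID, role ID, service account name and file names are placeholders (assumptions). Note that a custom role ID may contain only letters, digits, underscores and periods, so the hyphenated title from the YAML cannot be reused as the ID. With DRY_RUN=1 (the default) every gcloud command is printed rather than executed, so the plan can be reviewed before anything is changed.

```shell
#!/usr/bin/env sh
# Added example, not Prisma Cloud's or Google's tooling: the onboarding
# procedure as one gcloud script. All IDs and file names below are
# placeholders (assumptions). DRY_RUN=1 prints commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
ORG_ID="${ORG_ID:-123456789012}"
ROLE_ID="${ROLE_ID:-prisma_custom_role}"   # role IDs: letters, digits, '_' and '.' only
SA_NAME="${SA_NAME:-prisma-cloud}"
ROLE_FILE="${ROLE_FILE:-prisma-custom-role.yaml}"
KEY_FILE="${KEY_FILE:-prisma-cloud-key.json}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: write the role definition. Only the two permissions shown on the
# page are listed; append the rest from the onboarding permission list.
write_role_yaml() {
  cat > "$1" <<'EOF'
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
EOF
}

# Step 2: custom role at project scope (args: project, role ID, yaml file).
create_project_role() { run gcloud iam roles create "$2" --project "$1" --file "$3"; }

# Organization onboarding only: the same role at organization scope.
create_org_role() { run gcloud iam roles create "$2" --organization "$1" --file "$3"; }

# Step 3: the service account must live in a project; GCP has no
# organization-level service accounts.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"; }
create_service_account() {
  run gcloud iam service-accounts create "$2" --project "$1" --display-name "$2"
}

# Bind the project-level custom role to the service account in its project.
bind_project_role() {
  run gcloud projects add-iam-policy-binding "$1" \
    --member "serviceAccount:$(sa_email "$1" "$2")" \
    --role "projects/$1/roles/$3"
}

# Organization onboarding only: bind the org-level custom role plus the two
# predefined roles at the organization node (args: org, sa email, role ID).
bind_org_roles() {
  org="$1"; email="$2"; role="$3"
  for r in "organizations/$org/roles/$role" \
           roles/resourcemanager.organizationViewer \
           roles/resourcemanager.folderViewer; do
    run gcloud organizations add-iam-policy-binding "$org" \
      --member "serviceAccount:$email" --role "$r"
  done
}

# Step 4: create and download the key. It is a long-lived credential for every
# project in scope, so upload it to Prisma Cloud and store it accordingly.
create_key() { run gcloud iam service-accounts keys create "$2" --iam-account "$1"; }

main() {
  write_role_yaml "$ROLE_FILE"
  create_project_role "$PROJECT_ID" "$ROLE_ID" "$ROLE_FILE"
  create_service_account "$PROJECT_ID" "$SA_NAME"
  bind_project_role "$PROJECT_ID" "$SA_NAME" "$ROLE_ID"
  create_org_role "$ORG_ID" "$ROLE_ID" "$ROLE_FILE"
  bind_org_roles "$ORG_ID" "$(sa_email "$PROJECT_ID" "$SA_NAME")" "$ROLE_ID"
  create_key "$(sa_email "$PROJECT_ID" "$SA_NAME")" "$KEY_FILE"
}
main
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 PROJECT_ID=... ORG_ID=... to apply them; the single-project flow is the same script without the two organization steps.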
Controlling access and permissions to the Rackspace and GCP control planes (APIs and UIs), along with access to the resources you deploy at GCP, is a critical part of the overall security of your environment.
Rackspace Account Permissions
You can grant other members of your company access to Billing and Payments and Support Ticketing by clicking the Account dropdown in the top right corner of the Managed Services for Google Cloud Platform Control Panel and selecting User Management. From there, you can add and manage existing users, selecting which parts of the Rackspace Control Panel they should have access to.
GCP Project Permissions
GCP project permissions are managed via Google Cloud Identity and Access Management. If you have questions regarding the permissions you should grant users in your company, contact a member of your support team.
Identity/IAM
Both Google and Rackspace encourage a least-privilege model for IAM: access should be granted only where it is necessary to accomplish a task. Because Rackspace deploys infrastructure as code with Google Deployment Manager (GDM), we suggest minimizing user accounts beyond the account used to allow Rackspace access for management. Because GDM deploys the infrastructure, user accounts with permission to manually create or destroy resources in Google Cloud Platform (GCP) are not supported; instead, update the GDM templates and use them to deploy the infrastructure changes.
Google's IAM hierarchy is top-down: a role granted at the organization level is inherited by every folder and project beneath it, and a more restrictive policy lower in the hierarchy cannot take that access away. Rackspace's policy is therefore to avoid granting access unless it is necessary, and then to grant it at the most granular level possible, so that access is never granted unintentionally.
To ensure that your Aviator or Service Blocks projects meet this permissions model, Rackspace might periodically audit the permissions being passed to the project and require adjustments to use the least permissive model.
Service Accounts
Rackspace adds a primary service account with these roles to each of your GCP projects that we manage:
Project Browser
Project Billing Manager
Project IAM Admin
Additionally, we grant the service accounts for the following support tooling these roles in all Aviator and Service Blocks projects:
Resource Observer (collects project metadata for support inventory): Viewer
Smart Tickets (works with Watchman to provide automated diagnostics and additional context for monitoring alerts that are turned into tickets for Rackers to address): Viewer, IAP-secured Tunnel User, Compute Instance Admin, Compute Security Admin
MGCP Operations (facilitates integration of Operations monitoring, formerly Stackdriver, with Watchman): Viewer, Monitoring Admin
Do not remove these accounts or alter their permissions in any way without first consulting with your support team.
We also temporarily add accounts from the gcp.rackspace.com domain as Rackers and automations need access to your projects, so do not remove those accounts or alter their permissions.
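Because those bindings must not drift, it is worth checking them rather than trusting memory. The following POSIX shell script is an added example, not Rackspace's own tooling: it compares a project's IAM bindings, exported by gcloud as one "role,member" line per binding, against the expected set for the service accounts listed above and reports anything missing or extra, ignoring members it does not track. The project name, the service account addresses and the sample policy are constructed for the example; the role IDs are the public IDs of the roles named above, with Compute Instance Admin assumed to be the v1 variant.

```shell
#!/usr/bin/env sh
# Added example, not Rackspace's or Google's tooling: report drift between the
# roles bound to the Rackspace service accounts in a project and the expected
# set. Input is one "role,member" line per binding, as produced by
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --format="csv[no-heading](bindings.role,bindings.members)"
# The project name and service-account addresses are assumptions.
set -eu
export LC_ALL=C   # byte-wise sort/comm, independent of the caller's locale

PRIMARY=serviceAccount:primary@example-project.iam.gserviceaccount.com
OBSERVER=serviceAccount:resource-observer@example-project.iam.gserviceaccount.com
TICKETS=serviceAccount:smart-tickets@example-project.iam.gserviceaccount.com
MGCP=serviceAccount:mgcp-operations@example-project.iam.gserviceaccount.com

# Expected "member role" pairs. Role IDs are the public IDs of the roles named
# on the page; Compute Instance Admin is assumed to be the v1 variant.
expected_bindings() {
  cat <<EOF
$PRIMARY roles/browser
$PRIMARY roles/billing.projectManager
$PRIMARY roles/resourcemanager.projectIamAdmin
$OBSERVER roles/viewer
$TICKETS roles/viewer
$TICKETS roles/iap.tunnelResourceAccessor
$TICKETS roles/compute.instanceAdmin.v1
$TICKETS roles/compute.securityAdmin
$MGCP roles/viewer
$MGCP roles/monitoring.admin
EOF
}

# Constructed sample of the gcloud CSV output for a drifted project: Smart
# Tickets has lost Compute Security Admin, Resource Observer has gained Owner,
# and an unrelated human user is present (and must be ignored).
sample_policy_csv() {
  cat <<EOF
roles/browser,$PRIMARY
roles/billing.projectManager,$PRIMARY
roles/resourcemanager.projectIamAdmin,$PRIMARY
roles/viewer,$OBSERVER
roles/owner,$OBSERVER
roles/viewer,$TICKETS
roles/iap.tunnelResourceAccessor,$TICKETS
roles/compute.instanceAdmin.v1,$TICKETS
roles/viewer,$MGCP
roles/monitoring.admin,$MGCP
roles/editor,user:alice@example.com
EOF
}

# check_drift CSV_FILE
# Prints "MISSING member role" for expected bindings that are absent and
# "EXTRA member role" for bindings the tracked accounts hold beyond the
# expected set. Returns 0 when there is no drift, 1 otherwise.
check_drift() {
  exp=$(mktemp); act=$(mktemp)
  expected_bindings | sort > "$exp"
  # Keep only bindings of tracked members, normalised to "member role".
  awk -F, -v list="$(cut -d' ' -f1 "$exp" | sort -u | tr '\n' ' ')" '
    BEGIN { n = split(list, m, " "); for (i = 1; i <= n; i++) tracked[m[i]] = 1 }
    ($2 in tracked) { print $2 " " $1 }' "$1" | sort > "$act"
  missing=$(comm -23 "$exp" "$act")
  extra=$(comm -13 "$exp" "$act")
  rm -f "$exp" "$act"
  drift=0
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing" | sed 's/^/MISSING /'; drift=1
  fi
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra" | sed 's/^/EXTRA /'; drift=1
  fi
  return "$drift"
}

# Stand-alone demo against the constructed sample.
demo() {
  f=$(mktemp); sample_policy_csv > "$f"
  check_drift "$f" || echo "drift detected; consult your support team before changing anything"
  rm -f "$f"
}
demo
```

Against the constructed sample the check prints one MISSING line (Smart Tickets without Compute Security Admin) and one EXTRA line (Resource Observer with Owner) and exits non-zero; the unrelated user binding is ignored. Against a clean export it prints nothing and exits zero. Any drift it reports should be raised with your support team rather than corrected by hand, for the reason stated above.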
Google Organization Permissions
Rackspace will also add our service account with the Project Creator role on your Google organization, allowing both you and us to create additional projects for new applications, as needed.