Learn which resources are deployed in your Google Cloud environment for each Trend Vision One feature that you can enable on a Google Cloud project. For more information about each feature and permission set, see Google Cloud features and permissions.

Google Cloud Project Services deployed by feature

Feature name | Google Cloud Project services deployed (number)
Core features and permissions
Resources:
  • Service Account (1)
  • Workload Identity Pool (1)
  • Workload Identity Pool Provider (1)
  • IAM (3)
  • Tag Key (1)
  • Tag Value (1)
  • Cloud Storage (1)
Enabled APIs:
  • IAM Service Account Credentials
  • Cloud Resource Manager
  • Identity and Access Management
  • Cloud Build
  • Deployment Manager
  • Cloud Functions
  • Cloud Pub/Sub
  • Secret Manager
Agentless Vulnerability & Threat Detection
Resources:
  • Control Plane Service Account
  • Customer Role Service Account
  • Data Plane Service Account
For more information on the permissions required for each service account, see Google Cloud required permissions.
Real-Time Posture Monitoring
Resources:
  • Logging Sink
  • Pub/Sub Topic
  • Pub/Sub IAM Binding
  • Cloud Storage Bucket
  • Cloud Storage Object
  • Service Account
  • Cloud Function (Gen 2)
  • Cloud Run Service IAM Binding
  • Eventarc Trigger
  • Artifact Registry Repository
Enabled APIs:
  • Cloud Logging API (Service: logging.googleapis.com)
  • Cloud Pub/Sub API (Service: pubsub.googleapis.com)
  • Cloud Storage API (Service: storage.googleapis.com)
  • Cloud Functions API (Service: cloudfunctions.googleapis.com)
  • Cloud Run Admin API (Service: run.googleapis.com)
  • Eventarc API (Service: eventarc.googleapis.com)
  • Cloud Build API (Service: cloudbuild.googleapis.com)
  • Artifact Registry API (Service: artifactregistry.googleapis.com)
  • Cloud Deployment Manager (Service: deploymentmanager.googleapis.com)
  • Identity and Access Management (IAM) API (Service: iam.googleapis.com)
Permissions:
Used in deployment:
  • resourcemanager.projects.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.actAs
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.update
  • run.services.get
  • run.services.setIamPolicy
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • artifactregistry.repositories.create
  • artifactregistry.repositories.get
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.setIamPolicy
  • pubsub.topics.getIamPolicy
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.delete
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.delete
Roles used by the service account created:
  • roles/run.invoker
  • roles/pubsub.publisher