Review the permissions required to deploy resources and the permissions granted when connecting Google Cloud projects and organizations to Trend Vision One.

Trend Micro recommends accessing the project with an account that has the Owner role. If you are adding a Google Cloud organization, the account must also have the Organization Administrator role. Ensure your account and role meet the following requirements so that Trend Vision One cloud security resources can be deployed to your project successfully.
  • The associated Google account must be a valid billing account.
  • The user role must have access to the following Google Cloud services and features:
    • Cloud Shell
    • Cloud Storage
    • Service Account
    • Workload Identity Pool
    • Workload Identity Pool Provider
    • IAM
    • Tag Key
    • Tag Value
    • Enable GCP API
The Terraform process assigns certain permissions to itself to establish the connection with Cloud Accounts and Trend Vision One cloud security services. These permissions include enabling the Cloud Accounts app and security services to obtain temporary credentials and complete tasks within your Google Cloud environment. The required permissions are listed in the following table:

Google Cloud required permissions (each feature is followed by the permissions it requires)

Feature: Core Features
Required permissions:
  • compute.regions.list
  • iam.roles.create
  • iam.roles.delete
  • iam.roles.get
  • iam.serviceAccounts.actAs
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.workloadIdentityPoolProviderKeys.delete
  • iam.workloadIdentityPoolProviders.create
  • iam.workloadIdentityPoolProviders.delete
  • iam.workloadIdentityPoolProviders.get
  • iam.workloadIdentityPools.create
  • iam.workloadIdentityPools.delete
  • iam.workloadIdentityPools.get
  • iam.workloadIdentityPools.update
  • iam.workloadIdentityPools.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • resourcemanager.tagKeys.create
  • resourcemanager.tagKeys.delete
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.create
  • resourcemanager.tagValues.delete
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.list
  • serviceusage.services.enable
  • serviceusage.services.list
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.objects.update
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.list
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list
  • storage.objects.move
  • storage.objects.setIamPolicy
Feature: Cloud Security Posture
Required permissions (actions):
  • accessapproval.settings.get
  • alloydb.clusters.list
  • alloydb.instances.list
  • apigateway.locations.get
  • apigateway.gateways.list
  • apigateway.gateways.getIamPolicy
  • apigateway.apis.list
  • apigateway.apis.get
  • apigateway.apis.getIamPolicy
  • apigateway.apiconfigs.list
  • apigateway.apiconfigs.getIamPolicy
  • apigee.apiproducts.list
  • apigee.deployments.list
  • apigee.envgroupattachments.list
  • apigee.envgroups.list
  • apigee.environments.getStats
  • apigee.instanceattachments.list
  • apigee.instances.list
  • apigee.proxies.list
  • apigee.proxyrevisions.get
  • apikeys.keys.list
  • artifactregistry.repositories.list
  • bigtable.instances.list
  • bigtable.clusters.list
  • bigtable.instances.getIamPolicy
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
  • bigquery.tables.getIamPolicy
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.cryptoKeys.list
  • cloudkms.keyRings.list
  • cloudkms.locations.list
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.regionBackendServices.getIamPolicy
  • compute.regionBackendServices.list
  • compute.regionSslPolicies.list
  • compute.firewalls.list
  • compute.globalForwardingRules.list
  • compute.images.getIamPolicy
  • compute.images.list
  • compute.instances.list
  • compute.instances.getIamPolicy
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.networks.list
  • compute.subnetworks.list
  • compute.subnetworks.getIamPolicy
  • compute.projects.get
  • compute.targetHttpsProxies.list
  • compute.targetSslProxies.list
  • compute.sslPolicies.list
  • compute.urlMaps.list
  • compute.targetVpnGateways.list
  • compute.vpnGateways.list
  • compute.instanceGroups.list
  • compute.zones.list
  • container.clusters.list
  • container.clusters.get
  • dataproc.clusters.list
  • dataproc.clusters.getIamPolicy
  • datastore.databases.list
  • dns.policies.list
  • dns.managedZones.list
  • file.instances.list
  • iam.serviceAccounts.get
  • iam.serviceAccounts.list
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccountKeys.list
  • iam.roles.list
  • logging.logEntries.list
  • logging.logMetrics.list
  • logging.sinks.list
  • memcache.instances.list
  • monitoring.alertPolicies.list
  • orgpolicy.policy.get
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.subscriptions.get
  • pubsublite.topics.list
  • pubsublite.topics.listSubscriptions
  • redis.clusters.list
  • redis.instances.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • servicemanagement.services.get
  • serviceusage.services.list
  • spanner.instances.getIamPolicy
  • spanner.instances.list
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • certificatemanager.certs.list
  • compute.routers.list
  • cloudfunctions.functions.list
  • cloudfunctions.functions.getIamPolicy
  • networkconnectivity.hubs.list
  • networkconnectivity.hubs.listSpokes
  • networkconnectivity.hubs.getIamPolicy
  • notebooks.instances.list
  • notebooks.instances.getIamPolicy
  • artifactregistry.dockerimages.list
Feature: Agentless Vulnerability & Threat Detection
Control Plane Service Account
Purpose: Manages control plane operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Custom role with compute.disks.createSnapshot permission
Sidecar project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Compute Viewer (roles/compute.viewer)
  • Workflows Viewer (roles/workflows.viewer)
  • Logging Writer (roles/logging.logWriter)
  • Custom role with snapshot and disk management permissions
Customer Role Service Account
Purpose: Handles customer-specific operations
Customer project permissions:
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Compute Viewer (roles/compute.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
Sidecar project permissions:
  • Cloud Run Invoker (roles/run.invoker)
Data Plane Service Account
Purpose: Executes data plane operations
Sidecar project permissions:
  • Storage Object Viewer (roles/storage.objectViewer)
  • Artifact Registry Reader (roles/artifactregistry.reader)
  • Cloud Functions Viewer (roles/cloudfunctions.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Logging Writer (roles/logging.logWriter)
  • Workflows Invoker (roles/workflows.invoker) and Workflows Viewer (roles/workflows.viewer)
  • Eventarc Event Receiver (roles/eventarc.eventReceiver)
  • Service Account Token Creator (roles/iam.serviceAccountTokenCreator)
  • Custom role with VM and disk management permissions
Customer project permissions:
  • Compute Viewer (roles/compute.viewer)
Feature: Real-Time Posture Monitoring
No permissions required.
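The permission lists above are what Terraform grants; a practitioner will usually want to confirm that the custom roles actually present in the project still match them and have not drifted into write access. The following is an added example (not Trend Micro code) that audits the JSON printed by `gcloud iam roles describe ROLE --project PROJECT --format=json` against a documented list; the role name, the role JSON and the documented subset are constructed samples.

```python
"""Audit a Google Cloud custom role against a documented permission list.

Flags three things a defender cares about:
  - missing:  documented permissions the role lacks (deployment may fail)
  - extra:    permissions granted beyond the document (privilege creep)
  - mutating: granted permissions whose verb is not read-only
"""
import json
import re

# Read-only verbs as they appear in this page's Cloud Security Posture list.
READ_ONLY = re.compile(
    r"\.(get|list|getIamPolicy|getStats|listServerCas|listSubscriptions|listSpokes)$"
)

# Constructed sample: a subset of the page's Cloud Security Posture permissions.
DOCUMENTED = [
    "compute.instances.list",
    "compute.instances.getIamPolicy",
    "storage.buckets.getIamPolicy",
    "storage.buckets.list",
    "iam.serviceAccounts.list",
    "cloudsql.instances.listServerCas",
]

# Constructed sample of `gcloud iam roles describe` output for a role that has
# drifted: it lost storage.buckets.list and gained two write permissions.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/cspmReader",  # placeholder project
    "stage": "GA",
    "includedPermissions": [
        "compute.instances.list",
        "compute.instances.getIamPolicy",
        "storage.buckets.getIamPolicy",
        "iam.serviceAccounts.list",
        "cloudsql.instances.listServerCas",
        "compute.instances.setMetadata",
        "storage.buckets.setIamPolicy",
    ],
})


def audit_role(role_json: str, documented: list[str]) -> dict[str, list[str]]:
    """Compare a role's includedPermissions with the documented list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    wanted = set(documented)
    return {
        "missing": sorted(wanted - granted),
        "extra": sorted(granted - wanted),
        "mutating": sorted(p for p in granted if not READ_ONLY.search(p)),
    }


if __name__ == "__main__":
    for kind, perms in audit_role(SAMPLE_ROLE_JSON, DOCUMENTED).items():
        print(f"{kind}: {perms}")
```

Any entry under `mutating` in a role meant for posture scanning is worth a ticket, since every permission in the Cloud Security Posture list above is a get, list or getIamPolicy style verb.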