Overview
This article lists the minimum GCP IAM permissions Snowplow needs to deploy,
operate, maintain, and destroy a base Snowplow pipeline in a Private Managed
Cloud (PMC) environment on Google Cloud. It is intended for customers whose
security policy does not allow broad or Admin-scoped roles (for example
roles/owner or roles/iam.roleAdmin) and who need
a named, service-level permission set to review and approve.
The standard PMC setup grants the
techops-cloud-admin@snowplowanalytics.com group a set of predefined
roles on your project, as described in the
PMC GCP setup guide.
Some of those roles are Admin-scoped. If your security policy does not permit
that, the permission set below can be attached to a service account that
you own and control, and Snowplow accesses it through service account impersonation.
How service account impersonation works
Under this model you keep ownership of the access. The setup has three parts.

1. You create a service account in your own GCP project and assign it the permissions listed in this article, for example as the custom role described under Creating a custom role below. This is the identity that runs the pipeline, and it needs these permissions to function. Because Snowplow reaches it by impersonation, no key for this service account needs to be shared with Snowplow.
2. You grant the techops-cloud-admin@snowplowanalytics.com group the roles/iam.serviceAccountTokenCreator role on that service account. Grant it on the service account resource itself, not on the project: at project level the same role would allow impersonation of every service account in the project. This lets Snowplow impersonate the service account you created. Without this grant, Snowplow cannot act as the service account, and so cannot change anything in the project. You can revoke it at any time, and every call made through impersonation is recorded in Cloud Audit Logs with both the service account and the principal that impersonated it.
3. You grant the techops-cloud-admin@snowplowanalytics.com group the roles/viewer role on the project. This is read-only. The GCP Console does not support login through impersonation, so read-only Console access is what allows Snowplow to inspect the state of the project during troubleshooting. It carries no ability to change anything. Viewer is a basic role, so its read access spans every service in the project, not only the pipeline's resources, and for some services that includes stored data rather than just configuration; review it against your data-access policy.
All infrastructure changes are applied through Terraform, defined as code and applied programmatically. No one at Snowplow logs into the GCP Console to make manual changes in your environment.
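The three parts above, plus the custom-role binding, as gcloud commands. This is an added example and not Snowplow's own tooling: PROJECT_ID, SA_NAME and ROLE_ID are assumed placeholders, the role file name snowplow-pmc-role.json is the one used in the Creating a custom role section, and the group address and the two predefined roles are those named on this page. The audit functions show what to check after the grants: the group should hold only roles/viewer at project level, and only the group should be able to mint tokens for the service account.

```shell
#!/bin/sh
# Added example, not Snowplow's own tooling: the three-part setup plus the
# custom-role binding, as gcloud commands. PROJECT_ID, SA_NAME and ROLE_ID are
# assumed placeholders; the group address and the two predefined roles are the
# ones named on this page. Set DRY_RUN=1 to print each command instead of running it.
set -eu

PROJECT_ID="${PROJECT_ID:-my-snowplow-project}"   # assumption
SA_NAME="${SA_NAME:-snowplow-pipeline}"           # assumption
ROLE_ID="${ROLE_ID:-snowplowPmcPipeline}"         # assumption; see "Creating a custom role"
SNOWPLOW_GROUP="group:techops-cloud-admin@snowplowanalytics.com"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Part 1: the identity that runs the pipeline. You own it; no key leaves your project.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="Snowplow PMC pipeline"
}

# Part 1, continued: attach the permission set as a custom role bound to the SA.
create_and_bind_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --file=snowplow-pmc-role.json
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" --role="projects/$PROJECT_ID/roles/$ROLE_ID"
}

# Part 2: impersonation. The binding goes on the service account resource, not the
# project, so the group can mint tokens for this one identity only.
grant_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --member="$SNOWPLOW_GROUP" --role=roles/iam.serviceAccountTokenCreator
}

# Revocation is the same binding removed.
revoke_impersonation() {
  run gcloud iam service-accounts remove-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" \
    --member="$SNOWPLOW_GROUP" --role=roles/iam.serviceAccountTokenCreator
}

# Part 3: read-only Console access for troubleshooting.
grant_viewer() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$SNOWPLOW_GROUP" --role=roles/viewer
}

# Check 1: every project-level role the group holds. Expect exactly roles/viewer;
# anything else means a broader grant crept in.
audit_group_project_roles() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$SNOWPLOW_GROUP" \
    --format="value(bindings.role)"
}

# Check 2: who may impersonate the service account. Expect only the Snowplow group
# with roles/iam.serviceAccountTokenCreator.
audit_sa_impersonators() {
  run gcloud iam service-accounts get-iam-policy "$SA_EMAIL" \
    --project="$PROJECT_ID" --format=json
}

# Check 3: prove the chain end to end by minting one short-lived token (a member of
# the group runs this); the resulting audit log entry names both identities.
verify_impersonation() {
  run gcloud auth print-access-token --impersonate-service-account="$SA_EMAIL"
}

case "${1:-}" in
  apply)  create_service_account; create_and_bind_role; grant_impersonation; grant_viewer ;;
  audit)  audit_group_project_roles; audit_sa_impersonators ;;
  revoke) revoke_impersonation ;;
  verify) verify_impersonation ;;
  *)      echo "usage: $0 apply|audit|revoke|verify" ;;
esac
```

Run `DRY_RUN=1 sh setup.sh apply` first to review the exact bindings before they are made; `audit` is worth scheduling, since it catches a later project-level grant to the group or a second token-creator binding on the service account.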
Please read before you apply this list
This permission set is accurate to the best of current knowledge, but it has not been tested end to end to confirm that a new pipeline can be deployed, maintained, and then destroyed using only these permissions.
Because Snowplow normally operates with broader roles rather than an explicit named set, a permission that is only exercised in a specific situation may be missing. If that happens during deployment or operation, Snowplow will identify the specific permission needed and request that single addition, rather than asking for a broad grant.
Minimum does not mean low-risk. Several permissions in the set let the holder widen its own access when they are granted at project level: resourcemanager.projects.setIamPolicy rewrites who holds which role on the project, iam.roles.update can edit the custom role the service account is bound to, iam.serviceAccounts.setIamPolicy and iam.serviceAccounts.actAs let it grant impersonation of, and attach to resources, any other service account in the project, and iam.serviceAccountKeys.create mints long-lived keys. Terraform needs them to create and wire up the pipeline's own service accounts, but treat the identity as highly privileged: alert on SetIamPolicy, UpdateRole and CreateServiceAccountKey audit log entries made by it, and if your organization enforces the constraints/iam.disableServiceAccountKeyCreation policy, confirm with Snowplow whether the pipeline exercises key creation at all before granting that permission.
This list covers a base pipeline only. It does not include the permissions required for Signals or Identities. If you plan to deploy either of those, additional permissions are needed for the extra resources they use. Contact Snowplow Support for the current additions.
Permission set summary
The set contains 613 permissions across 18 GCP services. The table below shows the services covered and how many permissions each contributes. The complete list follows.
| Service | API prefix | Permissions |
|---|---|---|
| Cloud Functions | cloudfunctions | 10 |
| Cloud SQL | cloudsql | 36 |
| Compute Engine | compute | 225 |
| Google Kubernetes Engine (GKE) | container | 186 |
| Dataflow | dataflow | 6 |
| Datastore / Firestore | datastore | 16 |
| Cloud DNS | dns | 7 |
| IAM | iam | 18 |
| Identity-Aware Proxy (IAP) | iap | 5 |
| Cloud Logging | logging | 4 |
| Cloud Monitoring | monitoring | 15 |
| Pub/Sub | pubsub | 17 |
| Resource Manager | resourcemanager | 3 |
| Cloud Run | run | 39 |
| Service Management | servicemanagement | 4 |
| Service Networking | servicenetworking | 1 |
| Service Usage | serviceusage | 3 |
| Cloud Storage | storage | 18 |
| Total | | 613 |
Full permission list
The complete set of permissions to attach to the service account:
cloudfunctions.functions.create
cloudfunctions.functions.delete
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudfunctions.operations.get
cloudfunctions.operations.list
cloudsql.databases.create
cloudsql.databases.delete
cloudsql.databases.get
cloudsql.databases.list
cloudsql.databases.update
cloudsql.instances.addServerCa
cloudsql.instances.clone
cloudsql.instances.connect
cloudsql.instances.create
cloudsql.instances.createTagBinding
cloudsql.instances.delete
cloudsql.instances.deleteTagBinding
cloudsql.instances.demoteMaster
cloudsql.instances.export
cloudsql.instances.failover
cloudsql.instances.get
cloudsql.instances.import
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listServerCas
cloudsql.instances.listTagBindings
cloudsql.instances.login
cloudsql.instances.promoteReplica
cloudsql.instances.resetSslConfig
cloudsql.instances.restart
cloudsql.instances.restoreBackup
cloudsql.instances.rotateServerCa
cloudsql.instances.startReplica
cloudsql.instances.stopReplica
cloudsql.instances.truncateLog
cloudsql.instances.update
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.get
cloudsql.users.list
cloudsql.users.update
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.getIamPolicy
compute.backendServices.list
compute.backendServices.setIamPolicy
compute.backendServices.setSecurityPolicy
compute.backendServices.update
compute.backendServices.use
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.createSnapshot
compute.disks.createTagBinding
compute.disks.delete
compute.disks.deleteTagBinding
compute.disks.get
compute.disks.getIamPolicy
compute.disks.list
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.disks.removeResourcePolicies
compute.disks.resize
compute.disks.setIamPolicy
compute.disks.setLabels
compute.disks.update
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.globalAddresses.create
compute.globalAddresses.delete
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.setLabels
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setLabels
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalOperations.delete
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.globalOperations.list
compute.globalOperations.setIamPolicy
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.update
compute.healthChecks.use
compute.healthChecks.useReadOnly
compute.images.create
compute.images.createTagBinding
compute.images.delete
compute.images.deleteTagBinding
compute.images.deprecate
compute.images.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.list
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.images.setIamPolicy
compute.images.setLabels
compute.images.update
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.addAccessConfig
compute.instances.addMaintenancePolicies
compute.instances.addResourcePolicies
compute.instances.attachDisk
compute.instances.create
compute.instances.createTagBinding
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.deleteTagBinding
compute.instances.detachDisk
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getGuestAttributes
compute.instances.getIamPolicy
compute.instances.getScreenshot
compute.instances.getSerialPortOutput
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listReferrers
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.removeMaintenancePolicies
compute.instances.removeResourcePolicies
compute.instances.reset
compute.instances.resume
compute.instances.sendDiagnosticInterrupt
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setIamPolicy
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setMinCpuPlatform
compute.instances.setScheduling
compute.instances.setServiceAccount
compute.instances.setShieldedInstanceIntegrityPolicy
compute.instances.setShieldedVmIntegrityPolicy
compute.instances.setTags
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateDisplayDevice
compute.instances.updateNetworkInterface
compute.instances.updateSecurity
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.instances.use
compute.instances.useReadOnly
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.getIamPolicy
compute.instanceTemplates.list
compute.instanceTemplates.setIamPolicy
compute.instanceTemplates.useReadOnly
compute.machineImages.get
compute.machineImages.getIamPolicy
compute.machineImages.list
compute.machineImages.setIamPolicy
compute.machineImages.useReadOnly
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networkEndpointGroups.get
compute.networkEndpointGroups.getIamPolicy
compute.networkEndpointGroups.list
compute.networkEndpointGroups.setIamPolicy
compute.networkEndpointGroups.use
compute.networks.access
compute.networks.addPeering
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
compute.networks.list
compute.networks.listPeeringRoutes
compute.networks.mirror
compute.networks.removePeering
compute.networks.setFirewallPolicy
compute.networks.switchToCustomMode
compute.networks.update
compute.networks.updatePeering
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.regions.get
compute.routers.create
compute.routers.delete
compute.routers.get
compute.routers.list
compute.routers.update
compute.routers.use
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.expandIpCidrRange
compute.subnetworks.get
compute.subnetworks.getIamPolicy
compute.subnetworks.list
compute.subnetworks.mirror
compute.subnetworks.setIamPolicy
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.targetHttpProxies.create
compute.targetHttpProxies.delete
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.delete
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.setSslPolicy
compute.targetHttpsProxies.setUrlMap
compute.targetHttpsProxies.use
compute.urlMaps.create
compute.urlMaps.delete
compute.urlMaps.get
compute.urlMaps.invalidateCache
compute.urlMaps.list
compute.urlMaps.update
compute.urlMaps.use
compute.urlMaps.validate
compute.zones.get
compute.zones.list
container.clusterRoleBindings.create
container.clusterRoleBindings.delete
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoleBindings.update
container.clusterRoles.create
container.clusterRoles.delete
container.clusterRoles.get
container.clusterRoles.list
container.clusterRoles.update
container.clusters.create
container.clusters.createTagBinding
container.clusters.delete
container.clusters.deleteTagBinding
container.clusters.get
container.clusters.getCredentials
container.clusters.list
container.clusters.listEffectiveTags
container.clusters.listTagBindings
container.clusters.update
container.configMaps.create
container.configMaps.delete
container.configMaps.get
container.configMaps.list
container.configMaps.update
container.cronJobs.create
container.cronJobs.delete
container.cronJobs.get
container.cronJobs.getStatus
container.cronJobs.list
container.cronJobs.update
container.cronJobs.updateStatus
container.customResourceDefinitions.create
container.customResourceDefinitions.delete
container.customResourceDefinitions.get
container.customResourceDefinitions.list
container.customResourceDefinitions.update
container.daemonSets.create
container.daemonSets.delete
container.daemonSets.get
container.daemonSets.getStatus
container.daemonSets.list
container.daemonSets.update
container.daemonSets.updateStatus
container.deployments.create
container.deployments.delete
container.deployments.get
container.deployments.getScale
container.deployments.getStatus
container.deployments.list
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.deployments.updateStatus
container.events.get
container.events.list
container.horizontalPodAutoscalers.create
container.horizontalPodAutoscalers.delete
container.horizontalPodAutoscalers.get
container.horizontalPodAutoscalers.getStatus
container.horizontalPodAutoscalers.list
container.horizontalPodAutoscalers.update
container.horizontalPodAutoscalers.updateStatus
container.ingresses.create
container.ingresses.delete
container.ingresses.get
container.ingresses.getStatus
container.ingresses.list
container.ingresses.update
container.ingresses.updateStatus
container.jobs.create
container.jobs.delete
container.jobs.get
container.jobs.getStatus
container.jobs.list
container.jobs.update
container.jobs.updateStatus
container.limitRanges.create
container.limitRanges.delete
container.limitRanges.get
container.limitRanges.list
container.limitRanges.update
container.mutatingWebhookConfigurations.create
container.mutatingWebhookConfigurations.delete
container.mutatingWebhookConfigurations.get
container.mutatingWebhookConfigurations.list
container.mutatingWebhookConfigurations.update
container.namespaces.create
container.namespaces.delete
container.namespaces.finalize
container.namespaces.get
container.namespaces.getStatus
container.namespaces.list
container.namespaces.update
container.namespaces.updateStatus
container.networkPolicies.create
container.networkPolicies.delete
container.networkPolicies.get
container.networkPolicies.list
container.networkPolicies.update
container.nodes.get
container.nodes.list
container.operations.get
container.operations.list
container.persistentVolumeClaims.create
container.persistentVolumeClaims.delete
container.persistentVolumeClaims.get
container.persistentVolumeClaims.list
container.persistentVolumeClaims.update
container.persistentVolumes.create
container.persistentVolumes.delete
container.persistentVolumes.get
container.persistentVolumes.list
container.persistentVolumes.update
container.podDisruptionBudgets.create
container.podDisruptionBudgets.delete
container.podDisruptionBudgets.get
container.podDisruptionBudgets.list
container.podDisruptionBudgets.update
container.priorityClasses.create
container.priorityClasses.delete
container.priorityClasses.get
container.priorityClasses.list
container.priorityClasses.update
container.replicaSets.create
container.replicaSets.delete
container.replicaSets.get
container.replicaSets.getScale
container.replicaSets.getStatus
container.replicaSets.list
container.replicaSets.update
container.replicaSets.updateScale
container.replicaSets.updateStatus
container.resourceQuotas.create
container.resourceQuotas.delete
container.resourceQuotas.get
container.resourceQuotas.list
container.resourceQuotas.update
container.roleBindings.create
container.roleBindings.delete
container.roleBindings.get
container.roleBindings.list
container.roleBindings.update
container.roles.create
container.roles.delete
container.roles.get
container.roles.list
container.roles.update
container.secrets.create
container.secrets.delete
container.secrets.get
container.secrets.list
container.secrets.update
container.serviceAccounts.create
container.serviceAccounts.createToken
container.serviceAccounts.delete
container.serviceAccounts.get
container.serviceAccounts.list
container.serviceAccounts.update
container.services.create
container.services.delete
container.services.get
container.services.getStatus
container.services.list
container.services.proxy
container.services.update
container.services.updateStatus
container.statefulSets.create
container.statefulSets.delete
container.statefulSets.get
container.statefulSets.getScale
container.statefulSets.getStatus
container.statefulSets.list
container.statefulSets.update
container.statefulSets.updateScale
container.statefulSets.updateStatus
container.storageClasses.create
container.storageClasses.delete
container.storageClasses.get
container.storageClasses.list
container.storageClasses.update
container.validatingWebhookConfigurations.create
container.validatingWebhookConfigurations.delete
container.validatingWebhookConfigurations.get
container.validatingWebhookConfigurations.list
container.validatingWebhookConfigurations.update
dataflow.jobs.cancel
dataflow.jobs.create
dataflow.jobs.get
dataflow.jobs.list
dataflow.jobs.snapshot
dataflow.jobs.updateContents
datastore.databases.create
datastore.databases.createTagBinding
datastore.databases.delete
datastore.databases.deleteTagBinding
datastore.databases.get
datastore.databases.getMetadata
datastore.databases.list
datastore.databases.listEffectiveTags
datastore.databases.listTagBindings
datastore.databases.update
datastore.locations.get
datastore.locations.list
datastore.operations.cancel
datastore.operations.delete
datastore.operations.get
datastore.operations.list
dns.managedZoneOperations.get
dns.managedZoneOperations.list
dns.managedZones.create
dns.managedZones.delete
dns.managedZones.get
dns.managedZones.list
dns.managedZones.update
iam.roles.create
iam.roles.delete
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
iam.serviceAccountKeys.create
iam.serviceAccountKeys.delete
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
iam.serviceAccounts.actAs
iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
iam.serviceAccounts.update
iap.tunnel.getIamPolicy
iap.tunnel.setIamPolicy
iap.tunnelInstances.accessViaIAP
iap.tunnelInstances.getIamPolicy
iap.tunnelInstances.setIamPolicy
logging.logMetrics.create
logging.logMetrics.get
logging.logMetrics.list
logging.logMetrics.update
monitoring.alertPolicies.create
monitoring.alertPolicies.delete
monitoring.alertPolicies.get
monitoring.alertPolicies.list
monitoring.alertPolicies.update
monitoring.notificationChannelDescriptors.get
monitoring.notificationChannelDescriptors.list
monitoring.notificationChannels.create
monitoring.notificationChannels.delete
monitoring.notificationChannels.get
monitoring.notificationChannels.getVerificationCode
monitoring.notificationChannels.list
monitoring.notificationChannels.sendVerificationCode
monitoring.notificationChannels.update
monitoring.notificationChannels.verify
pubsub.subscriptions.create
pubsub.subscriptions.delete
pubsub.subscriptions.get
pubsub.subscriptions.getIamPolicy
pubsub.subscriptions.list
pubsub.subscriptions.setIamPolicy
pubsub.subscriptions.update
pubsub.topics.attachSubscription
pubsub.topics.create
pubsub.topics.delete
pubsub.topics.detachSubscription
pubsub.topics.get
pubsub.topics.getIamPolicy
pubsub.topics.list
pubsub.topics.setIamPolicy
pubsub.topics.update
pubsub.topics.updateTag
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
run.configurations.get
run.configurations.list
run.executions.cancel
run.executions.delete
run.executions.get
run.executions.list
run.jobs.create
run.jobs.createTagBinding
run.jobs.delete
run.jobs.deleteTagBinding
run.jobs.get
run.jobs.getIamPolicy
run.jobs.list
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.jobs.run
run.jobs.runWithOverrides
run.jobs.setIamPolicy
run.jobs.update
run.locations.list
run.operations.delete
run.operations.get
run.operations.list
run.revisions.delete
run.revisions.get
run.revisions.list
run.routes.get
run.routes.list
run.services.create
run.services.createTagBinding
run.services.delete
run.services.deleteTagBinding
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
run.services.setIamPolicy
run.services.update
servicemanagement.services.check
servicemanagement.services.get
servicemanagement.services.list
servicemanagement.services.quota
servicenetworking.services.get
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
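An added check, not Snowplow's own tooling, for reviewing a permission set before it becomes a role. It reads either the plain one-per-line list above or the snowplow-pmc-role.json file, reproduces the per-service counts from the summary table (run on the full list it should report 613 in total), reports permissions present in one file but not the other, and flags the permissions that allow the holder to widen its own access. The five-line sample input at the bottom is constructed so the block runs offline; point the same functions at the real files.

```shell
#!/bin/sh
# Added example (not Snowplow's tooling): audit a permission set before it
# becomes a custom role. Works on either the plain one-per-line list from this
# page or the snowplow-pmc-role.json file; the sample data below is constructed.
set -eu

# Normalise a plain list or the role JSON into sorted, unique permission names.
# Quotes, commas and whitespace are stripped; only svc.resource.verb lines survive,
# so the JSON's title/description/stage fields are ignored.
extract_permissions() {
  sed -e 's/[",[:space:]]//g' "$1" \
    | grep -E '^[a-z]+\.[A-Za-z0-9]+\.[A-Za-z0-9]+$' \
    | sort -u
}

# Per-service counts in "prefix count" form, sorted by prefix (the summary table).
count_by_service() {
  extract_permissions "$1" \
    | awk -F. '{ c[$1]++ } END { for (s in c) print s, c[s] }' \
    | sort
}

total_count() {
  extract_permissions "$1" | wc -l | tr -d ' '
}

# Permissions that let the holder widen its own access when granted at project
# level: rewrite project IAM, edit the custom role it sits in, mint SA keys, or
# grant/attach other service accounts. These deserve an explicit sign-off.
ESCALATION_PERMS='iam.roles.update
iam.serviceAccountKeys.create
iam.serviceAccounts.actAs
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.setIamPolicy'

flag_escalation() {
  extract_permissions "$1" | grep -Fx -- "$ESCALATION_PERMS" || true
}

# Permissions present in exactly one of two files; empty output means the plain
# list and the role JSON agree.
diff_sets() {
  a=$(mktemp); b=$(mktemp)
  extract_permissions "$1" > "$a"
  extract_permissions "$2" > "$b"
  comm -3 "$a" "$b" | tr -d '\t'
  rm -f "$a" "$b"
}

# Constructed sample: a plain list and a role JSON that is missing one entry.
SAMPLE_LIST=$(mktemp); SAMPLE_JSON=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
dns.managedZones.create
dns.managedZones.get
iam.roles.update
resourcemanager.projects.setIamPolicy
storage.buckets.get
EOF
cat > "$SAMPLE_JSON" <<'EOF'
{
  "title": "Snowplow PMC Pipeline",
  "stage": "GA",
  "includedPermissions": [
    "dns.managedZones.create",
    "dns.managedZones.get",
    "iam.roles.update",
    "storage.buckets.get"
  ]
}
EOF

echo "== per-service counts";      count_by_service "$SAMPLE_LIST"
echo "== total";                   total_count "$SAMPLE_LIST"
echo "== escalation-capable";      flag_escalation "$SAMPLE_LIST"
echo "== in only one of the files"; diff_sets "$SAMPLE_LIST" "$SAMPLE_JSON"
```

`diff_sets` is the useful one when the role file is maintained by hand: a permission dropped from the JSON shows up here long before Terraform fails on it.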
Creating a custom role
You can create a custom role from this permission set using the
gcloud CLI. Save the definition below as
snowplow-pmc-role.json:
{
"title": "Snowplow PMC Pipeline",
"description": "Minimum permissions for Snowplow to deploy and manage a base pipeline via service account impersonation",
"stage": "GA",
"includedPermissions": [
"cloudfunctions.functions.create",
"cloudfunctions.functions.delete",
"cloudfunctions.functions.get",
"cloudfunctions.functions.getIamPolicy",
"cloudfunctions.functions.list",
"cloudfunctions.functions.setIamPolicy",
"cloudfunctions.functions.sourceCodeSet",
"cloudfunctions.functions.update",
"cloudfunctions.operations.get",
"cloudfunctions.operations.list",
"cloudsql.databases.create",
"cloudsql.databases.delete",
"cloudsql.databases.get",
"cloudsql.databases.list",
"cloudsql.databases.update",
"cloudsql.instances.addServerCa",
"cloudsql.instances.clone",
"cloudsql.instances.connect",
"cloudsql.instances.create",
"cloudsql.instances.createTagBinding",
"cloudsql.instances.delete",
"cloudsql.instances.deleteTagBinding",
"cloudsql.instances.demoteMaster",
"cloudsql.instances.export",
"cloudsql.instances.failover",
"cloudsql.instances.get",
"cloudsql.instances.import",
"cloudsql.instances.list",
"cloudsql.instances.listEffectiveTags",
"cloudsql.instances.listServerCas",
"cloudsql.instances.listTagBindings",
"cloudsql.instances.login",
"cloudsql.instances.promoteReplica",
"cloudsql.instances.resetSslConfig",
"cloudsql.instances.restart",
"cloudsql.instances.restoreBackup",
"cloudsql.instances.rotateServerCa",
"cloudsql.instances.startReplica",
"cloudsql.instances.stopReplica",
"cloudsql.instances.truncateLog",
"cloudsql.instances.update",
"cloudsql.users.create",
"cloudsql.users.delete",
"cloudsql.users.get",
"cloudsql.users.list",
"cloudsql.users.update",
"compute.backendServices.create",
"compute.backendServices.delete",
"compute.backendServices.get",
"compute.backendServices.getIamPolicy",
"compute.backendServices.list",
"compute.backendServices.setIamPolicy",
"compute.backendServices.setSecurityPolicy",
"compute.backendServices.update",
"compute.backendServices.use",
"compute.disks.addResourcePolicies",
"compute.disks.create",
"compute.disks.createSnapshot",
"compute.disks.createTagBinding",
"compute.disks.delete",
"compute.disks.deleteTagBinding",
"compute.disks.get",
"compute.disks.getIamPolicy",
"compute.disks.list",
"compute.disks.listEffectiveTags",
"compute.disks.listTagBindings",
"compute.disks.removeResourcePolicies",
"compute.disks.resize",
"compute.disks.setIamPolicy",
"compute.disks.setLabels",
"compute.disks.update",
"compute.disks.use",
"compute.disks.useReadOnly",
"compute.firewalls.create",
"compute.firewalls.delete",
"compute.firewalls.get",
"compute.firewalls.list",
"compute.firewalls.update",
"compute.globalAddresses.create",
"compute.globalAddresses.delete",
"compute.globalAddresses.get",
"compute.globalAddresses.list",
"compute.globalAddresses.setLabels",
"compute.globalAddresses.use",
"compute.globalForwardingRules.create",
"compute.globalForwardingRules.delete",
"compute.globalForwardingRules.get",
"compute.globalForwardingRules.list",
"compute.globalForwardingRules.setLabels",
"compute.globalForwardingRules.setTarget",
"compute.globalForwardingRules.update",
"compute.globalOperations.delete",
"compute.globalOperations.get",
"compute.globalOperations.getIamPolicy",
"compute.globalOperations.list",
"compute.globalOperations.setIamPolicy",
"compute.healthChecks.create",
"compute.healthChecks.delete",
"compute.healthChecks.get",
"compute.healthChecks.list",
"compute.healthChecks.update",
"compute.healthChecks.use",
"compute.healthChecks.useReadOnly",
"compute.images.create",
"compute.images.createTagBinding",
"compute.images.delete",
"compute.images.deleteTagBinding",
"compute.images.deprecate",
"compute.images.get",
"compute.images.getFromFamily",
"compute.images.getIamPolicy",
"compute.images.list",
"compute.images.listEffectiveTags",
"compute.images.listTagBindings",
"compute.images.setIamPolicy",
"compute.images.setLabels",
"compute.images.update",
"compute.images.useReadOnly",
"compute.instanceGroupManagers.create",
"compute.instanceGroupManagers.delete",
"compute.instanceGroupManagers.get",
"compute.instanceGroupManagers.list",
"compute.instanceGroupManagers.update",
"compute.instanceGroupManagers.use",
"compute.instanceGroups.create",
"compute.instanceGroups.delete",
"compute.instanceGroups.get",
"compute.instanceGroups.list",
"compute.instanceGroups.update",
"compute.instanceGroups.use",
"compute.instances.addAccessConfig",
"compute.instances.addMaintenancePolicies",
"compute.instances.addResourcePolicies",
"compute.instances.attachDisk",
"compute.instances.create",
"compute.instances.createTagBinding",
"compute.instances.delete",
"compute.instances.deleteAccessConfig",
"compute.instances.deleteTagBinding",
"compute.instances.detachDisk",
"compute.instances.get",
"compute.instances.getEffectiveFirewalls",
"compute.instances.getGuestAttributes",
"compute.instances.getIamPolicy",
"compute.instances.getScreenshot",
"compute.instances.getSerialPortOutput",
"compute.instances.getShieldedInstanceIdentity",
"compute.instances.getShieldedVmIdentity",
"compute.instances.list",
"compute.instances.listEffectiveTags",
"compute.instances.listReferrers",
"compute.instances.listTagBindings",
"compute.instances.osAdminLogin",
"compute.instances.osLogin",
"compute.instances.removeMaintenancePolicies",
"compute.instances.removeResourcePolicies",
"compute.instances.reset",
"compute.instances.resume",
"compute.instances.sendDiagnosticInterrupt",
"compute.instances.setDeletionProtection",
"compute.instances.setDiskAutoDelete",
"compute.instances.setIamPolicy",
"compute.instances.setLabels",
"compute.instances.setMachineResources",
"compute.instances.setMachineType",
"compute.instances.setMetadata",
"compute.instances.setMinCpuPlatform",
"compute.instances.setScheduling",
"compute.instances.setServiceAccount",
"compute.instances.setShieldedInstanceIntegrityPolicy",
"compute.instances.setShieldedVmIntegrityPolicy",
"compute.instances.setTags",
"compute.instances.start",
"compute.instances.startWithEncryptionKey",
"compute.instances.stop",
"compute.instances.suspend",
"compute.instances.update",
"compute.instances.updateAccessConfig",
"compute.instances.updateDisplayDevice",
"compute.instances.updateNetworkInterface",
"compute.instances.updateSecurity",
"compute.instances.updateShieldedInstanceConfig",
"compute.instances.updateShieldedVmConfig",
"compute.instances.use",
"compute.instances.useReadOnly",
"compute.instanceTemplates.create",
"compute.instanceTemplates.delete",
"compute.instanceTemplates.get",
"compute.instanceTemplates.getIamPolicy",
"compute.instanceTemplates.list",
"compute.instanceTemplates.setIamPolicy",
"compute.instanceTemplates.useReadOnly",
"compute.machineImages.get",
"compute.machineImages.getIamPolicy",
"compute.machineImages.list",
"compute.machineImages.setIamPolicy",
"compute.machineImages.useReadOnly",
"compute.networkEndpointGroups.attachNetworkEndpoints",
"compute.networkEndpointGroups.create",
"compute.networkEndpointGroups.delete",
"compute.networkEndpointGroups.detachNetworkEndpoints",
"compute.networkEndpointGroups.get",
"compute.networkEndpointGroups.getIamPolicy",
"compute.networkEndpointGroups.list",
"compute.networkEndpointGroups.setIamPolicy",
"compute.networkEndpointGroups.use",
"compute.networks.access",
"compute.networks.addPeering",
"compute.networks.create",
"compute.networks.delete",
"compute.networks.get",
"compute.networks.getEffectiveFirewalls",
"compute.networks.getRegionEffectiveFirewalls",
"compute.networks.list",
"compute.networks.listPeeringRoutes",
"compute.networks.mirror",
"compute.networks.removePeering",
"compute.networks.setFirewallPolicy",
"compute.networks.switchToCustomMode",
"compute.networks.update",
"compute.networks.updatePeering",
"compute.networks.updatePolicy",
"compute.networks.use",
"compute.networks.useExternalIp",
"compute.regions.get",
"compute.routers.create",
"compute.routers.delete",
"compute.routers.get",
"compute.routers.list",
"compute.routers.update",
"compute.routers.use",
"compute.sslCertificates.create",
"compute.sslCertificates.delete",
"compute.sslCertificates.get",
"compute.sslCertificates.list",
"compute.subnetworks.create",
"compute.subnetworks.delete",
"compute.subnetworks.expandIpCidrRange",
"compute.subnetworks.get",
"compute.subnetworks.getIamPolicy",
"compute.subnetworks.list",
"compute.subnetworks.mirror",
"compute.subnetworks.setIamPolicy",
"compute.subnetworks.setPrivateIpGoogleAccess",
"compute.subnetworks.update",
"compute.subnetworks.use",
"compute.subnetworks.useExternalIp",
"compute.targetHttpProxies.create",
"compute.targetHttpProxies.delete",
"compute.targetHttpProxies.get",
"compute.targetHttpProxies.list",
"compute.targetHttpProxies.setUrlMap",
"compute.targetHttpProxies.use",
"compute.targetHttpsProxies.create",
"compute.targetHttpsProxies.delete",
"compute.targetHttpsProxies.get",
"compute.targetHttpsProxies.list",
"compute.targetHttpsProxies.setSslCertificates",
"compute.targetHttpsProxies.setSslPolicy",
"compute.targetHttpsProxies.setUrlMap",
"compute.targetHttpsProxies.use",
"compute.urlMaps.create",
"compute.urlMaps.delete",
"compute.urlMaps.get",
"compute.urlMaps.invalidateCache",
"compute.urlMaps.list",
"compute.urlMaps.update",
"compute.urlMaps.use",
"compute.urlMaps.validate",
"compute.zones.get",
"compute.zones.list",
"container.clusterRoleBindings.create",
"container.clusterRoleBindings.delete",
"container.clusterRoleBindings.get",
"container.clusterRoleBindings.list",
"container.clusterRoleBindings.update",
"container.clusterRoles.create",
"container.clusterRoles.delete",
"container.clusterRoles.get",
"container.clusterRoles.list",
"container.clusterRoles.update",
"container.clusters.create",
"container.clusters.createTagBinding",
"container.clusters.delete",
"container.clusters.deleteTagBinding",
"container.clusters.get",
"container.clusters.getCredentials",
"container.clusters.list",
"container.clusters.listEffectiveTags",
"container.clusters.listTagBindings",
"container.clusters.update",
"container.configMaps.create",
"container.configMaps.delete",
"container.configMaps.get",
"container.configMaps.list",
"container.configMaps.update",
"container.cronJobs.create",
"container.cronJobs.delete",
"container.cronJobs.get",
"container.cronJobs.getStatus",
"container.cronJobs.list",
"container.cronJobs.update",
"container.cronJobs.updateStatus",
"container.customResourceDefinitions.create",
"container.customResourceDefinitions.delete",
"container.customResourceDefinitions.get",
"container.customResourceDefinitions.list",
"container.customResourceDefinitions.update",
"container.daemonSets.create",
"container.daemonSets.delete",
"container.daemonSets.get",
"container.daemonSets.getStatus",
"container.daemonSets.list",
"container.daemonSets.update",
"container.daemonSets.updateStatus",
"container.deployments.create",
"container.deployments.delete",
"container.deployments.get",
"container.deployments.getScale",
"container.deployments.getStatus",
"container.deployments.list",
"container.deployments.rollback",
"container.deployments.update",
"container.deployments.updateScale",
"container.deployments.updateStatus",
"container.events.get",
"container.events.list",
"container.horizontalPodAutoscalers.create",
"container.horizontalPodAutoscalers.delete",
"container.horizontalPodAutoscalers.get",
"container.horizontalPodAutoscalers.getStatus",
"container.horizontalPodAutoscalers.list",
"container.horizontalPodAutoscalers.update",
"container.horizontalPodAutoscalers.updateStatus",
"container.ingresses.create",
"container.ingresses.delete",
"container.ingresses.get",
"container.ingresses.getStatus",
"container.ingresses.list",
"container.ingresses.update",
"container.ingresses.updateStatus",
"container.jobs.create",
"container.jobs.delete",
"container.jobs.get",
"container.jobs.getStatus",
"container.jobs.list",
"container.jobs.update",
"container.jobs.updateStatus",
"container.limitRanges.create",
"container.limitRanges.delete",
"container.limitRanges.get",
"container.limitRanges.list",
"container.limitRanges.update",
"container.mutatingWebhookConfigurations.create",
"container.mutatingWebhookConfigurations.delete",
"container.mutatingWebhookConfigurations.get",
"container.mutatingWebhookConfigurations.list",
"container.mutatingWebhookConfigurations.update",
"container.namespaces.create",
"container.namespaces.delete",
"container.namespaces.finalize",
"container.namespaces.get",
"container.namespaces.getStatus",
"container.namespaces.list",
"container.namespaces.update",
"container.namespaces.updateStatus",
"container.networkPolicies.create",
"container.networkPolicies.delete",
"container.networkPolicies.get",
"container.networkPolicies.list",
"container.networkPolicies.update",
"container.nodes.get",
"container.nodes.list",
"container.operations.get",
"container.operations.list",
"container.persistentVolumeClaims.create",
"container.persistentVolumeClaims.delete",
"container.persistentVolumeClaims.get",
"container.persistentVolumeClaims.list",
"container.persistentVolumeClaims.update",
"container.persistentVolumes.create",
"container.persistentVolumes.delete",
"container.persistentVolumes.get",
"container.persistentVolumes.list",
"container.persistentVolumes.update",
"container.podDisruptionBudgets.create",
"container.podDisruptionBudgets.delete",
"container.podDisruptionBudgets.get",
"container.podDisruptionBudgets.list",
"container.podDisruptionBudgets.update",
"container.priorityClasses.create",
"container.priorityClasses.delete",
"container.priorityClasses.get",
"container.priorityClasses.list",
"container.priorityClasses.update",
"container.replicaSets.create",
"container.replicaSets.delete",
"container.replicaSets.get",
"container.replicaSets.getScale",
"container.replicaSets.getStatus",
"container.replicaSets.list",
"container.replicaSets.update",
"container.replicaSets.updateScale",
"container.replicaSets.updateStatus",
"container.resourceQuotas.create",
"container.resourceQuotas.delete",
"container.resourceQuotas.get",
"container.resourceQuotas.list",
"container.resourceQuotas.update",
"container.roleBindings.create",
"container.roleBindings.delete",
"container.roleBindings.get",
"container.roleBindings.list",
"container.roleBindings.update",
"container.roles.create",
"container.roles.delete",
"container.roles.get",
"container.roles.list",
"container.roles.update",
"container.secrets.create",
"container.secrets.delete",
"container.secrets.get",
"container.secrets.list",
"container.secrets.update",
"container.serviceAccounts.create",
"container.serviceAccounts.createToken",
"container.serviceAccounts.delete",
"container.serviceAccounts.get",
"container.serviceAccounts.list",
"container.serviceAccounts.update",
"container.services.create",
"container.services.delete",
"container.services.get",
"container.services.getStatus",
"container.services.list",
"container.services.proxy",
"container.services.update",
"container.services.updateStatus",
"container.statefulSets.create",
"container.statefulSets.delete",
"container.statefulSets.get",
"container.statefulSets.getScale",
"container.statefulSets.getStatus",
"container.statefulSets.list",
"container.statefulSets.update",
"container.statefulSets.updateScale",
"container.statefulSets.updateStatus",
"container.storageClasses.create",
"container.storageClasses.delete",
"container.storageClasses.get",
"container.storageClasses.list",
"container.storageClasses.update",
"container.validatingWebhookConfigurations.create",
"container.validatingWebhookConfigurations.delete",
"container.validatingWebhookConfigurations.get",
"container.validatingWebhookConfigurations.list",
"container.validatingWebhookConfigurations.update",
"dataflow.jobs.cancel",
"dataflow.jobs.create",
"dataflow.jobs.get",
"dataflow.jobs.list",
"dataflow.jobs.snapshot",
"dataflow.jobs.updateContents",
"datastore.databases.create",
"datastore.databases.createTagBinding",
"datastore.databases.delete",
"datastore.databases.deleteTagBinding",
"datastore.databases.get",
"datastore.databases.getMetadata",
"datastore.databases.list",
"datastore.databases.listEffectiveTags",
"datastore.databases.listTagBindings",
"datastore.databases.update",
"datastore.locations.get",
"datastore.locations.list",
"datastore.operations.cancel",
"datastore.operations.delete",
"datastore.operations.get",
"datastore.operations.list",
"dns.managedZoneOperations.get",
"dns.managedZoneOperations.list",
"dns.managedZones.create",
"dns.managedZones.delete",
"dns.managedZones.get",
"dns.managedZones.list",
"dns.managedZones.update",
"iam.roles.create",
"iam.roles.delete",
"iam.roles.get",
"iam.roles.list",
"iam.roles.undelete",
"iam.roles.update",
"iam.serviceAccountKeys.create",
"iam.serviceAccountKeys.delete",
"iam.serviceAccountKeys.get",
"iam.serviceAccountKeys.list",
"iam.serviceAccounts.actAs",
"iam.serviceAccounts.create",
"iam.serviceAccounts.delete",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"iam.serviceAccounts.list",
"iam.serviceAccounts.setIamPolicy",
"iam.serviceAccounts.update",
"iap.tunnel.getIamPolicy",
"iap.tunnel.setIamPolicy",
"iap.tunnelInstances.accessViaIAP",
"iap.tunnelInstances.getIamPolicy",
"iap.tunnelInstances.setIamPolicy",
"logging.logMetrics.create",
"logging.logMetrics.get",
"logging.logMetrics.list",
"logging.logMetrics.update",
"monitoring.alertPolicies.create",
"monitoring.alertPolicies.delete",
"monitoring.alertPolicies.get",
"monitoring.alertPolicies.list",
"monitoring.alertPolicies.update",
"monitoring.notificationChannelDescriptors.get",
"monitoring.notificationChannelDescriptors.list",
"monitoring.notificationChannels.create",
"monitoring.notificationChannels.delete",
"monitoring.notificationChannels.get",
"monitoring.notificationChannels.getVerificationCode",
"monitoring.notificationChannels.list",
"monitoring.notificationChannels.sendVerificationCode",
"monitoring.notificationChannels.update",
"monitoring.notificationChannels.verify",
"pubsub.subscriptions.create",
"pubsub.subscriptions.delete",
"pubsub.subscriptions.get",
"pubsub.subscriptions.getIamPolicy",
"pubsub.subscriptions.list",
"pubsub.subscriptions.setIamPolicy",
"pubsub.subscriptions.update",
"pubsub.topics.attachSubscription",
"pubsub.topics.create",
"pubsub.topics.delete",
"pubsub.topics.detachSubscription",
"pubsub.topics.get",
"pubsub.topics.getIamPolicy",
"pubsub.topics.list",
"pubsub.topics.setIamPolicy",
"pubsub.topics.update",
"pubsub.topics.updateTag",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy",
"resourcemanager.projects.setIamPolicy",
"run.configurations.get",
"run.configurations.list",
"run.executions.cancel",
"run.executions.delete",
"run.executions.get",
"run.executions.list",
"run.jobs.create",
"run.jobs.createTagBinding",
"run.jobs.delete",
"run.jobs.deleteTagBinding",
"run.jobs.get",
"run.jobs.getIamPolicy",
"run.jobs.list",
"run.jobs.listEffectiveTags",
"run.jobs.listTagBindings",
"run.jobs.run",
"run.jobs.runWithOverrides",
"run.jobs.setIamPolicy",
"run.jobs.update",
"run.locations.list",
"run.operations.delete",
"run.operations.get",
"run.operations.list",
"run.revisions.delete",
"run.revisions.get",
"run.revisions.list",
"run.routes.get",
"run.routes.list",
"run.services.create",
"run.services.createTagBinding",
"run.services.delete",
"run.services.deleteTagBinding",
"run.services.get",
"run.services.getIamPolicy",
"run.services.list",
"run.services.listEffectiveTags",
"run.services.listTagBindings",
"run.services.setIamPolicy",
"run.services.update",
"servicemanagement.services.check",
"servicemanagement.services.get",
"servicemanagement.services.list",
"servicemanagement.services.quota",
"servicenetworking.services.get",
"serviceusage.services.enable",
"serviceusage.services.get",
"serviceusage.services.list",
"storage.buckets.create",
"storage.buckets.createTagBinding",
"storage.buckets.delete",
"storage.buckets.deleteTagBinding",
"storage.buckets.get",
"storage.buckets.getIamPolicy",
"storage.buckets.list",
"storage.buckets.listEffectiveTags",
"storage.buckets.listTagBindings",
"storage.buckets.setIamPolicy",
"storage.buckets.update",
"storage.objects.create",
"storage.objects.delete",
"storage.objects.get",
"storage.objects.getIamPolicy",
"storage.objects.list",
"storage.objects.setIamPolicy",
"storage.objects.update"
]
}
Then create the role in your project, replacing PROJECT_ID with your
project ID:
gcloud iam roles create snowplowPmcPipeline \
--project=PROJECT_ID \
--file=snowplow-pmc-role.json
Assign the custom role to the service account you created for Snowplow, then
grant the techops-cloud-admin@snowplowanalytics.com group the
iam.serviceAccountTokenCreator role on that service account
and the roles/viewer role on the project, as described above.
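One way to make the review of this role and the post-creation check repeatable, as an added example that is not part of the Snowplow documentation: it parses the role file, lists the permissions a reviewer should sign off by name, and diffs the approved file against the output of gcloud iam roles describe to catch out-of-band edits. The HIGH_IMPACT watchlist and both JSON documents are constructed for the example and are assumptions, not the page's own data.

```python
import json
# Constructed excerpt of snowplow-pmc-role.json (the real file carries the
# full list); title/stage/includedPermissions is the gcloud role-file layout.
ROLE_FILE = json.dumps({
    "title": "Snowplow PMC pipeline",
    "stage": "GA",
    "includedPermissions": [
        "compute.routers.get",
        "iam.serviceAccountKeys.create",
        "resourcemanager.projects.setIamPolicy",
        "storage.objects.get",
    ],
})

# Constructed stand-in for `gcloud iam roles describe snowplowPmcPipeline
# --project=PROJECT_ID --format=json` after an out-of-band edit: one added, one dropped.
DEPLOYED_ROLE = json.dumps({
    "name": "projects/PROJECT_ID/roles/snowplowPmcPipeline",
    "includedPermissions": [
        "compute.routers.get",
        "iam.serviceAccountKeys.create",
        "resourcemanager.projects.setIamPolicy",
        "compute.subnetworks.mirror",
    ],
})

# Assumed watchlist: permissions that change who can access the project or its
# service accounts, or mint long-lived keys; reviewers sign these off by name.
HIGH_IMPACT = {
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccounts.setIamPolicy",
    "iam.serviceAccountKeys.create",
    "iam.roles.update",
}

def permissions(role_json):
    """Return the role's permission set, rejecting duplicate entries."""
    perms = json.loads(role_json)["includedPermissions"]
    if len(perms) != len(set(perms)):
        raise ValueError("duplicate permissions in role definition")
    return set(perms)

def review(role_json):
    """High-impact permissions present in the role, sorted for the approval record."""
    return sorted(permissions(role_json) & HIGH_IMPACT)

def drift(approved_json, deployed_json):
    """Compare the approved file with the deployed role: (unexpected, missing)."""
    want, have = permissions(approved_json), permissions(deployed_json)
    return sorted(have - want), sorted(want - have)
```

Run drift() against the live describe output after the gcloud iam roles create step, and again whenever the role is audited, so that any permission the reviewer never approved shows up as unexpected.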