Roles and Required Permissions
There are two groups of IAM roles and permissions, depending on how you add your account to CloudVerse:
With Organization
Billing Account Viewer (Default Role, Organization): Can view information about billing accounts
Viewer (Default Role, Organization): View most Google Cloud resources
CloudVerseRole (Custom Role, Organization):
    recommender.usageCommitmentRecommendations.update
    recommender.computeAddressIdleResourceRecommendations.update
    recommender.computeDiskIdleResourceRecommendations.update
    recommender.computeImageIdleResourceRecommendations.update
    recommender.computeInstanceGroupManagerMachineTypeRecommendations.update
    recommender.computeInstanceIdleResourceRecommendations.update
    recommender.computeInstanceMachineTypeRecommendations.update
    recommender.iamPolicyRecommendations.update
    cloudasset.assets.exportResource
    billing.accounts.get
    billing.resourceAssociations.list
    resourcemanager.folders.get
    resourcemanager.folders.list
    resourcemanager.organizations.get
    resourcemanager.projects.list
    resourcemanager.projects.get
You have to assign the Viewer and CloudVerseRole roles to the CloudVerse Service Account in your Organization. Every project in your organization will inherit this assignment. CloudVerse will help you with this task by generating a script, which you only need to run once. After that, if you want to add any project that has the same Billing Account and Organization, you don't need to run the script again.
For more information about permissions, please see Permission Details.
Without Organization
Billing Account Viewer (Default Role, Project): Can view information about billing accounts
Viewer (Default Role, Project): View most Google Cloud resources
CloudVerseRole (Custom Role, Project):
    recommender.usageCommitmentRecommendations.update
    recommender.computeAddressIdleResourceRecommendations.update
    recommender.computeDiskIdleResourceRecommendations.update
    recommender.computeImageIdleResourceRecommendations.update
    recommender.computeInstanceGroupManagerMachineTypeRecommendations.update
    recommender.computeInstanceIdleResourceRecommendations.update
    recommender.computeInstanceMachineTypeRecommendations.update
    recommender.iamPolicyRecommendations.update
    cloudasset.assets.exportResource
You have to assign the Viewer and CloudVerseRole roles to the CloudVerse Service Account in every project that you want to add to CloudVerse, and in the project that contains the Billing export BigQuery Dataset. CloudVerse will assist you by generating a script that assigns the roles automatically.
For more information about permissions, please see Permission Details.
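Before or after running a generated script, you can check what the service account actually holds against the lists above. The following is an added example, not CloudVerse's own code: it compares a custom role definition and an IAM policy (the JSON that `gcloud iam roles describe` and `gcloud organizations get-iam-policy` or `gcloud projects get-iam-policy` return with `--format=json`) to the documented roles and permissions. The role ID `CloudVerseRole`, the organization number and the service account address are assumptions, and the sample data is constructed.

```python
# Permission lists copied from the CloudVerseRole entries on this page.
_REC = ("usageCommitment computeAddressIdleResource computeDiskIdleResource "
        "computeImageIdleResource computeInstanceGroupManagerMachineType "
        "computeInstanceIdleResource computeInstanceMachineType iamPolicy").split()
BASE = {f"recommender.{r}Recommendations.update" for r in _REC}
BASE.add("cloudasset.assets.exportResource")
# Listed only for the organization-level CloudVerseRole.
ORG_ONLY = {
    "billing.accounts.get", "billing.resourceAssociations.list",
    "resourcemanager.folders.get", "resourcemanager.folders.list",
    "resourcemanager.organizations.get", "resourcemanager.projects.list",
    "resourcemanager.projects.get",
}
# Role IDs of the predefined Viewer and Billing Account Viewer roles.
PREDEFINED = {"roles/viewer", "roles/billing.viewer"}


def audit(role, policy, member, org_level=True):
    """Return findings where the custom role or the member's bindings
    differ from what this page documents."""
    allowed = (BASE | ORG_ONLY) if org_level else BASE
    granted = set(role.get("includedPermissions", []))
    findings = [f"extra permission: {p}" for p in sorted(granted - allowed)]
    findings += [f"missing permission: {p}" for p in sorted(allowed - granted)]
    expected_roles = PREDEFINED | {role["name"]}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []) and binding["role"] not in expected_roles:
            findings.append(f"unexpected role: {binding['role']}")
    return findings


# Constructed sample input (placeholder organization number and service account).
SA = "serviceAccount:cloudverse@example-project.iam.gserviceaccount.com"
ROLE = {"name": "organizations/123456789012/roles/CloudVerseRole",
        "includedPermissions": sorted(BASE | ORG_ONLY) + ["compute.instances.delete"]}
POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [SA]},
    {"role": "roles/billing.viewer", "members": [SA]},
    {"role": ROLE["name"], "members": [SA]},
    {"role": "roles/editor", "members": [SA, "user:admin@example.com"]},
]}

if __name__ == "__main__":
    for finding in audit(ROLE, POLICY, SA):
        print(finding)
```

For a project added without an organization, pass `org_level=False` so that the seven organization-only permissions are reported as extras.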
APIs And Services
Compute Engine API (compute.googleapis.com): Getting compute assets details
Cloud Asset API (cloudasset.googleapis.com): Exporting assets inventory
Recommender API (recommender.googleapis.com): Collecting GCP recommendations
You have to enable these three APIs in every project that you want to add to CloudVerse.
CloudVerse will help you with this by generating a script; you only need to run it. If you want to do it manually, please see GCP | Enable and Disable Apis.