When you use multiple service accounts with your Forseti Security deployments, you implement the security best practice of privilege separation: each component holds only the access it needs, so a compromised key exposes only that component's scope. The following are the scenarios in which it's best to use separate service accounts:
When naming service accounts, it’s best to use a descriptive name like
This service account is used by core modules of the Forseti service. For example, forseti_inventory uses this service account to read and store the supported resources. It's also used by forseti_scanner to scan
A good name for this service account would be
It's best to use a separate service account for G Suite Groups inventory for privilege separation, because the service account key must be stored locally on the machine that runs forseti_inventory. By using a separate service account, the exposure from that key is limited to G Suite Groups if the machine is compromised.
If you enable G Suite Group inventory and create a service account, a good name for the service account would be
You can use the Forseti Security service account for IAM Explain. However, because the Explain service is an interactive tool that runs on its own Compute Engine instance, it's best to apply privilege separation principles by creating a separate service account for IAM Explain.
If you enable IAM Explain and create a service account, a good name for the service account would be
Whether you install and deploy Forseti manually or by using the setup wizard, you'll need to store the service account keys securely. Google has published best practices on least privilege, secure storage, and key rotation.
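As an added example (not part of the Forseti project or of Google's published guidance), the following script checks one piece of the rotation advice above: it flags user-managed service account keys that are older than a chosen rotation window. It assumes the JSON shape produced by `gcloud iam service-accounts keys list --iam-account ACCOUNT --format=json` (fields `name`, `keyType`, `validAfterTime`, `validBeforeTime`); the 90-day window, the project name and the key ids are constructed assumptions, not values from this page.

```python
"""Flag user-managed service-account keys older than a rotation window.

Added example, not part of the Forseti project. Assumes the JSON shape of
`gcloud iam service-accounts keys list --format=json`; the 90-day window is an
assumed policy, not a figure from the Forseti documentation.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation window

# Constructed sample data: one Google-managed key (rotated automatically by
# Google, so it is ignored), one user-managed key created recently, and one
# user-managed key created well before the window. Project and key ids are
# placeholders.
KEY_PREFIX = ("projects/example-project/serviceAccounts/"
              "forseti-security@example-project.iam.gserviceaccount.com/keys/")
SAMPLE_KEYS = [
    {"name": KEY_PREFIX + "aaaa1111", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2018-01-10T00:00:00Z",
     "validBeforeTime": "2018-01-12T00:00:00Z"},
    {"name": KEY_PREFIX + "bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2018-03-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "cccc3333", "keyType": "USER_MANAGED",
     "validAfterTime": "2017-06-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
]
AUDIT_TIME = datetime(2018, 3, 15, tzinfo=timezone.utc)  # constructed "now"


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps gcloud emits (e.g. 2018-03-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_managed_keys(keys, now, max_age=MAX_KEY_AGE):
    """Return [(key_id, age_in_days)] for USER_MANAGED keys older than max_age.

    System-managed keys are skipped: Google rotates those itself, and only
    user-managed keys are the ones an operator must download, store and rotate.
    """
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_time(key["validAfterTime"])
        if age > max_age:
            key_id = key["name"].rsplit("/", 1)[-1]
            stale.append((key_id, age.days))
    return stale


if __name__ == "__main__":
    # Pipe real output in (`gcloud ... keys list --format=json | python3 audit.py`)
    # or run with no input to use the constructed sample.
    keys = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_KEYS
    now = datetime.now(timezone.utc) if keys is not SAMPLE_KEYS else AUDIT_TIME
    for key_id, days in stale_user_managed_keys(keys, now):
        print(f"rotate key {key_id}: {days} days old (limit {MAX_KEY_AGE.days})")
```

Run against the constructed sample, only `cccc3333` is reported, at 287 days old; the recently created key and the Google-managed key are left alone. Feeding the script real `gcloud` output on stdin applies the same check to a live account.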
It's important to know that if you don't plan to execute a particular piece of Forseti, such as forseti_enforcer, you don't need to create that service account or grant those permissions.
Forseti Security needs the following roles for
Granted at the Organization level
Granted on the project where Forseti Security is deployed
To inventory G Suite Groups and their members, Forseti Security uses a service account enabled for G Suite domain-wide delegation. The only permission this service account needs is read access to the Groups and Group Members services.
Forseti Explain should have its own service account, and it only requires access to read the inventory stored in Cloud SQL.
Granted on the project where Forseti Explain is deployed
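As an added example (not part of the Forseti project), the following script audits a project IAM policy for the separation described in this section: each Forseti component has its own service account, and no account holds a role outside the set it was created for. It assumes the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`. The account names, the project name and the role allow-lists are constructed placeholders; the roles Forseti actually requires are the ones this page lists for each component, and `roles/PLACEHOLDER_FORSETI_SECURITY` stands in for them rather than naming any.

```python
"""Audit a project IAM policy for Forseti service-account privilege separation.

Added example, not part of the Forseti project. Assumes the policy JSON shape
of `gcloud projects get-iam-policy --format=json`. Role allow-lists below are
placeholders; substitute the roles the Forseti documentation prescribes.
"""
import json
import sys

# Constructed expectations: one dedicated service account per component and the
# roles each may hold on the Forseti project. The G Suite Groups account needs
# no project role at all; it is authorised through domain-wide delegation.
EXPECTED = {
    "forseti-security": {
        "account": "forseti-security@example-project.iam.gserviceaccount.com",
        "roles": {"roles/PLACEHOLDER_FORSETI_SECURITY"},  # placeholder
    },
    "forseti-gsuite-groups": {
        "account": "forseti-gsuite-groups@example-project.iam.gserviceaccount.com",
        "roles": set(),
    },
    "forseti-explain": {
        "account": "forseti-explain@example-project.iam.gserviceaccount.com",
        "roles": {"roles/cloudsql.client"},  # assumed: read inventory from Cloud SQL
    },
}

# Constructed sample policy with two deliberate problems: the security account
# was also bound to Explain's Cloud SQL role, and the Explain account was given
# the broad roles/editor role.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/PLACEHOLDER_FORSETI_SECURITY",
     "members": ["serviceAccount:forseti-security@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:forseti-explain@example-project.iam.gserviceaccount.com",
                 "serviceAccount:forseti-security@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:forseti-explain@example-project.iam.gserviceaccount.com",
                 "user:admin@example.com"]}
  ]
}
""")


def roles_by_account(policy):
    """Invert bindings into {service-account email: set(roles)}; other member kinds are ignored."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                email = member[len("serviceAccount:"):]
                held.setdefault(email, set()).add(binding["role"])
    return held


def find_violations(policy, expected=EXPECTED):
    """Return sorted (component, account, role) tuples for every role a Forseti
    account holds beyond its allow-list, plus one ('shared-account', email, '')
    entry if two components are configured to reuse the same service account."""
    violations = []
    accounts = [spec["account"] for spec in expected.values()]
    for email in sorted(set(a for a in accounts if accounts.count(a) > 1)):
        violations.append(("shared-account", email, ""))
    held = roles_by_account(policy)
    for component, spec in expected.items():
        for role in sorted(held.get(spec["account"], set()) - spec["roles"]):
            violations.append((component, spec["account"], role))
    return sorted(violations)


if __name__ == "__main__":
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for component, account, role in find_violations(policy):
        print(f"{component}: {account} holds unexpected role {role or '(shared with another component)'}")
```

On the constructed sample the audit reports two findings: the Explain account holding `roles/editor`, and the security account holding `roles/cloudsql.client`, which belongs to Explain's allow-list only. Piping a real policy in on stdin runs the same check against a live project; organization-level bindings would need a second run over `gcloud organizations get-iam-policy` output with the organization-level allow-lists.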