Service Accounts

By default, Forseti will create and use multiple service accounts in its default deployment. In doing this, Forseti implements the security best practice of privilege separation and least privilege.

Following are the service accounts Forseti creates on your behalf.

The image below shows how the default service accounts created by Forseti are used.

[Image: service account architecture diagram]

The Server Service Account

The forseti-server-gcp service account has more access and is used exclusively on the forseti-server-vm virtual machine instance.

This service account is used by core modules of the Forseti service. For example, Inventory uses this service account to read and store the supported resources. Scanner also uses the service account to audit policies.

Permissions

For Forseti to work properly, the forseti-server-gcp service account requires the following permissions:

Granted at the organization level

  • roles/appengine.appViewer (server)
  • roles/bigquery.dataViewer (server)
  • roles/browser (server)
  • roles/cloudasset.viewer (server)
  • roles/cloudsql.viewer (server)
  • roles/compute.networkViewer (server)
  • roles/compute.securityAdmin (server)
  • roles/iam.securityReviewer (server)
  • roles/orgpolicy.policyViewer (server)
  • roles/servicemanagement.quotaViewer (server)
  • roles/serviceusage.serviceUsageConsumer (server)

Granted at the project level

  • roles/cloudsql.client (server)
  • roles/logging.logWriter (server, client)
  • roles/storage.objectViewer (server, client)
  • roles/storage.objectCreator (server)

Granted at the service account level

  • roles/iam.serviceAccountTokenCreator (server)

Granted at the bucket level for CAI

  • roles/storage.objectAdmin (server)

The Client Service Account

The forseti-client-gcp service account has less access and is used exclusively on the forseti-client-vm virtual machine instance.

This service account is used to communicate with the forseti-server-vm. Keeping the two service accounts separate is what prevents the broader rights granted to the forseti-server-gcp service account from being reachable through the forseti-client-gcp service account.

By using separate service accounts, you can grant many users access to the forseti-client-vm without also granting them the broader access that the core modules need to operate.

Permissions

For Forseti to work properly, the forseti-client-gcp service account requires the following permissions:

Granted at the project level

  • roles/storage.objectViewer
  • roles/logging.logWriter
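The role lists above for the server and client service accounts can be checked against a live deployment. The following is an added example, not Forseti's own code: it takes IAM policies in the JSON shape that gcloud's get-iam-policy prints (a bindings list of role/members pairs) and reports where the server account is missing a documented organization-level role, and where the client account holds any organization-level role or an undocumented project-level one. The service account member names and the sample policies are constructed for the example.

```python
# Roles the Forseti documentation lists for each service account.
SERVER_ORG_ROLES = {
    "roles/appengine.appViewer", "roles/bigquery.dataViewer", "roles/browser",
    "roles/cloudasset.viewer", "roles/cloudsql.viewer",
    "roles/compute.networkViewer", "roles/compute.securityAdmin",
    "roles/iam.securityReviewer", "roles/orgpolicy.policyViewer",
    "roles/servicemanagement.quotaViewer",
    "roles/serviceusage.serviceUsageConsumer",
}
CLIENT_PROJECT_ROLES = {"roles/storage.objectViewer", "roles/logging.logWriter"}


def roles_bound_to(policy, member):
    """Collect every role in an IAM policy (get-iam-policy JSON) bound to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_separation(org_policy, project_policy, server_sa, client_sa):
    """Compare live bindings with the documented ones; return findings in a fixed order."""
    findings = []
    server_org = roles_bound_to(org_policy, server_sa)
    for role in sorted(SERVER_ORG_ROLES - server_org):
        findings.append(f"server missing org role {role}")
    for role in sorted(server_org - SERVER_ORG_ROLES):
        findings.append(f"server has undocumented org role {role}")
    # The client account is documented with project-level roles only,
    # so any organization-level binding breaks the intended separation.
    for role in sorted(roles_bound_to(org_policy, client_sa)):
        findings.append(f"client has org-level role {role}")
    for role in sorted(roles_bound_to(project_policy, client_sa) - CLIENT_PROJECT_ROLES):
        findings.append(f"client has undocumented project role {role}")
    return findings


# Constructed sample data (assumed member names, not real gcloud output).
SERVER = "serviceAccount:forseti-server-gcp@example-project.iam.gserviceaccount.com"
CLIENT = "serviceAccount:forseti-client-gcp@example-project.iam.gserviceaccount.com"
ORG_POLICY = {"bindings": [
    {"role": r, "members": [SERVER]} for r in sorted(SERVER_ORG_ROLES - {"roles/browser"})
] + [{"role": "roles/viewer", "members": [CLIENT]}]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [SERVER, CLIENT]},
    {"role": "roles/logging.logWriter", "members": [SERVER, CLIENT]},
    {"role": "roles/cloudsql.client", "members": [SERVER]},
    {"role": "roles/compute.admin", "members": [CLIENT]},
]}

if __name__ == "__main__":
    for line in audit_separation(ORG_POLICY, PROJECT_POLICY, SERVER, CLIENT):
        print(line)
```

With real data, feed the output of `gcloud organizations get-iam-policy` and `gcloud projects get-iam-policy` (both with `--format=json`) into the two policy arguments.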

What’s next