Service Account roles and Required APIs

This page lists the IAM roles that must be granted and the APIs that must be enabled in order to run the Forseti Terraform module.

IAM Roles

For this module to work, the Service Account that runs Terraform needs the following roles granted to it:

On the organization:

  • roles/resourcemanager.organizationAdmin
  • roles/iam.securityReviewer

On the project:

  • roles/owner
  • roles/compute.instanceAdmin
  • roles/compute.networkViewer
  • roles/compute.securityAdmin
  • roles/iam.serviceAccountAdmin
  • roles/serviceusage.serviceUsageAdmin
  • roles/iam.serviceAccountUser
  • roles/storage.admin
  • roles/cloudsql.admin

On the host project (when using shared VPC):

  • roles/compute.securityAdmin
  • roles/compute.networkAdmin

APIs

For this module to work, you need the following APIs enabled on the Forseti project:

  • cloudresourcemanager.googleapis.com
  • compute.googleapis.com
  • serviceusage.googleapis.com
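The following script is an added example, not part of the Forseti module or its documentation. It grants the roles from the three lists above to a Service Account with `gcloud`, enables the three APIs on the Forseti project, and includes an audit helper that reports which of the project-level roles a Service Account is still missing. The variables `ORG_ID`, `PROJECT_ID`, `SA_EMAIL` and the optional `HOST_PROJECT_ID` are assumed inputs you set before running it; with `DRY_RUN=1` the functions only print the `gcloud` commands they would execute, so the bindings can be reviewed before anything is changed.

```shell
#!/usr/bin/env sh
# Added example (not Forseti's own code): grant the roles listed on this page
# to a Service Account and enable the required APIs using gcloud.
# Assumed inputs (set in the environment): ORG_ID, PROJECT_ID, SA_EMAIL,
# and optionally HOST_PROJECT_ID when the network lives in a shared VPC host.
# DRY_RUN=1 prints the gcloud commands instead of running them.
set -eu

# Role lists, copied from the page above.
ORG_ROLES="roles/resourcemanager.organizationAdmin roles/iam.securityReviewer"
PROJECT_ROLES="roles/owner roles/compute.instanceAdmin roles/compute.networkViewer \
roles/compute.securityAdmin roles/iam.serviceAccountAdmin roles/serviceusage.serviceUsageAdmin \
roles/iam.serviceAccountUser roles/storage.admin roles/cloudsql.admin"
HOST_PROJECT_ROLES="roles/compute.securityAdmin roles/compute.networkAdmin"
REQUIRED_APIS="cloudresourcemanager.googleapis.com compute.googleapis.com serviceusage.googleapis.com"

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# bind_roles KIND RESOURCE SA_EMAIL ROLE...
# KIND is the gcloud command group: "organizations" or "projects".
# --condition=None makes the call non-interactive when conditional bindings exist.
bind_roles() {
  kind=$1; resource=$2; sa=$3; shift 3
  for role in "$@"; do
    run gcloud "$kind" add-iam-policy-binding "$resource" \
      --member="serviceAccount:$sa" --role="$role" --condition=None
  done
}

# Grant the organization, project and (optional) host-project roles.
grant_forseti_roles() {
  bind_roles organizations "$ORG_ID" "$SA_EMAIL" $ORG_ROLES
  bind_roles projects "$PROJECT_ID" "$SA_EMAIL" $PROJECT_ROLES
  if [ -n "${HOST_PROJECT_ID:-}" ]; then
    bind_roles projects "$HOST_PROJECT_ID" "$SA_EMAIL" $HOST_PROJECT_ROLES
  fi
}

# Enable the APIs on the Forseti project.
enable_forseti_apis() {
  for api in $REQUIRED_APIS; do
    run gcloud services enable "$api" --project="$PROJECT_ID"
  done
}

# missing_roles "EXPECTED..." "OBSERVED...": print each expected role not observed.
missing_roles() {
  for want in $1; do
    found=0
    for have in $2; do
      [ "$want" = "$have" ] && found=1
    done
    [ "$found" -eq 0 ] && echo "$want"
  done
  return 0
}

# audit_project_roles PROJECT SA_EMAIL: read the live IAM policy and report which
# of the page's project-level roles the Service Account does not hold.
audit_project_roles() {
  observed=$(gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)")
  missing_roles "$PROJECT_ROLES" "$observed"
}

# Entry point: only act when the required inputs are present.
if [ -n "${ORG_ID:-}" ] && [ -n "${PROJECT_ID:-}" ] && [ -n "${SA_EMAIL:-}" ]; then
  grant_forseti_roles
  enable_forseti_apis
  echo "Project roles still missing (empty means none):"
  audit_project_roles "$PROJECT_ID" "$SA_EMAIL"
fi
```

Run it once with `DRY_RUN=1` to see the 13 role bindings (or 11 without a host project) and 3 API enablements it will perform, then without it to apply them. The audit helper is also useful on its own after a Terraform run or a policy change, since a missing binding shows up as a role name rather than as an opaque permission error during `terraform apply`.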