By default, Forseti creates and uses multiple service accounts in its default deployment. In doing this, Forseti implements the security best practices of privilege separation and least privilege: each service account holds only the rights that the component running under it needs.
The following are the service accounts Forseti creates on your behalf.
The image below shows how the default service accounts created by Forseti are used.
The forseti-server-gcp service account has more access and is used exclusively on the forseti-server-vm virtual machine instance.
This service account is used by the core modules of the Forseti service. For example, Inventory uses this service account to read and store the supported resources, and Scanner uses it to audit policies.
For Forseti to work properly, the forseti-server-gcp service account requires the following permissions (the tag after each role shows which VM, server or client, uses it):
Granted at the organization level:
- roles/appengine.appViewer (server)
- roles/bigquery.metadataViewer (server)
- roles/browser (server)
- roles/cloudasset.viewer (server)
- roles/cloudsql.viewer (server)
- roles/compute.networkViewer (server)
- roles/compute.securityAdmin (server)
- roles/iam.securityReviewer (server)
- roles/orgpolicy.policyViewer (server)
- roles/servicemanagement.quotaViewer (server)
- roles/serviceusage.serviceUsageConsumer (server)
Granted at the project level:
- roles/cloudsql.client (server)
- roles/logging.logWriter (server, client)
- roles/monitoring.metricWriter (server)
- roles/storage.objectViewer (server, client)
- roles/storage.objectCreator (server)
Granted at the service account level:
- roles/iam.serviceAccountTokenCreator (server)
The forseti-client-gcp service account has less access and is used exclusively on the forseti-client-vm virtual machine instance.
This service account is used to communicate with the forseti-server-vm. The separation between service accounts is key to keeping the rights granted to the forseti-server-gcp service account distinct from those of the forseti-client-gcp service account.
By using separate service accounts, you can grant many users access to the forseti-client-vm without over-granting the access required for proper operation of the core modules.
For Forseti to work properly, the forseti-client-gcp service account requires the following permissions:
Granted at the project level:
- roles/storage.objectViewer
- roles/logging.logWriter
The cloud-foundation-forseti service account is used to install Forseti through Terraform.
In order to install Forseti using Terraform, the cloud-foundation-forseti service account requires the following permissions:
Granted at the organization level:
- roles/resourcemanager.organizationAdmin
- roles/iam.securityReviewer
Granted at the project level:
- roles/compute.instanceAdmin
- roles/compute.networkViewer
- roles/compute.securityAdmin
- roles/iam.serviceAccountAdmin
- roles/serviceusage.serviceUsageAdmin
- roles/iam.serviceAccountUser
- roles/storage.admin
- roles/cloudsql.admin
The forseti-enforcer-gcp service account has specific permissions used by Real-Time Enforcer and is used exclusively on the forseti-enforcer-vm virtual machine instance.
For Real-Time Enforcer to work properly, the forseti-enforcer-gcp service account requires the following permissions:
Granted at the organization level (individual IAM permissions, not predefined roles):
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.buckets.setIamPolicy
- storage.buckets.update
- bigquery.datasets.get
- bigquery.datasets.getIamPolicy
- bigquery.datasets.setIamPolicy
- bigquery.datasets.update
- cloudsql.instances.get
- cloudsql.instances.update
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.setIamPolicy
- serviceusage.services.use
Granted at the project level:
- roles/storage.objectViewer
- roles/logging.logWriter
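As an added check (example code, not part of Forseti), the script below compares the roles actually bound to the forseti-server-gcp service account at the organization level against the organization-level list given above for that account, reporting both missing roles (Forseti would fail) and extra roles (over-granting that defeats the least-privilege split). The policy document and the PROJECT_ID in the member names are constructed placeholders; a real run would feed it the JSON from `gcloud organizations get-iam-policy`.

```python
"""Check a service account's IAM bindings against an expected role set.

Added example, not part of Forseti. SAMPLE_POLICY is a constructed
document in the shape produced by
`gcloud organizations get-iam-policy ORG_ID --format=json`.
Conditional bindings are treated like unconditional ones here.
"""
import json

# Organization-level roles the page lists for forseti-server-gcp.
EXPECTED_SERVER_ORG_ROLES = {
    "roles/appengine.appViewer", "roles/bigquery.metadataViewer",
    "roles/browser", "roles/cloudasset.viewer", "roles/cloudsql.viewer",
    "roles/compute.networkViewer", "roles/compute.securityAdmin",
    "roles/iam.securityReviewer", "roles/orgpolicy.policyViewer",
    "roles/servicemanagement.quotaViewer",
    "roles/serviceusage.serviceUsageConsumer",
}

# Constructed sample; PROJECT_ID is a placeholder.
SERVER_SA = "serviceAccount:forseti-server-gcp@PROJECT_ID.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/browser", "members": [SERVER_SA, "user:alice@example.com"]},
    {"role": "roles/iam.securityReviewer", "members": [SERVER_SA]},
    # Over-grant: Owner is far beyond what the server account needs.
    {"role": "roles/owner", "members": [SERVER_SA]},
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["serviceAccount:cloud-foundation-forseti@PROJECT_ID.iam.gserviceaccount.com"]},
]})


def roles_for_member(policy_json, member):
    """Return the set of roles bound directly to `member` in the policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_bindings(policy_json, member, expected):
    """Return roles `member` lacks from `expected` and extra roles it holds."""
    actual = roles_for_member(policy_json, member)
    return {"missing": sorted(expected - actual),
            "extra": sorted(actual - expected)}


if __name__ == "__main__":
    result = check_bindings(SAMPLE_POLICY, SERVER_SA, EXPECTED_SERVER_ORG_ROLES)
    for kind in ("missing", "extra"):
        for role in result[kind]:
            print(f"{kind}: {role}")
```

The same function can be pointed at the project-level policy with the project-level list, or at the client, enforcer or cloud-foundation-forseti accounts with their lists, to audit the full set.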