In its default deployment, Forseti creates and uses several service accounts, one per component, so that each component holds only the permissions it needs. This is how Forseti applies privilege separation and least privilege.
The service accounts Forseti creates on your behalf are described below; the image below shows how each of them is used.
The Deployer service account, named cloud-foundation-forseti in IAM, is used to install Forseti through Terraform.
To install Forseti using Terraform, the cloud-foundation-forseti service account requires the following roles:
Granted at the organization level
roles/resourcemanager.organizationAdmin
roles/iam.securityReviewer
Granted at the project level
roles/compute.instanceAdmin
roles/compute.networkViewer
roles/compute.securityAdmin
roles/iam.serviceAccountAdmin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/cloudsql.admin
Note that roles/resourcemanager.organizationAdmin allows this account to change IAM policy anywhere in the organization. It is needed only while Terraform runs, so protect its credentials accordingly and do not reuse this account for day-to-day operation.
The forseti-server-gcp service account has the most access and is used exclusively on the forseti-server-vm virtual machine instance.
This service account is used by the core modules of the Forseti service. For example, Inventory uses it to read and store the supported resources, and Scanner uses it to audit policies.
For Forseti to work properly, the forseti-server-gcp service account requires the following roles. The label after each role shows which service account holds it: (server) for forseti-server-gcp only, (server, client) for both forseti-server-gcp and forseti-client-gcp.
Granted at the organization level
roles/appengine.appViewer (server)
roles/bigquery.metadataViewer (server)
roles/browser (server)
roles/cloudasset.viewer (server)
roles/cloudsql.viewer (server)
roles/compute.networkViewer (server)
roles/iam.securityReviewer (server)
roles/orgpolicy.policyViewer (server)
roles/servicemanagement.quotaViewer (server)
roles/serviceusage.serviceUsageConsumer (server)
Granted at the project level
roles/cloudsql.client (server)
roles/logging.logWriter (server, client)
roles/monitoring.metricWriter (server)
roles/storage.objectViewer (server, client)
roles/storage.objectCreator (server)
Granted at the service account level
roles/iam.serviceAccountTokenCreator (server)
Users can grant additional roles to the forseti-server-gcp service account to use optional features:
Optional roles
roles/compute.securityAdmin (server)
Grant roles/compute.securityAdmin at the organization level to use the Forseti Enforcer module. To have Terraform grant this role, set the variable enable_write = true in your main.tf. Because this role allows the server to modify firewall rules, grant it only if you actually run Enforcer.
roles/cloudprofiler.agent (server)
Grant roles/cloudprofiler.agent at the project level to use Cloud Profiler. To have Terraform grant this role, set the variable cloud_profiler_enabled = true in your main.tf.
The forseti-client-gcp service account has less access and is used exclusively on the forseti-client-vm virtual machine instance.
This service account is used to communicate with the forseti-server-vm. Keeping the two service accounts separate is what isolates the rights granted to forseti-server-gcp from those granted to forseti-client-gcp.
Because the accounts are separate, you can give many users access to the forseti-client-vm without granting them the broader access the core modules need to operate.
For Forseti to work properly, the forseti-client-gcp service account requires the following roles:
Granted at the project level
roles/storage.objectViewer
roles/logging.logWriter
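The role tables for forseti-server-gcp and forseti-client-gcp above are only useful if the deployed IAM policy actually matches them. The following is an added example, not Forseti's own code, that audits an organization policy and a project policy against those role sets. It reports required roles that are missing, roles held beyond the documented set (which for the client account is exactly the over-grant the separation is meant to prevent), optional roles that are switched on, and roles held only under an IAM condition, which are not firm grants. The policy documents are constructed inline in the shape that `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json` return; the project name and service-account addresses are placeholders, and the three deviations built into the sample policies are deliberate.

```python
"""Audit IAM bindings of the Forseti server and client service accounts
against the documented role sets.

Added example; not Forseti's own code.  Policies are constructed inline in
the shape returned by `gcloud ... get-iam-policy --format=json`; the project
name and service-account addresses below are placeholders."""

# Role sets copied from the documentation above.
SERVER_ORG_ROLES = {
    "roles/appengine.appViewer", "roles/bigquery.metadataViewer",
    "roles/browser", "roles/cloudasset.viewer", "roles/cloudsql.viewer",
    "roles/compute.networkViewer", "roles/iam.securityReviewer",
    "roles/orgpolicy.policyViewer", "roles/servicemanagement.quotaViewer",
    "roles/serviceusage.serviceUsageConsumer",
}
SERVER_PROJECT_ROLES = {
    "roles/cloudsql.client", "roles/logging.logWriter",
    "roles/monitoring.metricWriter", "roles/storage.objectViewer",
    "roles/storage.objectCreator",
}
OPTIONAL_SERVER_ORG_ROLES = {"roles/compute.securityAdmin"}  # Enforcer module
CLIENT_PROJECT_ROLES = {"roles/storage.objectViewer", "roles/logging.logWriter"}

# Placeholder member strings (assumed; use the addresses in your own project).
SERVER_SA = "serviceAccount:forseti-server-gcp@example-project.iam.gserviceaccount.com"
CLIENT_SA = "serviceAccount:forseti-client-gcp@example-project.iam.gserviceaccount.com"


def granted_roles(policy, member):
    """Split the roles bound to `member` into firm and conditional grants.

    A binding that carries an IAM condition grants its role only while the
    condition evaluates true, so it must not be counted as a firm grant."""
    firm, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        (conditional if "condition" in binding else firm).add(binding["role"])
    return firm, conditional


def audit(policy, member, required, optional=frozenset()):
    """Compare what `member` holds with what the documentation says it needs."""
    firm, conditional = granted_roles(policy, member)
    return {
        "missing": sorted(required - firm),            # will break Forseti
        "extra": sorted(firm - required - optional),   # over-grant
        "optional": sorted(firm & optional),           # documented opt-ins
        "conditional": sorted(conditional),            # not a firm grant
    }


def audit_forseti(org_policy, project_policy):
    """The four checks the documented layout implies: the server account at
    organization and project scope, and the client account, which should
    hold nothing at organization scope and only two roles in the project."""
    return {
        "server@org": audit(org_policy, SERVER_SA, SERVER_ORG_ROLES,
                            OPTIONAL_SERVER_ORG_ROLES),
        "server@project": audit(project_policy, SERVER_SA, SERVER_PROJECT_ROLES),
        "client@org": audit(org_policy, CLIENT_SA, set()),
        "client@project": audit(project_policy, CLIENT_SA, CLIENT_PROJECT_ROLES),
    }


def make_policy(*bindings):
    """Build a policy document from (role, members[, condition]) tuples."""
    out = []
    for role, members, *cond in bindings:
        binding = {"role": role, "members": list(members)}
        if cond:
            binding["condition"] = cond[0]
        out.append(binding)
    return {"version": 3, "etag": "constructed", "bindings": out}


# Constructed sample policies with three deliberate deviations: the server
# account lacks roles/orgpolicy.policyViewer, the client account has been
# over-granted roles/iam.securityReviewer at organization scope, and the
# client account holds roles/storage.objectCreator only under a condition.
ORG_POLICY = make_policy(
    *[(r, [SERVER_SA]) for r in sorted(
        SERVER_ORG_ROLES - {"roles/orgpolicy.policyViewer",
                            "roles/iam.securityReviewer"})],
    ("roles/iam.securityReviewer", [SERVER_SA, CLIENT_SA]),
    ("roles/compute.securityAdmin", [SERVER_SA]),   # enable_write = true
)
PROJECT_POLICY = make_policy(
    *[(r, [SERVER_SA]) for r in sorted(SERVER_PROJECT_ROLES - CLIENT_PROJECT_ROLES)],
    ("roles/logging.logWriter", [SERVER_SA, CLIENT_SA]),
    ("roles/storage.objectViewer", [SERVER_SA, CLIENT_SA]),
    ("roles/storage.objectCreator", [CLIENT_SA],
     {"title": "temporary",
      "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}),
)

if __name__ == "__main__":
    for scope, report in audit_forseti(ORG_POLICY, PROJECT_POLICY).items():
        print(scope, report)
```

To run this against a real deployment, replace the two constructed policies with the JSON from the two gcloud commands named in the lead-in and substitute your service-account addresses. The roles/iam.serviceAccountTokenCreator grant sits on the service account resource itself rather than on the organization or project, so check it with the output of `gcloud iam service-accounts get-iam-policy` passed through the same `audit` function. Roles inherited from a folder or the organization also apply inside the project, so an "extra" finding at project scope should be confirmed at the higher levels before it is treated as an over-grant.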
The forseti-enforcer-gcp service account has the specific permissions needed by Real-Time Enforcer and is used exclusively on the forseti-enforcer-vm virtual machine instance.
For Real-Time Enforcer to work properly, the forseti-enforcer-gcp service account requires the following permissions:
Granted at the organization level. These are individual IAM permissions rather than predefined roles; an IAM policy binds roles, not permissions, so they have to be packaged into a custom role before they can be granted.
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.setIamPolicy
storage.buckets.update
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.setIamPolicy
bigquery.datasets.update
cloudsql.instances.get
cloudsql.instances.update
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
serviceusage.services.use
Granted at the project level
roles/storage.objectViewer
roles/logging.logWriter