Service Accounts

By default, Forseti will create and use multiple service accounts in its default deployment. In doing this, Forseti implements the security best practice of privilege separation and least privilege.

Following are the service accounts Forseti creates on your behalf.

The image below shows how the default service accounts created by Forseti are used.

[Image: service account architecture diagram]

The Deployer Service Account

The Deployer service account, named the cloud-foundation-forseti service account in IAM, is used to install Forseti through Terraform.

Permissions

In order to install Forseti using Terraform, the cloud-foundation-forseti service account requires the following permissions:

Granted at the organization level

  • roles/resourcemanager.organizationAdmin
  • roles/iam.securityReviewer

Granted at the project level

  • roles/compute.instanceAdmin
  • roles/compute.networkViewer
  • roles/compute.securityAdmin
  • roles/iam.serviceAccountAdmin
  • roles/serviceusage.serviceUsageAdmin
  • roles/iam.serviceAccountUser
  • roles/storage.admin
  • roles/cloudsql.admin

The Server Service Account

The forseti-server-gcp service account has broader access than the client service account and is used exclusively on the forseti-server-vm virtual machine instance.

This service account is used by core modules of the Forseti service. For example, Inventory uses this service account to read and store the supported resources. Scanner also uses the service account to audit policies.

Permissions

For Forseti to work properly, the forseti-server-gcp service account requires the following permissions:

Granted at the organization level

  • roles/appengine.appViewer (server)
  • roles/bigquery.metadataViewer (server)
  • roles/browser (server)
  • roles/cloudasset.viewer (server)
  • roles/cloudsql.viewer (server)
  • roles/compute.networkViewer (server)
  • roles/iam.securityReviewer (server)
  • roles/orgpolicy.policyViewer (server)
  • roles/servicemanagement.quotaViewer (server)
  • roles/serviceusage.serviceUsageConsumer (server)

Granted at the project level

  • roles/cloudsql.client (server)
  • roles/logging.logWriter (server, client)
  • roles/monitoring.metricWriter (server)
  • roles/storage.objectViewer (server, client)
  • roles/storage.objectCreator (server)

Granted at the service account level

  • roles/iam.serviceAccountTokenCreator (server)

Users can grant additional roles to the forseti-server-gcp service account to enable optional features:

Optional roles

  • roles/compute.securityAdmin (server)

    Users can grant roles/compute.securityAdmin at the organization level in order to use the Forseti Enforcer module.

    To grant this role, set variable enable_write = true in your Terraform main.tf.

  • roles/cloudprofiler.agent (server)

    Users can grant roles/cloudprofiler.agent at the project level in order to use Cloud Profiler.

    To grant this role, set variable cloud_profiler_enabled = true in your Terraform main.tf.

The Client Service Account

The forseti-client-gcp service account has less access than the server service account and is used exclusively on the forseti-client-vm virtual machine instance.

This service account is used to communicate with the forseti-server-vm. Keeping the two service accounts separate is what isolates the broader rights granted to the forseti-server-gcp service account from the forseti-client-gcp service account.

By using separate service accounts, you can give many users access to the forseti-client-vm without also granting them the broader access the core modules need to operate.

Permissions

For Forseti to work properly, the forseti-client-gcp service account requires the following permissions:

Granted at the project level

  • roles/storage.objectViewer
  • roles/logging.logWriter

The Real-Time Enforcer Service Account

The forseti-enforcer-gcp service account has specific permissions used for Real-Time Enforcer and is used exclusively on the forseti-enforcer-vm virtual machine instance.

Permissions

For Real-Time Enforcer to work properly, the forseti-enforcer-gcp service account requires the following individual IAM permissions (rather than predefined roles; in GCP a permission is granted by binding a role that contains it):

Granted at the organization level

  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • bigquery.datasets.get
  • bigquery.datasets.getIamPolicy
  • bigquery.datasets.setIamPolicy
  • bigquery.datasets.update
  • cloudsql.instances.get
  • cloudsql.instances.update
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • serviceusage.services.use

Granted at the project level

  • roles/storage.objectViewer
  • roles/logging.logWriter
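The enforcer account's organization-level list above consists of individual permissions, so the natural check is against the definition of the role that carries them. As an added example (not part of this page or of Forseti), the following Python script compares such a role definition with the documented permission set and separately calls out any undocumented permissions that change state, since those are what widen what the enforcer can modify. It assumes the role definition is in the JSON shape printed by `gcloud iam roles describe ROLE_ID --organization ORG_ID --format=json`, whose permission list is the "includedPermissions" field; the sample role and its organization id are constructed.

```python
"""Check a custom IAM role meant for the forseti-enforcer-gcp service account
against the individual permissions documented above.

Added example, not Forseti's own code. It assumes the role definition is in
the JSON shape printed by `gcloud iam roles describe ROLE_ID --organization
ORG_ID --format=json`, where the granted permissions are listed under
"includedPermissions".
"""
from typing import Dict, List

# The permissions this page lists for the enforcer at the organization level.
REQUIRED = frozenset({
    "storage.buckets.get", "storage.buckets.getIamPolicy",
    "storage.buckets.setIamPolicy", "storage.buckets.update",
    "bigquery.datasets.get", "bigquery.datasets.getIamPolicy",
    "bigquery.datasets.setIamPolicy", "bigquery.datasets.update",
    "cloudsql.instances.get", "cloudsql.instances.update",
    "resourcemanager.projects.get", "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy", "serviceusage.services.use",
})

# Permission verbs that change state. A role that adds permissions with these
# verbs beyond the documented set widens what the enforcer can change.
WRITE_VERBS = frozenset({"setIamPolicy", "update", "create", "delete"})


def is_write(permission: str) -> bool:
    """True when the permission's verb (the last dotted segment) mutates state."""
    return permission.rsplit(".", 1)[-1] in WRITE_VERBS


def audit_enforcer_role(role: dict) -> Dict[str, List[str]]:
    """Report documented permissions the role lacks and undocumented ones it
    adds, with the state-changing additions listed separately."""
    granted = set(role.get("includedPermissions", []))
    extra = granted - REQUIRED
    return {
        "missing": sorted(REQUIRED - granted),
        "extra": sorted(extra),
        "extra_write": sorted(p for p in extra if is_write(p)),
    }


# Constructed sample role (not from a real deployment; the organization id is
# a placeholder): it lacks cloudsql.instances.update and adds two permissions
# the page does not list, one of them state-changing.
SAMPLE_ROLE = {
    "name": "organizations/000000000000/roles/forsetiEnforcerExample",
    "title": "Forseti enforcer (constructed example)",
    "stage": "GA",
    "includedPermissions": sorted(
        (REQUIRED - {"cloudsql.instances.update"})
        | {"storage.buckets.delete", "storage.objects.get"}
    ),
}

if __name__ == "__main__":
    print(audit_enforcer_role(SAMPLE_ROLE))
```

The "extra_write" list is the one to review first: a read permission beyond the documented set is a least-privilege deviation, while an extra setIamPolicy, update, create or delete permission changes what the enforcer can do to resources.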
