Permissions

Learn about StarOps Permission Requirements

Integration Permissions Overview

StarOps can integrate with both Amazon Web Services (AWS) and Google Cloud (GCP) as infrastructure providers. The permissions used for each are listed below. It is important to note that, by default, an integration with your cloud account starts as READ ONLY. StarOps only uses full read/write capabilities once you upgrade the integration to that level; until you have done so, only read queries can be performed against your cloud account.

AWS - IAM Policy Permission

For StarOps to perform various workflows across your AWS cloud infrastructure it requires certain permissions. These are granted through an automatic IAM policy setup.

Leveraging CloudFormation, setting up these IAM policy permissions is a simple process from the Integrations section of StarOps.

By default, your account integration will start in READ ONLY mode. This is signified by the Read Only tag shown on your integration screen.

Any StarOps feature you request without such an upgrade will prompt you with a Read Only warning.

If you want full StarOps provisioning capabilities on your behalf, you can upgrade any read-only integration to READ/WRITE by selecting the Upgrade option on the integration screen for that account.

FULL READ/WRITE IAM Permissions (as of 10/15/25)

(Read Only integrations receive only the Get and List permissions from this list.)

  • iam:CreateRole - Creating new IAM roles for service accounts and applications
  • iam:GetRole - Checking existing role configuration before modifications
  • iam:DeleteRole - Cleaning up unused roles during resource deprovisioning
  • iam:ListRoles - Discovering existing roles for inventory and management
  • iam:UpdateAssumeRolePolicy - Modifying trust relationships for role access
  • iam:PutRolePolicy - Attaching inline policies to roles for specific permissions
  • iam:GetRolePolicy - Reading current role policies before modifications
  • iam:DeleteRolePolicy - Removing unnecessary policies during cleanup
  • iam:ListRolePolicies - Listing all policies attached to a role
  • iam:CreatePolicy - Creating custom policies for specific use cases
  • iam:GetPolicy - Checking policy details before attachment
  • iam:GetPolicyVersion - Reviewing specific policy versions
  • iam:ListPolicyVersions - Managing policy version history
  • iam:DeletePolicy - Removing obsolete policies
  • iam:CreateUser - Creating IAM users for service integrations
  • iam:GetUser - Retrieving user information for access management
  • iam:DeleteUser - Removing users during deprovisioning
  • iam:ListUsers - Inventorying existing users
  • iam:CreateAccessKey - Generating access keys for programmatic access
  • iam:ListAccessKeys - Managing user access keys
  • iam:DeleteAccessKey - Rotating or removing access keys
  • iam:AttachUserPolicy - Granting permissions to users
  • iam:DetachUserPolicy - Removing permissions from users
  • iam:DeleteUserPolicy - Cleaning up user-specific policies
  • iam:ListAttachedRolePolicies - Auditing role permissions
  • iam:ListAttachedUserPolicies - Auditing user permissions
  • iam:ListGroupsForUser - Checking user group memberships
  • iam:ListInstanceProfilesForRole - Managing EC2 instance profiles
  • iam:ListAccountAliases - Retrieving account information for identification
  • iam:* - Full IAM access for comprehensive identity management

S3

  • s3:ListAllMyBuckets - Discovering existing S3 buckets for inventory
  • s3:CreateBucket - Creating new buckets for data storage and model artifacts
  • s3:DeleteBucket - Cleaning up unused buckets during resource deprovisioning
  • s3:ListBucket - Listing objects within buckets for content management
  • s3:GetBucketLocation - Determining bucket regions for compliance and optimization
  • s3:PutBucketPolicy - Configuring bucket access policies for security
  • s3:GetObject - Retrieving files, models, and configurations from buckets
  • s3:PutObject - Uploading models, data, and configuration files
  • s3:DeleteObject - Removing obsolete files and cleaning up storage
  • s3:HeadObject - Checking object metadata without downloading content (note: HeadObject is an S3 API call that is authorized by s3:GetObject; there is no separate s3:HeadObject IAM action, so this entry is already covered by s3:GetObject above)
  • s3:* - Full S3 access for comprehensive storage management

EKS

  • eks:ListClusters - Discovering existing Kubernetes clusters
  • eks:DescribeCluster - Retrieving cluster configuration and status
  • eks:CreateCluster - Provisioning new Kubernetes clusters
  • eks:DeleteCluster - Decommissioning clusters during cleanup
  • eks:UpdateClusterConfig - Modifying cluster settings and configurations
  • eks:UpdateClusterVersion - Upgrading Kubernetes versions
  • eks:AccessKubernetesApi - Interacting with Kubernetes API for workload management
  • eks:CreateAccessEntry - Managing cluster access for users and services
  • eks:DeleteAccessEntry - Removing cluster access during deprovisioning
  • eks:AssociateAccessPolicy - Granting specific permissions within clusters
  • eks:DisassociateAccessPolicy - Removing permissions from cluster access
  • eks:ListAccessEntries - Auditing cluster access permissions
  • eks:ListAccessPolicies - Reviewing available cluster policies
  • eks:* - Full EKS access for comprehensive cluster management

EC2

  • ec2:DescribeInstances - Inventorying EC2 instances for resource management
  • ec2:DescribeVpcs - Discovering network configurations for deployment planning
  • ec2:* - Full EC2 access for comprehensive compute and networking management

Route53

  • route53:ListHostedZones - Discovering DNS zones for certificate management
  • route53:ListHostedZonesByName - Finding specific DNS zones by name
  • route53:GetHostedZone - Retrieving DNS zone configuration details
  • route53:ListTagsForResource - Checking DNS resource tags for organization
  • route53:CreateHostedZone - Creating new DNS hosted zones for domain management
  • route53:DeleteHostedZone - Removing DNS hosted zones during cleanup
  • route53:GetChange - Checking the status of Route 53 change requests
  • route53:ChangeResourceRecordSets - Modifying DNS records within a hosted zone
  • route53:ChangeTagsForResource - Managing tags on Route 53 resources
  • route53:* - Full Route53 access for comprehensive DNS management

CloudFormation

  • cloudformation:DescribeStacks - Checking stack status and outputs
  • cloudformation:DeleteStack - Cleaning up CloudFormation stacks
  • cloudformation:* - Full CloudFormation access for infrastructure management

Lambda

  • lambda:ListFunctions - Discovering existing Lambda functions
  • lambda:InvokeFunction - Triggering webhook and notification functions
  • lambda:DeleteFunction - Cleaning up Lambda functions during deprovisioning

CloudWatch Logs

  • logs:CreateLogGroup - Setting up logging for applications and services
  • logs:CreateLogStream - Creating log streams for organized logging
  • logs:PutLogEvents - Writing log entries for monitoring and debugging
  • logs:* - Full CloudWatch Logs access for comprehensive logging management

CloudFront

  • cloudfront:Get* - Retrieving CloudFront distribution configurations, cache behaviors, and settings
  • cloudfront:List* - Listing CloudFront distributions, invalidations, and origin access controls

DynamoDB

  • dynamodb:List* - Listing DynamoDB tables, backups, and global tables for inventory
  • dynamodb:Describe* - Retrieving table metadata, configurations, and status information
  • dynamodb:GetItem - Reading individual items from DynamoDB tables
  • dynamodb:BatchGetItem - Reading multiple items efficiently from tables
  • dynamodb:Query - Querying tables using partition and sort keys
  • dynamodb:Scan - Scanning entire tables for data analysis
  • dynamodb:ConditionCheckItem - Checking item conditions without modifying data
  • dynamodb:ListTagsOfResource - Retrieving tags associated with DynamoDB resources

Service Quotas

  • servicequotas:GetServiceQuota - Checking current service quota limits
  • servicequotas:ListServiceQuotas - Listing all service quotas for planning
  • servicequotas:RequestServiceQuotaIncrease - Requesting quota increases for scaling

Other Services

RDS

  • rds:DescribeDBInstances - Discovering database instances for inventory
  • rds:Describe* - Full read-only access to RDS metadata, snapshots, and parameters
  • rds:ListTagsForResource - Retrieving tags associated with RDS resources

ECR Public

  • ecr-public:* - Full ECR Public access for container image management

KMS

  • kms:* - Full KMS access for encryption key management

EventBridge

  • events:* - Full EventBridge access for event-driven architecture

SQS

  • sqs:* - Full SQS access for message queue management

Organizations

  • organizations:* - Full Organizations access for account management and information

STS

  • sts:GetServiceBearerToken - Obtaining service tokens for authentication

Comprehensive Read-Only Access

Security Services

  • guardduty:Get*, guardduty:List* - GuardDuty threat detection data
  • inspector:Describe*, inspector:Get*, inspector:List* - Amazon Inspector vulnerability assessments
  • macie:Get*, macie:List* - Amazon Macie data security and privacy findings
  • detective:Get*, detective:List* - Amazon Detective security investigation data
  • securityhub:Get*, securityhub:List* - AWS Security Hub consolidated security findings
  • accessanalyzer:Get*, accessanalyzer:List* - IAM Access Analyzer findings
  • config:Describe*, config:Get*, config:List* - AWS Config compliance and configuration data
  • cloudtrail:Describe*, cloudtrail:Get*, cloudtrail:List* - CloudTrail audit logs and events

Web Application Firewall

  • waf:Get*, waf:List* - Classic WAF rules and configurations
  • wafv2:Get*, wafv2:List*, wafv2:Describe* - WAFv2 web ACLs and rules
  • waf-regional:Get*, waf-regional:List*, waf-regional:Describe* - Regional WAF configurations
  • shield:Describe*, shield:Get*, shield:List* - AWS Shield DDoS protection status

Analytics and Machine Learning

  • glue:Get*, glue:List* - AWS Glue ETL job and catalog metadata
  • athena:Get*, athena:List* - Amazon Athena query execution and results
  • kinesis:Describe*, kinesis:Get*, kinesis:List* - Kinesis data streaming services
  • firehose:Describe*, firehose:List* - Kinesis Data Firehose delivery streams
  • sagemaker:Describe*, sagemaker:Get*, sagemaker:List* - SageMaker ML model and endpoint data
  • comprehend:Describe*, comprehend:Get*, comprehend:List* - Amazon Comprehend NLP analysis
  • translate:Describe*, translate:Get*, translate:List* - Amazon Translate language translation
  • polly:Describe*, polly:Get*, polly:List* - Amazon Polly text-to-speech synthesis
  • rekognition:Describe*, rekognition:Get*, rekognition:List* - Amazon Rekognition image analysis
  • textract:Get* - Amazon Textract document analysis
  • transcribe:Get*, transcribe:List* - Amazon Transcribe speech-to-text

Application and Workflow Services

  • states:Describe*, states:Get*, states:List* - AWS Step Functions workflow data
  • apigateway:GET - API Gateway REST API configurations (read-only HTTP GET)
  • application-insights:Describe*, application-insights:Get*, application-insights:List* - Application performance monitoring
  • xray:Get*, xray:BatchGet* - AWS X-Ray distributed tracing data

Storage and Backup

  • backup:Describe*, backup:Get*, backup:List* - AWS Backup job status and recovery points
  • glacier:Describe*, glacier:Get*, glacier:List* - Amazon Glacier archive storage
  • storagegateway:Describe*, storagegateway:List* - AWS Storage Gateway hybrid storage
  • datasync:Describe*, datasync:List* - AWS DataSync data transfer tasks
  • transfer:Describe*, transfer:List* - AWS Transfer Family file transfer protocols

Enterprise and Productivity

  • workspaces:Describe*, workspaces:List* - Amazon WorkSpaces virtual desktops
  • appstream:Describe*, appstream:List* - Amazon AppStream 2.0 application streaming
  • workdocs:Describe*, workdocs:Get* - Amazon WorkDocs document collaboration
  • workmail:Describe*, workmail:Get*, workmail:List* - Amazon WorkMail email service
  • connect:Describe*, connect:Get*, connect:List* - Amazon Connect contact center
  • chime:Get*, chime:List* - Amazon Chime communications service

Communication and Messaging

  • pinpoint:Get*, pinpoint:List* - Amazon Pinpoint customer engagement
  • ses:Describe*, ses:Get*, ses:List* - Amazon SES email service configuration
  • sns:Get*, sns:List* - Amazon SNS notification topics and subscriptions

Identity and Cognitive Services

  • cognito-idp:Describe*, cognito-idp:Get*, cognito-idp:List* - Amazon Cognito user pools
  • cognito-identity:Describe*, cognito-identity:Get*, cognito-identity:List* - Cognito identity pools

IoT and Edge Computing

  • iot:Describe*, iot:Get*, iot:List* - AWS IoT device and rule configurations
  • greengrass:Get*, greengrass:List* - AWS IoT Greengrass edge computing

Media Services

  • mediaconvert:Describe*, mediaconvert:Get*, mediaconvert:List* - AWS Elemental MediaConvert
  • mediastore:Describe*, mediastore:Get*, mediastore:List* - AWS Elemental MediaStore
  • mediatailor:Describe*, mediatailor:Get*, mediatailor:List* - AWS Elemental MediaTailor

Developer Tools and Code Services

  • codecommit:BatchDescribe*, codecommit:BatchGet*, codecommit:Describe*, codecommit:Get*, codecommit:GitPull, codecommit:List* - AWS CodeCommit repository access

Cost and Resource Management

  • pricing:Describe*, pricing:Get*, pricing:List* - AWS Pricing API for cost information
  • budgets:Describe*, budgets:View* - AWS Budgets cost and usage tracking
  • ce:Describe*, ce:Get*, ce:List* - AWS Cost Explorer cost analysis
  • cur:Describe*, cur:Get* - AWS Cost and Usage Reports
  • tag:Get* - Resource tagging information
  • resource-groups:Get*, resource-groups:List*, resource-groups:Search* - AWS Resource Groups

Support and Management

  • support:Describe*, support:Get*, support:List* - AWS Support case and service information
  • trustedadvisor:Describe*, trustedadvisor:Get*, trustedadvisor:List* - AWS Trusted Advisor recommendations
  • health:Describe*, health:Get*, health:List* - AWS Health Dashboard service status
  • wellarchitected:Get*, wellarchitected:List* - AWS Well-Architected Tool reviews
  • servicecatalog:Describe*, servicecatalog:Get*, servicecatalog:List* - AWS Service Catalog products

AI and ML Services

  • bedrock:Get*, bedrock:List*, bedrock:Describe* - Amazon Bedrock foundation models

CloudFormation

  • cloudformation:EstimateTemplateCost - Estimating CloudFormation template costs
  • cloudformation:ValidateTemplate - Validating CloudFormation template syntax

Security Considerations

⚠️ High-Risk Permissions: Many of the read/write grants are service-level wildcards (iam:*, s3:*, eks:*, ec2:*, route53:*, cloudformation:*, logs:*, ecr-public:*, kms:*, events:*, sqs:*, organizations:*). Because iam:* alone allows creating users, roles and access keys and attaching any policy, a READ/WRITE integration is effectively administrative access to the account, and kms:* adds the ability to schedule key deletion. This provides maximum flexibility but requires careful monitoring and access control: keep integrations in READ ONLY mode unless you need StarOps to provision on your behalf, and review the integration role's API activity in CloudTrail.
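To check a policy against the Read Only promise above, here is an added example in Python (it is not StarOps code): it classifies every allowed action in an IAM policy document by its verb prefix and flags service wildcards and NotAction statements. The two policy documents inside it are constructed from actions on this page, and `READ_ONLY_VERBS` is this example's own heuristic, not AWS's access-level metadata.

```python
"""Check whether an IAM policy document is "Get and List only".

Added example, not StarOps code. Input is a policy document in the JSON
shape that `aws iam get-role-policy` returns; the two documents below are
constructed for this example from actions listed on this page.
"""
import json
import sys

# Verb prefixes this example treats as read-only. Everything else (Create,
# Put, Delete, Invoke, RequestServiceQuotaIncrease, ...) counts as mutating.
# This is a prefix heuristic, not AWS's own access-level metadata, so review
# the resulting "write" set by hand.
READ_ONLY_VERBS = (
    "Get", "List", "Describe", "View", "Search", "BatchGet", "BatchDescribe",
    "GitPull", "GET", "Head", "Scan", "Query", "ConditionCheck", "Estimate",
    "Validate",
)

# Constructed sample: what a Read Only integration policy should look like.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:GetRole", "iam:ListRoles", "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation", "ec2:DescribeInstances"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["guardduty:Get*", "guardduty:List*", "apigateway:GET"]},
        {"Effect": "Deny", "Resource": "*", "Action": "s3:DeleteBucket"},
    ],
}

# Constructed sample: a READ/WRITE policy with the service wildcards.
READ_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:*", "kms:*", "s3:PutObject", "ec2:DescribeInstances",
                    "lambda:InvokeFunction"]},
    ],
}


def classify_action(action):
    """Return 'wildcard', 'read' or 'write' for one Action string."""
    if action == "*":
        return "wildcard"
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return "wildcard"  # service:* grants every action of that service
    if any(verb.startswith(prefix) for prefix in READ_ONLY_VERBS):
        return "read"
    return "write"


def audit_policy(policy):
    """Summarise the Allow statements of a policy document.

    Returns {"read": set, "write": set, "wildcard": set, "not_action": int}.
    NotAction statements are only counted: "everything except X" is never
    read-only, whatever X is. Deny statements are skipped because they can
    only remove access."""
    summary = {"read": set(), "write": set(), "wildcard": set(), "not_action": 0}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            summary["not_action"] += 1
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # "Action": "s3:GetObject" is valid too
            actions = [actions]
        for action in actions:
            summary[classify_action(action)].add(action)
    return summary


def is_read_only(policy):
    """True only if every Allow grants read-prefixed actions and nothing else."""
    summary = audit_policy(policy)
    return not summary["write"] and not summary["wildcard"] and summary["not_action"] == 0


if __name__ == "__main__":
    # python audit_policy.py doc.json   (defaults to the read/write sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            doc = json.load(f)
    else:
        doc = READ_WRITE_POLICY
    summary = audit_policy(doc)
    print("read-only:", is_read_only(doc), "| NotAction statements:", summary["not_action"])
    for kind in ("wildcard", "write"):
        for action in sorted(summary[kind]):
            print(f"  {kind:8s} {action}")
```

Feed it a real document with `aws iam get-role-policy --role-name <role> --policy-name <name> --query PolicyDocument > doc.json` (or `aws iam get-policy-version --policy-arn <arn> --version-id <id> --query PolicyVersion.Document` for a managed policy) and run `python audit_policy.py doc.json`. Anything in the `write` or `wildcard` sets on a role that is supposed to be Read Only is a finding.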

GCP - Integration Permissions

Overview

This module creates a GCP Service Account with configurable IAM roles to facilitate AWS-to-GCP Workload Identity Federation. The module supports two permission modes:

  1. Read-Only Access (readonly_access = true) - For monitoring, auditing, and discovery workloads
  2. Admin Access (readonly_access = false) - For infrastructure provisioning and management workloads

Permission Modes

Read-Only Access Mode

  • Resource discovery and inventory
  • Monitoring and observability workloads
  • Audit and compliance scanning
  • Non-destructive operations
  • Development and testing environments

Read/Write Mode

  • Infrastructure provisioning and management
  • GKE cluster creation and configuration
  • Resource lifecycle management (create, update, delete)
  • Production deployments
  • Full infrastructure automation

Read-Only Roles

Core Project Access

roles/viewer

Purpose: Provides read-only access to most resources in the project (it does not read Secret Manager payloads; that is covered by the separate roles/secretmanager.secretAccessor grant below)

Permissions Include:

  • List and describe all GCP resources
  • View project metadata and configuration
  • Read IAM policies (but not modify)
  • Access monitoring metrics and logs
  • View billing information

Use Cases:

  • Overall project visibility and inventory
  • Compliance auditing and reporting
  • Resource discovery across all services
  • Cost analysis and optimization

Compute Engine

roles/compute.viewer

Purpose: Read-only access to Compute Engine resources

Permissions Include:

  • compute.instances.list - List all VM instances
  • compute.instances.get - Get VM instance details
  • compute.disks.list - List persistent disks
  • compute.disks.get - Get disk configuration
  • compute.images.list - List available images
  • compute.snapshots.list - List disk snapshots
  • compute.machineTypes.list - List available machine types
  • compute.zones.list - List available zones
  • compute.regions.list - List available regions

Use Cases:

  • VM inventory and capacity planning
  • Disk usage analysis and optimization
  • Resource utilization monitoring
  • Compliance scanning for compute resources

roles/compute.networkViewer

Purpose: Read-only access to networking resources

Permissions Include:

  • compute.networks.list - List VPC networks
  • compute.networks.get - Get network configuration
  • compute.subnetworks.list - List subnets
  • compute.subnetworks.get - Get subnet details
  • compute.firewalls.list - List firewall rules
  • compute.firewalls.get - Get firewall rule details
  • compute.routes.list - List routes
  • compute.addresses.list - List IP addresses
  • compute.routers.list - List Cloud Routers
  • compute.vpnGateways.list - List VPN gateways

Use Cases:

  • Network topology visualization
  • Security posture assessment
  • Network connectivity troubleshooting
  • IP address management and planning
  • VPN and interconnect monitoring

Google Kubernetes Engine (GKE)

roles/container.clusterViewer

Purpose: Read-only access to GKE clusters

Permissions Include:

  • container.clusters.list - List all GKE clusters
  • container.clusters.get - Get cluster configuration
  • container.clusters.getCredentials - Get cluster credentials for kubectl access
  • container.operations.list - List cluster operations
  • container.operations.get - Get operation details
  • container.nodePools.list - List node pools
  • container.nodePools.get - Get node pool configuration

Use Cases:

  • GKE cluster inventory and discovery
  • Cluster configuration auditing
  • Node pool capacity planning
  • Kubernetes version compliance checking
  • Cluster health monitoring

Cloud Storage

roles/storage.objectViewer

Purpose: Read-only access to Cloud Storage objects

Permissions Include:

  • storage.objects.list - List objects in buckets
  • storage.objects.get - Download and read objects
  • storage.buckets.list and storage.buckets.get - Bucket listing and configuration; these come from the roles/viewer grant above rather than from this role

Note: this role excludes ACL and IAM policy reads on objects (storage.objects.getIamPolicy), which belong to roles/storage.objectAdmin. The authoritative permission list for any predefined role is printed by `gcloud iam roles describe roles/storage.objectViewer`.

Use Cases:

  • Storage inventory and capacity analysis
  • Data location and compliance verification
  • Backup and archive monitoring
  • Storage cost optimization
  • Configuration file retrieval

Cloud SQL

roles/cloudsql.viewer

Purpose: Read-only access to Cloud SQL instances

Permissions Include:

  • cloudsql.instances.list - List database instances
  • cloudsql.instances.get - Get instance configuration
  • cloudsql.databases.list - List databases
  • cloudsql.databases.get - Get database metadata
  • cloudsql.backupRuns.list - List backup runs
  • cloudsql.backupRuns.get - Get backup details

Use Cases:

  • Database inventory and discovery
  • Backup compliance verification
  • Database configuration auditing
  • High availability monitoring
  • Capacity planning

Cloud KMS

roles/cloudkms.viewer

Purpose: Read-only access to encryption keys

Permissions Include:

  • cloudkms.keyRings.list - List key rings
  • cloudkms.keyRings.get - Get key ring details
  • cloudkms.cryptoKeys.list - List encryption keys
  • cloudkms.cryptoKeys.get - Get key configuration
  • cloudkms.cryptoKeyVersions.list - List key versions
  • cloudkms.cryptoKeyVersions.get - Get key version details

Use Cases:

  • Encryption key inventory
  • Key rotation compliance checking
  • Security posture assessment
  • Key usage auditing
  • Compliance reporting (CMEK verification)

Cloud DNS

roles/dns.reader

Purpose: Read-only access to Cloud DNS

Permissions Include:

  • dns.managedZones.list - List DNS zones
  • dns.managedZones.get - Get zone configuration
  • dns.resourceRecordSets.list - List DNS records
  • dns.resourceRecordSets.get - Get record details
  • dns.changes.list - List DNS changes
  • dns.changes.get - Get change details

Use Cases:

  • DNS configuration auditing
  • Domain inventory management
  • DNS record verification
  • DNSSEC compliance checking
  • Troubleshooting DNS issues

Secret Manager

roles/secretmanager.secretAccessor

Purpose: Read secret payloads

Permissions Include:

  • secretmanager.versions.access - Access secret values (the only permission in this role)

Listing secrets and versions and reading their metadata (secretmanager.secrets.list, secretmanager.secrets.get, secretmanager.versions.list, secretmanager.versions.get) belong to roles/secretmanager.viewer, which is not granted here; with this role alone the caller must already know a secret's name.

Use Cases:

  • Retrieve configuration secrets
  • Access application credentials
  • Read service account keys
  • Retrieve API keys and tokens
  • Access database passwords

Security Note: This role grants access to sensitive data, and because it is part of the read-only mode a READ ONLY integration can already read every secret payload in the project. Restrict the grant with an IAM condition on the secret resource name (for example, only secrets with an agreed prefix), and enable Data Access audit logs for Secret Manager so that each AccessSecretVersion call is recorded.

Monitoring and Logging (Write Access)

roles/logging.logWriter

Purpose: Write logs to Cloud Logging

Permissions Include:

  • logging.logEntries.create - Write log entries
  • logging.logEntries.route - Route logs to sinks

Use Cases:

  • Application logging from AWS workloads
  • Audit trail generation
  • Custom metric logging
  • Error and exception reporting
  • Operational telemetry

Note: This is a write permission included in read-only mode to enable observability.

roles/monitoring.metricWriter

Purpose: Write custom metrics to Cloud Monitoring

Permissions Include:

  • monitoring.timeSeries.create - Write custom metrics
  • monitoring.metricDescriptors.create - Create custom metric definitions
  • monitoring.metricDescriptors.list - List metric descriptors

Use Cases:

  • Custom application metrics
  • Performance monitoring
  • SLO/SLI tracking
  • Business metrics reporting
  • Health check reporting

Note: This is a write permission included in read-only mode to enable observability.


Admin Roles (admin_roles)

These roles are assigned when readonly_access = false, in addition to the read-only roles above. They provide full administrative capabilities for infrastructure management.
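As an added example (not part of the module this page describes), the following Python script checks what the federated service account actually holds in the project IAM policy against the two role sets on this page: in read-only mode it should hold only the read-only roles, and the roles that carry a Security Note should be bound with an IAM condition. The policy document, project number and service account name in it are constructed for the example.

```python
"""Audit which project IAM roles the federated service account actually holds.

Added example, not code from the module this page describes. Input is the
JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints;
the sample below is constructed and the project and account names are made up.
"""
import copy

# Roles the page lists for readonly_access = true (including the two
# observability write roles it keeps in that mode).
READONLY_ROLES = {
    "roles/viewer", "roles/compute.viewer", "roles/compute.networkViewer",
    "roles/container.clusterViewer", "roles/storage.objectViewer",
    "roles/cloudsql.viewer", "roles/cloudkms.viewer", "roles/dns.reader",
    "roles/secretmanager.secretAccessor", "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
}

# Roles the page lists for readonly_access = false.
ADMIN_ROLES = {
    "roles/resourcemanager.projectIamAdmin", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator", "roles/iam.workloadIdentityPoolAdmin",
    "roles/iam.workloadIdentityPoolViewer", "roles/compute.admin",
    "roles/compute.networkAdmin", "roles/serviceusage.serviceUsageAdmin",
    "roles/container.admin", "roles/storage.admin", "roles/cloudsql.admin",
    "roles/cloudkms.admin", "roles/dns.admin",
    "roles/binaryauthorization.attestorsAdmin",
}

# Roles whose Security Note on this page asks for a condition on the grant.
CONDITION_REQUIRED = {
    "roles/secretmanager.secretAccessor", "roles/resourcemanager.projectIamAdmin",
    "roles/container.admin", "roles/cloudkms.admin",
}

# Constructed sample: the account is meant to run in read-only mode, but a
# stray roles/compute.admin binding has drifted in.
SA_MEMBER = "serviceAccount:starops-integration@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwYExampleEtag=",
    "bindings": [
        {"role": "roles/viewer",
         "members": [SA_MEMBER, "group:platform-admins@example.com"]},
        {"role": "roles/logging.logWriter", "members": [SA_MEMBER]},
        {"role": "roles/monitoring.metricWriter", "members": [SA_MEMBER]},
        {"role": "roles/compute.admin", "members": [SA_MEMBER]},
        {"role": "roles/secretmanager.secretAccessor",
         "members": [SA_MEMBER],
         "condition": {
             "title": "starops-secrets-only",
             "expression": 'resource.name.startsWith("projects/123456789012/secrets/starops-")',
         }},
    ],
}


def bindings_for_member(policy, member):
    """Return [(role, condition-or-None), ...] for every binding naming member.

    A role can appear twice (once conditional, once not), so this keeps a
    list rather than a dict: the unconditional grant is the one that matters."""
    return [
        (b["role"], b.get("condition"))
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    ]


def audit_member(policy, member, readonly_access=True):
    """Return human-readable findings; an empty list means the bindings match
    the mode. Roles outside the expected set (roles/owner, custom roles,
    drift) are always reported, and CONDITION_REQUIRED roles must carry a
    condition."""
    expected = READONLY_ROLES if readonly_access else READONLY_ROLES | ADMIN_ROLES
    findings = []
    for role, condition in sorted(bindings_for_member(policy, member), key=lambda rc: rc[0]):
        if role not in expected:
            findings.append(f"unexpected role {role}")
        if role in CONDITION_REQUIRED and condition is None:
            findings.append(f"{role} bound without an IAM condition")
    return findings


def without_condition(policy, role):
    """Copy of policy with the condition removed from bindings for role
    (used to show what an over-broad secretAccessor grant looks like)."""
    loose = copy.deepcopy(policy)
    for b in loose.get("bindings", []):
        if b["role"] == role:
            b.pop("condition", None)
    return loose


if __name__ == "__main__":
    for mode in (True, False):
        print(f"readonly_access={mode}:", audit_member(SAMPLE_POLICY, SA_MEMBER, mode) or "OK")
    loose = without_condition(SAMPLE_POLICY, "roles/secretmanager.secretAccessor")
    print("secretAccessor without condition:", audit_member(loose, SA_MEMBER))
```

Replace `SAMPLE_POLICY` with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and `SA_MEMBER` with the module's service account. The check only sees conditions on the project bindings; the attribute condition on the Workload Identity Pool provider, which restricts which AWS principal may federate in, is a separate control that does not appear in this policy.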

IAM and Resource Management

roles/resourcemanager.projectIamAdmin

Purpose: Full control over project-level IAM policies

Permissions Include:

  • resourcemanager.projects.getIamPolicy - Get project IAM policy
  • resourcemanager.projects.setIamPolicy - Modify project IAM policy
  • resourcemanager.projects.get - Get project details
  • Complete IAM policy management

Use Cases:

  • Grant and revoke IAM permissions
  • Service account permission management
  • Workload Identity configuration
  • Access control automation
  • Security policy implementation

Security Note: This is a highly privileged role. resourcemanager.projects.setIamPolicy lets the holder grant any role, including roles/owner, to any principal (itself included), so this grant is equivalent to owner-level access to the project. Use strict attribute conditions in production, and alert on SetIamPolicy calls by this service account in Cloud Audit Logs.

roles/iam.serviceAccountAdmin

Purpose: Full control over service accounts

Permissions Include:

  • iam.serviceAccounts.create - Create new service accounts
  • iam.serviceAccounts.delete - Delete service accounts
  • iam.serviceAccounts.update - Modify service accounts
  • iam.serviceAccounts.get - Get service account details
  • iam.serviceAccounts.list - List service accounts
  • iam.serviceAccounts.setIamPolicy - Set service account IAM policy
  • iam.serviceAccounts.getIamPolicy - Get service account IAM policy

Use Cases:

  • Service account lifecycle management
  • Automated service account provisioning
  • Service account permission delegation
  • Identity federation setup
  • Application identity management

roles/iam.serviceAccountKeyAdmin

Purpose: Manage service account keys

Permissions Include:

  • iam.serviceAccountKeys.create - Create service account keys
  • iam.serviceAccountKeys.delete - Delete service account keys
  • iam.serviceAccountKeys.get - Get key metadata
  • iam.serviceAccountKeys.list - List keys for service accounts

Use Cases:

  • Service account key rotation
  • Key lifecycle management
  • Security remediation (key deletion)
  • Legacy application key provisioning

Security Note: Best practice is to use Workload Identity Federation instead of keys.

roles/iam.serviceAccountUser

Purpose: Attach service accounts to resources and run workloads as them

Permissions Include:

  • iam.serviceAccounts.actAs - Deploy resources (VMs, GKE node pools, Cloud Run services) that run as the service account
  • iam.serviceAccounts.get - Get service account details
  • iam.serviceAccounts.list - List service accounts

Note: this role does not mint tokens; generating access or ID tokens for a service account needs roles/iam.serviceAccountTokenCreator below. Holding actAs on a service account is as powerful as that account's own roles, because anything deployed as it inherits them.

Use Cases:

  • Deploy resources as a service account
  • Cloud Run service deployment
  • Cloud Functions deployment
  • Compute Engine instance creation with service accounts
  • GKE workload identity binding

roles/iam.serviceAccountTokenCreator

Purpose: Create OAuth2 access tokens and OpenID Connect ID tokens for service accounts

Permissions Include:

  • iam.serviceAccounts.getAccessToken - Generate access tokens
  • iam.serviceAccounts.getOpenIdToken - Generate OIDC tokens
  • iam.serviceAccounts.implicitDelegation - Token delegation

Use Cases:

  • Programmatic authentication
  • Service-to-service authentication
  • API access token generation
  • OIDC token creation for third-party services

roles/iam.workloadIdentityPoolAdmin

Purpose: Full control over Workload Identity Pools

Permissions Include:

  • iam.workloadIdentityPools.create - Create identity pools
  • iam.workloadIdentityPools.delete - Delete identity pools
  • iam.workloadIdentityPools.update - Modify identity pools
  • iam.workloadIdentityPools.get - Get pool configuration
  • iam.workloadIdentityPoolProviders.create - Create providers
  • iam.workloadIdentityPoolProviders.delete - Delete providers
  • iam.workloadIdentityPoolProviders.update - Modify providers

Use Cases:

  • Workload Identity Federation setup
  • Multi-cloud authentication configuration
  • Identity provider management
  • Federation policy updates

roles/iam.workloadIdentityPoolViewer

Purpose: Read-only access to Workload Identity Pools

Permissions Include:

  • iam.workloadIdentityPools.get - Get pool details
  • iam.workloadIdentityPools.list - List identity pools
  • iam.workloadIdentityPoolProviders.get - Get provider details
  • iam.workloadIdentityPoolProviders.list - List providers

Use Cases:

  • Federation configuration auditing
  • Identity pool inventory
  • Configuration verification
  • Troubleshooting federation issues

Compute and Networking

roles/compute.admin

Purpose: Full control over Compute Engine resources

Permissions Include:

  • All roles/compute.viewer permissions
  • compute.instances.create - Create VM instances
  • compute.instances.delete - Delete VM instances
  • compute.instances.start - Start VM instances
  • compute.instances.stop - Stop VM instances
  • compute.instances.reset - Reset VM instances
  • compute.instances.setMetadata - Set instance metadata
  • compute.instances.setServiceAccount - Assign service accounts
  • compute.disks.create - Create persistent disks
  • compute.disks.delete - Delete persistent disks
  • compute.disks.resize - Resize disks
  • compute.images.create - Create custom images
  • compute.images.delete - Delete images
  • compute.snapshots.create - Create disk snapshots
  • compute.snapshots.delete - Delete snapshots

Use Cases:

  • VM lifecycle management
  • Auto-scaling implementations
  • Infrastructure provisioning
  • Disaster recovery operations
  • Capacity management

roles/compute.networkAdmin

Purpose: Full control over networking resources

Permissions Include:

  • All roles/compute.networkViewer permissions
  • compute.networks.create - Create VPC networks
  • compute.networks.delete - Delete VPC networks
  • compute.networks.update - Modify VPC networks
  • compute.subnetworks.create - Create subnets
  • compute.subnetworks.delete - Delete subnets
  • compute.subnetworks.update - Modify subnets
  • compute.firewalls.create - Create firewall rules
  • compute.firewalls.delete - Delete firewall rules
  • compute.firewalls.update - Modify firewall rules
  • compute.routes.create - Create routes
  • compute.routes.delete - Delete routes
  • compute.addresses.create - Reserve IP addresses
  • compute.addresses.delete - Release IP addresses
  • compute.routers.create - Create Cloud Routers
  • compute.vpnGateways.create - Create VPN gateways

Use Cases:

  • VPC network provisioning
  • Network topology management
  • Firewall rule automation
  • IP address management
  • VPN and interconnect configuration
  • Network security policy implementation

Service Usage

roles/serviceusage.serviceUsageAdmin

Purpose: Enable and disable GCP APIs

Permissions Include:

  • serviceusage.services.enable - Enable APIs
  • serviceusage.services.disable - Disable APIs
  • serviceusage.services.get - Get API status
  • serviceusage.services.list - List available APIs

Use Cases:

  • Automated API enablement during provisioning
  • Service quota management
  • API usage optimization
  • Cost control (disabling unused APIs)

Google Kubernetes Engine (GKE)

roles/container.admin

Purpose: Full control over GKE clusters

Permissions Include:

  • All roles/container.clusterViewer permissions
  • container.clusters.create - Create GKE clusters
  • container.clusters.delete - Delete GKE clusters
  • container.clusters.update - Modify cluster configuration
  • container.clusters.upgrade - Upgrade cluster versions
  • container.nodePools.create - Create node pools
  • container.nodePools.delete - Delete node pools
  • container.nodePools.update - Modify node pools
  • container.operations.get - Get operation status
  • Full Kubernetes API access via cluster credentials

Use Cases:

  • GKE cluster lifecycle management
  • Cluster version upgrades
  • Node pool scaling and management
  • Cluster configuration updates
  • Infrastructure as Code for Kubernetes
  • Production cluster operations

Security Note: This role grants full control over Kubernetes clusters. Combine with attribute conditions for production use.

Cloud Storage

roles/storage.admin

Purpose: Full control over Cloud Storage

Permissions Include:

  • All roles/storage.objectViewer permissions
  • storage.buckets.create - Create storage buckets
  • storage.buckets.delete - Delete storage buckets
  • storage.buckets.update - Modify bucket configuration
  • storage.buckets.setIamPolicy - Set bucket IAM policies
  • storage.objects.create - Upload objects
  • storage.objects.delete - Delete objects
  • storage.objects.update - Modify object metadata
  • storage.objects.setIamPolicy - Set object-level IAM policies
  • Complete lifecycle policy management
  • Complete bucket policy management

Use Cases:

  • Bucket lifecycle management
  • Object storage for applications
  • Terraform state storage
  • Backup and archive management
  • Data lake implementation
  • Static website hosting

Cloud SQL

roles/cloudsql.admin

Purpose: Full control over Cloud SQL instances

Permissions Include:

  • All roles/cloudsql.viewer permissions
  • cloudsql.instances.create - Create database instances
  • cloudsql.instances.delete - Delete database instances
  • cloudsql.instances.update - Modify instance configuration
  • cloudsql.instances.restart - Restart instances
  • cloudsql.databases.create - Create databases
  • cloudsql.databases.delete - Delete databases
  • cloudsql.databases.update - Modify databases
  • cloudsql.users.create - Create database users
  • cloudsql.users.delete - Delete database users
  • cloudsql.backupRuns.create - Create backups
  • cloudsql.backupRuns.delete - Delete backups
  • Complete failover configuration

Use Cases:

  • Database provisioning and deprovisioning
  • High availability configuration
  • Backup and recovery operations
  • Database scaling and optimization
  • User and access management

Cloud KMS

roles/cloudkms.admin

Purpose: Full control over encryption keys

Permissions Include:

  • All roles/cloudkms.viewer permissions
  • cloudkms.keyRings.create - Create key rings
  • cloudkms.cryptoKeys.create - Create encryption keys
  • cloudkms.cryptoKeys.update - Modify key configuration
  • cloudkms.cryptoKeyVersions.create - Create key versions
  • cloudkms.cryptoKeyVersions.destroy - Destroy key versions
  • cloudkms.cryptoKeys.setIamPolicy - Set key access policies
  • Key rotation management
  • CMEK configuration

Use Cases:

  • Encryption key lifecycle management
  • Customer-managed encryption key (CMEK) setup
  • Key rotation automation
  • Encryption policy implementation
  • Compliance requirements (data encryption at rest)
  • etcd encryption for GKE

Security Note: KMS admin access is highly sensitive. Enable audit logging and use attribute conditions.

Cloud DNS

roles/dns.admin

Purpose: Full control over Cloud DNS

Permissions Include:

  • All roles/dns.reader permissions
  • dns.managedZones.create - Create DNS zones
  • dns.managedZones.delete - Delete DNS zones
  • dns.managedZones.update - Modify zone configuration
  • dns.resourceRecordSets.create - Create DNS records
  • dns.resourceRecordSets.delete - Delete DNS records
  • dns.resourceRecordSets.update - Modify DNS records
  • dns.changes.create - Create change requests
  • DNSSEC configuration

Use Cases:

  • DNS zone provisioning
  • DNS record automation
  • Domain management
  • Service discovery configuration
  • Load balancer DNS integration
  • Certificate validation (DNS-01 challenge)

Binary Authorization

roles/binaryauthorization.attestorsAdmin

Purpose: Manage Binary Authorization attestors

Permissions Include:

  • binaryauthorization.attestors.create - Create attestors
  • binaryauthorization.attestors.delete - Delete attestors
  • binaryauthorization.attestors.update - Modify attestors
  • binaryauthorization.attestors.get - Get attestor details
  • binaryauthorization.attestors.list - List attestors
  • binaryauthorization.attestors.verifyImageAttested - Verify attestations

Use Cases:

  • Container image security policy enforcement
  • Continuous verification of container images
  • Supply chain security implementation
  • Attestation-based deployment controls

roles/binaryauthorization.policyAdmin

Purpose: Manage Binary Authorization policies

Permissions Include:

  • binaryauthorization.policy.get - Get policy configuration
  • binaryauthorization.policy.update - Modify security policies
  • binaryauthorization.policy.getIamPolicy - Get IAM policy
  • binaryauthorization.policy.setIamPolicy - Set IAM policy

Use Cases:

  • Security policy configuration
  • Deployment restrictions based on attestations
  • Compliance enforcement for container deployments
  • Vulnerability scanning requirements

Secret Manager

roles/secretmanager.admin

Purpose: Full control over secrets

Permissions Include:

  • All roles/secretmanager.secretAccessor permissions
  • secretmanager.secrets.create - Create secrets
  • secretmanager.secrets.delete - Delete secrets
  • secretmanager.secrets.update - Modify secret metadata
  • secretmanager.versions.add - Add new secret versions
  • secretmanager.versions.destroy - Destroy secret versions
  • secretmanager.versions.disable - Disable secret versions
  • secretmanager.versions.enable - Enable secret versions
  • secretmanager.secrets.setIamPolicy - Set secret access policies

Use Cases:

  • Secret lifecycle management
  • Credential rotation automation
  • Secret provisioning for applications
  • Sensitive configuration management
  • Integration with GKE Secret Manager add-on

Security Note: This role grants full control over secrets. Use with audit logging and strict access controls.

Monitoring and Logging

roles/logging.logWriter

Purpose: Write logs to Cloud Logging (included in both modes)

See Read-Only Roles section above for details.

roles/monitoring.metricWriter

Purpose: Write custom metrics to Cloud Monitoring (included in both modes)

See Read-Only Roles section above for details.


Custom IAM Bindings

The module supports custom IAM bindings via the custom_iam_bindings variable for fine-grained resource-level permissions.

Example: Conditional Access

custom_iam_bindings = [
  {
    resource = "projects/my-project"
    role     = "roles/storage.objectViewer"
    members  = ["serviceAccount:example@project.iam.gserviceaccount.com"]
    condition = {
      title       = "Business hours access"
      description = "Only allow access during business hours"
      expression  = "request.time.getHours() >= 9 && request.time.getHours() <= 17"
    }
  }
]

Use Cases:

  • Time-based access restrictions
  • Resource-specific permissions
  • Temporary access grants
  • Compliance-driven access controls

Security Best Practices

1. Principle of Least Privilege

  • Start with read-only access and add permissions as needed
  • Use readonly_access = true for non-production environments
  • Document why each permission is required

2. Attribute Conditions

Use attribute conditions to restrict federation based on AWS identity attributes:

attribute_condition = "attribute.aws_role.startsWith('Production-') && attribute.aws_account == '123456789012'"

Examples:

  • Restrict by AWS role name
  • Restrict by AWS account ID
  • Restrict by time of day
  • Combine multiple conditions
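The attribute names the condition refers to only exist if the pool provider maps them from the AWS identity. The following Terraform is an added illustration, not the module's own code: it assumes a `google_service_account.federated` resource, the pool and provider IDs shown, and an AWS account ID that is a placeholder; the `assertion.arn.extract(...)` mapping assumes callers authenticate with assumed-role ARNs.

```hcl
resource "google_iam_workload_identity_pool" "aws" {
  workload_identity_pool_id = "aws-federation" # assumed ID
  display_name              = "AWS federation"
}

resource "google_iam_workload_identity_pool_provider" "aws" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.aws.workload_identity_pool_id
  workload_identity_pool_provider_id = "aws-prod" # assumed ID
  display_name                       = "AWS production account"

  # Derive the custom attributes from the AWS STS caller identity so the
  # condition below has something to evaluate. Without this mapping,
  # attribute.aws_role / attribute.aws_account are undefined.
  attribute_mapping = {
    "google.subject"        = "assertion.arn"
    "attribute.aws_account" = "assertion.account"
    "attribute.aws_role"    = "assertion.arn.extract('assumed-role/{role}/')"
  }

  # Identities failing this CEL expression cannot exchange a token at all,
  # regardless of any later IAM bindings.
  attribute_condition = "attribute.aws_role.startsWith('Production-') && attribute.aws_account == '123456789012'"

  aws {
    account_id = "123456789012" # placeholder account ID
  }
}

# Allow impersonation only for identities from that account (principalSet on
# the mapped attribute), rather than for every identity in the pool.
resource "google_service_account_iam_member" "federated" {
  service_account_id = google_service_account.federated.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.aws.name}/attribute.aws_account/123456789012"
}
```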

3. Audit Logging

Always enable audit logging in production:

enable_audit_logs = true

With audit logging enabled, the logs record:

  • Token generation requests
  • Service account impersonation
  • Permission usage
  • Failed authentication attempts

4. Multi-Account Strategy

Use separate service accounts for different AWS accounts or security tiers:

# Production federation (read-only)
module "prod_federation" {
  aws_account_ids = ["123456789012"]
  readonly_access = true
}

# Development federation (admin access)
module "dev_federation" {
  aws_account_ids = ["123456789999"]
  readonly_access = false
}

5. Regular Access Reviews

  • Quarterly review of assigned roles
  • Remove unused or excessive permissions
  • Update attribute conditions as requirements change
  • Monitor audit logs for anomalous access patterns

6. Labels and Tagging

Use comprehensive labels for governance:

labels = {
  environment     = "production"
  team            = "platform"
  security_tier   = "high"
  compliance      = "sox-gdpr"
  cost_center     = "engineering"
}

Workload Identity Federation Permissions

The module itself requires permissions to create federation resources. The Terraform service account needs:

Required Terraform Permissions

roles/iam.workloadIdentityPoolAdmin:
  - Create and manage Workload Identity Pools
  - Configure identity providers (AWS)
  - Set attribute mappings and conditions

roles/iam.serviceAccountAdmin:
  - Create the federated service account
  - Configure service account IAM policies
  - Grant workloadIdentityUser role

roles/resourcemanager.projectIamAdmin:
  - Bind roles to the service account
  - Configure project-level IAM policies

Setup Script

# Create Terraform service account
gcloud iam service-accounts create terraform-federation \
    --display-name="Terraform Federation Service Account"

# Grant required permissions
for role in roles/iam.workloadIdentityPoolAdmin \
            roles/iam.serviceAccountAdmin \
            roles/resourcemanager.projectIamAdmin; do
  gcloud projects add-iam-policy-binding PROJECT_ID \
      --member="serviceAccount:terraform-federation@PROJECT_ID.iam.gserviceaccount.com" \
      --role="$role"
done

# Create and export credentials
# This is a long-lived user-managed key: keep the file out of version control
# and delete the key (gcloud iam service-accounts keys delete) when it is no longer needed
gcloud iam service-accounts keys create terraform-sa-key.json \
    --iam-account=terraform-federation@PROJECT_ID.iam.gserviceaccount.com

export GOOGLE_CREDENTIALS="$(cat terraform-sa-key.json)"

Monitoring and Alerting

Key Metrics to Monitor

  1. Federation Token Requests

    • Monitor for unusual spikes in token generation
    • Alert on failed authentication attempts
  2. Permission Usage

    • Track which permissions are actively used
    • Identify unused permissions for removal
  3. Service Account Activity

    • Monitor API calls made by the federated service account
    • Alert on access to sensitive resources
  4. Audit Log Patterns

    • Track changes to IAM policies
    • Monitor modifications to the identity pool
    • Alert on workload identity pool disablement

Sample Alert Query

resource.type="iam_workload_identity_pool"
protoPayload.methodName="GenerateAccessToken"
severity="ERROR"
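To turn the query above into an actual alert, it can be used as the filter of a log-based alert policy. This Terraform is an added example, not part of the module: the notification channel, its e-mail address and the rate-limit and auto-close periods are assumptions.

```hcl
# Where alerts are delivered (assumed channel; address is a placeholder).
resource "google_monitoring_notification_channel" "security" {
  display_name = "Security on-call"
  type         = "email"
  labels = {
    email_address = "security@example.com"
  }
}

resource "google_monitoring_alert_policy" "federation_token_errors" {
  display_name = "Workload Identity Federation token errors"
  combiner     = "OR"

  conditions {
    display_name = "Failed GenerateAccessToken calls on the identity pool"
    # Same filter as the sample alert query above.
    condition_matched_log {
      filter = <<-EOT
        resource.type="iam_workload_identity_pool"
        protoPayload.methodName="GenerateAccessToken"
        severity="ERROR"
      EOT
    }
  }

  # Log-based alerts require a notification rate limit; one notification per
  # 5 minutes keeps a burst of failed exchanges from flooding the channel.
  alert_strategy {
    notification_rate_limit {
      period = "300s"
    }
    auto_close = "1800s"
  }

  notification_channels = [google_monitoring_notification_channel.security.id]
}
```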

Compliance Considerations

SOX Compliance

  • Enable comprehensive audit logging
  • Implement proper access controls and reviews
  • Maintain audit trails for all federation activities
  • Regular compliance assessments

GDPR Compliance

  • Ensure proper data handling in cross-cloud scenarios
  • Implement data residency controls if required
  • Maintain records of data processing activities
  • Enable audit logging for data access

Industry Standards

  • Follow NIST Cybersecurity Framework
  • Implement CIS Controls for cloud security
  • Regular security assessments and penetration testing
  • Incident response procedures for federation issues

Troubleshooting

Permission Denied Errors

  1. Verify Role Assignment

    gcloud projects get-iam-policy PROJECT_ID \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:SERVICE_ACCOUNT_EMAIL"
    
  2. Check Attribute Conditions

    • Verify AWS role name matches attribute condition
    • Ensure AWS account ID is in the allowed list
    • Test attribute mapping with sample AWS identities
  3. Review Audit Logs

    gcloud logging read "resource.type=iam_workload_identity_pool" \
        --limit 50 \
        --format json
    

Insufficient Permissions

If you encounter "insufficient permissions" errors:

  1. Add required roles to readonly_roles or admin_roles in terraform.tfvars
  2. Apply the Terraform changes to update service account permissions
  3. Wait 60-120 seconds for IAM changes to propagate
  4. Retry the operation

GCP Permissions References