Create Custom Role in GCP

Instructions on creating a custom role in GCP that lets Aikido manage snapshots and Cloud Storage objects.

To scan snapshots, Aikido needs to list, create and delete snapshots as well as Cloud Storage objects. The predefined GCP roles that cover these actions are usually some kind of "admin" role, which grants far more than is needed. We therefore recommend creating a custom role. The steps below create a role that carries only the permissions required for these tasks. Note that the list includes iam.serviceAccounts.actAs, which allows the grantee to run Cloud Build jobs and other workloads as the project's service accounts, so bind this role only to the identity Aikido authenticates with and to no other principal.

Using Cloud Shell

Open the Cloud Shell in the GCP console, replace [YOUR PROJECT ID] with your project ID, and run the following command:

gcloud iam roles create aikidoSecurityVmScannerRole \
  --project=[YOUR PROJECT ID] \
  --title="Aikido Security VM Scanner Role" \
  --description="Permissions required for Aikido VM snapshot scanning" \
  --stage=GA \
  --permissions=\
compute.instances.list,\
compute.instanceGroups.get,\
compute.instanceGroups.list,\
compute.disks.createSnapshot,\
compute.disks.get,\
compute.snapshots.create,\
compute.snapshots.delete,\
compute.snapshots.get,\
compute.snapshots.list,\
compute.snapshots.setLabels,\
compute.globalOperations.get,\
compute.zoneOperations.get,\
cloudbuild.builds.create,\
cloudbuild.builds.get,\
storage.objects.create,\
storage.objects.delete,\
storage.objects.get,\
storage.objects.list,\
iam.serviceAccounts.actAs
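Creating the role once is not the whole job: the permission list can drift if someone edits the role in the console, and the command above fails on a re-run because the role already exists. The script below is an added example (not Aikido's own tooling) that applies the same permission list idempotently and then verifies that the role in the project has exactly that set, flagging anything missing or extra. It assumes PROJECT_ID is exported by the caller, that the role ID matches the command above, and that `gcloud iam roles describe --format='value(includedPermissions)'` prints the permissions as a `;`-separated list (the default delimiter of the value format). The comparison logic is separate from the gcloud calls so it can be tested offline.

```shell
#!/bin/sh
# Added example, not part of Aikido's documentation or tooling.
# Assumptions: PROJECT_ID is exported by the caller; ROLE_ID matches the
# gcloud command on this page; gcloud is installed and authenticated.

ROLE_ID="aikidoSecurityVmScannerRole"

# The permission list from this page, one per line, so it can be diffed later.
expected_permissions() {
  cat <<'EOF'
compute.instances.list
compute.instanceGroups.get
compute.instanceGroups.list
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.setLabels
compute.globalOperations.get
compute.zoneOperations.get
cloudbuild.builds.create
cloudbuild.builds.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
iam.serviceAccounts.actAs
EOF
}

# The same list in the comma-separated form that --permissions= expects.
permissions_csv() {
  expected_permissions | paste -sd, -
}

# Read the role's actual permissions (one per line) from stdin and compare
# them with the expected list. Prints "missing: X" for every expected
# permission that is absent and "extra: X" for every permission the role has
# beyond the list. Returns 0 only when both sets match exactly.
check_permissions() {
  tmp_actual=$(mktemp)
  tmp_expected=$(mktemp)
  sed '/^$/d' | sort -u > "$tmp_actual"
  expected_permissions | sort -u > "$tmp_expected"
  rc=0
  for p in $(comm -23 "$tmp_expected" "$tmp_actual"); do
    echo "missing: $p"
    rc=1
  done
  for p in $(comm -13 "$tmp_expected" "$tmp_actual"); do
    echo "extra: $p"
    rc=1
  done
  rm -f "$tmp_actual" "$tmp_expected"
  return $rc
}

# Create the role if it does not exist yet, otherwise reset its permission
# list to the expected one, then verify the result. Requires gcloud.
apply_role() {
  : "${PROJECT_ID:?set PROJECT_ID to the target GCP project}"
  if gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" >/dev/null 2>&1; then
    gcloud iam roles update "$ROLE_ID" --project="$PROJECT_ID" \
      --permissions="$(permissions_csv)"
  else
    gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
      --title="Aikido Security VM Scanner Role" \
      --description="Permissions required for Aikido VM snapshot scanning" \
      --stage=GA \
      --permissions="$(permissions_csv)"
  fi
  # value(includedPermissions) prints the list separated by ';'.
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
    --format='value(includedPermissions)' | tr ';' '\n' | check_permissions
}

# Only touch GCP when explicitly asked: `PROJECT_ID=my-project sh role.sh apply`
if [ "${1:-}" = "apply" ]; then
  apply_role
fi
```

Run it with `apply` after the initial creation as well: a non-zero exit with "extra:" lines means the role was widened outside this process and should be reviewed before Aikido keeps using it.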
