Appendix D: Least-privilege permissions used by HYCU for Google Cloud

To perform data protection tasks, HYCU for Google Cloud uses the permissions that you granted to the Google Service Account or the HMSA in Google Cloud. If your data protection environment requires a custom role, you can use the HYCU for Google Cloud role template, which contains a predefined set of least-privilege permissions, to grant the created role exactly the permissions it needs.

Using a role template with a predefined set of permissions

Prerequisite

Your account has the iam.roles.create permission. If you are a project or organization owner, you have this permission by default. If you are not an owner, you must have either the Organization Role Administrator or the IAM Role Administrator role assigned.

Procedure

  1. Download the HYCU for Google Cloud service role template that contains the role definitions. The template is available at the following location:

    https://storage.googleapis.com/hycu-public/custom-role/hycu_service_role.yaml

  2. Create the role with the permissions defined in the template by running the following command:

    gcloud iam roles create <RoleID> --project=<ProjectID> --file=<RoleDefinitionFilePath>

    In this command, <RoleID> is the name of the role (for example hycuRole), <ProjectID> is the name of your project, and <RoleDefinitionFilePath> is the path to the location of the downloaded template that contains the custom role definition.

For details on creating and managing custom roles, see the Google Cloud documentation.
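Before running the gcloud command above, it is worth checking that the role definition file you are about to load grants exactly the documented permission set and nothing more, since a custom role is the easiest place for extra permissions to creep in. The following script is an added example, not HYCU's tooling or the contents of the published template: it parses the flat gcloud role YAML shape (title, description, stage, includedPermissions) with a minimal line-based parser (not a general YAML parser), then reports permissions that are missing from the expected baseline, permissions that are present but not expected, duplicates, and malformed permission names. The SAMPLE_ROLE_YAML and EXPECTED_PERMISSIONS values are constructed for the demonstration; in practice you would read the downloaded hycu_service_role.yaml from disk and use the full list in the next section as the baseline.

```python
"""Audit a gcloud custom-role definition against an expected least-privilege set.

Added example for the HYCU for Google Cloud custom-role procedure; assumes the
role file has the flat shape that `gcloud iam roles create --file` accepts.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample role file (NOT the published HYCU template). It is
# deliberately off by one in each direction: one documented permission is
# missing and one permission that is not in the documented list is present.
SAMPLE_ROLE_YAML = """\
title: "HYCU service role (constructed sample)"
description: "Permissions used by HYCU for Google Cloud data protection"
stage: "GA"
includedPermissions:
  - compute.disks.createSnapshot
  - compute.snapshots.create
  - compute.snapshots.delete
  - compute.instances.setIamPolicy   # constructed extra: not in the documented list
"""

# Constructed baseline: a small subset of the documented permission list.
# Replace with the full list from the appendix when auditing a real file.
EXPECTED_PERMISSIONS: frozenset[str] = frozenset({
    "compute.disks.createSnapshot",
    "compute.snapshots.create",
    "compute.snapshots.delete",
    "compute.snapshots.get",
})

# IAM permission names have the form <service>.<resource>.<verb>.
PERMISSION_RE = re.compile(r"^[a-z][a-zA-Z]*\.[a-zA-Z]+\.[a-zA-Z]+$")


@dataclass
class RoleDefinition:
    title: str = ""
    description: str = ""
    stage: str = ""
    included_permissions: list[str] = field(default_factory=list)


@dataclass
class AuditResult:
    missing: list[str]      # expected but absent from the file
    extra: list[str]        # present in the file but not expected
    duplicates: list[str]   # listed more than once
    malformed: list[str]    # do not look like service.resource.verb

    @property
    def ok(self) -> bool:
        return not (self.missing or self.extra or self.duplicates or self.malformed)


def parse_role_definition(text: str) -> RoleDefinition:
    """Minimal parser for the flat role YAML used with gcloud.

    Handles top-level `key: value` lines and a `- item` list under
    includedPermissions; `#` starts a comment (so values containing '#'
    are not supported). Anything more elaborate needs a real YAML parser.
    """
    role = RoleDefinition()
    in_permissions = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        stripped = line.lstrip()
        if in_permissions and stripped.startswith("- "):
            role.included_permissions.append(stripped[2:].strip().strip("\"'"))
            continue
        in_permissions = False
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("\"'")
        if key == "includedPermissions":
            in_permissions = True
        elif key in ("title", "description", "stage"):
            setattr(role, key, value)
    return role


def audit_role(role: RoleDefinition, expected: frozenset[str]) -> AuditResult:
    """Compare the role's permissions with the expected least-privilege set."""
    listed = role.included_permissions
    actual = set(listed)
    return AuditResult(
        missing=sorted(expected - actual),
        extra=sorted(actual - expected),
        duplicates=sorted({p for p in listed if listed.count(p) > 1}),
        malformed=sorted(p for p in actual if not PERMISSION_RE.match(p)),
    )


def audit_file_text(text: str, expected: frozenset[str] = EXPECTED_PERMISSIONS) -> AuditResult:
    return audit_role(parse_role_definition(text), expected)


if __name__ == "__main__":
    result = audit_file_text(SAMPLE_ROLE_YAML)
    print("role passes least-privilege check" if result.ok else "role needs attention")
    for label, names in (("missing", result.missing), ("extra", result.extra),
                         ("duplicates", result.duplicates), ("malformed", result.malformed)):
        for name in names:
            print(f"  {label}: {name}")
```

Run it against the real template by reading the file into `audit_file_text` and passing the full documented list as `expected`; a non-empty `extra` list is the finding to chase down before the role is created, because anything there widens the blast radius of the service account beyond what the backup workflow needs.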

Permissions required by HYCU for Google Cloud

The following is the list of permissions required by HYCU for Google Cloud, grouped by service:

Google Compute Engine

  compute.acceleratorTypes.get
  compute.addresses.create
  compute.addresses.createInternal
  compute.addresses.get
  compute.addresses.list
  compute.disks.create
  compute.disks.createSnapshot
  compute.disks.delete
  compute.disks.get
  compute.disks.list
  compute.disks.setLabels
  compute.disks.use
  compute.disks.useReadOnly
  compute.firewalls.get
  compute.firewalls.list
  compute.firewalls.update
  compute.globalOperations.get
  compute.images.getFromFamily
  compute.images.getIamPolicy
  compute.images.setIamPolicy
  compute.images.useReadOnly
  compute.instances.attachDisk
  compute.instances.create
  compute.instances.delete
  compute.instances.deleteAccessConfig
  compute.instances.detachDisk
  compute.instances.get
  compute.instances.getSerialPortOutput
  compute.instances.list
  compute.instances.setLabels
  compute.instances.setMachineType
  compute.instances.setMetadata
  compute.instances.setServiceAccount
  compute.instances.setTags
  compute.instances.start
  compute.instances.stop
  compute.instances.update
  compute.machineImages.useReadOnly
  compute.machineTypes.get
  compute.machineTypes.list
  compute.networks.get
  compute.networks.list
  compute.networks.updatePolicy
  compute.networks.use
  compute.networks.useExternalIp
  compute.projects.get
  compute.regionOperations.get
  compute.regions.get
  compute.regions.list
  compute.snapshots.create
  compute.snapshots.delete
  compute.snapshots.get
  compute.snapshots.list
  compute.snapshots.setLabels
  compute.snapshots.useReadOnly
  compute.subnetworks.get
  compute.subnetworks.list
  compute.subnetworks.use
  compute.subnetworks.useExternalIp
  compute.zoneOperations.get
  compute.zones.get
  compute.zones.list

Google Kubernetes Engine

  container.clusterRoleBindings.list
  container.clusterRoles.list
  container.configMaps.list
  container.controllerRevisions.list
  container.cronJobs.list
  container.customResourceDefinitions.list
  container.daemonSets.list
  container.deployments.list
  container.endpoints.list
  container.jobs.list
  container.limitRanges.list
  container.networkPolicies.list
  container.podTemplates.list
  container.replicationControllers.list
  container.resourceQuotas.list
  container.roleBindings.list
  container.roles.list
  container.secrets.list
  container.statefulSets.list
  container.thirdPartyObjects.list
  resourcemanager.projects.get

Google Cloud Storage

  storage.buckets.create
  storage.buckets.createTagBinding
  storage.buckets.delete
  storage.buckets.get
  storage.buckets.getIamPolicy
  storage.buckets.list
  storage.buckets.listTagBindings
  storage.buckets.setIamPolicy
  storage.buckets.update
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
  storage.objects.setIamPolicy
  storage.objects.update