This page describes the Identity and Access Management (IAM) roles and permissions needed for running Firewall Insights.
You can grant users or service accounts permissions or a predefined role, or you can create a custom role that uses permissions that you specify. The following table describes the IAM predefined roles and their associated permissions.
For more information, see the IAM permissions reference.
Description | Role | Permissions (methods) |
---|---|---|
View firewalls and their details | Grant one of the following roles: | compute.firewalls.list |
Only view insights | Grant one of the following roles: | projects.locations.insightTypes.insights.list |
View insights metrics | Grant one of the following roles: | monitoring.timeSeries.list |
View and modify insights | Grant the Firewall Recommender Admin role (roles/recommender.firewallAdmin) | |
For more information about project roles and permissions, see the following:
- Identity and Access Management documentation
- Compute Engine API documentation
- Cloud Monitoring API documentation
Get required roles and permissions
To get the permissions that you need to enable APIs and features, ask your administrator to grant you the following IAM roles on your project:
- Service Usage Admin (roles/serviceusage.serviceUsageAdmin)
- Firewall Recommender Admin (roles/recommender.firewallAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to enable APIs and features. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to enable APIs and features:
- Enable APIs: serviceusage.services.enable
- Enable shadowed rule or overly permissive rule insights: recommender.computeFirewallInsightTypeConfigs.update
You might also be able to get these permissions with custom roles or other predefined roles.
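An added example, not part of the original documentation: a Python check over an exported project IAM policy that reports which of the two required permissions a principal lacks, treating conditional bindings separately. The role-to-permission mapping, the member addresses, the project `example-project` and the custom role `fwInsightsSetup` are assumptions constructed for illustration.

```python
# Permissions the page lists as required to enable APIs and features.
REQUIRED = {
    "serviceusage.services.enable",
    "recommender.computeFirewallInsightTypeConfigs.update",
}
# Assumption: the required permission each page-named predefined role carries.
PREDEFINED = {
    "roles/serviceusage.serviceUsageAdmin": {"serviceusage.services.enable"},
    "roles/recommender.firewallAdmin": {
        "recommender.computeFirewallInsightTypeConfigs.update"},
}

def granted(policy, member, custom_roles):
    """Return (unconditional, conditional-only) required permissions."""
    always, sometimes = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        perms = PREDEFINED.get(role)
        if perms is None:  # custom role: read its exported definition
            perms = set(custom_roles.get(role, {}).get("includedPermissions", []))
        # A binding with an IAM condition applies only while the condition holds.
        target = sometimes if "condition" in binding else always
        target.update(perms & REQUIRED)
    return always, sometimes - always

def missing(policy, member, custom_roles=None):
    """Required permissions the member does not hold unconditionally."""
    always, _ = granted(policy, member, custom_roles or {})
    return sorted(REQUIRED - always)

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/serviceusage.serviceUsageAdmin",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/recommender.firewallAdmin", "members": ["user:alice@example.com"]},
    {"role": "roles/recommender.firewallAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "projects/example-project/roles/fwInsightsSetup",  # hypothetical custom role
     "members": ["user:carol@example.com"]},
]}
# Constructed custom role shaped like `gcloud iam roles describe --format=json`.
SAMPLE_CUSTOM = {"projects/example-project/roles/fwInsightsSetup":
                 {"includedPermissions": sorted(REQUIRED)}}
if __name__ == "__main__":
    for m in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(m, "missing:", missing(SAMPLE_POLICY, m, SAMPLE_CUSTOM))
```

The check reads only the project-level policy it is given; access held through group membership or inherited from a folder or organization is not resolved.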
Select a project
Before you complete any prerequisites or take any other actions with Firewall Insights, we recommend that you create or select a Google Cloud project. Use the following steps:
1. In the Google Cloud console, go to the Project selector page.
2. Select or create a Google Cloud project.
3. Make sure that billing is enabled for your Google Cloud project.
What's next
- To complete the setup tasks, see Enable APIs and features.