Onboarding or migrating a Chronicle instance

Chronicle links to a customer-supplied Google Cloud project to integrate more closely with Google Cloud services, such as Identity and Access Management, Cloud Monitoring, and Cloud Audit Logs. Customers can use IAM and workforce identity federation to authenticate using their existing identity provider.

The following documents guide you through the process to onboard a new Chronicle instance or migrate an existing Chronicle instance.

  1. Configure a Google Cloud project for Chronicle
  2. Configure a third-party identity provider for Chronicle
  3. Link Chronicle to Google Cloud services

Required roles

The following sections describe the permissions you need for each phase of the onboarding process, mentioned in the previous section.

Configure a Google Cloud project for Chronicle

To complete the steps in Configure a Google Cloud project for Chronicle, you need the following IAM permissions.

If you have the Project Creator role (the resourcemanager.projects.create permission) at the organization level, then no additional permissions are required to create a project and enable the Chronicle API.

If you do not have this permission, you need the following permissions at the project level:

Configure a third-party identity provider for Chronicle

To complete the steps in Configure a third-party identity provider for Chronicle, you need the following IAM permissions.

  • IAM Workforce Pool Admin (roles/iam.workforcePoolAdmin) permission at either the project level or organization level.

    Use the following command as an example to set the roles/iam.workforcePoolAdmin role:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member "user:USER_EMAIL" \
        --role roles/iam.workforcePoolAdmin

    Replace the following:

    • ORGANIZATION_ID: the numeric organization ID.
    • USER_EMAIL: the admin user's email.
  • Project Editor permissions to the Chronicle-bound project you created previously.
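Because roles/iam.workforcePoolAdmin controls who can configure federation, it is worth checking which principals actually hold it after running the binding command above. The following is an added example (not part of this documentation) that reads the JSON policy as returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, lists the holders of the role, and flags conditional bindings and wide principals; the embedded policy and its principals are constructed sample data.

```python
import json

# Constructed sample shaped like `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/iam.workforcePoolAdmin",
         "members": ["user:admin@example.com", "group:sec-admins@example.com"]},
        {"role": "roles/iam.workforcePoolAdmin",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "ETAG_PLACEHOLDER",
    "version": 3,
})

TARGET_ROLE = "roles/iam.workforcePoolAdmin"
WIDE_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")


def role_holders(policy_json, role=TARGET_ROLE):
    """Return (unconditional, conditional) sorted member lists bound to `role`."""
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != role:
            continue
        # A binding with a "condition" only applies while the CEL expression holds.
        bucket = conditional if binding.get("condition") else unconditional
        bucket.update(binding.get("members", []))
    return sorted(unconditional), sorted(conditional)


def audit(policy_json, role=TARGET_ROLE):
    """Return human-readable findings a reviewer would want before trusting the binding."""
    unconditional, conditional = role_holders(policy_json, role)
    findings = []
    for member in unconditional + conditional:
        if member in WIDE_PRINCIPALS:
            findings.append(f"{role} is granted to wide principal {member}")
    for member in conditional:
        findings.append(f"{role} for {member} is conditional; confirm the condition is intended")
    return findings


def has_role(policy_json, member, role=TARGET_ROLE):
    """True only if `member` holds `role` through an unconditional binding."""
    return member in role_holders(policy_json, role)[0]
```

Pipe the real `gcloud ... get-iam-policy --format=json` output into `audit` to run the same check against your organization or project policy.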

Link Chronicle to Google Cloud services

To complete the steps in Link Chronicle to Google Cloud services, you need the same permissions defined in the Configure a Google Cloud project for Chronicle section.