Check Google Cloud Permissions

Method: GET

Syntax: {{BaseURL}}/api/v1/providers/google_cloud/{{ID}}:checkpolicy

Description

Validates that the service account used for a Google provider integration has the required permissions. Rather than checking a specific policy, Veza will verify the total permissions granted to the service account used for extraction.

Query parameters:

Name | Type   | Req. | Description
id   | string | Y    | A valid Google provider id

Example request

curl -X GET 'https://{{BaseURL}}/api/v1/providers/google_cloud/{{ID}}:checkpolicy' \
-H 'authorization: Bearer {{token}}'

Replace the placeholders in double braces with the appropriate values:

  • BaseURL = your Veza domain.

  • ID = the Google Cloud provider id, found in your Veza Integrations > Data Sources dashboard.

  • token = your Veza API key. Every API call must carry the key as a Bearer token in the authorization header of the request.

Example response

The response reports whether the integration role needs an update (requires_update) and breaks the comparison down into four permission lists:

  • current_permissions: permissions that are currently assigned to the Veza service principal.

  • required_permissions: full list of required permissions for discovering supported services and entities in Google Cloud.

  • required_actions: permissions required by the integration, but not assigned to the Veza service principal. You should update the integration role to include the missing permissions.

  • overprivileged_actions: permissions assigned to the integration that are not required, and can safely be removed.

{
  "requires_update": true,
  "google_cloud_customer_id": "{id}",
  "current_permissions": [],
  "required_permissions": [
    "bigquery.datasets.get",
    "bigquery.datasets.getIamPolicy",
    "bigquery.tables.get",
    "bigquery.tables.getIamPolicy",
    "bigquery.tables.list",
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.getIamPolicy",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.keyRings.getIamPolicy",
    "cloudkms.keyRings.list",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "compute.instances.list",
    "compute.instances.getIamPolicy",
    "compute.networks.list",
    "compute.regions.list",
    "compute.subnetworks.getIamPolicy",
    "compute.subnetworks.list",
    "compute.zones.list",
    "iam.roles.get",
    "iam.roles.list",
    "iam.serviceAccounts.list",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.tagKeys.list",
    "resourcemanager.tagValues.get",
    "resourcemanager.tagValues.list",
    "serviceusage.services.list",
    "storage.buckets.getIamPolicy",
    "storage.buckets.list"
  ],
  "required_actions": [
    "bigquery.tables.get",
    "compute.instances.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.projects.get",
    "resourcemanager.tagValues.get",
    "iam.roles.get",
    "storage.buckets.getIamPolicy",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "compute.regions.list",
    "compute.subnetworks.list",
    "resourcemanager.organizations.get",
    "resourcemanager.tagKeys.list",
    "cloudkms.keyRings.getIamPolicy",
    "resourcemanager.organizations.getIamPolicy",
    "storage.buckets.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.tagValues.list",
    "resourcemanager.projects.list",
    "cloudkms.keyRings.list",
    "compute.networks.list",
    "bigquery.tables.list",
    "cloudkms.cryptoKeys.getIamPolicy",
    "bigquery.datasets.getIamPolicy",
    "resourcemanager.projects.getIamPolicy",
    "serviceusage.services.list",
    "cloudkms.keyRings.get",
    "iam.serviceAccounts.list",
    "bigquery.tables.getIamPolicy",
    "bigquery.datasets.get",
    "iam.roles.list",
    "cloudkms.cryptoKeyVersions.list",
    "compute.zones.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "compute.instances.list",
    "cloudkms.cryptoKeyVersions.get",
    "compute.subnetworks.getIamPolicy"
  ],
  "overprivileged_actions": []
}
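To run this check from a scheduled job rather than by hand, here is an added Python example (not part of Veza's documentation or tooling) that calls the endpoint with the standard library, then reduces the response to the two lists that need action and recomputes them from current_permissions and required_permissions as a consistency check. The base URL, provider id and token are placeholders supplied by the caller, and the sample response is constructed in the shape of the one above, not captured from a real tenant.

```python
import json
import urllib.request

# Constructed sample response, shaped like the documented one (abbreviated).
SAMPLE_RESPONSE = {
    "requires_update": True,
    "google_cloud_customer_id": "{id}",
    "current_permissions": ["bigquery.datasets.get", "compute.disks.list"],
    "required_permissions": ["bigquery.datasets.get", "bigquery.tables.get", "iam.roles.get"],
    "required_actions": ["bigquery.tables.get", "iam.roles.get"],
    "overprivileged_actions": ["compute.disks.list"],
}

def fetch_checkpolicy(base_url, provider_id, token):
    """GET /api/v1/providers/google_cloud/{id}:checkpolicy with a Bearer token.
    base_url, provider_id and token are placeholders the caller supplies."""
    url = f"https://{base_url}/api/v1/providers/google_cloud/{provider_id}:checkpolicy"
    req = urllib.request.Request(url, headers={"authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def evaluate_checkpolicy(body):
    """Reduce a checkpolicy response to what a reviewer needs to act on.
    The deltas are recomputed locally from current/required so that a
    mismatch with the server-reported lists is surfaced as consistent=False."""
    current = set(body.get("current_permissions", []))
    required = set(body.get("required_permissions", []))
    missing = sorted(required - current)          # blocks extraction
    extra = sorted(current - required)            # violates least privilege
    reported_missing = sorted(body.get("required_actions", []))
    reported_extra = sorted(body.get("overprivileged_actions", []))
    return {
        "requires_update": bool(body.get("requires_update")),
        "missing": missing,
        "overprivileged": extra,
        "consistent": missing == reported_missing and extra == reported_extra,
    }

def exit_code(summary):
    """0 = role matches; 1 = permissions missing; 2 = only unused permissions present."""
    if summary["missing"]:
        return 1
    if summary["overprivileged"]:
        return 2
    return 0

if __name__ == "__main__":
    # Swap SAMPLE_RESPONSE for fetch_checkpolicy(base_url, provider_id, token) in a real job.
    summary = evaluate_checkpolicy(SAMPLE_RESPONSE)
    print(json.dumps(summary, indent=2))
    raise SystemExit(exit_code(summary))
```

A non-zero exit code lets a CI or cron job alert on role drift in either direction, so the integration role is tightened when it carries permissions Veza does not need, not only widened when extraction fails.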
