# Check Google Cloud Permissions

| Method | Syntax                                                         |
| ------ | -------------------------------------------------------------- |
| GET    | `{{BaseURL}}/api/v1/providers/google_cloud/{{ID}}:checkpolicy` |

#### Description

Validates that the service account used for a [Google provider integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md) has the required permissions. Rather than checking a specific policy, Veza will verify the total permissions granted to the service account used for extraction.

Path parameters:

| Name | Type   | Req. | Description                                                                                                       |
| ---- | ------ | ---- | ----------------------------------------------------------------------------------------------------------------- |
| id   | string | Y    | A valid Google [provider id](/4yItIzMvkpAvMVFAamTf/developers/api/management/providers.md#google-cloud-providers) |

#### Example request

```bash
curl -X GET 'https://{{BaseURL}}/api/v1/providers/google_cloud/{{ID}}:checkpolicy' \
-H 'authorization: Bearer {{token}}'
```

Replace the placeholders in double braces with the appropriate values:

* `BaseURL` = your Veza domain (for example `example.veza.com`)
* `ID` = the Google Cloud provider ID, shown in Veza under Integrations > Data Sources
* `token` = your Veza API key. Every call to the API must include an [API key](/4yItIzMvkpAvMVFAamTf/developers/api/authentication.md) as a Bearer token in the `authorization` header.

#### Example response

The response indicates whether the integration role needs an update (`requires_update`) and lists the missing and excess permissions:

* `current_permissions`: permissions currently granted to the Veza service account.
* `required_permissions`: the full list of permissions used by the GCP integration across **all features**, including extraction, Lifecycle Management, and NHI secret management.
* `required_actions`: permissions the integration requires that are not granted to the Veza service account. Update the [integration role](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#create-an-organization-role) to include the missing permissions.
* `overprivileged_actions`: permissions granted to the service account that the integration does not require, and which can safely be removed.

{% hint style="warning" %}
**The `required_permissions` list includes write-level Secret Manager permissions** (such as `secretmanager.secrets.create` and `secretmanager.secrets.delete`) and `secretmanager.versions.access`, which reads the secret payload itself, none of which Veza uses for extraction. Any of these `secretmanager` write or payload-access permissions flagged in `required_actions` can be safely omitted from the integration role. See [Permission requirements by feature](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#permission-requirements-by-feature).
{% endhint %}

> The permissions list in this example may change as new features are added to the Google Cloud integration. The actual API response will reflect the current requirements.

```json
{
  "requires_update": true,
  "google_cloud_customer_id": "{id}",
  "current_permissions": [],
  "required_permissions": [
    "bigquery.datasets.get",
    "bigquery.datasets.getIamPolicy",
    "bigquery.tables.get",
    "bigquery.tables.getIamPolicy",
    "bigquery.tables.list",
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.getIamPolicy",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.keyRings.getIamPolicy",
    "cloudkms.keyRings.list",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "cloudsql.databases.list",
    "cloudsql.instances.list",
    "cloudsql.users.list",
    "compute.instances.getIamPolicy",
    "compute.instances.list",
    "compute.networks.list",
    "compute.regions.list",
    "compute.subnetworks.getIamPolicy",
    "compute.subnetworks.list",
    "compute.zones.list",
    "container.clusters.list",
    "iam.roles.get",
    "iam.roles.list",
    "iam.serviceAccounts.list",
    "logging.logEntries.list",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.tagKeys.list",
    "resourcemanager.tagValues.get",
    "resourcemanager.tagValues.list",
    "run.services.getIamPolicy",
    "run.services.list",
    "secretmanager.locations.get",
    "secretmanager.locations.list",
    "secretmanager.secrets.create",
    "secretmanager.secrets.createTagBinding",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.deleteTagBinding",
    "secretmanager.secrets.get",
    "secretmanager.secrets.getIamPolicy",
    "secretmanager.secrets.list",
    "secretmanager.secrets.listEffectiveTags",
    "secretmanager.secrets.listTagBindings",
    "secretmanager.secrets.setIamPolicy",
    "secretmanager.secrets.update",
    "secretmanager.versions.access",
    "secretmanager.versions.add",
    "secretmanager.versions.destroy",
    "secretmanager.versions.disable",
    "secretmanager.versions.enable",
    "secretmanager.versions.get",
    "secretmanager.versions.list",
    "serviceusage.services.list",
    "storage.buckets.getIamPolicy",
    "storage.buckets.list"
  ],
  "required_actions": [
    "logging.logEntries.list",
    "secretmanager.locations.get",
    "secretmanager.locations.list",
    "secretmanager.secrets.create",
    "secretmanager.secrets.createTagBinding",
    "secretmanager.secrets.delete",
    "secretmanager.secrets.deleteTagBinding",
    "secretmanager.secrets.get",
    "secretmanager.secrets.getIamPolicy",
    "secretmanager.secrets.list",
    "secretmanager.secrets.listEffectiveTags",
    "secretmanager.secrets.listTagBindings",
    "secretmanager.secrets.setIamPolicy",
    "secretmanager.secrets.update",
    "secretmanager.versions.access",
    "secretmanager.versions.add",
    "secretmanager.versions.destroy",
    "secretmanager.versions.disable",
    "secretmanager.versions.enable",
    "secretmanager.versions.get",
    "secretmanager.versions.list"
  ],
  "overprivileged_actions": [
    "cloudkms.cryptoKeyVersions.viewPublicKey",
    "run.locations.list"
  ]
}
```

> If you see `resourcemanager.resourceTagBindings.list` in `overprivileged_actions`, it is safe to remove this deprecated permission. It has been replaced by resource-specific permissions like `compute.instances.listTagBindings` and `storage.buckets.listTagBindings`.
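The following script is an added example, not part of Veza's own documentation or tooling. It calls the endpoint above, then turns the response into an actionable plan: permissions to add to the custom role, `secretmanager` write and payload-access permissions that the hint above says can be omitted, and overprivileged permissions to remove (flagging the deprecated `resourcemanager.resourceTagBindings.list` separately). The split between "read-only" and "write-level" Secret Manager verbs is this example's own assumption, and the generated `gcloud iam roles update` command assumes an organization-level custom role; the embedded `SAMPLE` response is constructed from the abridged example on this page so the script runs offline.

```python
"""Triage the response of GET /api/v1/providers/google_cloud/{id}:checkpolicy.

Example code, not Veza's own. Classification of Secret Manager verbs and the
gcloud command shape are assumptions made for this example.
"""
import json
import urllib.request
from typing import Dict, List

# Verbs that only read Secret Manager metadata. Every other secretmanager.*
# verb (create/delete/update/setIamPolicy, version mutations, and
# versions.access, which reads the secret payload) is treated as write-level
# and therefore omittable, per the hint on this page. Assumption of this example.
_SECRETMANAGER_READ_VERBS = {
    "get", "list", "getIamPolicy", "listEffectiveTags", "listTagBindings",
}

# Deprecated permission the page says is safe to remove when it is flagged.
_DEPRECATED = {"resourcemanager.resourceTagBindings.list"}


def fetch_checkpolicy(base_url: str, provider_id: str, token: str) -> Dict:
    """Perform the GET request documented above and return the parsed JSON."""
    url = f"https://{base_url}/api/v1/providers/google_cloud/{provider_id}:checkpolicy"
    req = urllib.request.Request(url, headers={"authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def is_secretmanager_write(perm: str) -> bool:
    """True for secretmanager.* permissions that are not pure metadata reads."""
    if not perm.startswith("secretmanager."):
        return False
    verb = perm.rsplit(".", 1)[-1]
    return verb not in _SECRETMANAGER_READ_VERBS


def triage(resp: Dict) -> Dict:
    """Split a checkpolicy response into add / omit / remove lists."""
    required = resp.get("required_actions", [])
    over = resp.get("overprivileged_actions", [])
    plan = {
        "add_to_role": sorted(p for p in required if not is_secretmanager_write(p)),
        "omit_from_role": sorted(p for p in required if is_secretmanager_write(p)),
        "remove_from_role": sorted(over),
        "deprecated_flagged": sorted(p for p in over if p in _DEPRECATED),
    }
    # requires_update may be true solely because of omittable secretmanager
    # permissions; only report a change when something actually needs editing.
    plan["needs_change"] = bool(plan["add_to_role"] or plan["remove_from_role"])
    return plan


def gcloud_role_update(role_id: str, organization_id: str, plan: Dict) -> str:
    """Render a gcloud command that applies the plan to an org-level custom role.

    Assumes the role was created per the integration guide. Returns "" when
    there is nothing to change.
    """
    if not plan["needs_change"]:
        return ""
    parts = [f"gcloud iam roles update {role_id} --organization={organization_id}"]
    if plan["add_to_role"]:
        parts.append("--add-permissions=" + ",".join(plan["add_to_role"]))
    if plan["remove_from_role"]:
        parts.append("--remove-permissions=" + ",".join(plan["remove_from_role"]))
    return " \\\n  ".join(parts)


# Constructed sample, abridged from the example response on this page.
SAMPLE: Dict = {
    "requires_update": True,
    "google_cloud_customer_id": "{id}",
    "current_permissions": [],
    "required_actions": [
        "logging.logEntries.list",
        "secretmanager.locations.get", "secretmanager.locations.list",
        "secretmanager.secrets.create", "secretmanager.secrets.createTagBinding",
        "secretmanager.secrets.delete", "secretmanager.secrets.deleteTagBinding",
        "secretmanager.secrets.get", "secretmanager.secrets.getIamPolicy",
        "secretmanager.secrets.list", "secretmanager.secrets.listEffectiveTags",
        "secretmanager.secrets.listTagBindings", "secretmanager.secrets.setIamPolicy",
        "secretmanager.secrets.update", "secretmanager.versions.access",
        "secretmanager.versions.add", "secretmanager.versions.destroy",
        "secretmanager.versions.disable", "secretmanager.versions.enable",
        "secretmanager.versions.get", "secretmanager.versions.list",
    ],
    "overprivileged_actions": [
        "cloudkms.cryptoKeyVersions.viewPublicKey", "run.locations.list",
    ],
}


if __name__ == "__main__":
    # Replace SAMPLE with fetch_checkpolicy("example.veza.com", "<ID>", "<token>")
    # to run against a live tenant.
    plan = triage(SAMPLE)
    print(json.dumps(plan, indent=2))
    print(gcloud_role_update("VezaIntegrationRole", "123456789012", plan))
```

Run it as-is to see the plan for the page's sample response; swap `SAMPLE` for a live `fetch_checkpolicy(...)` call to triage your own tenant. Review the generated `gcloud` command before running it, since `--remove-permissions` changes the custom role for every principal bound to it.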
