P0 App Documentation

Compute Engine


Last updated 5 months ago

The following subsections list the Google identity and access management (IAM) permissions granted via Compute Engine access shortcuts.

Use this information when requesting Google Cloud Access permissions.

Read

Read grants the following IAM permissions for the instance or zone:

          compute.instances.get
          compute.instances.list
          compute.instances.getEffectiveFirewalls
          compute.instances.getGuestAttributes
          compute.instances.getScreenshot
          compute.instances.getSerialPortOutput
          compute.instances.getShieldedInstanceIdentity
          compute.instances.getShieldedVmIdentity
          compute.instances.listEffectiveTags
          compute.instances.listReferrers
          compute.instances.listTagBindings

Write

Write grants the following IAM permissions for the instance or zone:

          compute.instances.addAccessConfig
          compute.instances.addMaintenancePolicies
          compute.instances.addResourcePolicies
          compute.instances.attachDisk
          compute.instances.createTagBinding
          compute.instances.delete
          compute.instances.deleteAccessConfig
          compute.instances.deleteTagBinding
          compute.instances.detachDisk
          compute.instances.get
          compute.instances.getEffectiveFirewalls
          compute.instances.getGuestAttributes
          compute.instances.getScreenshot
          compute.instances.getSerialPortOutput
          compute.instances.getShieldedInstanceIdentity
          compute.instances.getShieldedVmIdentity
          compute.instances.list
          compute.instances.listEffectiveTags
          compute.instances.listReferrers
          compute.instances.listTagBindings
          compute.instances.osLogin
          compute.instances.removeMaintenancePolicies
          compute.instances.removeResourcePolicies
          compute.instances.reset
          compute.instances.resume
          compute.instances.sendDiagnosticInterrupt
          compute.instances.setDeletionProtection
          compute.instances.setDiskAutoDelete
          compute.instances.setLabels
          compute.instances.setMachineResources
          compute.instances.setMachineType
          compute.instances.setMetadata
          compute.instances.setMinCpuPlatform
          compute.instances.setName
          compute.instances.setScheduling
          compute.instances.setServiceAccount
          compute.instances.setShieldedInstanceIntegrityPolicy
          compute.instances.setTags
          compute.instances.simulateMaintenanceEvent
          compute.instances.start
          compute.instances.startWithEncryptionKey
          compute.instances.stop
          compute.instances.suspend
          compute.instances.update
          compute.instances.updateAccessConfig
          compute.instances.updateDisplayDevice
          compute.instances.updateNetworkInterface
          compute.instances.updateSecurity
          compute.instances.updateShieldedInstanceConfig
          compute.instances.updateShieldedVmConfig
          compute.instances.use
          compute.instances.useReadOnly

Admin

Admin grants the compute.instanceAdmin predefined role for the instance or zone.

Create

Create grants the compute.instanceAdmin predefined role for both the instance or zone and the region.

SSH

SSH grants the following IAM permissions for the specified instance or zone:

          compute.disks.listEffectiveTags
          compute.disks.listTagBindings
          compute.images.listEffectiveTags
          compute.images.listTagBindings
          compute.instances.get
          compute.instances.listEffectiveTags
          compute.instances.setMetadata
          compute.instances.listTagBindings
          compute.instances.osLogin
          compute.projects.get
          compute.snapshots.listEffectiveTags
          compute.snapshots.listTagBindings

SSH also grants iam.serviceAccountUser on the specified service account.
