Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.levelblue.com/llms.txt

Use this file to discover all available pages before exploring further.

If the pre-defined roles Project: Viewer and Pub/Sub: Pub/Sub Subscriber are too broad for your use, or are otherwise unsuitable for you, you can define a new role whose access is limited according to your needs.
Warning: At minimum, your service account role must be assigned each of the IAM policies required for your sensor operations. Review the Required IAM Policies table to see which functions depend on which IAM policies.
These permissions can be granted at the organization level; however, if your organization is very large you may experience performance issues. In this case (as long as you don’t need the sensor to monitor all projects), you can use either of the following approaches to avoid possible throttling:
This allows you to select which specific projects should be monitored by the sensor. This approach is not valid for any logging at the organization level, or any functionality dependent on organization level permissions will not be enabled.To grant the service account permission to monitor a project
Important: This process must be followed for every project the GCP Sensor will be monitoring.
  1. In the Google Cloud Console, go to your project.
  2. Go to the IAM & admin tab in the navigation pane and click IAM.
  3. Click Add.
  4. Enter the name of the service account whose permissions you are editing.
Note: The name of the service account takes the form of an email address and will look like <name-of-sensor-service-account>@<name-of-project>.iam.gserviceaccount.com.
  1. In the Role field, select the appropriate role for this service account.
  2. Click Save.
Note: To grant the service account permission to monitor the entire organization, use these same steps but begin by opening the organization instead of the project.
At the organization level, the GCP Sensor needs the specific IAM policies in the following table.Required IAM Policies at the Organization Level
IAM PolicyDescriptionDependency
logging.logEntries.listAllows the sensor to fetch log entries from StackdriverGoogle Cloud Audit Logs for Organizations

resourcemanager.organizations.get

Allows the sensor to get the details for a specific organization

Application Status

Cloud Audit Logs for organizations

At the project level, the GCP Sensor needs the specific IAM policies in the following table.Required IAM Policies at the Project Level
IAM PolicyDescriptionDependency
logging.logEntries.listAllows the sensor to fetch log entries from Stackdriver

Cloud Audit Logs for Projects

Firewall Logs for Projects

VPC Flow Logs for Projects

Stackdriver Agent Logs

resourcemanager.projects.list

Allows the sensor to access a list of the available projects

Application Status

Asset Inventory

Configuration Issues

Cloud Audit Logs for Projects

Firewall Logs for Projects

VPC Flow Logs for Projects

Stackdriver Agent Logs

resourcemanager.projects.getAllows the sensor to fetch the details for a specific project
deploymentmanager.deployments.createAllows the sensor to be created and deployedDeployment of a sensor
compute.firewalls.listAllows the sensor to list the existing firewall rulesConfiguration Issues
compute.firewalls.getAllows the sensor to get the details for a specific firewall ruleConfiguration Issues
compute.instances.listAllows the sensor to list the existing virtual machines

Asset Inventory

Configuration Issues

compute.instances.getAllows the sensor to get the details for a specific virtual machine

Asset Inventory

Configuration Issues

compute.zones.listAllows the sensor to list the available zones

Asset Inventory

Configuration Issues