Configuring IAM Permissions

Last Updated Oct 9, 2023

    Contents

  1. Required IAM permissions
  2. Assign permissions using gcloud cli
  3. Assign permissions using Terraform
  4. Assign permissions using the GCP console

Before we can scan your infrastructure, our service account needs access to read limited metadata from your Google Cloud environment. You must grant us permissions via IAM and retain full control over what we can access and when.

The required permissions are:

  1. compute.images.list
    For reading metadata about your custom VM images.
  2. compute.disks.list
    Reading disk metadata helps us determine which images are in active use. We never have the ability to access disk or image contents.
  3. compute.images.delete
    Allows us to clean up unused images according to your rules.

Add permissions via gcloud CLI

$ export PROJECT_ID="<your-project-id>"
$ export PRINCIPAL="serviceAccount:<unique email generated for you by DeclutterGCP>"

$ export ROLE_NAME="DeclutterGCP_Images"
$ export PERMISSIONS="compute.images.list,compute.disks.list,compute.images.delete"
# create a custom role containing only the permissions we need
$ gcloud iam roles create "$ROLE_NAME" --project="$PROJECT_ID" --title="$ROLE_NAME" \
  --permissions="$PERMISSIONS" --description="Used to analyse and recover custom VM image costs"

# grant the custom role to the DeclutterGCP service account
$ gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="$PRINCIPAL" --role="projects/$PROJECT_ID/roles/$ROLE_NAME"
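A least-privilege check to run after the role exists, added here as an example that is not part of DeclutterGCP's tooling: it compares the role's actual permission list with the three permissions listed on this page and reports anything missing or extra. The gcloud fetch helper and the sample role contents are my own assumptions; the comparison itself runs offline.

```shell
#!/bin/sh
# Added audit helper (not DeclutterGCP's own code): verifies that a custom role
# grants exactly the three permissions this page lists and nothing more.
# gcloud is only needed for the live fetch; the check itself works on plain text.

EXPECTED_PERMISSIONS="compute.images.list
compute.disks.list
compute.images.delete"

# Compare a permission list (one per line) against EXPECTED_PERMISSIONS.
# Prints each missing or extra permission; returns 0 only on an exact match.
audit_role_permissions() {
  actual=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  expected=$(printf '%s\n' "$EXPECTED_PERMISSIONS" | sort -u)
  status=0
  for p in $expected; do
    printf '%s\n' "$actual" | grep -qxF "$p" || { echo "MISSING: $p"; status=1; }
  done
  for p in $actual; do
    printf '%s\n' "$expected" | grep -qxF "$p" || { echo "EXTRA: $p"; status=1; }
  done
  return $status
}

# Live fetch (assumed usage): gcloud's value() format joins list fields with ';'.
# Usage: audit_role_permissions "$(fetch_role_permissions "$PROJECT_ID" "$ROLE_NAME")"
fetch_role_permissions() {
  gcloud iam roles describe "$2" --project="$1" \
    --format='value(includedPermissions)' | tr ';' '\n'
}

# Constructed samples for an offline run.
SAMPLE_EXACT="$EXPECTED_PERMISSIONS"
# A role that drifted: compute.instances.list is not something this page asks for.
SAMPLE_DRIFTED="compute.images.list
compute.disks.list
compute.images.delete
compute.instances.list"
# A role missing the delete permission that the cleanup step relies on.
SAMPLE_SHORT="compute.images.list
compute.disks.list"
```

Run the audit periodically; a role that has gained permissions beyond the three above is a sign that someone widened the grant outside this procedure.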

Adding permissions via Terraform

locals {
  project          = "<replace-with-project-id>"
  declutter_member = "serviceAccount:<replace-with-email-supplied-by-us>"
}


resource "google_project_iam_custom_role" "decluttergcp_image_cleanup" {
  # pin the role to the same project referenced in the binding below
  project     = local.project
  role_id     = "declutter.cleanup.images"
  permissions = [
    "compute.images.list",
    "compute.disks.list",
    "compute.images.delete",
  ]

  title       = "DeclutterGCP Custom Role"
  description = "These permissions are required to scan & delete custom VM images from Compute Engine"
}


resource "google_project_iam_member" "assign_decluttergcp_role" {
  role    = "projects/${local.project}/roles/${google_project_iam_custom_role.decluttergcp_image_cleanup.role_id}"
  member  = local.declutter_member
  project = local.project
}

Adding permissions via GCP console

Add a custom role

  1. Open up the Google Cloud console and navigate to the IAM & Admin > Roles section. We're going to add a custom role containing only the few permissions we need.
     Screenshot of the Google Cloud Console showing the Roles subsection of the IAM & Admin section.
  2. Hit the create role button and fill in the title and description with something memorable and obvious - like DeclutterGCP.
     Screenshot showing the create role form of the Google Cloud Console.
  3. Assign the relevant permissions. These are:
    • compute.images.list
    • compute.disks.list
    • compute.images.delete
     Screenshot showing the three permissions being added to the new role from the previous steps.
  4. Hit 'Create' to save the role.
     Screenshot showing the create role form of the Google Cloud Console, this time with all required information entered.

Assign the role to our service account

Now we should have a role with permissions limited to the ones we need and nothing more. Let's assign the role to the relevant service account.
  1. Navigate to the IAM & Admin > IAM section of your Google Cloud project and press the 'Grant Access' button.
     Screenshot showing the IAM permissions view of the Google Cloud Console.
  2. Paste the email address of the appropriate service account. Each account is specific to a user account - yours will be revealed during the scan setup process.
     Screenshot showing the 'Add Principals' form of the Google Cloud Console.
  3. Select the custom role we just created in the previous step and hit save.
     Screenshot showing the 'Add Principals' form of the Google Cloud Console with the appropriate service account and role selected.
  4. Once your policy updates we should have the permissions we need and you can now begin your scan.
     Screenshot showing that the policy we've just configured has been added successfully.
© 2024 DeclutterGCP