GCP Permissions
To enable CloudYali to access and analyze your Google Cloud resources, you must grant the permissions below to the identity used for the integration, normally a dedicated service account rather than a user account.
Required GCP Permissions
Below is a list of the main permissions needed for CloudYali functionality:
Cost Management Permissions
| Permission | Scope | Description |
|---|---|---|
| bigquery.datasets.create | Project | Create BigQuery datasets for billing export and recommendations. |
| bigquery.tables.create | Project | Create tables in BigQuery datasets. |
| bigquery.tables.get | Project | Read table metadata in BigQuery datasets (this does not grant access to row data). |
| bigquery.jobs.create | Project | Run query jobs against BigQuery datasets. |
| bigquery.dataViewer | Project | View data in BigQuery datasets. Note that this is the name of the predefined BigQuery Data Viewer role (roles/bigquery.dataViewer), not an individual IAM permission; the permission that actually grants table reads is bigquery.tables.getData. |
| recommender.resources.export | Organization | Export recommendations to BigQuery. Must be granted on the organization that owns the recommendation export configuration. |
Resource Inventory & Organization Detection Permissions
The following permissions are required for GCP Resource Inventory and organization-wide project discovery:
| Permission | Scope | Description |
|---|---|---|
| cloudasset.assets.listResource | Organization/Project | List all resources in the specified scope. |
| cloudasset.assets.searchAllResources | Organization/Project | Search for resources across the organization or project. |
| resourcemanager.projects.get | Organization | Read project metadata for organization detection. |
| resourcemanager.projects.list | Organization | List all projects in the organization. |
| resourcemanager.folders.get | Organization | Traverse folder hierarchy. |
| resourcemanager.folders.list | Organization | List folders in the organization. |
The cloudasset.* permissions are included in the predefined Cloud Asset Viewer role (roles/cloudasset.viewer).
The resourcemanager.* permissions are included in the predefined Browser role (roles/browser).
For organization-wide cost and inventory collection, these roles must be granted at the organization level, not just at the project level. This allows CloudYali to discover all projects and resources across your entire organization.
Note: Grant these roles to the dedicated service account CloudYali uses for the GCP integration, not to a user account. An organization-level binding is inherited by every folder and project beneath it, so keep the grant limited to the roles listed here rather than basic roles such as Editor or Owner.
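After granting the organization-level roles, it is worth verifying the result from an exported policy rather than trusting the console. The following script is an added example, not CloudYali's own tooling: it takes the JSON from `gcloud organizations get-iam-policy ORG_ID --format=json` and reports which required roles the service account is missing, which are bound only behind an IAM condition (a conditional grant can silently exclude folders or projects from discovery), and which over-broad basic roles it holds. The file and function names, the constructed sample policy, and the mapping of recommender.resources.export to the predefined role roles/recommender.exporter are this example's assumptions.

```python
"""Audit an organization IAM policy for the CloudYali service account.

Usage (the constructed sample runs when no file is given):
    gcloud organizations get-iam-policy ORG_ID --format=json > org-policy.json
    python audit_cloudyali_iam.py org-policy.json cloudyali@my-proj.iam.gserviceaccount.com
"""
import json
import sys

# Organization-level roles the permission tables above resolve to.
# roles/recommender.exporter is this example's assumption for the role that
# carries recommender.resources.export; confirm it with
# `gcloud iam roles describe roles/recommender.exporter` before relying on it.
REQUIRED_ORG_ROLES = {
    "roles/cloudasset.viewer",     # cloudasset.assets.listResource / searchAllResources
    "roles/browser",               # resourcemanager.projects.* and folders.* reads
    "roles/recommender.exporter",  # recommender.resources.export (assumed mapping)
}

# Basic roles that grant far more than the integration requires.
OVER_BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_for_member(policy: dict, member: str) -> dict:
    """Return {role: condition} for every binding that names `member`.

    `condition` is None for an unconditional binding. If a role is bound
    twice, the unconditional binding wins because it is the wider grant.
    """
    held = {}
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role, cond = binding["role"], binding.get("condition")
        if role not in held or cond is None:
            held[role] = cond
    return held


def audit(policy: dict, service_account: str) -> dict:
    """Report missing, conditional and over-broad roles for the account."""
    held = roles_for_member(policy, f"serviceAccount:{service_account}")
    return {
        # required roles not bound at all at this level
        "missing": sorted(REQUIRED_ORG_ROLES - set(held)),
        # required roles bound only behind an IAM condition
        "conditional": sorted(r for r, c in held.items()
                              if r in REQUIRED_ORG_ROLES and c is not None),
        # basic roles that should be replaced by the narrow ones above
        "over_broad": sorted(OVER_BROAD_ROLES & set(held)),
    }


# Constructed sample policy: roles/browser is missing, the exporter role is
# conditional, and someone granted roles/editor "to make it work".
SAMPLE_SA = "cloudyali@example-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/cloudasset.viewer",
         "members": [f"serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]},
        {"role": "roles/recommender.exporter",
         "members": [f"serviceAccount:{SAMPLE_SA}"],
         "condition": {"title": "prod-only",
                       "expression": 'resource.name.startsWith("projects/prod-")'}},
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/browser",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXyZ",
    "version": 3,
}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as fh:
            policy, sa = json.load(fh), argv[2]
    else:
        policy, sa = SAMPLE_POLICY, SAMPLE_SA
    report = audit(policy, sa)
    for key, roles in report.items():
        print(f"{key:12s} {', '.join(roles) or '-'}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script only inspects bindings at the level of the policy you export, which is the point: a role that is present on one project but absent from the organization policy is reported as missing, because organization-wide discovery needs the organization-level grant. Run it again against the billing project's policy if you want to check the project-scoped BigQuery grants with a different role set.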
Related Documentation
For AWS permissions, see AWS Permissions.