GCP IAM Policies

When you run rpk cloud byoc gcp apply to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the GCP API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users.

  • This page lists the IAM permissions Redpanda needs to create BYOC clusters. This does not pertain to BYOVPC clusters.

  • No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.

GCP IAM policies

The Redpanda agent service account for GCP is granted the following roles/permissions to manage Redpanda cluster resources:

  • compute.addresses.get: Allows a user to retrieve a specified address.

  • compute.autoscalers.get: Allows a user to retrieve a specified autoscaler.

  • compute.autoscalers.list: Allows a user to list autoscalers in a specified zone.

  • compute.firewalls.create: Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances.

  • compute.firewalls.delete: Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration.

  • compute.firewalls.get: Allows a user to view the details and configuration of a specific firewall rule for GCP projects.

  • compute.firewalls.update: Allows a user to modify a specified firewall.

  • compute.globalOperations.get: Allows a user to retrieve information about a specific global operation in a GCP project.

  • compute.instanceGroupManagers.create: Allows a user to create a managed instance group.

  • compute.instanceGroupManagers.delete: Allows a user to delete a specified managed instance group.

  • compute.instanceGroupManagers.get: Allows a user or service account to retrieve details such as the configuration, status, and properties of an instance group manager within GCP.

  • compute.instanceGroupManagers.update: Allows a user to modify a specified managed instance group.

  • compute.instanceGroups.create: Allows a user to create an instance group.

  • compute.instanceGroups.delete: Allows a user to delete a specified instance group.

  • compute.instanceGroups.get: Allows a user to retrieve a specified instance group.

  • compute.instanceGroups.update: Allows a user to modify a specified instance group.

  • compute.instances.create: Allows a user to create an instance.

  • compute.instances.delete: Allows a user to delete a specified instance.

  • compute.instances.get: Allows a user to retrieve a specified instance.

  • compute.instances.list: Allows a user to list instances contained within a specified zone.

  • compute.instances.reset: Allows a user to perform a reset on the specified instance.

  • compute.instances.setDeletionProtection: Allows a user to enable deletion protection on a specified instance.

  • compute.instances.update: Allows a user to modify a specified instance.

  • compute.instanceTemplates.create: Allows a user to create an instance template.

  • compute.instanceTemplates.delete: Allows a user to delete a specified instance template.

  • compute.instanceTemplates.get: Allows a user to retrieve a specified instance template.

  • compute.networks.create: Allows a user to create a network.

  • compute.networks.delete: Allows a user to delete a specified network.

  • compute.networks.get: Allows a user to retrieve a specified network.

  • compute.networks.getEffectiveFirewalls: Allows a user to retrieve the effective firewalls for a specified network.

  • compute.networks.update: Allows a user to modify a specified network.

  • compute.networks.updatePolicy: Allows a user to update the configuration of existing GCP network resources.

  • compute.projects.get: Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project.

  • compute.regions.get: Allows a user to retrieve a specified region.

  • compute.regions.list: Allows a user to retrieve a list of the available regions in a GCP project.

  • compute.routers.get: Allows a user to retrieve a specified router.

  • compute.subnetworks.get: Allows a user to retrieve a specified subnetwork.

  • compute.zoneOperations.get: Allows a user to retrieve a specified zone operation.

  • compute.zoneOperations.list: Allows a user to list zone operations.

  • compute.zones.get: Allows a user to retrieve a specified zone.

  • compute.zones.list: Allows a user to retrieve a list of the available zones in a GCP project.

  • dns.changes.create: Allows a user to create and update DNS resource record sets.

  • dns.changes.get: Allows a user to retrieve the information about an existing DNS change.

  • dns.changes.list: Allows a user to retrieve a list of changes to DNS resource record sets.

  • dns.managedZones.create: Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix.

  • dns.managedZones.delete: Allows a user or service account to delete managed zones within the Google Cloud DNS project.

  • dns.managedZones.get: Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service.

  • dns.managedZones.list: Allows a user or service account to list the managed zones within a Google Cloud DNS project.

  • dns.managedZones.update: Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project.

  • dns.projects.get: Allows a user to retrieve information about an existing GCP DNS project.

  • dns.resourceRecordSets.create: Allows a user to create resource record sets within a DNS zone.

  • dns.resourceRecordSets.delete: Allows a user to delete resource record sets within a DNS zone.

  • dns.resourceRecordSets.get: Allows a user or service account to retrieve information about resource record sets within a managed DNS zone.

  • dns.resourceRecordSets.list: Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone.

  • dns.resourceRecordSets.update: Allows a user or service account to make changes to the resource records in a DNS zone.

  • iam.roles.create: Allows a user to create a custom role for a GCP project or an organization.

  • iam.roles.delete: Allows a user to delete a custom role from a GCP project or an organization.

  • iam.roles.get: Allows a user to retrieve information about a specific role, including its permissions.

  • iam.roles.list: Allows a user to list predefined roles, or the custom roles for a project or an organization.

  • iam.roles.undelete: Allows a user to undelete a custom role from an organization or a project.

  • iam.roles.update: Allows a user to update an IAM custom role.

  • iam.serviceAccounts.actAs: Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user.

  • iam.serviceAccounts.create: Allows a user to create a service account for a project.

  • iam.serviceAccounts.delete: Allows a user to delete a service account for a project.

  • iam.serviceAccounts.get: Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account.

  • iam.serviceAccounts.getIamPolicy: Allows a user to retrieve the IAM policy for a service account.

  • iam.serviceAccounts.setIamPolicy: Allows a user to set the IAM policy for a service account.

  • iam.serviceAccounts.update: Allows a user to modify the service account for a project.

  • logging.logEntries.create: Allows a user to write log entries.

  • resourcemanager.projects.get: Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API.

  • resourcemanager.projects.getIamPolicy: Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist.

  • resourcemanager.projects.setIamPolicy: Allows a user or service account to set the IAM access control policy for the specified project.

  • storage.buckets.get: Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket's name, location, storage class, access control settings, and other attributes.

  • storage.buckets.getIamPolicy: Allows a user to retrieve the IAM policy for a bucket.

  • storage.buckets.setIamPolicy: Allows a user to set the IAM policy for a bucket.

  • Storage Object Admin: Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket.

  • Kubernetes Engine Admin: Full management of Kubernetes clusters and their Kubernetes API objects.
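As an added example (not from Redpanda's documentation or tooling), the following Python audit compares a custom role's includedPermissions, as returned by gcloud iam roles describe --format=json, against the permission list above and reports drift in both directions; the role name and the extra permission in the sample role are constructed, and the two predefined roles (Storage Object Admin, Kubernetes Engine Admin) are outside its scope.

```python
"""Audit a GCP custom role against the documented Redpanda agent permission list."""
import json

# The individual permissions documented on this page, grouped by service prefix.
_BY_SERVICE = {
    "compute": "addresses.get autoscalers.get autoscalers.list firewalls.create "
               "firewalls.delete firewalls.get firewalls.update globalOperations.get "
               "instanceGroupManagers.create instanceGroupManagers.delete "
               "instanceGroupManagers.get instanceGroupManagers.update "
               "instanceGroups.create instanceGroups.delete instanceGroups.get "
               "instanceGroups.update instances.create instances.delete instances.get "
               "instances.list instances.reset instances.setDeletionProtection "
               "instances.update instanceTemplates.create instanceTemplates.delete "
               "instanceTemplates.get networks.create networks.delete networks.get "
               "networks.getEffectiveFirewalls networks.update networks.updatePolicy "
               "projects.get regions.get regions.list routers.get subnetworks.get "
               "zoneOperations.get zoneOperations.list zones.get zones.list",
    "dns": "changes.create changes.get changes.list managedZones.create "
           "managedZones.delete managedZones.get managedZones.list managedZones.update "
           "projects.get resourceRecordSets.create resourceRecordSets.delete "
           "resourceRecordSets.get resourceRecordSets.list resourceRecordSets.update",
    "iam": "roles.create roles.delete roles.get roles.list roles.undelete roles.update "
           "serviceAccounts.actAs serviceAccounts.create serviceAccounts.delete "
           "serviceAccounts.get serviceAccounts.getIamPolicy "
           "serviceAccounts.setIamPolicy serviceAccounts.update",
    "logging": "logEntries.create",
    "resourcemanager": "projects.get projects.getIamPolicy projects.setIamPolicy",
    "storage": "buckets.get buckets.getIamPolicy buckets.setIamPolicy",
}
EXPECTED = frozenset(f"{svc}.{p}" for svc, perms in _BY_SERVICE.items() for p in perms.split())


def audit_role(role_json: str) -> dict:
    """Compare a custom role's permissions with the documented baseline.

    role_json is the JSON printed by `gcloud iam roles describe --format=json`.
    "extra" lists grants beyond the documented set (privilege creep to review);
    "missing" lists documented grants the role lacks (agent operations that would fail).
    """
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"extra": sorted(granted - EXPECTED), "missing": sorted(EXPECTED - granted)}


# Constructed sample (hypothetical project and role id): one permission too many, one missing.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/redpandaAgent",
    "includedPermissions": sorted(
        (EXPECTED - {"compute.instances.reset"}) | {"compute.instances.setMetadata"}),
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```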