Google Cloud Platform (GCP)

Follow these steps to set up a Read-Only Access Service Account on Google Cloud Platform (GCP).

Step 1: Log in to Google Cloud Console

  1. Sign in with an account that can create service accounts and change the project's IAM policy (for example, a Project Owner). Every step below is run as this administrator, not as the new service account.

Step 2: Create a Service Account

  1. Navigate to IAM & Admin > Service Accounts.

  2. Click Create Service Account.

  3. Provide a Name (e.g., nebu-readonly).

  4. Click Create and Continue.

Step 3: Assign the Predefined Viewer Role

  1. Under Grant this service account access to the project, click Add Role.

  2. Search for the predefined role:

    • roles/viewer

  3. Select the Viewer role and click Continue.

Step 4: Generate and Download a JSON Key

  1. After creating the service account, go to the Keys tab.

  2. Click Add Key > Create New Key.

  3. Choose JSON format and download the file. The file contains the account's private key and is a long-lived credential: store it in a secrets manager or an encrypted location, never commit it to source control, and delete it from the Keys tab when NEBU no longer needs it. If key creation is blocked by the organization policy constraint constraints/iam.disableServiceAccountKeyCreation, an organization administrator must grant an exception for this project.

Step 5: Enable Required APIs

# Enable required APIs (Batch 1 - Core APIs)
gcloud services enable \
  compute.googleapis.com \
  storage-api.googleapis.com \
  storage-component.googleapis.com \
  sqladmin.googleapis.com \
  container.googleapis.com \
  cloudfunctions.googleapis.com \
  run.googleapis.com \
  pubsub.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  iam.googleapis.com \
  cloudkms.googleapis.com \
  dns.googleapis.com \
  redis.googleapis.com \
  secretmanager.googleapis.com \
  cloudresourcemanager.googleapis.com \
  bigquery.googleapis.com \
  serviceusage.googleapis.com \
  file.googleapis.com \
  dataflow.googleapis.com \
  --project=YOUR_PROJECT_ID

# Enable remaining APIs (Batch 2)
gcloud services enable \
  binaryauthorization.googleapis.com \
  --project=YOUR_PROJECT_ID

Step 6: Create Custom Read-Only Storage Role

NEBU needs the storage.buckets.getIamPolicy permission to read bucket IAM policies, and that permission is not included in roles/storage.objectViewer. Create a minimal custom role that adds it alongside the bucket and object read permissions:

# Create custom read-only storage role
gcloud iam roles create nebuStorageReadOnly \
  --project=YOUR_PROJECT_ID \
  --title="NEBU Storage Read-Only Scanner" \
  --description="Minimal read-only permissions for storage Compliance & Security" \
  --permissions="storage.buckets.list,storage.buckets.get,storage.buckets.getIamPolicy,storage.objects.list,storage.objects.get"

Step 7: Apply Read-Only Permissions

Run each binding as the administrator from Step 1, replacing YOUR_PROJECT_ID and YOUR_SERVICE_ACCOUNT_EMAIL with your values.

# 1. Core Service Usage (needed so the service account can call the enabled APIs on this project)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/serviceusage.serviceUsageConsumer"

# 2. Project-level viewer access (read-only; a no-op if already granted in Step 3)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/viewer"

# 3. Custom read-only storage permissions
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="projects/YOUR_PROJECT_ID/roles/nebuStorageReadOnly"

# 4. IAM security reviewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/iam.securityReviewer"

# 5. Cloud SQL viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudsql.viewer"

# 6. Compute Engine viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/compute.viewer"

# 7. GKE viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/container.viewer"

# 8. Cloud Functions viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudfunctions.viewer"

# 9. Cloud Logging viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/logging.viewer"

# 10. Pub/Sub viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/pubsub.viewer"

# 11. KMS viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudkms.viewer"

# 12. Secret Manager viewer (read-only metadata; does not include secretmanager.versions.access, so secret payloads stay unreadable)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/secretmanager.viewer"

# 13. BigQuery metadata viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/bigquery.metadataViewer"

# 14. Cloud Run viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/run.viewer"

# 15. Cloud DNS reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/dns.reader"

# 16. Monitoring viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/monitoring.viewer"

# 17. Binary Authorization reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/binaryauthorization.attestorsViewer"

# 18. Cloud Filestore viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/file.viewer"

# 19. Cloud Dataflow viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/dataflow.viewer"

# 20. Memorystore Redis reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/redis.viewer"
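Steps 6 and 7 are twenty hand-typed commands, which makes it easy to skip one or to paste a permission that is not actually read-only. The script below is an added example and is not NEBU's own tooling: it audits the custom role's permissions against an allowlist of read verbs before creating the role, grants every role from Step 7 in a loop, and then reads the project policy back to confirm each binding landed. It assumes gcloud is authenticated as the administrator from Step 1, that PROJECT_ID and SA_EMAIL are set in the environment (the placeholders are the page's own), and that NEBU_APPLY is a hypothetical switch introduced here so the gcloud calls only run when you ask for them.

```bash
#!/usr/bin/env bash
# Added example, not NEBU's own tooling: Steps 6 and 7 as one script, with an
# audit of the custom role's permissions before it is created and a check of
# the resulting bindings afterwards. Assumes gcloud is authenticated as an
# admin of PROJECT_ID and that SA_EMAIL is the account created in Step 2.
# Only the pure helpers run by default; set NEBU_APPLY=1 to call gcloud.
set -eu

PROJECT_ID="${PROJECT_ID:-YOUR_PROJECT_ID}"
SA_EMAIL="${SA_EMAIL:-YOUR_SERVICE_ACCOUNT_EMAIL}"
CUSTOM_ROLE_ID="nebuStorageReadOnly"
CUSTOM_ROLE="projects/$PROJECT_ID/roles/$CUSTOM_ROLE_ID"

# Permissions for the custom role from Step 6.
CUSTOM_PERMS="storage.buckets.list storage.buckets.get storage.buckets.getIamPolicy
storage.objects.list storage.objects.get"

# Predefined roles from Step 7; whitespace-separated so a for loop can walk them.
ROLES="roles/serviceusage.serviceUsageConsumer roles/viewer roles/iam.securityReviewer
roles/cloudsql.viewer roles/compute.viewer roles/container.viewer
roles/cloudfunctions.viewer roles/logging.viewer roles/pubsub.viewer
roles/cloudkms.viewer roles/secretmanager.viewer roles/bigquery.metadataViewer
roles/run.viewer roles/dns.reader roles/monitoring.viewer
roles/binaryauthorization.attestorsViewer roles/file.viewer roles/dataflow.viewer
roles/redis.viewer"

# Allowlist of read verbs: anything else (create, delete, setIamPolicy, update,
# or a verb we have not seen before) is rejected rather than waved through.
is_readonly_permission() {
  case "${1##*.}" in
    get|list|getIamPolicy|getData|read|view|testIamPermissions) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every permission in $1 that is not read-only; return 1 if there are any.
audit_permissions() {
  bad=0
  for p in $1; do
    if ! is_readonly_permission "$p"; then
      echo "NOT READ-ONLY: $p"
      bad=1
    fi
  done
  return $bad
}

# Turn a whitespace-separated list into the comma-separated form gcloud expects.
csv_list() {
  echo $1 | tr ' ' ','
}

# Print each entry of list $1 that does not appear in list $2.
missing_from() {
  for want in $1; do
    found=0
    for have in $2; do
      [ "$want" = "$have" ] && found=1 && break
    done
    [ $found -eq 0 ] && echo "$want"
  done
  return 0
}

create_custom_role() {
  audit_permissions "$CUSTOM_PERMS"   # refuse to create a role that can mutate state
  gcloud iam roles create "$CUSTOM_ROLE_ID" --project="$PROJECT_ID" \
    --title="NEBU Storage Read-Only Scanner" \
    --permissions="$(csv_list "$CUSTOM_PERMS")"
}

grant_roles() {
  for role in $ROLES "$CUSTOM_ROLE"; do
    # --condition=None keeps the call non-interactive if conditional bindings exist.
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role" --condition=None >/dev/null
  done
}

# Read back the roles actually bound to the service account and fail on any gap.
verify_bindings() {
  granted=$(gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="value(bindings.role)")
  gaps=$(missing_from "$ROLES $CUSTOM_ROLE" "$granted")
  if [ -n "$gaps" ]; then
    echo "Missing bindings:"; echo "$gaps"; return 1
  fi
  echo "All expected read-only bindings are present for $SA_EMAIL"
}

if [ "${NEBU_APPLY:-0}" = "1" ]; then
  create_custom_role
  grant_roles
  verify_bindings
fi
```

Usage: `PROJECT_ID=my-proj SA_EMAIL=nebu-readonly@my-proj.iam.gserviceaccount.com NEBU_APPLY=1 bash grant_readonly.sh`. The verb allowlist is deliberately strict: if a future NEBU release asks for a permission whose last segment is not a known read verb, `audit_permissions` stops the script so you decide consciously rather than discovering a write permission in an audit later.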

Final Step: Use the JSON Key in NEBU Initialization

  1. Use the values from the downloaded JSON key file in NEBU’s initialization process.

  2. NEBU uses this key to analyze your cloud environment with the read-only permissions granted above.
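Before handing the key to NEBU, it is worth proving that the key really cannot change anything, rather than trusting the role names. The script below is an added example (not part of NEBU) that authenticates gcloud with the downloaded key in an isolated configuration directory, then calls the Resource Manager projects.testIamPermissions method with a list of mutating permissions; the API returns only the permissions the caller actually holds, so an empty result is the proof. It assumes gcloud and curl are installed, that KEY_FILE points at the JSON key from Step 4, and that NEBU_CHECK is a hypothetical switch introduced here so the network calls only run on request.

```bash
#!/usr/bin/env bash
# Added example, not part of NEBU: prove the key from Step 4 cannot mutate the
# project by asking Resource Manager which of a set of write permissions the
# caller holds. Assumes gcloud and curl; KEY_FILE is the downloaded JSON key.
# Only the pure helpers run by default; set NEBU_CHECK=1 to call the API.
set -eu

PROJECT_ID="${PROJECT_ID:-YOUR_PROJECT_ID}"
KEY_FILE="${KEY_FILE:-./nebu-readonly-key.json}"

# Mutating permissions a read-only scanner must never hold (sample list).
WRITE_PERMS="compute.instances.create
storage.buckets.setIamPolicy
storage.objects.delete
iam.serviceAccountKeys.create
resourcemanager.projects.setIamPolicy
secretmanager.versions.access"

# Build the request body {"permissions":["a","b",...]} from a whitespace list.
request_body() {
  printf '{"permissions":['
  first=1
  for p in $1; do
    [ $first -eq 1 ] || printf ','
    printf '"%s"' "$p"
    first=0
  done
  printf ']}'
}

# Extract the permissions the API says the caller holds, one per line.
# The response is {"permissions":[...]} or {} when none are held.
held_permissions() {
  printf '%s' "$1" | tr -d '\n ' | sed -n 's/.*"permissions":\[\([^]]*\)\].*/\1/p' \
    | tr -d '"' | tr ',' '\n' | sed '/^$/d'
}

check_key_is_readonly() {
  # Use a throwaway gcloud config dir so the admin credentials are not replaced.
  export CLOUDSDK_CONFIG="${CLOUDSDK_CONFIG:-$(mktemp -d)}"
  gcloud auth activate-service-account --key-file="$KEY_FILE" --quiet
  token=$(gcloud auth print-access-token)
  resp=$(curl -fsS -X POST \
    -H "Authorization: Bearer $token" -H "Content-Type: application/json" \
    -d "$(request_body "$WRITE_PERMS")" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_ID:testIamPermissions")
  held=$(held_permissions "$resp")
  if [ -n "$held" ]; then
    echo "Key holds write permissions:"; echo "$held"; return 1
  fi
  echo "OK: none of the tested write permissions are granted to this key"
}

if [ "${NEBU_CHECK:-0}" = "1" ]; then
  check_key_is_readonly
fi
```

Usage: `PROJECT_ID=my-proj KEY_FILE=./nebu-readonly.json NEBU_CHECK=1 bash check_key.sh`. Extend WRITE_PERMS with whatever matters most in your environment; the call is read-only itself, so it is safe to re-run after every IAM change as a regression check.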
