
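# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This file lists the IAM permissions required by the SAP Agent.
#
# Permissions are grouped by agent feature and, within each feature, by the
# entity type the permission is checked against: a Project, or a GCP resource
# (Instance, Bucket, Snapshot, etc.). Each feature entry is meant to be the
# minimal permission set for that feature alone, so a custom role for a given
# deployment can be assembled from the union of the features that are actually
# enabled instead of granting a broad predefined role.
#
# Review guidance when editing this file:
#   - Keep each feature's list minimal; a permission that is not exercised by
#     the feature's code path should not be added "just in case".
#   - Prefer the narrowest entity type (Instance/Bucket over Project) where
#     the underlying API honours a resource-level binding.
#   - Do not list the same permission twice inside one permissions block.
---
features:
  # Writes HANA metrics to Cloud Monitoring.
  - name: HANA_MONITORING
    permissionsList:
      - type: Project
        permissions:
          - monitoring.timeSeries.create

  # Reads node-group and instance metadata and writes process metrics.
  - name: PROCESS_METRICS
    permissionsList:
      - type: Project
        permissions:
          - compute.nodeGroups.list
          - compute.nodeGroups.get
          - compute.instances.get
          - monitoring.timeSeries.create

  # Ships agent logs to Cloud Logging.
  - name: CLOUD_LOGGING
    permissionsList:
      - type: Project
        permissions:
          - logging.logEntries.create

  # Host-level metrics: instance listing at project scope, instance details
  # at instance scope.
  - name: HOST_METRICS
    permissionsList:
      - type: Project
        permissions:
          - compute.instances.list
          - monitoring.metricDescriptors.get
          - monitoring.metricDescriptors.list
      - type: Instance
        permissions:
          - compute.instances.get

  # Backint backup/restore against a Cloud Storage bucket.
  # NOTE(review): the Bucket-scoped set includes storage.objects.delete; bind
  # it on the dedicated backup bucket rather than project-wide so a compromised
  # agent identity cannot delete objects in unrelated buckets.
  - name: BACKINT
    permissionsList:
      - type: Project
        permissions:
          - storage.objects.list
          - storage.objects.create
      - type: Bucket
        permissions:
          - storage.objects.get
          - storage.objects.update
          - storage.objects.delete

  # Additional bucket-scoped permissions needed only when Backint uses
  # multipart (parallel) uploads.
  - name: BACKINT_MULTIPART
    permissionsList:
      - type: Bucket
        permissions:
          - storage.multipartUploads.create
          - storage.multipartUploads.abort

  # Disk snapshot backup/restore. This is one of the most privileged feature
  # sets in the file (creates disks, attaches/detaches disks on instances);
  # enable it only on identities that actually run disk backups.
  - name: DISKBACKUP
    permissionsList:
      - type: Project
        permissions:
          - compute.disks.create
          - compute.disks.createSnapshot
          - compute.disks.get
          - compute.disks.setLabels
          - compute.disks.use
          - compute.globalOperations.get
          - compute.instances.attachDisk
          - compute.instances.detachDisk
          - compute.instances.get
          - compute.snapshots.create
          - compute.snapshots.get
          - compute.snapshots.setLabels
          - compute.snapshots.useReadOnly
          - compute.zoneOperations.get

  # Striped (multi-disk) backup via instant snapshot groups and resource
  # policies. Superset of DISKBACKUP plus resource-policy and
  # instant-snapshot permissions.
  - name: DISKBACKUP_STRIPED
    permissionsList:
      - type: Project
        permissions:
          - compute.disks.addResourcePolicies
          - compute.disks.create
          - compute.disks.get
          - compute.disks.list
          - compute.disks.removeResourcePolicies
          - compute.disks.use
          - compute.disks.useReadOnly
          - compute.globalOperations.get
          - compute.instances.attachDisk
          - compute.instances.detachDisk
          - compute.instances.get
          - compute.instantSnapshotGroups.create
          - compute.instantSnapshotGroups.delete
          - compute.instantSnapshotGroups.get
          - compute.instantSnapshotGroups.list
          - compute.instantSnapshots.list
          - compute.instantSnapshots.useReadOnly
          - compute.resourcePolicies.create
          - compute.resourcePolicies.use
          - compute.resourcePolicies.useReadOnly
          - compute.snapshots.create
          - compute.snapshots.get
          - compute.snapshots.list
          - compute.snapshots.setLabels
          - compute.snapshots.useReadOnly
          - compute.zoneOperations.get

  # Read-only discovery of the SAP system topology (addresses, load balancers,
  # Filestore) plus writing insights to Workload Manager.
  - name: SAP_SYSTEM_DISCOVERY
    permissionsList:
      - type: Project
        permissions:
          - compute.addresses.get
          - compute.addresses.list
          - compute.disks.get
          - compute.forwardingRules.get
          - compute.forwardingRules.list
          - compute.globalAddresses.get
          - compute.globalAddresses.list
          - compute.healthChecks.get
          - compute.instanceGroups.get
          - compute.instances.get
          - compute.instances.list
          - compute.regionBackendServices.get
          - file.instances.get
          - file.instances.list
          - workloadmanager.insights.write

  # Workload evaluation metrics. (compute.instances.get was previously listed
  # twice in this block; it is a single permission and is listed once.)
  - name: WORKLOAD_EVALUATION_METRICS
    permissionsList:
      - type: Project
        permissions:
          - compute.instances.get
          - compute.zoneOperations.list
          - compute.disks.list
          - monitoring.timeSeries.create
          - workloadmanager.insights.write

  # Reads secret payloads (e.g. database credentials).
  # NOTE(review): listed here at Project scope; secretmanager.versions.access
  # can be bound on an individual secret, which is the preferred grant so the
  # agent can read only the secrets it is configured to use.
  - name: SECRET_MANAGER
    permissionsList:
      - type: Project
        permissions:
          - secretmanager.versions.access

  # Writes the agent's own health metrics to Cloud Monitoring.
  - name: AGENT_HEALTH_METRICS
    permissionsList:
      - type: Project
        permissions:
          - monitoring.timeSeries.create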