Google policies required by Buddy
This is the list of policies that need to be checked in order to make Buddy work properly with Google Cloud services.
Google Cloud Storage
Listing buckets:
storage.buckets.list
Deployment:
storage.objects.list
storage.objects.create
storage.objects.update
storage.objects.delete
Google CDN Invalidate
Listing urlMaps:
compute.urlMaps.list
Invalidation:
compute.urlMaps.invalidateCache
Google Function Deploy
Listing functions:
cloudfunctions.functions.list
Deployment:
cloudfunctions.functions.get
cloudfunctions.functions.sourceCodeSet
iam.serviceAccounts.actAs
cloudfunctions.functions.update
cloudfunctions.operations.get
Google Function Invoke
Listing functions:
cloudfunctions.functions.list
Triggering functions:
cloudfunctions.functions.call
Google Cloud Run Deploy
The Cloud Run API is required. In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED. The Cloud Run Admin role must be added to the member.
Required policies:
run.services.create
run.services.update
iam.serviceAccounts.actAs
Google App Deploy
App Engine Admin API and Cloud Build API are required.
Required policies:
appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
iam.serviceAccounts.actAs
resourcemanager.projects.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update
Google Kubernetes Engine actions
Listing zone and clusters:
container.clusters.get
container.clusters.list
Kubernetes CLI/Helm
container.pods.list
container.pods.portForward
Kubernetes Run Job
container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.jobs.create
container.jobs.delete
container.jobs.get
Kubernetes Run Pod
container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.pods.delete
container.pods.create
Kubernetes Apply
container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.create
container.deployments.update
container.configMaps.list
container.endpoints.list
container.persistentVolumeClaims.list
container.pods.list
container.replicationControllers.list
container.secrets.list
container.services.list
container.jobs.list
container.cronJobs.list
container.ingresses.list
container.daemonSets.list
container.replicaSets.list
container.statefulSets.list
container.namespaces.list
container.namespaces.delete
Kubernetes Set Image
container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.update
Actions that use Google Container Registry
Container Registry API is required.
Policies required for pulling an image:
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
Policies required for pushing an image:
pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update