Google policies required by Buddy

This is the list of IAM permissions (referred to below as policies) that must be granted to the service account Buddy uses, so that Buddy works properly with Google Cloud services.

Google Cloud Storage

Listing buckets:

storage.buckets.list

Deployment:

storage.objects.list
storage.objects.create
storage.objects.update
storage.objects.delete

Google CDN Invalidate

Listing urlMaps:

compute.urlMaps.list

Invalidation:

compute.urlMaps.invalidateCache

Google Function Deploy

Listing functions:

cloudfunctions.functions.list

Deployment:

cloudfunctions.functions.get
cloudfunctions.functions.sourceCodeSet
iam.serviceAccounts.actAs
cloudfunctions.functions.update
cloudfunctions.operations.get

Google Function Invoke

Listing functions:

cloudfunctions.functions.list

Triggering functions:

cloudfunctions.functions.call

Google Cloud Run Deploy

The Cloud Run API must be enabled. In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED; the Cloud Run Admin role must also be granted to the member.

Required policies:

run.services.create
run.services.update
iam.serviceAccounts.actAs

Google App Deploy

The App Engine Admin API and the Cloud Build API must be enabled.

Required policies:

appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
iam.serviceAccounts.actAs
resourcemanager.projects.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Google Kubernetes Engine actions

Listing zones and clusters:

container.clusters.get
container.clusters.list

Kubernetes CLI/Helm

container.pods.list
container.pods.portForward

Kubernetes Run Job

container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.jobs.create
container.jobs.delete
container.jobs.get

Kubernetes Run Pod

container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.pods.delete
container.pods.create

Kubernetes Apply

container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.create
container.deployments.update
container.configMaps.list
container.endpoints.list
container.persistentVolumeClaims.list
container.pods.list
container.replicationControllers.list
container.secrets.list
container.services.list
container.jobs.list
container.cronJobs.list
container.ingresses.list
container.daemonSets.list
container.replicaSets.list
container.statefulSets.list
container.namespaces.list
container.namespaces.delete

Kubernetes Set Image

container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.update

Actions that use Google Container Registry

The Container Registry API must be enabled.

Policies required for pulling an image:

storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Policies required for pushing an image:

pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update
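Putting the lists above to use: an added example (not part of Buddy's documentation or tooling) that merges the permission sets for the actions a pipeline actually uses into one custom-role definition accepted by `gcloud iam roles create --file`, so the Buddy service account is granted exactly these permissions rather than a broad predefined role. The role title, the output file name `buddy-role.yaml`, and the `$ROLE_ID`/`$PROJECT` placeholders are assumptions; the permission names are copied from the lists on this page.

```shell
#!/bin/sh
# Added example, not Buddy's own tooling: build a least-privilege custom role
# holding exactly the permissions listed above for the actions a pipeline uses.
# Apply it with (ROLE_ID and PROJECT are placeholders):
#   gcloud iam roles create "$ROLE_ID" --project="$PROJECT" --file=buddy-role.yaml

# Permission sets copied from the lists above, one set per Buddy action.
GCS_DEPLOY="storage.buckets.list storage.objects.list storage.objects.create \
storage.objects.update storage.objects.delete"
CDN_INVALIDATE="compute.urlMaps.list compute.urlMaps.invalidateCache"
FUNCTION_DEPLOY="cloudfunctions.functions.list cloudfunctions.functions.get \
cloudfunctions.functions.sourceCodeSet iam.serviceAccounts.actAs \
cloudfunctions.functions.update cloudfunctions.operations.get"
CLOUD_RUN_DEPLOY="run.services.create run.services.update iam.serviceAccounts.actAs"

# merge_permissions SET... : union of the given space-separated sets, one
# permission per line, sorted and de-duplicated (iam.serviceAccounts.actAs and
# the storage.objects.* permissions appear in several sets).
merge_permissions() {
    printf '%s\n' "$@" | tr ' ' '\n' | grep -v '^$' | sort -u
}

# role_yaml TITLE SET... : emit the YAML accepted by `gcloud iam roles create --file`.
role_yaml() {
    title=$1
    shift
    printf 'title: %s\n' "$title"
    printf 'description: Least-privilege role for the Buddy CI/CD service account\n'
    printf 'stage: GA\n'
    printf 'includedPermissions:\n'
    merge_permissions "$@" | sed 's/^/- /'
}

# Example pipeline: deploy to Cloud Storage, invalidate the CDN and deploy a
# Cloud Run service. Add or drop sets to match the actions actually used.
role_yaml "Buddy deployer" "$GCS_DEPLOY" "$CDN_INVALIDATE" "$CLOUD_RUN_DEPLOY" \
    > buddy-role.yaml
cat buddy-role.yaml
```

Review the generated file before applying it, and regenerate it whenever an action is added to or removed from the pipeline so the role never accumulates unused permissions.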