search

iann0036 / iam-dataset

A consolidated cloud IAM dataset
MIT License
232 stars 23 forks source link

Google Cloud Platform Securitycenter Lacks Required Permissions #38

Open spawar-apex opened 1 month ago

spawar-apex commented 1 month ago

Hi @iann0036 ,

We are encountering an error message stating that the permissions "securitycenter.chronicleassetexport.get" and "securitycenter.chronicleassetexport.update" are necessary, but these permissions are not listed or described in any roles.

We're experiencing difficulties accessing asset metadata information or exporting SCC findings. The following error message was displayed:

Ensure you possess the following permissions:

1. securitycenter.chronicleassetexport.get
2. securitycenter.chronicleassetexport.update

To obtain these permissions, please contact your organization administrator.

It appears that the Google Cloud IAM permissions required for enabling the Cloud asset export for Google SecOps (also known as Chronicle) are missing from the existing documentation, even in the IAM v1 reference: https://cloud.google.com/iam/docs/permissions-reference.

These permissions should be included under the roles/securitycenter.adminEditor.

After discussing with the support team, they indicated that the visibility of this permission in documentation would require a Feature Request.

I would like to suggest adding these two permissions, labeled as Undocumented.

Looking forward to hearing from you.

Thanks, Swapnil Pawar

spawar-apex commented 1 month ago

@iann0036 - Did you get a chance to review this?

iann0036 commented 1 month ago

Hi @spawar-apex,

Sorry for the delayed response.

I just want to confirm my understanding. Are you saying that the 2 permissions listed exist in the roles/securitycenter.adminEditor, but are not shown in the API/Web Console response or just that certain actions undertaken using the role are insufficient?

If it's the latter, I don't think it'll be appropriate to adjust the role itself, however I can add those permissions as undocumented and required by an API action if we can determine what those might be (e.g. securitycenter.findings.list / securitycenter.assets.list) but I'd need to see the network requests that return the above permission errors. If you can inspect your network traffic as it occurs and get the (sanitized) request for me, I can look up what that maps to from a method perspective.