
Commit 4eb05e4

chore: add missing permissions for gke and eks auditlogs preflight check (#1795)
* chore: add missing permissions for gke auditlog preflight check * chore: add missing permissions for EKS Audit log
1 parent 2956474 commit 4eb05e4


2 files changed

+29
-0
lines changed

2 files changed

+29
-0
lines changed

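--- a/lwpreflight/aws/constants.go
+++ b/lwpreflight/aws/constants.go
@@ -913,6 +913,12 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 },
 EksAuditLog: {
 "ec2:DescribeRegions",
+"organizations:DescribeAccount",
+"organizations:DescribeOrganization",
+"organizations:ListAccounts",
+"organizations:ListAWSServiceAccessForOrganization",
+"organizations:ListOrganizationalUnitsForParent",
+"organizations:ListRoots",
 "s3:CreateBucket",
 "s3:DeleteBucket",
 "s3:ListBucket",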
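Review bot: The six `organizations:*` entries added to `EksAuditLog` carry no comment saying which preflight step needs them, whereas the neighbouring `ec2:`/`s3:` entries are self-explanatory; a one-line comment above the group such as `// organizations:* are read/list actions used to enumerate the org's accounts and OUs during the org-wide EKS audit-log preflight` would make the required scope reviewable. All six are read-only actions, so the addition does not widen what the checked credential can change, but presumably a per-account `RequiredPermissions` map also has an `EksAuditLog` entry, and that one should not receive these org-level entries. The `RequiredPermissionsForOrg` literal continues past the hunk.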

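--- a/lwpreflight/gcp/constants.go
+++ b/lwpreflight/gcp/constants.go
@@ -153,12 +153,22 @@ var RequiredPermissions = map[IntegrationType][]string{
 "serviceusage.services.use",
 },
 GkeAuditLog: {
+"cloudscheduler.locations.list",
+"iam.roles.create",
+"iam.roles.delete",
+"iam.roles.get",
+"iam.roles.list",
+"iam.roles.undelete",
+"iam.roles.update",
 "iam.serviceAccountKeys.create",
 "iam.serviceAccountKeys.delete",
 "iam.serviceAccountKeys.get",
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
+"iam.serviceAccounts.getIamPolicy",
+"iam.serviceAccounts.setIamPolicy",
+"iam.serviceAccounts.update",
 "logging.sinks.create",
 "logging.sinks.delete",
 "logging.sinks.get",
@@ -407,15 +417,26 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "serviceusage.services.list",
 },
 GkeAuditLog: {
+"cloudscheduler.locations.list",
+"iam.roles.create",
+"iam.roles.delete",
+"iam.roles.get",
+"iam.roles.list",
+"iam.roles.undelete",
+"iam.roles.update",
 "iam.serviceAccountKeys.create",
 "iam.serviceAccountKeys.delete",
 "iam.serviceAccountKeys.get",
 "iam.serviceAccounts.create",
 "iam.serviceAccounts.delete",
 "iam.serviceAccounts.get",
+"iam.serviceAccounts.getIamPolicy",
+"iam.serviceAccounts.setIamPolicy",
+"iam.serviceAccounts.update",
 "logging.sinks.create",
 "logging.sinks.delete",
 "logging.sinks.get",
+"orgpolicy.policy.get",
 "pubsub.subscriptions.consume",
 "pubsub.subscriptions.create",
 "pubsub.subscriptions.delete",
@@ -433,6 +454,8 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 "pubsub.topics.publish",
 "pubsub.topics.setIamPolicy",
 "pubsub.topics.update",
+"resourcemanager.organizations.getIamPolicy",
+"resourcemanager.organizations.setIamPolicy",
 "resourcemanager.projects.get",
 "resourcemanager.projects.getIamPolicy",
 "resourcemanager.projects.setIamPolicy",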
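Review bot: Several of the permissions added to `GkeAuditLog` are high-impact — `iam.roles.update`/`iam.roles.delete`/`iam.roles.undelete`, `iam.serviceAccounts.setIamPolicy`, and in the org map `resourcemanager.organizations.setIamPolicy` — and the list gives no hint which deployment step exercises each, so a reviewer cannot tell whether the preflight is demanding more from the user's credential than the integration actually needs. A short comment on each non-obvious group, e.g. `// iam.roles.*: manage the custom role the integration creates for its service account` and `// resourcemanager.organizations.setIamPolicy: bind that role at the organization level`, would make the least-privilege argument checkable; if `iam.roles.undelete` or `iam.roles.delete` is not actually called, it should be dropped rather than carried along. The identical ten-entry block is now duplicated between `RequiredPermissions` and `RequiredPermissionsForOrg`, which is exactly how the two lists drifted apart before this commit; a shared base slice for `GkeAuditLog` that the org map extends with the `orgpolicy.*` and `resourcemanager.organizations.*` entries would keep them in step. Both map literals continue past their hunks.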
