Create Custom Roles

In order to grant the appropriate permissions to the service account, you need to create 2 custom roles:

  • TopogyBigQueryJobsRole
  • TopogyReadOnlyRole

The TopogyReadOnlyRole should be created at the organization level while the TopogyBigQueryJobsRole should be created in the project you created for your BigQuery dataset.


TopogyBigQueryJobsRole

Creating the TopogyBigQueryJobsRole follows the same process as creating the TopogyReadOnlyRole; however, this role must be created in the project where your BigQuery billing dataset resides. Because a role granted in a project applies to everything in that project (there is no way to assign the permissions we need at the dataset level), we recommend a dedicated project that houses only your BigQuery billing dataset.

  1. Navigate to IAM & Admin in the GCP console
  2. Ensure that the project you created (likely "Billing BigQuery" if you followed our directions) for your BigQuery billing dataset is selected in the org/project selector at the top
  3. Click on the "Roles" item in the left navigation
  4. Click the "+ Create role" button along the top

Configure the role

  1. Enter a Title: TopogyBigQueryJobsRole
  2. Enter an ID: TopogyBigQueryJobsRole
  3. Select "General Availability" from the dropdown for Role launch stage
  4. Click the "+ Add permissions" button
  5. Enter "bigquery.jobs." in the filter box
  6. Select the following permissions:

```plaintext
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
```

  7. Click the "Add" button

Add permissions

  1. Click the "Create" button to create the role

Create role


TopogyReadOnlyRole

The TopogyReadOnlyRole needs to be created at the Organization level. We provide 2 methods for creating the TopogyReadOnlyRole:

CLI Script

If you would like to bypass the tedium of assigning permissions to a custom role, you can use the create_topogy_readonly_role.sh bash script which leverages the Google Cloud SDK. The README provides instructions on how to use the simple bash script.

Manual Instructions

The following steps show how to create the role and assign the appropriate permissions. Adding permissions manually is a bit tedious - we recommend using the filters defined in the Filter Table to narrow the list so you can easily find the permissions you need to include in the TopogyReadOnlyRole. The basic process is as follows:

  1. Navigate to IAM & Admin in the GCP console
  2. Ensure that your organization is selected in the org/project selector at the top
  3. Click on the "Roles" item in the left navigation
  4. Click the "+ Create role" button along the top

Configure role settings

  1. Enter a Title: TopogyReadOnlyRole
  2. Enter an ID: TopogyReadOnlyRole
  3. Select "General Availability" from the dropdown for Role launch stage

Add permissions

  1. Click the "+ Add permissions" button
  2. Enter a filter, such as "cloudasset.assets.exportCloudresourcemanager", in the filter box and then press Enter. If you do not press Enter, you may not see all of the permissions available under that permission path. See the Filter Table for the list of filters and their associated permissions.
  3. Select the corresponding permissions
  4. Click the "Add" button

Add permissions

  1. Click the "+ Add permissions" button again
  2. Enter a different filter, such as "cloudasset.assets.exportResource", and then press Enter (pressing Enter ensures that all the permissions show up)
  3. Select the appropriate permissions
  4. Rinse and repeat until all permissions have been added to the TopogyReadOnlyRole (there should be 20 in total)
  5. Once all the permissions have been added, click the "Create" button to create the role

Create role


Filter Table

Filter                                          Permission
----------------------------------------------  ----------------------------------------------------------
cloudasset.assets.exportCloudresourcemanager    cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanager    cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanager    cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportResource                cloudasset.assets.exportResource
cloudasset.assets.listCloudresourcemanager      cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanager      cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanager      cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listResource                  cloudasset.assets.listResource
cloudasset.assets.searchAllResources            cloudasset.assets.searchAllResources
compute.commitments                             compute.commitments.get
compute.commitments                             compute.commitments.list
compute.regions.list                            compute.regions.list
monitoring.metricDescriptors.list               monitoring.metricDescriptors.list
monitoring.timeSeries.list                      monitoring.timeSeries.list
resourcemanager.folders                         resourcemanager.folders.get
resourcemanager.folders                         resourcemanager.folders.list
resourcemanager.organizations.get               resourcemanager.organizations.get
resourcemanager.projects                        resourcemanager.projects.get
resourcemanager.projects                        resourcemanager.projects.getIamPolicy
resourcemanager.projects                        resourcemanager.projects.list

Permissions

Below is the complete list of the 20 permissions that must be assigned to the TopogyReadOnlyRole:

```plaintext
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportResource
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
compute.commitments.get
compute.commitments.list
compute.regions.list
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
```
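As an added example (not the project's own create_topogy_readonly_role.sh), the following script does with the gcloud CLI what the CLI Script and Manual Instructions sections describe: it creates TopogyReadOnlyRole at the organization level from the list above, checks before creating that no permission in the list carries a mutating verb, and afterwards compares the permissions gcloud reports for the live role against the documented list so a missed or mistyped permission is caught. It assumes the Google Cloud SDK is installed and authenticated and that the numeric organization id is supplied in the ORG_ID environment variable (the `value(includedPermissions)` output format joining list items with `;` is also an assumption about gcloud's output).

```bash
set -eu
ROLE_ID="TopogyReadOnlyRole"
# The documented permission list, one per line.
topogy_readonly_permissions() {
  cat <<'EOF'
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportResource
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
compute.commitments.get
compute.commitments.list
compute.regions.list
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
EOF
}
# Least-privilege guard: succeed only if no permission on stdin ends in a mutating
# verb (create/delete/update/set*/use/actAs); a "read-only" role must not carry these.
permissions_are_readonly() { ! grep -Ei '\.(create|delete|update|set[A-Za-z]*|use|actAs)$' >/dev/null; }
# gcloud expects the permission list as one comma-separated value.
permissions_csv() { topogy_readonly_permissions | paste -sd, -; }
# Create the role under the organization (numeric id, first argument) with launch stage GA.
create_role() {
  gcloud iam roles create "$ROLE_ID" --organization="$1" --title="$ROLE_ID" \
    --stage=GA --permissions="$(permissions_csv)"
}
# Compare the live role with the documented list (assumes value() joins list items with ';').
verify_role() {
  live=$(gcloud iam roles describe "$ROLE_ID" --organization="$1" \
           --format='value(includedPermissions)' | tr ';' '\n' | sort)
  [ "$live" = "$(topogy_readonly_permissions | sort)" ] ||
    { echo "live role differs from the documented list" >&2; return 1; }
}
if [ -n "${ORG_ID:-}" ]; then
  topogy_readonly_permissions | permissions_are_readonly
  create_role "$ORG_ID" && verify_role "$ORG_ID" && echo "role matches the documented list"
else
  echo "usage: ORG_ID=<numeric organization id> $0" >&2
fi
```

Run as `ORG_ID=123456789012 bash create_role.sh` (constructed id); without ORG_ID it only prints usage, so the functions can be sourced and checked on their own.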

Next step: Assign roles to service account