Create Custom Roles
To grant the service account only the permissions it needs, create two custom roles:
- TopogyBigQueryJobsRole
- TopogyReadOnlyRole
The TopogyReadOnlyRole should be created at the organization level while the TopogyBigQueryJobsRole should be created in the project you created for your BigQuery dataset.
TopogyBigQueryJobsRole
Creating the TopogyBigQueryJobsRole follows the same steps as the TopogyReadOnlyRole, but this role must be created in the project that holds your BigQuery billing dataset. BigQuery job permissions apply to the whole project (they cannot be scoped to a single dataset), so a service account holding this role can create and inspect jobs against every dataset in that project. We therefore recommend a dedicated project that houses only your BigQuery billing dataset, which confines the role's reach to that project.
Navigate to IAM
- Navigate to IAM & Admin in the GCP console
- Ensure that the project you created (likely "Billing BigQuery" if you followed our directions) for your BigQuery billing dataset is selected in the org/project selector at the top
- Click on the "Roles" item in the left navigation
- Click the "+ Create role" button along the top
Configure the role
- Enter a Title: TopogyBigQueryJobsRole
- Enter an ID: TopogyBigQueryJobsRole
- Select "General Availability" from the dropdown for Role launch stage
- Click the "+ Add permissions" button
- Enter "bigquery.jobs." in the filter box
- Select the following permissions:
bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list
- Click the "Add" button

- Click the "Create" button to create the role

TopogyReadOnlyRole
The TopogyReadOnlyRole needs to be created at the Organization level. We provide two methods for creating it:
CLI Script
If you would like to bypass the tedium of adding permissions to a custom role one by one, you can use the create_topogy_readonly_role.sh bash script, which uses the Google Cloud SDK (gcloud). The README provides instructions on how to run it. Since the script is run with credentials that can create roles at the organization level, review the permission list it grants before running it.
Manual Instructions
The following steps show how to create the role and assign the appropriate permissions. Adding permissions manually is a bit tedious, so we recommend using the filters defined in the Filter Table to narrow the list and find the permissions that belong in the TopogyReadOnlyRole. The basic process is as follows:
Navigate to IAM
- Navigate to IAM & Admin in the GCP console
- Ensure that your organization is selected in the org/project selector at the top
- Click on the "Roles" item in the left navigation
- Click the "+ Create role" button along the top
Configure role settings
- Enter a Title: TopogyReadOnlyRole
- Enter an ID: TopogyReadOnlyRole
- Select "General Availability" from the dropdown for Role launch stage
Add permissions
- Click the "+ Add permissions" button
- Enter a filter such as "cloudasset.assets.exportCloudresourcemanager" in the filter box and press Enter. If you do not press Enter, the console may not show all the permissions under that prefix. See the Filter Table for the list of filters and the permissions each one surfaces.
- Select the corresponding permissions
- Click the "Add" button

- Click the "+ Add permissions" button again
- Enter a different filter, such as "cloudasset.assets.exportResource", and press Enter (pressing Enter ensures that all matching permissions show up)
- Select the appropriate permissions
- Repeat until every permission in the Filter Table has been added to the TopogyReadOnlyRole (20 in total)
- Once all the permissions have been added, click the "Create" button to create the role
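The two procedures above (TopogyBigQueryJobsRole in the billing project, TopogyReadOnlyRole at the organization) done with gcloud, as an added example that is not the project's own create_topogy_readonly_role.sh script. It creates each role at the correct scope and then reads the role back and diffs its included permissions against the list on this page, which is the check worth running whether you created the roles by hand or by script, since a role with one permission missing fails silently until Topogy tries to use it. ORG_ID, BILLING_PROJECT and the create/verify subcommands are assumed placeholders, not Topogy conventions.

```shell
#!/usr/bin/env bash
# Added example, not Topogy's create_topogy_readonly_role.sh: creates both custom
# roles with gcloud and checks that each role carries exactly the expected
# permissions. ORG_ID and BILLING_PROJECT are assumed placeholders.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                        # assumed: your organization ID
BILLING_PROJECT="${BILLING_PROJECT:-billing-bigquery}"  # assumed: dedicated billing dataset project

# The 20 permissions this page lists for TopogyReadOnlyRole, one per line.
READONLY_PERMS='cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportResource
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
compute.commitments.get
compute.commitments.list
compute.regions.list
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list'

# The 3 project-scoped permissions for TopogyBigQueryJobsRole.
JOBS_PERMS='bigquery.jobs.create
bigquery.jobs.get
bigquery.jobs.list'

# Number of non-empty lines in a newline-separated list.
count_perms() { printf '%s\n' "$1" | grep -c .; }

# Turn a newline list into the comma-separated form --permissions expects.
to_csv() { printf '%s' "$1" | tr '\n' ','; }

# gcloud's default "value" format joins repeated fields with ';'; turn that
# back into a newline list so it can be compared with the expected list.
from_describe() { printf '%s\n' "$1" | tr ';' '\n' | grep . || true; }

# Compare expected ($1) and actual ($2) newline lists. Prints every difference
# and returns 1 if the role lacks a permission or carries one it should not.
check_perms() {
  local expected actual p rc=0
  expected=$(printf '%s\n' "$1" | sort -u)
  actual=$(printf '%s\n' "$2" | sort -u)
  for p in $expected; do
    printf '%s\n' "$actual" | grep -qxF -- "$p" || { echo "missing: $p"; rc=1; }
  done
  for p in $actual; do
    printf '%s\n' "$expected" | grep -qxF -- "$p" || { echo "unexpected: $p"; rc=1; }
  done
  return "$rc"
}

# Create the roles: TopogyReadOnlyRole at the organization,
# TopogyBigQueryJobsRole only in the billing dataset project.
create_roles() {
  gcloud iam roles create TopogyReadOnlyRole --organization="$ORG_ID" \
    --title=TopogyReadOnlyRole --stage=GA \
    --permissions="$(to_csv "$READONLY_PERMS")"
  gcloud iam roles create TopogyBigQueryJobsRole --project="$BILLING_PROJECT" \
    --title=TopogyBigQueryJobsRole --stage=GA \
    --permissions="$(to_csv "$JOBS_PERMS")"
}

# Read back what each role actually contains and diff it against the list.
verify_roles() {
  local got
  got=$(gcloud iam roles describe TopogyReadOnlyRole --organization="$ORG_ID" \
          --format='value(includedPermissions)')
  check_perms "$READONLY_PERMS" "$(from_describe "$got")"
  got=$(gcloud iam roles describe TopogyBigQueryJobsRole --project="$BILLING_PROJECT" \
          --format='value(includedPermissions)')
  check_perms "$JOBS_PERMS" "$(from_describe "$got")"
}

# Only talk to GCP when explicitly asked, so the functions above can be
# sourced and exercised offline.
case "${1:-}" in
  create) create_roles ;;
  verify) verify_roles ;;
esac
```

Run it as `./topogy_roles.sh create` and then `./topogy_roles.sh verify`; with no argument it only defines the functions. `gcloud iam roles create` fails as a whole if any permission in the list is not supported in custom roles, so a typo in the list leaves no partial role behind; `verify` catches the other failure mode, a role that exists but was edited by hand and drifted from the list.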

Filter Table
| Filter | Permission |
|---|---|
| cloudasset.assets.exportCloudresourcemanager | cloudasset.assets.exportCloudresourcemanagerFolders |
| cloudasset.assets.exportCloudresourcemanager | cloudasset.assets.exportCloudresourcemanagerOrganizations |
| cloudasset.assets.exportCloudresourcemanager | cloudasset.assets.exportCloudresourcemanagerProjects |
| cloudasset.assets.exportResource | cloudasset.assets.exportResource |
| cloudasset.assets.listCloudresourcemanager | cloudasset.assets.listCloudresourcemanagerFolders |
| cloudasset.assets.listCloudresourcemanager | cloudasset.assets.listCloudresourcemanagerOrganizations |
| cloudasset.assets.listCloudresourcemanager | cloudasset.assets.listCloudresourcemanagerProjects |
| cloudasset.assets.listResource | cloudasset.assets.listResource |
| cloudasset.assets.searchAllResources | cloudasset.assets.searchAllResources |
| compute.commitments | compute.commitments.get |
| compute.commitments | compute.commitments.list |
| compute.regions.list | compute.regions.list |
| monitoring.metricDescriptors.list | monitoring.metricDescriptors.list |
| monitoring.timeSeries.list | monitoring.timeSeries.list |
| resourcemanager.folders | resourcemanager.folders.get |
| resourcemanager.folders | resourcemanager.folders.list |
| resourcemanager.organizations.get | resourcemanager.organizations.get |
| resourcemanager.projects | resourcemanager.projects.get |
| resourcemanager.projects | resourcemanager.projects.getIamPolicy |
| resourcemanager.projects | resourcemanager.projects.list |
Permissions
Below is the full list of permissions (20 in total) that the TopogyReadOnlyRole needs assigned. All of them are read-only, but note that resourcemanager.projects.getIamPolicy lets the holder read the IAM bindings of every project under the organization, so grant this role only to the Topogy service account.
cloudasset.assets.exportCloudresourcemanagerFolders
cloudasset.assets.exportCloudresourcemanagerOrganizations
cloudasset.assets.exportCloudresourcemanagerProjects
cloudasset.assets.exportResource
cloudasset.assets.listCloudresourcemanagerFolders
cloudasset.assets.listCloudresourcemanagerOrganizations
cloudasset.assets.listCloudresourcemanagerProjects
cloudasset.assets.listResource
cloudasset.assets.searchAllResources
compute.commitments.get
compute.commitments.list
compute.regions.list
monitoring.metricDescriptors.list
monitoring.timeSeries.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

Next step: Assign roles to service account