Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Google Cloud Platform Securitycenter Lacks Required Permissions #38

Open
spawar-apex opened this issue Oct 4, 2024 · 2 comments
Open

Google Cloud Platform Securitycenter Lacks Required Permissions #38

spawar-apex opened this issue Oct 4, 2024 · 2 comments

Comments

@spawar-apex
Copy link

Hi @iann0036 ,

We are encountering an error message stating that the permissions "securitycenter.chronicleassetexport.get" and "securitycenter.chronicleassetexport.update" are necessary, but these permissions are not listed or described in any roles.

We're experiencing difficulties accessing asset metadata information or exporting SCC findings. The following error message was displayed:

Ensure you possess the following permissions:

1. securitycenter.chronicleassetexport.get
2. securitycenter.chronicleassetexport.update

To obtain these permissions, please contact your organization administrator.

It appears that the Google Cloud IAM permissions required for enabling the Cloud asset export for Google SecOps (also known as Chronicle) are missing from the existing documentation, even in the IAM v1 reference: https://cloud.google.com/iam/docs/permissions-reference.

These permissions should be included under the roles/securitycenter.adminEditor.

After discussing with the support team, they indicated that the visibility of this permission in documentation would require a Feature Request.

I would like to suggest adding these two permissions, labeled as Undocumented.

Looking forward to hearing from you.

Thanks,
Swapnil Pawar
@spawar-apex
Copy link
Author

@iann0036 - Did you get a chance to review this?

@iann0036
Copy link
Owner

Hi @spawar-apex,

Sorry for the delayed response.

I just want to confirm my understanding. Are you saying that the 2 permissions listed exist in the roles/securitycenter.adminEditor, but are not shown in the API/Web Console response or just that certain actions undertaken using the role are insufficient?

If it's the latter, I don't think it'll be appropriate to adjust the role itself, however I can add those permissions as undocumented and required by an API action if we can determine what those might be (e.g. securitycenter.findings.list / securitycenter.assets.list) but I'd need to see the network requests that return the above permission errors. If you can inspect your network traffic as it occurs and get the (sanitized) request for me, I can look up what that maps to from a method perspective.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iann0036 @spawar-apex