GCP-Access & Permissions

Account Onboarding

For Lucidity to manage the disks attached to your GCP VMs, its service account needs the following permissions.

  • compute.disks.create

  • compute.disks.delete

  • compute.disks.get

  • compute.disks.list

  • compute.disks.setLabels

  • compute.disks.use

  • compute.instances.attachDisk

  • compute.instances.detachDisk

  • compute.instances.get

  • compute.instances.list

  • compute.instances.setLabels

  • compute.instances.setMetadata

  • compute.instances.update

  • compute.zoneOperations.get

  • iam.serviceAccounts.actAs

  • logging.logEntries.create

  • logging.logEntries.list

  • logging.privateLogEntries.list

  • monitoring.timeSeries.list

  • resourcemanager.projects.get

  • monitoring.metricDescriptors.create

  • osconfig.osPolicyAssignments.create

  • osconfig.osPolicyAssignments.delete

  • osconfig.osPolicyAssignments.get

  • osconfig.osPolicyAssignments.list

  • osconfig.osPolicyAssignments.update

  • osconfig.osPolicyAssignments.searchPolicies

  • osconfig.osPolicyAssignmentReports.list

  • servicemanagement.services.bind

  • serviceusage.services.disable

  • serviceusage.services.enable

  • serviceusage.services.get

  • serviceusage.services.list

  • serviceusage.services.use

  • serviceusage.quotas.get

  • resourcemanager.projects.getIamPolicy

  • iam.roles.get

  • resourcemanager.organizations.getIamPolicy

  • resourcemanager.folders.get

Note

Please make sure that the Compute Engine API is enabled in your GCP project. If it’s not already enabled, follow these steps:

  1. Go to the Enable APIs & Services page in the Google Cloud Console:

    https://console.cloud.google.com/flows/enableapi?apiid=compute.googleapis.com

  2. Select your project (if prompted) and click Enable.

Allow a few minutes for the change to propagate. From Cloud Shell, the same can be done with: gcloud services enable compute.googleapis.com --project=PROJECT-ID. Once the Compute Engine API is enabled, you can proceed with the instructions in this guide.

GCP uses IAM role-based access control, so the permissions above are packaged into custom IAM roles, and those roles are bound to the service account used by our application.

The service account identifier used by our application is given as follows.

Service Account ID : lucidity-autoscaler@lucidity-main.iam.gserviceaccount.com

This identity is owned by Lucidity (it lives in the lucidity-main project, not in your organization), so the binding grants a third party access to your resources. Be aware of the reach of the permissions involved: compute.instances.setMetadata lets the holder change instance metadata, including startup scripts and SSH keys, and iam.serviceAccounts.actAs lets it attach and act as the service accounts used by those instances, so in practice the role gives this account control of the VMs it manages. Grant it only on the project(s) that are in scope.

Running the onboarding steps typically requires Owner access on the project(s) in question. Creating custom roles at the organization level and adding an organization-level IAM binding (Steps 1 and 2 below) additionally require organization-level permissions, for example the Organization Role Administrator and Organization Administrator roles.

Method 1: Onboarding via Cloud Shell

  • Login to the GCP portal

  • Activate Cloud Shell from the top right section

Find the project ID of the GCP project. You will need this project ID for the following commands.

Step 1: Create the IAM role

  • Run the following commands [Replace ORGANIZATION-ID with your actual organization ID]. The two roles together carry every permission listed above.

gcloud iam roles create lucidity.autoscaler \
  --organization=ORGANIZATION-ID \
  --title="Lucidity Autoscaler" \
  --description="Role for granting access to Lucidity Autoscaler" \
  --stage=GA \
  --permissions=compute.disks.create,compute.disks.delete,compute.disks.get,compute.disks.list,compute.disks.setLabels,compute.disks.use,compute.instances.attachDisk,compute.instances.detachDisk,compute.instances.get,compute.instances.list,compute.instances.setLabels,compute.instances.setMetadata,compute.instances.update,compute.zoneOperations.get,iam.serviceAccounts.actAs,logging.logEntries.create,logging.logEntries.list,logging.privateLogEntries.list,monitoring.timeSeries.list,resourcemanager.projects.get,monitoring.metricDescriptors.create,osconfig.osPolicyAssignments.create,osconfig.osPolicyAssignments.delete,osconfig.osPolicyAssignments.get,osconfig.osPolicyAssignments.list,osconfig.osPolicyAssignments.update,osconfig.osPolicyAssignments.searchPolicies,osconfig.osPolicyAssignmentReports.list,servicemanagement.services.bind,serviceusage.services.disable,serviceusage.services.enable,serviceusage.services.get,serviceusage.services.list,serviceusage.services.use,serviceusage.quotas.get,resourcemanager.projects.getIamPolicy

gcloud iam roles create lucidity.autoscaler.iam \
  --organization=ORGANIZATION-ID \
  --title="Lucidity Autoscaler IAM" \
  --description="Role for granting access to Lucidity Autoscaler" \
  --stage=GA \
  --permissions=iam.roles.get,resourcemanager.organizations.getIamPolicy,resourcemanager.folders.get

Step 2: Grant the roles created above to the Lucidity Autoscaler service account

  • Run the following commands [Replace PROJECT-ID and ORGANIZATION-ID with your actual project ID and organization ID]. The first binding is at project level, the second at organization level.

gcloud projects add-iam-policy-binding PROJECT-ID \
  --member=serviceAccount:lucidity-autoscaler@lucidity-main.iam.gserviceaccount.com \
  --role=organizations/ORGANIZATION-ID/roles/lucidity.autoscaler
gcloud organizations add-iam-policy-binding ORGANIZATION-ID \
  --member=serviceAccount:lucidity-autoscaler@lucidity-main.iam.gserviceaccount.com \
  --role=organizations/ORGANIZATION-ID/roles/lucidity.autoscaler.iam

Step 3: Copy and share the Project ID, Project Name and Organization Name with the Lucidity team
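Before sharing the details with the Lucidity team, it is worth confirming that the two roles created in Step 1 carry exactly the documented permission set. The script below is an added example for this page, not part of Lucidity's onboarding tooling: it parses the YAML that gcloud iam roles describe prints, unions the permissions of both roles and diffs them against the list above, reporting anything missing (onboarding would fail later) or extra (unreviewed privilege on a third-party identity). The sample_describe function, its organization number and etag are constructed stand-ins so the check can be exercised offline; the permission names are the ones on this page, plus compute.instances.setServiceAccount as an example of an extra permission that should be flagged.

```shell
#!/bin/sh
# Added example (not Lucidity's tooling): audit the custom roles from Step 1
# against the permission list documented above. Every listed permission must
# be present, and nothing else may be. Real usage, after Step 1:
#   gcloud iam roles describe lucidity.autoscaler --organization=ORGANIZATION-ID > a.yaml
#   gcloud iam roles describe lucidity.autoscaler.iam --organization=ORGANIZATION-ID > b.yaml
#   check_role_perms a.yaml b.yaml
export LC_ALL=C   # stable collation for sort/comm

# The 39 permissions listed on this page (union of both roles), whitespace-separated.
REQUIRED_PERMS='
  compute.disks.create compute.disks.delete compute.disks.get compute.disks.list
  compute.disks.setLabels compute.disks.use
  compute.instances.attachDisk compute.instances.detachDisk compute.instances.get
  compute.instances.list compute.instances.setLabels compute.instances.setMetadata
  compute.instances.update compute.zoneOperations.get
  iam.serviceAccounts.actAs iam.roles.get
  logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list
  monitoring.timeSeries.list monitoring.metricDescriptors.create
  osconfig.osPolicyAssignments.create osconfig.osPolicyAssignments.delete
  osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list
  osconfig.osPolicyAssignments.update osconfig.osPolicyAssignments.searchPolicies
  osconfig.osPolicyAssignmentReports.list
  servicemanagement.services.bind
  serviceusage.services.disable serviceusage.services.enable serviceusage.services.get
  serviceusage.services.list serviceusage.services.use serviceusage.quotas.get
  resourcemanager.projects.get resourcemanager.projects.getIamPolicy
  resourcemanager.organizations.getIamPolicy resourcemanager.folders.get
'

# Print the includedPermissions entries of one or more `gcloud iam roles
# describe` dumps: the block starts at "includedPermissions:", holds
# "- <permission>" lines and ends at the next top-level key.
extract_perms() {
  cat "$@" | sed -n '/^includedPermissions:/,/^[^- ]/p' | sed -n 's/^- //p'
}

# check_role_perms FILE...: return 0 only when the union of the dumps'
# permissions equals REQUIRED_PERMS; otherwise print MISSING:/EXTRA: lines.
check_role_perms() {
  tmp=$(mktemp -d) || return 2
  printf '%s\n' $REQUIRED_PERMS | sort -u > "$tmp/required"
  extract_perms "$@" | sort -u > "$tmp/actual"
  missing=$(comm -23 "$tmp/required" "$tmp/actual")   # documented but not granted
  extra=$(comm -13 "$tmp/required" "$tmp/actual")     # granted but not documented
  rm -rf "$tmp"
  status=0
  if [ -n "$missing" ]; then printf 'MISSING: %s\n' $missing; status=1; fi
  if [ -n "$extra" ]; then printf 'EXTRA: %s\n' $extra; status=1; fi
  return $status
}

# Constructed stand-in for `gcloud iam roles describe` output (not captured from
# a real project; both roles collapsed into one dump, organization number and
# etag are placeholders). "complete" matches the list exactly; "drifted" drops
# osconfig.osPolicyAssignmentReports.list and adds
# compute.instances.setServiceAccount, the kind of creep the audit should catch.
sample_describe() {
  perms=$(printf '%s\n' $REQUIRED_PERMS)
  if [ "$1" = drifted ]; then
    perms=$(printf '%s\n' $REQUIRED_PERMS | grep -v '^osconfig.osPolicyAssignmentReports.list$'
            echo compute.instances.setServiceAccount)
  fi
  echo 'description: Role for granting access to Lucidity Autoscaler'
  echo 'etag: BwXplaceholderEtag=='
  echo 'includedPermissions:'
  printf '%s\n' $perms | sed 's/^/- /'
  echo 'name: organizations/123456789012/roles/lucidity.autoscaler'
  echo 'stage: GA'
  echo 'title: Lucidity Autoscaler'
}

# Stand-alone demo: the drifted sample prints one MISSING and one EXTRA line.
demo_file=$(mktemp); sample_describe drifted > "$demo_file"
check_role_perms "$demo_file" || echo "audit failed as expected (exit $?)"
rm -f "$demo_file"
```

The check is deliberately two-sided: a missing permission is an onboarding bug, but an extra one is a privilege review finding, since the role is bound to an identity outside your organization. Re-run it whenever the roles are edited.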