1. Billing Data & BigQuery Analysis
Processing the billing export, and BigQuery-specific optimization.

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/bigquery.jobUser | bigquery.jobs.create | Allows Wiv to run queries against your GCP Billing Export tables to generate cost reports. This is the one permission on this page that is not a pure read: it creates query jobs, and those jobs are billed to the project in which the role is granted, so grant it only on the project that hosts the billing export. |
roles/bigquery.dataViewer | bigquery.tables.getData, bigquery.tables.list | Grants read-only access to the datasets containing your billing exports. Bind this role on the billing export dataset itself rather than on the project so that Wiv can read only that dataset and not every table in the project. |
roles/bigquery.resourceViewer | bigquery.datasets.get, bigquery.tables.get | Allows Wiv to read dataset and table metadata (schema, size, row counts) without reading row data, which is needed to map table structures. Note that roles/bigquery.dataViewer already includes bigquery.datasets.get and bigquery.tables.get. |
roles/recommender.bigQueryCapacityCommitmentsViewer | recommender.bigqueryCapacityCommitmentsInsights.list | Specifically checks for unused BigQuery slots or opportunities to purchase committed slots for savings. |
2. Core Compute & Optimization Engine
These permissions are critical for the primary Compute Engine recommendations (rightsizing, idle VMs, snapshots, etc.).

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/compute.viewer | compute.instances.list, compute.disks.list, compute.snapshots.list | Required to list all VMs, Disks, and Snapshots to detect idle resources and unattached disks. |
roles/monitoring.viewer | monitoring.timeSeries.list, monitoring.metricDescriptors.list | Allows Wiv to read CPU, RAM, and Disk IO metrics. Without this, we cannot determine if a machine is “Idle” or “Oversized.” |
roles/recommender.computeViewer | recommender.computeInstanceIdleResourceRecommendations.list, recommender.computeInstanceMachineTypeRecommendations.list | Allows Wiv to retrieve Google’s native compute suggestions to validate our own models. |
roles/recommender.viewer | recommender.locations.list, recommender.locations.get | Allows Wiv to retrieve Google’s native suggestions across various categories. |
3. GKE & Kubernetes Optimization
These roles specifically power the container and cluster analysis features.

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/container.viewer | container.clusters.list, container.nodes.list, container.pods.list | Required to view GKE clusters, node pools, and pod configurations for rightsizing. Because pod specs are readable, any values placed inline in a manifest (for example environment variables set directly rather than via a Secret reference) are visible to this role. |
roles/gkebackup.viewer | gkebackup.backupPlans.list, gkebackup.backups.list | Allows analysis of GKE backup configurations to identify storage waste or policy gaps. |
4. Database & Storage Optimization
Permissions required for analyzing managed databases.

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/cloudsql.viewer | cloudsql.instances.list, cloudsql.instances.get | Required to view Cloud SQL instance configuration and status (enables idle Cloud SQL instance detection). |
roles/redis.viewer | redis.instances.list | Identifies Redis instances that are provisioned but unused or over-provisioned (Cost Visibility). |
roles/spanner.viewer | spanner.instances.list, spanner.databases.list | Provides detailed visibility into Spanner instance node counts and configuration for cost allocation. |
5. Resource Inventory & Network Visibility
These permissions let Wiv map "ghost" costs: resources that appear on the bill but are hard to locate without the specific viewer roles.

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/cloudasset.viewer | cloudasset.assets.searchAllResources | Allows Wiv to map every asset to a project (the "safety net" for cost allocation). The search is scoped to the resource on which the role is bound: granted on the organization it returns inventory for every project, granted on a single project it returns only that project's assets. |
roles/compute.networkViewer | compute.networks.list, compute.subnetworks.list | Provides ability to analyze VPCs, Interconnects, and Egress paths for network cost optimization. |
roles/logging.viewer | logging.logEntries.list | Read-only access to Cloud Audit Logs, used to validate recent resource activity and prevent false idle recommendations. Note that this role reads all log entries in the project except Data Access audit logs and Access Transparency logs (those require roles/logging.privateLogViewer), so application logs are readable as well, not only Admin Activity audit logs. |
6. Serverless, PaaS & Security Posture
Beyond Compute and GKE, these permissions are required for comprehensive cost observability. If a client spends money on Cloud Run or Dataflow, Wiv needs these to visualize and attribute those costs correctly.

| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
roles/run.viewer | run.services.list | Inventory of Cloud Run services to map serverless spend to specific teams/projects. |
roles/cloudfunctions.viewer | cloudfunctions.functions.list | Inventory of Cloud Functions to detect high-frequency invocations driving up costs. |
roles/pubsub.viewer | pubsub.subscriptions.list, pubsub.topics.list | Visibility into unattached subscriptions or massive message backlogs causing storage costs. |
roles/dataflow.viewer | dataflow.jobs.list | Analysis of Dataflow jobs (which can be notoriously expensive if stalled or looping). |
roles/cloudbuild.builds.viewer | cloudbuild.builds.list | Visibility into build history to identify expensive, long-running, or frequent build pipelines. |
roles/artifactregistry.reader | artifactregistry.repositories.list | Analyzing stored container images (e.g., identifying old/untagged images taking up storage space). |
roles/iam.securityReviewer | iam.serviceAccounts.list, iam.roles.list | Identifies over-privileged identities or unused service accounts (targets for "shadow IT" cost cleanup). This role is broader than the two permissions listed: it also grants getIamPolicy on nearly every resource type, so Wiv can read who holds which role across the project. |
roles/securitycenter.viewer | securitycenter.findings.list | Visibility into Security Command Center findings that may affect whether a resource should be recommended for termination. Findings can describe live misconfigurations, so treat this as sensitive read access. |
roles/cloudkms.viewer | cloudkms.cryptoKeys.list | Visibility into KMS keys (identifying expensive active keys that are no longer encrypting data). |
Summary
Wiv requests viewer-only permissions. We do not request permissions to modify, delete, or deploy resources; the single exception is bigquery.jobs.create, which is needed to run any BigQuery query at all. You can verify this yourself: every permission listed on this page ends in a get, list or search verb, and `gcloud iam roles describe ROLE` prints the full permission set of each predefined role. The roles requested allow us to:

- Read Metrics: To establish from monitoring data that a resource is idle or oversized (Monitoring/Compute/Container roles).
- Process Billing: To aggregate your spend data securely (BigQuery roles).
- Map Inventory: To ensure every line item on your invoice corresponds to a visible resource (Cloud Asset/PaaS roles).
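The two checks a practitioner would run before granting a third party the roles above, written as an added example rather than code from Wiv or from this page: first, classify each permission the vendor says it uses by its verb (the last dot-separated segment of a GCP permission name) and flag anything that is not a pure read; second, diff the roles actually bound to the vendor's service account in a project IAM policy (the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json`) against the requested list, so an over-broad grant such as roles/editor is caught. The role table below is a subset of the page's tables, the IAM policy is constructed for the example, and the service-account name is hypothetical.

```python
"""Audit the viewer-only claim for a set of requested GCP IAM roles.

Added example; not Wiv's code. The role table is copied from the page,
the IAM policy below is constructed, and the service-account name is
hypothetical.
"""
import json

# Constructed from the page's tables: role -> permissions stated as used.
REQUESTED_ROLES = {
    "roles/bigquery.jobUser": ["bigquery.jobs.create"],
    "roles/bigquery.dataViewer": ["bigquery.tables.getData", "bigquery.tables.list"],
    "roles/compute.viewer": ["compute.instances.list", "compute.disks.list",
                             "compute.snapshots.list"],
    "roles/monitoring.viewer": ["monitoring.timeSeries.list",
                                "monitoring.metricDescriptors.list"],
    "roles/cloudasset.viewer": ["cloudasset.assets.searchAllResources"],
    "roles/logging.viewer": ["logging.logEntries.list"],
    "roles/iam.securityReviewer": ["iam.serviceAccounts.list", "iam.roles.list"],
    "roles/cloudkms.viewer": ["cloudkms.cryptoKeys.list"],
}

# Verb prefixes that only read state versus prefixes that mutate or act.
READ_PREFIXES = ("get", "list", "search", "describe", "read", "view")
MUTATING_PREFIXES = ("create", "delete", "update", "set", "patch", "insert",
                     "use", "actAs", "start", "stop", "resize", "attach",
                     "detach", "run", "import", "export", "write")


def classify_permission(permission: str) -> str:
    """Return 'read', 'mutating' or 'unknown' from the permission's verb.

    GCP permissions have the form service.resource.verb; the verb is the
    last segment (bigquery.tables.getData -> getData).
    """
    verb = permission.rsplit(".", 1)[-1]
    if verb.startswith(READ_PREFIXES):
        return "read"
    if verb.startswith(MUTATING_PREFIXES):
        return "mutating"
    return "unknown"


def audit_requested(roles: dict) -> dict:
    """Return {role: [permissions that are not pure reads]} for roles with any."""
    findings = {}
    for role, perms in roles.items():
        flagged = [p for p in perms if classify_permission(p) != "read"]
        if flagged:
            findings[role] = flagged
    return findings


def check_binding(policy: dict, member: str, allowed_roles) -> dict:
    """Compare the roles bound to `member` in an IAM policy with an allowlist.

    `policy` has the shape returned by
    `gcloud projects get-iam-policy PROJECT --format=json`:
    {"bindings": [{"role": ..., "members": [...]}], "etag": ..., "version": ...}.
    Returns the roles granted beyond the allowlist and the allowed roles not
    yet granted, so both over- and under-provisioning are visible.
    """
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    allowed = set(allowed_roles)
    return {"extra": granted - allowed, "missing": allowed - granted}


# Constructed sample policy: the (hypothetical) vendor account holds two of
# the requested roles plus roles/editor, which someone granted "to make it work".
MEMBER = "serviceAccount:wiv-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:wiv-reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/monitoring.viewer",
     "members": ["serviceAccount:wiv-reader@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:wiv-reader@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ123456=",
  "version": 1
}
"""


def run_audit() -> dict:
    """Run both checks against the constructed inputs and return one report."""
    policy = json.loads(SAMPLE_POLICY_JSON)
    return {
        "non_read_permissions": audit_requested(REQUESTED_ROLES),
        "binding_diff": check_binding(policy, MEMBER, REQUESTED_ROLES),
    }


if __name__ == "__main__":
    # Sets are not JSON-serialisable; `default=sorted` renders them as lists.
    print(json.dumps(run_audit(), indent=2, default=sorted))
```

On the page's own table the first check flags exactly one permission, bigquery.jobs.create, which matches the summary's exception; the second check reports roles/editor as an extra grant and lists the requested roles that have not been bound yet. To run it against a real project, replace SAMPLE_POLICY_JSON with the output of `gcloud projects get-iam-policy PROJECT --format=json` and MEMBER with the vendor's service account.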