
Required permissions in the GCP account

The service account ID eset-cwpp-service-account (display name: ESET CWPP Service Account, email format: eset-cwpp-service-account@eset-cwpp-<hash>.iam.gserviceaccount.com) is created automatically during the GCP onboarding flow. It has read/management permissions across the customer's GCP organization or selected projects so CWP can discover and inspect cloud resources.

Role Assignments

| IAM Role | Organization-Level | Project-Level | Purpose/Why it is needed |
|---|---|---|---|
| roles/resourcemanager.organizationViewer | Yes | No | Read-only view of the organization resource. Required to get organization metadata and hierarchy at organization scope. |
| roles/resourcemanager.folderViewer | Yes | No | Read-only view of folders inside the organization. Required to traverse the folder hierarchy when discovering projects across the whole organization. |
| roles/cloudasset.viewer | Yes | Yes | Read-only access to Cloud Asset Inventory. Required to list and discover all GCP resources (VMs, projects). |
| roles/compute.instanceAdmin.v1 | Yes | Yes | Full control of Compute Engine instances. Required to: (1) list VM instances across all projects in the organization; (2) retrieve instance and machine type details for inventory; (3) add/remove the "cwpp-li-<hash>" label on a VM instance during the ESET Live Installer deployment. The label is used as the OS Policy Assignment instance filter to target the specific VM and is removed after installation completes. |
| roles/logging.viewer | Yes | Yes | Read-only access to Cloud Logging (audit logs). Required to collect and read audit log entries. |
| roles/osconfig.osPolicyAssignmentAdmin | Yes | Yes | Create, update, and delete OS Policy Assignments. Required to deploy and manage the OS Policy Assignments that orchestrate the ESET protection installation on VMs. |
| roles/osconfig.osPolicyAssignmentReportViewer | Yes | Yes | Read compliance reports for OS Policy Assignments. Required to check the compliance/status of deployed OS policies. |
| roles/osconfig.inventoryViewer | Yes | Yes | Read OS inventory data collected by VM Manager. Required to determine each VM's OS (name, version), details, and deployment readiness. |
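The table above is also the reference set for a least-privilege check: after onboarding, the service account should hold exactly these roles at each scope, nothing missing (CWP features would fail) and nothing extra (an over-privileged identity). The following script is an added example, not ESET's own tooling; it compares the bindings in a GCP IAM policy JSON (the output of `gcloud organizations get-iam-policy` or `gcloud projects get-iam-policy` with `--format=json`) against the table. It assumes the member string format `serviceAccount:eset-cwpp-service-account@eset-cwpp-<hash>.iam.gserviceaccount.com` given above; the embedded sample policy is constructed for illustration and is not real gcloud output.

```python
"""Audit the ESET CWPP service account's IAM bindings against the role table.

Usage: python audit_cwpp_roles.py POLICY.json organization|project
where POLICY.json is from `gcloud organizations|projects get-iam-policy ... --format=json`.
"""
from __future__ import annotations

import json
import sys

# Service account ID from the onboarding documentation; the <hash> in the project part varies.
SERVICE_ACCOUNT_ID = "eset-cwpp-service-account"

# Expected roles per scope, copied from the role table.
EXPECTED_ROLES: dict[str, set[str]] = {
    "organization": {
        "roles/resourcemanager.organizationViewer",
        "roles/resourcemanager.folderViewer",
        "roles/cloudasset.viewer",
        "roles/compute.instanceAdmin.v1",
        "roles/logging.viewer",
        "roles/osconfig.osPolicyAssignmentAdmin",
        "roles/osconfig.osPolicyAssignmentReportViewer",
        "roles/osconfig.inventoryViewer",
    },
    "project": {
        "roles/cloudasset.viewer",
        "roles/compute.instanceAdmin.v1",
        "roles/logging.viewer",
        "roles/osconfig.osPolicyAssignmentAdmin",
        "roles/osconfig.osPolicyAssignmentReportViewer",
        "roles/osconfig.inventoryViewer",
    },
}


def is_cwpp_member(member: str) -> bool:
    """True when a binding member is the ESET CWPP service account (assumed email format)."""
    kind, _, email = member.partition(":")
    if kind != "serviceAccount":
        return False
    local, _, domain = email.partition("@")
    return local == SERVICE_ACCOUNT_ID and domain.endswith(".iam.gserviceaccount.com")


def bound_roles(policy: dict) -> set[str]:
    """Collect every role the CWPP service account appears in within this policy."""
    roles: set[str] = set()
    for binding in policy.get("bindings", []):
        if any(is_cwpp_member(m) for m in binding.get("members", [])):
            roles.add(binding["role"])
    return roles


def audit(policy: dict, scope: str) -> dict[str, list[str]]:
    """Compare bound roles with the expected set for 'organization' or 'project'."""
    expected = EXPECTED_ROLES[scope]
    actual = bound_roles(policy)
    return {
        "ok": sorted(expected & actual),
        "missing": sorted(expected - actual),     # onboarding incomplete
        "unexpected": sorted(actual - expected),  # over-privileged: review and remove
    }


# Constructed sample project policy (not real gcloud output): the CWPP account lacks
# logging.viewer, holds roles/owner it should not, and an unrelated account must be ignored.
_CWPP = "serviceAccount:eset-cwpp-service-account@eset-cwpp-0123abcd.iam.gserviceaccount.com"
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/cloudasset.viewer", "members": [_CWPP]},
        {"role": "roles/compute.instanceAdmin.v1", "members": [_CWPP]},
        {"role": "roles/osconfig.osPolicyAssignmentAdmin", "members": [_CWPP]},
        {"role": "roles/osconfig.osPolicyAssignmentReportViewer", "members": [_CWPP]},
        {"role": "roles/osconfig.inventoryViewer", "members": [_CWPP]},
        {"role": "roles/owner", "members": ["user:admin@example.com", _CWPP]},
        {"role": "roles/editor", "members": ["serviceAccount:other@example-proj.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}


def main(argv: list[str]) -> int:
    if len(argv) != 3 or argv[2] not in EXPECTED_ROLES:
        print(__doc__, file=sys.stderr)
        return 2
    with open(argv[1]) as fh:
        policy = json.load(fh)
    result = audit(policy, argv[2])
    for key, roles in result.items():
        print(f"{key}: {', '.join(roles) or '-'}")
    return 1 if result["missing"] or result["unexpected"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once per scope: against the organization policy with `organization`, and against each onboarded project's policy with `project`. A non-zero exit means the account deviates from the table; `missing` entries explain why discovery or deployment fails, while `unexpected` entries (such as roles/owner in the sample) are the ones to remove. Conditional bindings are treated like unconditional ones here, so review any `condition` blocks by hand.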