
IAM permission needed to view firewall policy inheritance

Hello!

Would anyone know what permissions I need to give someone to be able to see all the Firewall Policies their project inherits, to get rid of this "Sorry, the server was not able to fulfil your request." message on the Firewall page?

As per here - https://cloud.google.com/vpc/docs/firewall-policies#iam - I've tried various compute.networkViewer & compute.viewer options, which suggest they should work, but don't, and I don't want to start assigning admin roles etc.


With the permissions below, the user gets the error above, but they can still see the inherited Firewall policy rules when going through VPC Networks.


The roles compute.viewer and compute.networkViewer allow users to view the firewall rules applied to the network or instance. If you wish to grant the user access to view or use Compute Engine Firewall Policies associated with the organization or folders, you need to use the predefined role Compute Organization Firewall Policy User.

Hello @dasalemi,

Thanks for the reply, but as I mentioned in my post, while those two roles do allow the person to see the Firewall Policies in the VPC page (my 2nd screenshot), they don't appear to clear the error on the Firewall page (my first screenshot).

Both the screenshots are at the Project level, I don't want to give them access to the folder or org level.


Many thanks!
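As an added example (not from anyone in this thread), the commands below put the two approaches side by side: the project-level compute.networkViewer binding the original post tried, and the Compute Organization Firewall Policy User role from the reply, bound on the folder that owns the policies rather than on the whole organization, followed by the read-only checks to run as that user. FOLDER_ID, PROJECT_ID, NETWORK and MEMBER are placeholders; GCLOUD is an assumed variable so the script can be dry-run with GCLOUD=echo.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Placeholders: folder/project/network
# IDs and the member. Set GCLOUD=echo to print the commands instead of running them.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Project-level viewer role (what the original post tried): enough to read the
# rules shown on the VPC Networks page, but it grants nothing on the folder/org
# resources that own hierarchical firewall policies.
grant_project_network_viewer() {
  project="$1"; member="$2"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="$member" --role=roles/compute.networkViewer
}

# The role the reply names, bound on the folder rather than the organization so
# the grant stays as narrow as the hierarchy allows (no admin roles involved).
grant_folder_fw_policy_user() {
  folder="$1"; member="$2"
  "$GCLOUD" resource-manager folders add-iam-policy-binding "$folder" \
    --member="$member" --role=roles/compute.orgFirewallPolicyUser
}

# Read-only verification to run as the granted user: list the folder's policies,
# then the effective rule set (inherited policies plus VPC rules) on one network.
show_inherited_policies() {
  folder="$1"; project="$2"; network="$3"
  "$GCLOUD" compute firewall-policies list --folder="$folder"
  "$GCLOUD" compute networks get-effective-firewalls "$network" --project="$project"
}
```

Run the grant once, then have the affected user run show_inherited_policies; if the list succeeds but the console page still errors, the missing permission is on the folder/org resource, not the project.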