
feat(gcp): grant table + topic getIamPolicy permissions#51

Merged
vik-nullify merged 2 commits into main from feat/gcp-add-iam-policy-perms-pubsub-bigquery on May 19, 2026

Conversation

@tim-thacker-nullify
Member

Claude

Summary

Adds two resource-level IAM read permissions to the GCP connector custom role to unblock new CSPM rules landing in nullify-platform PR #4777.

| Permission | Why it's needed | What we deliberately do NOT grant |
| --- | --- | --- |
| `bigquery.tables.getIamPolicy` | Detect tables bound to `allUsers` / `allAuthenticatedUsers` and other table-level IAM misconfigurations. | `roles/bigquery.dataViewer` (would also expose row data) — we want only the IAM surface. |
| `pubsub.topics.getIamPolicy` | Detect topics bound to public principals. | `pubsub.topics.publish` and `subscriptions.consume` — read-only IAM only. |

Both grants are pure-read and consistent with the connector's metadata-only posture documented in main.tf.

Files

  • gcp-integration-setup/terraform/modules/nullify-gcp-integration/main.tf — adds 2 entries to custom_role_permissions_common with inline explanatory comments
  • gcp-integration-setup/docs/permissions.md — updates the customer-facing permission table to reflect the additions and the explicit rationale for not using roles/bigquery.dataViewer

Test plan

  • terraform fmt -recursive (no changes)
  • terraform validate — success
  • Apply on a dev tenant connector and confirm the custom role rev bumps to include the new permissions: gcloud iam roles describe nullifyCloudConnector --project=<dev-project>
  • Confirm nullify-platform PR #4777 scans succeed against the same dev tenant and produce the new gcp-bigquery-table-public and gcp-pubsub-no-public-access findings when seeded misconfigurations exist.

🤖 Generated with Claude Code
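The third test-plan step only eyeballs the `gcloud iam roles describe` output. The script below turns that step into a repeatable check: it asserts that both new permissions landed on the role and that none of the data-plane permissions the PR says it avoids crept in. This is an added example, not code from this repository or from nullify-platform; the `FORBIDDEN` set is my reading of what "metadata-only" must exclude, and `SAMPLE_ROLE` is a constructed stand-in for the `--format=json` output of `gcloud iam roles describe nullifyCloudConnector --project=<dev-project>`, not a capture from a real tenant.

```python
"""Audit the nullifyCloudConnector custom role for the PR's least-privilege contract.

Added example; not the connector's own code. Feed it the JSON that
`gcloud iam roles describe nullifyCloudConnector --project=<dev-project> --format=json`
prints, or run it bare to exercise the constructed sample.
"""
import json
import sys

# Permissions this PR adds; both must be present after `terraform apply`.
REQUIRED = {"bigquery.tables.getIamPolicy", "pubsub.topics.getIamPolicy"}

# Data-plane permissions that must stay off the role. This set is an assumption
# of what the "metadata-only posture" excludes; extend it as the role grows.
FORBIDDEN = {
    "bigquery.tables.getData",       # row reads, what roles/bigquery.dataViewer would bring
    "pubsub.topics.publish",
    "pubsub.subscriptions.consume",
}

# Constructed stand-in for a Role resource as gcloud prints it with --format=json.
SAMPLE_ROLE = {
    "name": "projects/dev-project/roles/nullifyCloudConnector",
    "title": "Nullify Cloud Connector",
    "stage": "GA",
    "includedPermissions": [
        "bigquery.datasets.get",
        "bigquery.tables.get",
        "bigquery.tables.getIamPolicy",
        "pubsub.topics.get",
        "pubsub.topics.getIamPolicy",
    ],
}


def audit_role(role: dict, required=REQUIRED, forbidden=FORBIDDEN) -> dict:
    """Compare a Role resource (dict) against the required/forbidden sets.

    Returns the permissions still missing, the forbidden ones that are present,
    and an overall verdict that is True only when both lists are empty.
    """
    granted = set(role.get("includedPermissions", []))
    missing = sorted(required - granted)
    over_grant = sorted(granted & forbidden)
    return {
        "missing": missing,
        "forbidden_present": over_grant,
        "ok": not missing and not over_grant,
    }


def audit_role_json(text: str) -> dict:
    """Same check on the raw JSON text from gcloud --format=json."""
    return audit_role(json.loads(text))


if __name__ == "__main__":
    # Read a piped gcloud result if there is one, otherwise use the sample.
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLE
    result = audit_role(role)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Pipe the real output in with `gcloud iam roles describe nullifyCloudConnector --project=<dev-project> --format=json | python3 audit_role.py`; a non-zero exit makes the check usable as a CI gate after apply.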

The nullify-platform CSPM pipeline added two new resource-level IAM
checks that the connector wasn't granting yet:

- **BigQuery table-level IAM** — `gcp-bigquery-table-public` and related
  rules need `bigquery.tables.getIamPolicy` to detect tables bound to
  `allUsers` / `allAuthenticatedUsers`. We can't grant
  `roles/bigquery.dataViewer` for this because it would also expose
  table row data; the per-permission grant gives us only the IAM
  surface.

- **Pub/Sub topic-level IAM** — `gcp-pubsub-no-public-access` needs
  `pubsub.topics.getIamPolicy`. The predefined `roles/pubsub.viewer`
  role already in the connector grants topic / subscription metadata
  listing but explicitly *not* IAM-policy reads.

Both are pure-read additions consistent with the connector's
metadata-only posture documented in main.tf. Updates docs/permissions.md
accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
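The commit message explains why `getIamPolicy` alone is enough for these rules: a public binding is visible in the policy document, so no data read is needed. The block below shows that evaluation on constructed `tables.getIamPolicy` / `topics.getIamPolicy` responses (the standard `bindings[].role` / `bindings[].members[]` policy shape). It is an added example, not the nullify-platform rule code; the finding layout and the mapping from resource kind to the rule ids named in the PR are my assumptions.

```python
"""Flag public principals in GCP IAM policies returned by getIamPolicy.

Added example, not nullify-platform's implementation. Works for any resource
that returns a google.iam.v1.Policy; BigQuery tables and Pub/Sub topics share
the same shape, which is why one read-only permission per resource suffices.
"""
from typing import Optional

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Rule ids are those named in the PR; the kind-to-rule mapping is assumed.
RULE_FOR_KIND = {
    "bigquery.table": "gcp-bigquery-table-public",
    "pubsub.topic": "gcp-pubsub-no-public-access",
}


def public_bindings(policy: dict) -> list:
    """Return every binding that grants a role to a public principal.

    Conditional bindings are reported too: an IAM condition narrows *when* the
    grant applies, not *who* receives it, so a conditioned allUsers is still public.
    """
    hits = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                hits.append({
                    "role": binding["role"],
                    "member": member,
                    "conditional": "condition" in binding,
                })
    return hits


def evaluate(kind: str, resource: str, policy: dict) -> Optional[dict]:
    """Produce a finding for a public resource, or None when it is private."""
    hits = public_bindings(policy)
    if not hits:
        return None
    return {"rule": RULE_FOR_KIND[kind], "resource": resource, "bindings": hits}


# Constructed policies shaped like getIamPolicy responses; not from a real project.
TABLE_POLICY_PUBLIC = {
    "version": 1,
    "bindings": [
        {"role": "roles/bigquery.dataOwner", "members": ["user:alice@example.com"]},
        {"role": "roles/bigquery.dataViewer", "members": ["allAuthenticatedUsers"]},
    ],
}
TOPIC_POLICY_PUBLIC = {
    "version": 1,
    "bindings": [{"role": "roles/pubsub.publisher", "members": ["allUsers"]}],
}
TOPIC_POLICY_PRIVATE = {
    "version": 1,
    "bindings": [{
        "role": "roles/pubsub.publisher",
        "members": ["serviceAccount:ingest@dev-project.iam.gserviceaccount.com"],
    }],
}


def run_samples() -> list:
    """Evaluate the three constructed policies and return only the findings."""
    cases = [
        ("bigquery.table", "projects/dev-project/datasets/ds/tables/events", TABLE_POLICY_PUBLIC),
        ("pubsub.topic", "projects/dev-project/topics/orders", TOPIC_POLICY_PUBLIC),
        ("pubsub.topic", "projects/dev-project/topics/internal", TOPIC_POLICY_PRIVATE),
    ]
    return [f for f in (evaluate(k, r, p) for k, r, p in cases) if f]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding["rule"], finding["resource"], finding["bindings"])
```

Note that the check never touches table rows or topic messages, which is the point of the per-permission grant over `roles/bigquery.dataViewer`.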
@tim-thacker-nullify tim-thacker-nullify added the minor Minor version updates (features) label May 19, 2026
@tim-thacker-nullify tim-thacker-nullify marked this pull request as ready for review May 19, 2026 02:29
@vik-nullify vik-nullify merged commit e4c2aa1 into main May 19, 2026
8 checks passed

Labels

minor Minor version updates (features)


2 participants