GCP permissions
Permissions North.Cloud requires from your AWS account.
GCP IAM Permissions & Deployment
North requires carefully scoped GCP permissions so our application can access billing and usage data required by our ML engine to provide automated FinOps recommendations. We purposefully limit all permissions to the minimum necessary for your financial analysis and do not request access to your workloads or sensitive application data.
GCP uses Workload Identity Federation and BigQuery dataset sharing to provide secure, fine-grained access to only your billing data—no North service account keys required.
What North CAN NOT do
Read sensitive data from your workloads or databases
View or edit network rules and security groups
Create, modify, stop, or terminate any compute instances or other machines
Change, copy, or export any development, test, or production data
Access any data outside of the billing dataset you explicitly share
Modify your GCP resources or configurations
The following sections explain the IAM permissions required and why each permission group is needed.
Permission Groups Explained
1. Baseline (Default) – Read-Only Billing Data via BigQuery
Purpose: These permissions allow North to read GCP billing, usage, and cost details from your BigQuery billing export. These are required for all FinOps analysis and recommendations.
Key Roles Explained:
roles/bigquery.dataViewer (BigQuery Data Viewer): Allows North to read data from tables in your billing dataset, which enables querying the cost and usage tables for cost analysis. Read-only: no permission to change, delete, or export data. No access to data outside the shared dataset.
roles/bigquery.metadataViewer (BigQuery Metadata Viewer): Allows North to view metadata (such as table structure and schema) about your billing dataset and to list the billing export tables. Read-only: cannot modify table metadata or datasets. Cannot see metadata for datasets you do not share.
How Access Works:
North uses GCP Workload Identity Federation to securely assume access to the shared dataset, without requiring service account keys.
To grant North access, you assign both roles above to the workload identity principal provided by North during onboarding. This principal follows a standard, auditable format and ensures that only North’s authorized system can access your shared data.
Security Model
Workload Identity Federation:
No service account keys required. Credentials are time-limited, rotated, and cannot be reused.
North can only access the specific dataset you share, and only with roles you choose.
Access is logged in GCP Cloud Audit Logs, providing full traceability.
The principal includes an attribute (attribute.aws_role/NorthGCPReadOnlyRole) to ensure only North’s authorized systems can assume the role.
Data Isolation:
North only has access to the billing dataset you explicitly share
Access is always read-only—North cannot modify or delete your data
North cannot access any other projects, datasets, or resources
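The grant described under "How Access Works" and the scoping guarantees in this Security Model section can be verified from your side. The following is an added example, not North's own tooling: it audits a dataset-level IAM policy (assumed to be exported in the standard IAM "bindings" JSON shape) and reports if the North workload identity principal holds anything beyond the two read-only roles, is missing one of them, or does not match the expected principalSet format carrying the attribute.aws_role/NorthGCPReadOnlyRole attribute. The project number and pool ID in the sample principal are placeholders, and the sample policies are constructed.

```python
import re

# The two roles the page lists as North's complete, read-only grant.
ALLOWED_ROLES = {"roles/bigquery.dataViewer", "roles/bigquery.metadataViewer"}

# Expected Workload Identity Federation principal shape. The project number
# and pool ID are assumptions; the attribute segment is the one named above.
NORTH_PRINCIPAL_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[a-z0-9-]+/attribute\.aws_role/NorthGCPReadOnlyRole$"
)

def audit_dataset_policy(policy: dict) -> list:
    """Return findings for an IAM policy dict in the standard 'bindings' shape.
    An empty list means North holds exactly the two read-only roles and nothing else."""
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(binding["role"])
    findings = []
    north = [m for m in roles_by_member if "NorthGCPReadOnlyRole" in m]
    if not north:
        findings.append("no North principal is bound to this dataset")
    for member in north:
        if not NORTH_PRINCIPAL_RE.match(member):
            findings.append(f"unexpected principal format: {member}")
        for role in sorted(roles_by_member[member] - ALLOWED_ROLES):
            findings.append(f"{member} holds non-read-only role {role}")
        for role in sorted(ALLOWED_ROLES - roles_by_member[member]):
            findings.append(f"{member} is missing required role {role}")
    return findings

# Constructed sample principal (placeholder project number and pool ID).
NORTH = ("principalSet://iam.googleapis.com/projects/123456789012/locations/global/"
         "workloadIdentityPools/north-pool/attribute.aws_role/NorthGCPReadOnlyRole")

# Constructed policies: the grant the page describes, and an over-broad one.
GOOD_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer", "members": [NORTH]},
    {"role": "roles/bigquery.metadataViewer", "members": [NORTH]},
]}
BAD_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer", "members": [NORTH]},
    {"role": "roles/bigquery.dataEditor", "members": [NORTH]},  # write access: not allowed
]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, audit_dataset_policy(policy) or ["OK"])
```

Run it against the policy you exported after onboarding; any finding other than an empty list means the binding drifted from the read-only scope described on this page.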