1. Billing Data & BigQuery Analysis
Processing the billing export, and BigQuery-specific optimization.
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/bigquery.jobUser | bigquery.jobs.create | Allows Wiv to run queries against your GCP Billing Export tables to generate cost reports. |
| roles/bigquery.dataViewer | | Grants read-only access to the specific datasets containing your billing exports. |
| roles/bigquery.resourceViewer | | Allows Wiv to see the schema and metadata of datasets without reading the content (essential for mapping table structures). |
| roles/recommender.bigQueryCapacityCommitmentsViewer | recommender.bigqueryCapacityCommitmentsInsights.list | Specifically checks for unused BigQuery slots or opportunities to purchase committed slots for savings. |
2. Core Compute & Optimization Engine
These permissions are critical for primary Compute Engine recommendations (Rightsizing, Idle VMs, Snapshots, etc.).
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/compute.viewer | | Required to list all VMs, Disks, and Snapshots to detect idle resources and unattached disks. |
| roles/monitoring.viewer | | Allows Wiv to read CPU, RAM, and Disk IO metrics. Without this, we cannot determine if a machine is "Idle" or "Oversized." |
| roles/recommender.computeViewer | | Allows Wiv to retrieve Google's native compute suggestions to validate our own models. |
| roles/recommender.viewer | | Allows Wiv to retrieve Google's native suggestions across various categories. |
3. GKE & Kubernetes Optimization
These roles specifically power the Container and Cluster analysis features.
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/container.viewer | | Required to view GKE clusters, node pools, and pod configurations for rightsizing. |
| roles/gkebackup.viewer | | Allows analysis of GKE backup configurations to identify storage waste or policy gaps. |
4. Database & Storage Optimization
Permissions required for analyzing managed databases.
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/cloudsql.viewer | | Required to view Cloud SQL instance configuration and status (enables idle Cloud SQL detection). |
| roles/redis.viewer | redis.instances.list | Identifies Redis instances that are provisioned but unused or over-provisioned (cost visibility). |
| roles/spanner.viewer | | Provides detailed visibility into Spanner instance node counts and configuration for cost allocation. |
5. Resource Inventory & Network Visibility
These permissions allow us to map "ghost" costs: resources that appear on the bill but are hard to locate without specific viewer roles.
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/cloudasset.viewer | cloudasset.assets.searchAllResources | Allows Wiv to map every asset in the organization to a project (the "safety net" for cost allocation). |
| roles/compute.networkViewer | | Provides the ability to analyze VPCs, Interconnects, and egress paths for network cost optimization. |
| roles/logging.viewer | logging.logEntries.list | Read-only access to Cloud Audit Logs, used to validate recent resource activity and prevent false idle recommendations. |
6. Serverless, PaaS & Security Posture
While your current primary list focuses on Compute/GKE, these permissions are required for comprehensive cost observability. If a client spends money on Cloud Run or Dataflow, Wiv needs these to visualize and attribute those costs correctly.
| Permission | Specific Actions Used | Reasoning / Functionality Enabled |
|---|---|---|
| roles/run.viewer | run.services.list | Inventory of Cloud Run services to map serverless spend to specific teams/projects. |
| roles/cloudfunctions.viewer | cloudfunctions.functions.list | Inventory of Cloud Functions to detect high-frequency invocations driving up costs. |
| roles/pubsub.viewer | | Visibility into unattached subscriptions or large message backlogs causing storage costs. |
| roles/dataflow.viewer | dataflow.jobs.list | Analysis of Dataflow jobs (which can be notoriously expensive if stalled or looping). |
| roles/cloudbuild.builds.viewer | cloudbuild.builds.list | Visibility into build history to identify expensive, long-running, or frequent build pipelines. |
| roles/artifactregistry.reader | artifactregistry.repositories.list | Analysis of stored container images (e.g., identifying old/untagged images taking up storage space). |
| roles/iam.securityReviewer | | Identifies over-privileged identities or unused service accounts (targets for "shadow IT" cost cleanup). |
| roles/securitycenter.viewer | securitycenter.findings.list | Visibility into Security Command Center findings that may influence resource termination decisions. |
| roles/cloudkms.viewer | cloudkms.cryptoKeys.list | Visibility into KMS keys (identifying expensive active keys that are no longer encrypting data). |
Summary
Wiv requests Viewer-only permissions. We do not request permissions to modify, delete, or deploy resources. The roles requested allow us to:
- Read Metrics: To mathematically prove a resource is idle or oversized (Monitoring/Compute/Container roles).
- Process Billing: To aggregate your spend data securely (BigQuery roles).
- Map Inventory: To ensure every line item on your invoice corresponds to a visible resource (Cloud Asset/PaaS roles).
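The viewer-only claim above is something a customer can verify on their side rather than take on trust. The script below is an added example, not Wiv's code: it reads an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, collects the roles bound to one member, and reports any role outside the list on this page, any role whose name suggests write/delete/deploy rights, and any binding that carries an IAM condition. The service account member id and the sample policy are constructed placeholders.

```python
import json
import re

# Constructed placeholder for the Wiv service account member (not a real account).
WIV_MEMBER = "serviceAccount:wiv-reader@example-project.iam.gserviceaccount.com"

# Every role listed on this page, grouped as on the page (assumed to be the full set).
WIV_EXPECTED_ROLES = frozenset({
    # 1. Billing Data & BigQuery Analysis
    "roles/bigquery.jobUser", "roles/bigquery.dataViewer",
    "roles/bigquery.resourceViewer", "roles/recommender.bigQueryCapacityCommitmentsViewer",
    # 2. Core Compute & Optimization Engine
    "roles/compute.viewer", "roles/monitoring.viewer",
    "roles/recommender.computeViewer", "roles/recommender.viewer",
    # 3. GKE & Kubernetes Optimization
    "roles/container.viewer", "roles/gkebackup.viewer",
    # 4. Database & Storage Optimization
    "roles/cloudsql.viewer", "roles/redis.viewer", "roles/spanner.viewer",
    # 5. Resource Inventory & Network Visibility
    "roles/cloudasset.viewer", "roles/compute.networkViewer", "roles/logging.viewer",
    # 6. Serverless, PaaS & Security Posture
    "roles/run.viewer", "roles/cloudfunctions.viewer", "roles/pubsub.viewer",
    "roles/dataflow.viewer", "roles/cloudbuild.builds.viewer", "roles/artifactregistry.reader",
    "roles/iam.securityReviewer", "roles/securitycenter.viewer", "roles/cloudkms.viewer",
})

# Heuristic: basic roles (owner/editor) and any role ending in admin/editor/owner/
# creator/writer imply mutation. Names only; it does not inspect role permissions.
_MUTATING = re.compile(r"^roles/(owner|editor)$|(admin|editor|owner|creator|writer)$", re.IGNORECASE)

# Constructed sample policy in gcloud's JSON shape. One binding is deliberately
# mis-granted (roles/compute.admin) so the audit has something to flag.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed-etag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.viewer", "members": [WIV_MEMBER, "group:finops@example.com"]},
        {"role": "roles/monitoring.viewer", "members": [WIV_MEMBER]},
        {"role": "roles/bigquery.jobUser", "members": [WIV_MEMBER]},
        {"role": "roles/compute.admin", "members": [WIV_MEMBER]},
    ],
}


def looks_mutating(role: str) -> bool:
    """True when the role name suggests write/delete/deploy rights."""
    return bool(_MUTATING.search(role))


def roles_for_member(policy: dict, member: str) -> tuple[set, set]:
    """Return (all roles bound to member, roles bound through a conditional binding)."""
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted.add(binding["role"])
            if "condition" in binding:
                conditional.add(binding["role"])
    return granted, conditional


def audit_member_roles(policy: dict, member: str, expected: frozenset) -> dict:
    """Compare a member's bindings against the expected viewer-only role set."""
    granted, conditional = roles_for_member(policy, member)
    unexpected = granted - expected
    return {
        "granted": granted,
        "unexpected": unexpected,                      # roles not on this page
        "missing": expected - granted,                 # page roles not yet bound
        "mutating": {r for r in granted if looks_mutating(r)},
        "conditional": conditional,                    # bindings worth a manual look
        "ok": not unexpected,
    }


def audit_policy_json(text: str, member: str = WIV_MEMBER,
                      expected: frozenset = WIV_EXPECTED_ROLES) -> dict:
    """Audit a policy given as the JSON text gcloud prints."""
    return audit_member_roles(json.loads(text), member, expected)


if __name__ == "__main__":
    report = audit_member_roles(SAMPLE_POLICY, WIV_MEMBER, WIV_EXPECTED_ROLES)
    for key in ("unexpected", "mutating", "conditional"):
        for role in sorted(report[key]):
            print(f"{key}: {role}")
    print("viewer-only: " + ("PASS" if report["ok"] else "FAIL"))
```

Run it against a real export with `audit_policy_json(open("policy.json").read())`; a non-empty `unexpected` or `mutating` set means the grant drifted from the list on this page and should be reviewed before the account is used.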