# Minimum IAM Role

### How to Create a Role for Hava (Google Cloud Platform)

This guide explains how to create a **minimal-permission custom IAM role** in Google Cloud for securely importing your resources into **Hava**.

The role provides read-only access across the supported services: every permission it contains is a `get`, `list` or `getIamPolicy` verb, which is enough for Hava to map your environment without granting any modification rights. Note that `resourcemanager.projects.getIamPolicy` lets the service account read the project's IAM bindings (who has which role), so treat the account as able to enumerate access, even though it cannot change it.

***

### Step 1: Create the Policy File

Create a file named `resource_importer_role.yaml` containing the role definition below (`gcloud` accepts the same structure as a `.json` file if you prefer).

Paste the following:

```yaml
title: "Resource Importer Role"
description: "Custom role for importing GCP resources"
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.list
- compute.disks.get
- compute.disks.list
- compute.diskTypes.get
- compute.diskTypes.list
- compute.networks.get
- compute.networks.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.firewalls.get
- compute.firewalls.list
- compute.routes.get
- compute.routes.list
- compute.routers.get
- compute.routers.list
- compute.addresses.get
- compute.addresses.list
- compute.globalAddresses.get
- compute.globalAddresses.list
- compute.forwardingRules.get
- compute.forwardingRules.list
- compute.globalForwardingRules.get
- compute.globalForwardingRules.list
- compute.backendServices.get
- compute.backendServices.list
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- compute.backendBuckets.get
- compute.backendBuckets.list
- compute.healthChecks.get
- compute.healthChecks.list
- compute.regionHealthChecks.get
- compute.regionHealthChecks.list
- compute.httpHealthChecks.get
- compute.httpHealthChecks.list
- compute.httpsHealthChecks.get
- compute.httpsHealthChecks.list
- compute.instanceGroups.get
- compute.instanceGroups.list
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.list
- compute.autoscalers.get
- compute.autoscalers.list
- compute.urlMaps.get
- compute.urlMaps.list
- compute.regionUrlMaps.get
- compute.regionUrlMaps.list
- compute.targetPools.get
- compute.targetPools.list
- compute.targetInstances.get
- compute.targetInstances.list
- compute.targetHttpProxies.get
- compute.targetHttpProxies.list
- compute.targetHttpsProxies.get
- compute.targetHttpsProxies.list
- compute.targetGrpcProxies.get
- compute.targetGrpcProxies.list
- compute.targetTcpProxies.get
- compute.targetTcpProxies.list
- compute.targetSslProxies.get
- compute.targetSslProxies.list
- compute.regionTargetHttpProxies.get
- compute.regionTargetHttpProxies.list
- compute.regionTargetHttpsProxies.get
- compute.regionTargetHttpsProxies.list
- compute.sslCertificates.get
- compute.sslCertificates.list
- compute.regionSslCertificates.get
- compute.regionSslCertificates.list
- compute.sslPolicies.get
- compute.sslPolicies.list
- compute.vpnGateways.get
- compute.vpnGateways.list
- compute.targetVpnGateways.get
- compute.targetVpnGateways.list
- compute.vpnTunnels.get
- compute.vpnTunnels.list
- compute.externalVpnGateways.get
- compute.externalVpnGateways.list
- compute.interconnects.get
- compute.interconnects.list
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.networkEndpointGroups.get
- compute.networkEndpointGroups.list
- compute.globalNetworkEndpointGroups.get
- compute.globalNetworkEndpointGroups.list
- compute.regionNetworkEndpointGroups.get
- compute.regionNetworkEndpointGroups.list
- compute.securityPolicies.get
- compute.securityPolicies.list
- compute.packetMirrorings.get
- compute.packetMirrorings.list
- compute.serviceAttachments.get
- compute.serviceAttachments.list
- compute.nodeGroups.get
- compute.nodeGroups.list
- container.clusters.get
- container.clusters.list
- storage.buckets.get
- storage.buckets.list
- cloudsql.instances.get
- cloudsql.instances.list
- pubsub.topics.get
- pubsub.topics.list
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- run.services.get
- run.services.list
- run.routes.get
- run.routes.list
- run.configurations.get
- run.configurations.list
- run.domainmappings.get
- run.domainmappings.list
- run.jobs.get
- run.jobs.list
- dns.managedZones.get
- dns.managedZones.list
- redis.instances.get
- redis.instances.list
- resourcemanager.projects.get
- compute.regionHealthCheckServices.list
- compute.regionNotificationEndpoints.list
- resourcemanager.projects.getIamPolicy
- compute.regions.list
- compute.zones.list
```

Save the file in your working directory.

***

### Step 2: Create the Custom Role in GCP

You can create the role **at the project or organization level**.

#### Option A — Create at the Project Level

Run:

```bash
gcloud iam roles create resourceImporter \
  --project=YOUR_PROJECT_ID \
  --file=resource_importer_role.yaml
```

#### Option B — Create at the Organization Level

If you want the same role definition available for binding in any project of the organization (this requires permission to create roles at the organization level, for example `roles/iam.organizationRoleAdmin`):

```bash
gcloud iam roles create resourceImporter \
  --organization=YOUR_ORG_ID \
  --file=resource_importer_role.yaml
```

Either command creates a reusable, read-only “Resource Importer” role. Creating the role does not grant it to anyone yet; that is the next step.

***

### Step 3: Assign the Role to Your Hava Service Account

The service account must already exist (create one with `gcloud iam service-accounts create` if you have not done so). Replace the placeholders and run:

```bash
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:hava-import-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="projects/YOUR_PROJECT_ID/roles/resourceImporter"
```

If you created the role at the organization level, you can still bind it to a single project, which keeps Hava's read access limited to that project: use the command above with `--role="organizations/YOUR_ORG_ID/roles/resourceImporter"`. To grant the role across every project in the organization instead, bind it at the organization level:

```bash
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
  --member="serviceAccount:hava-import-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="organizations/YOUR_ORG_ID/roles/resourceImporter"
```

***

### Step 4: Enable Required APIs

Hava can only import resources from APIs that are **enabled** in the project; a permission in the role is not enough if the corresponding service is disabled. At minimum, enable these services:

```bash
gcloud services enable \
  compute.googleapis.com \
  sqladmin.googleapis.com \
  storage.googleapis.com \
  pubsub.googleapis.com \
  run.googleapis.com \
  dns.googleapis.com \
  redis.googleapis.com \
  container.googleapis.com \
  cloudresourcemanager.googleapis.com
```

***

### Step 5: Connect to Hava

Once the service account is ready and the APIs are enabled:

1. Download the service account key (JSON). The key is a long-lived credential: keep it out of version control and shared drives, and delete it from the service account (`gcloud iam service-accounts keys delete`) if you later remove the integration.
2. In **Hava → Integrations → Google Cloud**, upload the key.
3. Hava will automatically begin mapping your resources.
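The script below is an added example and is not part of Hava's documentation or tooling. It ties Steps 1 to 3 together and adds the check a reviewer would want before and after creating the role: that every permission in `resource_importer_role.yaml` is a `get`, `list` or `getIamPolicy` verb and that none is listed twice, both for the local file and for the role as GCP stored it (which catches later edits made in the console). It assumes the `includedPermissions:` YAML layout shown in Step 1, that the service account already exists, and that `gcloud` is authenticated; the function and variable names (`check_role_readonly`, `apply_hava_role`, `HAVA_PROJECT`, `HAVA_SA`, `HAVA_ROLE_FILE`) are this example's own.

```shell
#!/bin/sh
# Added example (not Hava's code): audit the custom-role YAML from Step 1 for
# read-only verbs, then optionally create/bind the role (Steps 2 and 3) and
# re-audit the role as GCP stored it. Assumes gcloud's "includedPermissions:"
# YAML layout and an existing service account.

# Print the permission list from a role YAML, one permission per line.
role_permissions() {
  sed -n 's/^[[:space:]]*-[[:space:]]\{1,\}//p' "$1"
}

# Return 0 when every permission is a read-only verb (get, list, getIamPolicy,
# the only verbs the role in Step 1 uses) and none is duplicated; otherwise
# print the offending permissions to stderr and return 1.
check_role_readonly() {
  perms=$(role_permissions "$1")
  bad=$(printf '%s\n' "$perms" | grep -Ev '\.(get|list|getIamPolicy)$' || true)
  dups=$(printf '%s\n' "$perms" | sort | uniq -d)
  if [ -n "$bad" ]; then
    printf 'non-read-only permission(s):\n%s\n' "$bad" >&2
    return 1
  fi
  if [ -n "$dups" ]; then
    printf 'duplicate permission(s):\n%s\n' "$dups" >&2
    return 1
  fi
  return 0
}

# Create or update the role in one project, bind it to the service account at
# project scope (so the account can read only this project), then verify that
# the stored role is still read-only. Only runs when called explicitly.
apply_hava_role() {
  project="$1" sa="$2" file="$3"
  check_role_readonly "$file" || return 1
  if gcloud iam roles describe resourceImporter --project="$project" >/dev/null 2>&1; then
    gcloud iam roles update resourceImporter --project="$project" --file="$file"
  else
    gcloud iam roles create resourceImporter --project="$project" --file="$file"
  fi
  # --condition=None suppresses the interactive prompt for IAM conditions.
  gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$sa" \
    --role="projects/$project/roles/resourceImporter" \
    --condition=None
  deployed=$(mktemp)
  gcloud iam roles describe resourceImporter --project="$project" \
    --format='yaml(includedPermissions)' > "$deployed"
  if check_role_readonly "$deployed"; then rc=0; else rc=1; fi
  rm -f "$deployed"
  return $rc
}

# Usage (nothing touches GCP unless both variables are set):
#   HAVA_PROJECT=my-project \
#   HAVA_SA=hava-import-service-account@my-project.iam.gserviceaccount.com \
#   sh hava_role.sh
if [ -n "${HAVA_PROJECT:-}" ] && [ -n "${HAVA_SA:-}" ]; then
  apply_hava_role "$HAVA_PROJECT" "$HAVA_SA" "${HAVA_ROLE_FILE:-resource_importer_role.yaml}"
fi
```

Run `check_role_readonly resource_importer_role.yaml` on its own whenever the file changes; it exits non-zero and names the permission if someone adds a `create`, `update`, `delete` or `setIamPolicy` verb, so it works as a pre-commit or CI gate for the role file.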
