Minimum IAM Role

How to Create a Role for Hava (Google Cloud Platform)

This guide explains how to create a minimal-permission custom IAM role in Google Cloud for securely importing your resources into Hava.

The role provides read-only access across supported services, enough for Hava to map your environment without granting modification rights.


Step 1: Create the Policy File

Create a new file named resource_importer_role.yaml (JSON is also accepted; name it resource_importer_role.json if you prefer that format).

Paste the following:

title: "Resource Importer Role"
description: "Custom role for importing GCP resources"
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.list
- compute.disks.get
- compute.disks.list
- compute.diskTypes.get
- compute.diskTypes.list
- compute.networks.get
- compute.networks.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.firewalls.get
- compute.firewalls.list
- compute.routes.get
- compute.routes.list
- compute.routers.get
- compute.routers.list
- compute.addresses.get
- compute.addresses.list
- compute.globalAddresses.get
- compute.globalAddresses.list
- compute.forwardingRules.get
- compute.forwardingRules.list
- compute.globalForwardingRules.get
- compute.globalForwardingRules.list
- compute.backendServices.get
- compute.backendServices.list
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- compute.backendBuckets.get
- compute.backendBuckets.list
- compute.healthChecks.get
- compute.healthChecks.list
- compute.regionHealthChecks.get
- compute.regionHealthChecks.list
- compute.httpHealthChecks.get
- compute.httpHealthChecks.list
- compute.httpsHealthChecks.get
- compute.httpsHealthChecks.list
- compute.instanceGroups.get
- compute.instanceGroups.list
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.list
- compute.autoscalers.get
- compute.autoscalers.list
- compute.urlMaps.get
- compute.urlMaps.list
- compute.regionUrlMaps.get
- compute.regionUrlMaps.list
- compute.targetPools.get
- compute.targetPools.list
- compute.targetInstances.get
- compute.targetInstances.list
- compute.targetHttpProxies.get
- compute.targetHttpProxies.list
- compute.targetHttpsProxies.get
- compute.targetHttpsProxies.list
- compute.targetGrpcProxies.get
- compute.targetGrpcProxies.list
- compute.targetTcpProxies.get
- compute.targetTcpProxies.list
- compute.targetSslProxies.get
- compute.targetSslProxies.list
- compute.regionTargetHttpProxies.get
- compute.regionTargetHttpProxies.list
- compute.regionTargetHttpsProxies.get
- compute.regionTargetHttpsProxies.list
- compute.sslCertificates.get
- compute.sslCertificates.list
- compute.regionSslCertificates.get
- compute.regionSslCertificates.list
- compute.sslPolicies.get
- compute.sslPolicies.list
- compute.vpnGateways.get
- compute.vpnGateways.list
- compute.targetVpnGateways.get
- compute.targetVpnGateways.list
- compute.vpnTunnels.get
- compute.vpnTunnels.list
- compute.externalVpnGateways.get
- compute.externalVpnGateways.list
- compute.interconnects.get
- compute.interconnects.list
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.networkEndpointGroups.get
- compute.networkEndpointGroups.list
- compute.globalNetworkEndpointGroups.get
- compute.globalNetworkEndpointGroups.list
- compute.regionNetworkEndpointGroups.get
- compute.regionNetworkEndpointGroups.list
- compute.securityPolicies.get
- compute.securityPolicies.list
- compute.packetMirrorings.get
- compute.packetMirrorings.list
- compute.serviceAttachments.get
- compute.serviceAttachments.list
- compute.nodeGroups.get
- compute.nodeGroups.list
- container.clusters.get
- container.clusters.list
- storage.buckets.get
- storage.buckets.list
- cloudsql.instances.get
- cloudsql.instances.list
- pubsub.topics.get
- pubsub.topics.list
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- run.services.get
- run.services.list
- run.routes.get
- run.routes.list
- run.configurations.get
- run.configurations.list
- run.domainmappings.get
- run.domainmappings.list
- run.jobs.get
- run.jobs.list
- dns.managedZones.get
- dns.managedZones.list
- redis.instances.get
- redis.instances.list
- resourcemanager.projects.get
- compute.regionHealthCheckServices.list
- compute.regionNotificationEndpoints.list
- resourcemanager.projects.getIamPolicy
- compute.regions.list
- compute.zones.list

Save the file in your working directory.


Step 2: Create the Custom Role in GCP

You can create the role at the project or organization level.

Option A — Create at the Project Level

Run:

gcloud iam roles create resourceImporter \
  --project=YOUR_PROJECT_ID \
  --file=resource_importer_role.yaml

Option B — Create at the Organization Level

If you want the same role available across all projects:

gcloud iam roles create resourceImporter \
  --organization=YOUR_ORG_ID \
  --file=resource_importer_role.yaml

This creates a reusable, read-only “Resource Importer” role.


Step 3: Assign the Role to Your Hava Service Account

Replace the placeholders and run:

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:hava-import-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="projects/YOUR_PROJECT_ID/roles/resourceImporter"

Or if you created it at the org level:

gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
  --member="serviceAccount:hava-import-service-account@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="organizations/YOUR_ORG_ID/roles/resourceImporter"
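The role definition in Step 1 is meant to be read-only, and the binding in Step 3 should be the only role the Hava service account holds. Both are easy to verify before and after running the gcloud commands above. The script below is an added example and is not part of Hava's documentation: it checks that every permission in a role file ends in a read-only verb (get, list, getIamPolicy), counts the permissions so the file can be diffed against the documented list, and checks a list of bound roles (as printed by gcloud projects get-iam-policy with --flatten, --filter and --format, shown in a comment) for anything broader than the custom importer role. The function names and the two sample role files are constructed for illustration; only create_role_if_readonly calls gcloud, and nothing runs it unless you invoke it yourself.

```bash
#!/usr/bin/env bash
# Added example (not Hava's code): pre-flight checks around Steps 1-3.
# Assumes the role file uses the `includedPermissions:` list format shown in Step 1.
set -eu

# Extract "- service.resource.verb" entries from a role file, one per line.
list_permissions() {
  sed -n 's/^[[:space:]]*-[[:space:]]*\([A-Za-z0-9_.]*\)[[:space:]]*$/\1/p' "$1"
}

# Return 0 if every permission uses a read-only verb (get, list, getIamPolicy);
# print the offenders to stderr and return 1 otherwise.
check_readonly_permissions() {
  bad=$(list_permissions "$1" \
        | awk -F. '{ verb = $NF }
                   verb != "get" && verb != "list" && verb != "getIamPolicy" { print }')
  if [ -n "$bad" ]; then
    printf 'non-read-only permission(s) found in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  return 0
}

# Number of permissions in a role file (handy for diffing against the documented list).
count_permissions() {
  list_permissions "$1" | wc -l | tr -d ' '
}

# Read role names from stdin (one per line) and return 0 only if the member holds
# exactly the expected custom role. Feed it the output of, for example:
#   gcloud projects get-iam-policy YOUR_PROJECT_ID --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:SA_EMAIL" --format="value(bindings.role)"
check_only_importer_role() {
  expected="$1"
  extra=$(grep -v -x -F "$expected" || true)
  if [ -n "$extra" ]; then
    printf 'member holds roles beyond %s:\n%s\n' "$expected" "$extra" >&2
    return 1
  fi
  return 0
}

# Create the custom role only after the read-only check passes (this is the one
# function that talks to GCP; call it explicitly when you are ready).
create_role_if_readonly() {
  project="$1"; file="$2"
  check_readonly_permissions "$file" || return 1
  gcloud iam roles create resourceImporter --project="$project" --file="$file"
}

# Constructed sample role files for demonstration (not the full list from Step 1).
tmpdir=$(mktemp -d)
cat > "$tmpdir/ok.yaml" <<'EOF'
title: "Resource Importer Role"
description: "Custom role for importing GCP resources"
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.list
- resourcemanager.projects.getIamPolicy
EOF

cat > "$tmpdir/bad.yaml" <<'EOF'
title: "Resource Importer Role"
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.setMetadata
- storage.objects.delete
EOF

# Usage: run the checks on the real file before Step 2, e.g.
#   check_readonly_permissions resource_importer_role.yaml && echo "role file is read-only"
```

Run check_readonly_permissions against resource_importer_role.yaml before Step 2; after Step 3, pipe the bound-roles query into check_only_importer_role with the full role name (projects/YOUR_PROJECT_ID/roles/resourceImporter or the organizations/... form) to confirm the service account was not also granted a primitive role such as roles/editor.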

Step 4: Enable Required APIs

Hava can only import resources from APIs that are enabled. At minimum, enable these services:

gcloud services enable \
  compute.googleapis.com \
  sqladmin.googleapis.com \
  storage.googleapis.com \
  pubsub.googleapis.com \
  run.googleapis.com \
  dns.googleapis.com \
  redis.googleapis.com \
  container.googleapis.com \
  cloudresourcemanager.googleapis.com

Step 5: Connect to Hava

Once the service account is ready and the APIs are enabled:

  1. Download the service account key (JSON).

  2. In Hava → Integrations → Google Cloud, upload the key.

  3. Hava will automatically begin mapping your resources.
