GCP IAM Roles
This document describes the service accounts created by the deployment template used in the previous section. (CloudFormation is an AWS service; on GCP the equivalent template is typically Deployment Manager or Terraform.)
The template creates the following service accounts:
- ciscomcd-controller service account - This account is used by the Multicloud Defense Controller to access your GCP project. It creates resources (Multicloud Defense Gateway instances and the load balancers in front of them) and reads information about VPCs, subnets, network tags (the GCP equivalent of security group tags), and more. Because its credentials are handed to the controller, treat them as highly sensitive and grant only the roles the controller needs. See Create a GCP Controller Service Account for more information.
- ciscomcd-firewall service account - This account is attached to the Multicloud Defense Gateway compute VM instances. It provides access to Secret Manager (private keys for TLS decryption) and to storage. The gateways may also need permission to send logs from the Multicloud Defense Gateway to Cloud Logging (if configured by the user). Because any process on a gateway VM can obtain this account's token from the instance metadata server, keep its roles minimal and prefer per-secret IAM bindings over project-wide Secret Manager access. See Create a GCP Firewall Service Account for more information.