Lucidity AutoScaler Permissions Overview
Lucidity's AutoScaler operates on an agent-based architecture. A lightweight agent deployed on each host instance is responsible for monitoring storage metrics and relaying them back to the Lucidity storage service. The storage service, based on these utilization metrics, determines when to perform scaling operations and communicates these back to the agent. All direct interactions with the cloud provider, such as attaching and detaching volumes, are managed by the Lucidity storage service.
Role scope and Binding scope
Lucidity creates two custom IAM roles in GCP, each with a different scope and binding level:
Role 1: lucidity.autoscaler
Created at: Organization level
Bound at: Project scope
Contains the core compute, logging, monitoring, osconfig, and service usage permissions required for AutoScaler operations within a specific GCP project.
Role 2: lucidity.autoscaler.iam
Created at: Organization level
Bound at: Organization scope
Contains IAM and resource manager permissions that require org-level access, such as iam.roles.get, resourcemanager.organizations.getIamPolicy, and resourcemanager.folders.get. These are needed to verify role assignments and traverse the resource hierarchy at the organization level.
Note: Both roles are created at the organization level, but their bindings differ: lucidity.autoscaler is bound at the project level, while lucidity.autoscaler.iam is bound at the organization level.
The Lucidity AutoScaler requires the following permissions:
| # | Permission Name | Description |
|---|---|---|
| 1 | compute.disks.create | To grant permission to create new managed disks. Essential for expanding disk capacity dynamically. |
| 2 | compute.disks.delete | To allow deletion of managed disks. Required for cleaning up detached disks after scaling operations. |
| 3 | compute.disks.get | To provide access to retrieve details about managed disks (e.g., size, disk tier). |
| 4 | compute.disks.list | To enable listing all managed disks within a project. |
| 5 | compute.disks.setLabels | To allow setting or updating labels on managed disks for tagging and organization. |
| 6 | compute.disks.use | To grant permission to use a disk. Needed for attach, detach and delete operations, and also for resizing and snapshotting. |
| 7 | compute.instances.attachDisk | To enable attaching an existing managed disk to a VM instance. |
| 8 | compute.instances.detachDisk | To allow detaching a managed disk from a VM instance. |
| 9 | compute.instances.get | To provide access to retrieve metadata about VM instances (e.g., size, type, IDs). |
| 10 | compute.instances.list | To enable listing all VM instances within a project. |
| 11 | compute.instances.setLabels | To allow setting or updating labels on VM instances for tagging and organization. |
| 12 | compute.instances.setMetadata | To grant permission to set or update VM instance metadata. Used for AutoScaler agent configuration. |
| 13 | compute.instances.update | To provide permission to update VM instance properties. |
| 14 | compute.zoneOperations.get | To retrieve the status of asynchronous zonal operations issued to the cloud. |
| 15 | iam.serviceAccounts.actAs | GCP attaches a service account to every VM by default. This permission is required to impersonate that service account while performing tasks such as agent installation and disk attachment. |
| 16 | logging.logEntries.create | To allow creating log entries. Used by the Lucidity agent to send logs and metrics during agent installation. |
| 17 | logging.logEntries.list | To grant permission to list log entries. Used during agent installation to check and verify the agent installation status. |
| 18 | logging.privateLogEntries.list | To allow listing private log entries. |
| 19 | monitoring.timeSeries.list | To enable listing time series data from Cloud Monitoring. Fundamental for performance metric collection. |
| 20 | monitoring.metricDescriptors.create | To grant permission to create custom metric descriptors in Cloud Monitoring. |
| 21 | osconfig.osPolicyAssignments.create | To allow the creation of OS Policy Assignments for deploying and configuring the AutoScaler agent. |
| 22 | osconfig.osPolicyAssignments.delete | To grant permission to delete OS Policy Assignments for cleanup after agent installation completes. |
| 23 | osconfig.osPolicyAssignments.get | To enable retrieving details about existing OS Policy Assignments. |
| 24 | osconfig.osPolicyAssignments.list | To allow listing all OS Policy Assignments within a project. |
| 25 | osconfig.osPolicyAssignments.searchPolicies | To provide permission to search for OS policies. |
| 26 | osconfig.osPolicyAssignments.update | To grant permission to update existing OS Policy Assignments. |
| 27 | resourcemanager.projects.get | To allow retrieval of details about a specific GCP project for Account Linking. |
| 28 | servicemanagement.services.bind | To allow binding services, required for configuring connections between services. |
| 29 | serviceusage.services.disable | To allow disabling services (mainly the OS Config service) that were enabled for AutoScaler agent installation, as part of cleanup. |
| 30 | serviceusage.services.enable | To grant permission to enable services such as the OS Config service, which is used to install the AutoScaler agent. |
| 31 | serviceusage.services.get | To enable retrieval of details about a specific service and to check whether required services (e.g., the Compute API and OS Config API) are enabled. |
| 32 | serviceusage.services.list | To grant permission to list all services available to a project and to check whether required services (e.g., the Compute API and OS Config API) are enabled. |
| 33 | serviceusage.services.use | To provide permission to use the enabled GCP services mentioned above. |
| 34 | serviceusage.quotas.get | Needed to check resource quotas before scaling to avoid failures. |
| 35 | resourcemanager.projects.getIamPolicy | Required to verify service account permissions. |
| 36 | compute.disks.createSnapshot | To allow creating a snapshot of a persistent disk, capturing its current state for backup or replication purposes. |
| 37 | compute.globalOperations.get | To allow retrieving the status and details of a global operation, such as long-running tasks across the project. |
| 38 | compute.snapshots.create | To allow creating new snapshots of persistent disks within the project. |
| 39 | compute.snapshots.delete | To allow deleting existing snapshots from the project. |
| 40 | compute.snapshots.list | To allow listing all snapshots in the project. |
| 41 | compute.snapshots.setLabels | To allow adding or updating labels (key-value pairs) on existing snapshots for organization or filtering purposes. |
| 42 | iam.roles.get | To retrieve details of IAM roles. Required to verify that the correct roles and permissions are assigned to the Lucidity service account. |
| 43 | resourcemanager.organizations.getIamPolicy | To retrieve the IAM policy of an organization. Required to verify service account permissions and role bindings at the organization level. |
| 44 | resourcemanager.folders.get | To retrieve details of a specific folder in the resource hierarchy. Used to identify and access resources organized within folders during account linking. |
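An added drift check (example code, not Lucidity's own tooling) that compares a deployed custom role with the list above, so that extra permissions (over-privilege), missing ones, and org-level permissions leaked into the project-bound role are caught. It assumes, following the role descriptions above, that rows 1–41 belong to lucidity.autoscaler and rows 42–44 to lucidity.autoscaler.iam, and it reads only the includedPermissions list from the YAML that `gcloud iam roles describe ROLE_ID --organization=ORG_ID` prints; the sample input is constructed.

```python
"""Drift check for the two Lucidity AutoScaler custom roles (added example,
not Lucidity's tooling). Reads the YAML that `gcloud iam roles describe
ROLE_ID --organization=ORG_ID` prints, using only its includedPermissions
list, and compares it with the permissions documented on this page."""

# Rows 42-44 of the table: need the organization-level binding (lucidity.autoscaler.iam).
ORG_ONLY = {"iam.roles.get", "resourcemanager.organizations.getIamPolicy",
            "resourcemanager.folders.get"}
# Rows 1-41 of the table: the project-bound role (lucidity.autoscaler). Assumed split.
PROJECT_ROLE = set("""
compute.disks.create compute.disks.delete compute.disks.get compute.disks.list compute.disks.setLabels
compute.disks.use compute.disks.createSnapshot compute.instances.attachDisk compute.instances.detachDisk
compute.instances.get compute.instances.list compute.instances.setLabels compute.instances.setMetadata
compute.instances.update compute.zoneOperations.get compute.globalOperations.get compute.snapshots.create
compute.snapshots.delete compute.snapshots.list compute.snapshots.setLabels iam.serviceAccounts.actAs
logging.logEntries.create logging.logEntries.list logging.privateLogEntries.list monitoring.timeSeries.list
monitoring.metricDescriptors.create osconfig.osPolicyAssignments.create osconfig.osPolicyAssignments.delete
osconfig.osPolicyAssignments.get osconfig.osPolicyAssignments.list osconfig.osPolicyAssignments.searchPolicies
osconfig.osPolicyAssignments.update resourcemanager.projects.get resourcemanager.projects.getIamPolicy
servicemanagement.services.bind serviceusage.services.disable serviceusage.services.enable
serviceusage.services.get serviceusage.services.list serviceusage.services.use serviceusage.quotas.get
""".split())
EXPECTED = {"lucidity.autoscaler": PROJECT_ROLE, "lucidity.autoscaler.iam": ORG_ONLY}


def parse_permissions(describe_output: str) -> set[str]:
    """Collect the '- perm' items listed under the includedPermissions key."""
    perms, in_list = set(), False
    for line in describe_output.splitlines():
        stripped = line.strip()
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and stripped.startswith("- "):
            perms.add(stripped[2:].strip())
        elif in_list and stripped and not line[0].isspace():
            in_list = False  # the next top-level key ends the list
    return perms


def check_role(role_id: str, describe_output: str) -> dict[str, set[str]]:
    """Drift report: extra = over-privilege, missing = AutoScaler calls will fail,
    misplaced = org-level permissions granted in the project-bound role."""
    actual, expected = parse_permissions(describe_output), EXPECTED[role_id]
    misplaced = actual & ORG_ONLY if role_id == "lucidity.autoscaler" else set()
    return {"extra": actual - expected, "missing": expected - actual, "misplaced": misplaced}


# Constructed sample of `gcloud iam roles describe` output with one permission beyond the documented set.
SAMPLE = ("title: Lucidity AutoScaler\nincludedPermissions:\n- "
          + "\n- ".join(sorted(PROJECT_ROLE | {"compute.instances.delete"})) + "\nstage: GA\n")
if __name__ == "__main__":
    print(check_role("lucidity.autoscaler", SAMPLE))
```

Run it against real output by piping `gcloud iam roles describe` into `parse_permissions` for each of the two roles; any non-empty set in the report is a deviation from this page.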