# Required GCP Permissions

Noros follows the principle of least privilege. We request only the minimum permissions necessary to provide cost visibility and optimization insights for your Google Cloud environment.

### What Noros Cannot Do

Noros **cannot**:

* Read sensitive workload data
* Edit network rules or firewall configurations
* Create, stop, or terminate instances
* Change, copy, or delete your data
* Access data outside of the shared billing dataset
* Modify any GCP resources

### Required Permissions

Noros requires two read-only BigQuery roles on your shared billing dataset:

| Role                            | Purpose                                       |
| ------------------------------- | --------------------------------------------- |
| `roles/bigquery.dataViewer`     | Read tables and data from the billing dataset |
| `roles/bigquery.metadataViewer` | View dataset and table metadata, list tables  |

#### Minimum Required Role for Setup

The user setting up the integration needs the **BigQuery Data Owner** role to share the billing dataset with Noros.

### Workload Identity Federation

Noros uses **Workload Identity Federation** to access your GCP data — a keyless authentication method that eliminates the security risks associated with long-lived service account keys.

With Workload Identity Federation:

* **No service account keys** — No static credentials to manage, rotate, or risk leaking
* **Time-limited credentials** — Access tokens are automatically rotated and short-lived
* **Attribute-based security** — Access is scoped to specific conditions and identities

### Data Isolation

Noros can only access the specific BigQuery dataset you share during onboarding. It has:

* **No access** to other projects in your organization
* **No access** to other datasets in the same project
* **Read-only access** to the shared billing dataset only
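
One way to verify these grants on your side, as an added example that is not Noros's own tooling: the script below audits the `access` list of the shared dataset (for instance the JSON printed by `bq show --format=prettyjson`) and reports any role beyond the two listed under Required Permissions. The principal is a constructed placeholder, since this page does not name the identity Noros uses, and the check covers the dataset's access list only, not project-level IAM bindings.

```python
import json

# Roles this page says Noros needs. The BigQuery API reports a dataset-level
# roles/bigquery.dataViewer grant under the legacy name "READER".
ALLOWED = {
    "READER": "roles/bigquery.dataViewer",
    "roles/bigquery.dataViewer": "roles/bigquery.dataViewer",
    "roles/bigquery.metadataViewer": "roles/bigquery.metadataViewer",
}
REQUIRED = set(ALLOWED.values())
MEMBER_KEYS = ("userByEmail", "groupByEmail", "iamMember", "domain", "specialGroup")

def audit_dataset_access(dataset_json, principal):
    """Compare one principal's dataset grants with the two documented roles."""
    granted, excess = set(), []
    want = principal.lower()
    for entry in json.loads(dataset_json).get("access", []):
        # Authorized views and routines carry no member key and are skipped.
        member = next((entry[k] for k in MEMBER_KEYS if k in entry), "").lower()
        # iamMember values carry a type prefix such as "serviceAccount:".
        if member != want and not member.endswith(":" + want):
            continue
        role = entry.get("role", "")
        if role in ALLOWED:
            granted.add(ALLOWED[role])
        else:
            excess.append(role)  # anything beyond read-only is a finding
    missing = sorted(REQUIRED - granted)
    return {"ok": not excess and not missing,
            "excess": sorted(excess), "missing": missing}

# Constructed sample; the principal is a placeholder, not a real Noros identity.
PRINCIPAL = "noros-reader@example-project.iam.gserviceaccount.com"
SAMPLE = json.dumps({"access": [
    {"role": "OWNER", "specialGroup": "projectOwners"},
    {"role": "READER", "userByEmail": PRINCIPAL},
    {"role": "roles/bigquery.metadataViewer",
     "iamMember": "serviceAccount:" + PRINCIPAL},
]})

if __name__ == "__main__":
    print(audit_dataset_access(SAMPLE, PRINCIPAL))
```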

### Transparency

All permissions are clearly scoped and documented. If you have specific compliance or security requirements, contact <support@noros.ai> to discuss customized access configurations.

