Noros follows the principle of least privilege. We request only the minimum permissions necessary to provide cost visibility and optimization insights for your Google Cloud environment.
Noros cannot:
Read sensitive workload data
Edit network rules or firewall configurations
Create, stop, or terminate instances
Change, copy, or delete your data
Access data outside of the shared billing dataset
Modify any GCP resources
Noros requires two read-only BigQuery roles on your shared billing dataset:
roles/bigquery.dataViewer
Read tables and data from the billing dataset
roles/bigquery.metadataViewer
View dataset and table metadata, list tables
The user setting up the integration needs the BigQuery Data Owner role to share the billing dataset with Noros.
Noros uses Workload Identity Federation to access your GCP data — a keyless authentication method that eliminates the security risks associated with long-lived service account keys.
With Workload Identity Federation:
No service account keys — No static credentials to manage, rotate, or risk leaking
Time-limited credentials — Access tokens are automatically rotated and short-lived
Attribute-based security — Access is scoped to specific conditions and identities
Noros can only access the specific BigQuery dataset you share during onboarding. It has:
No access to other projects in your organization
No access to other datasets in the same project
Read-only access to the shared billing dataset only
All permissions are clearly scoped and documented. If you have specific compliance or security requirements, contact support@noros.ai to discuss customized access configurations.
Last updated