
Hey Everyone,

I'm trying to figure out what the Chronicle Forwarder keys have access to. Specifically, do they only have the ability to send data to the Ingestion API, or do they also have any read permissions? What API endpoints can they actually use?

A bit of background: I'm working on a script for some ETL tasks. I've got one of the Chronicle Forwarder servers that I'm planning to use as my automation server. I want to see if I can use the same key file from the Forwarder to send data to the Ingestion API. (I'd prefer to use the ingestion API directly rather than having Chronicle Forwarder read from a file). This got me wondering about the broader question of what permissions these keys should or do have.

P.S. The keys I'm using are from about 3 years ago, so I'm not sure if anything has changed with the new Forwarder Management UI in terms of permissions.

You would most likely have to raise this with support (or your account manager) as the privileges for a service account API (for backstory APIs) key would probably only be inspectable by them.

Unless you created the service account and API key yourself and have the appropriate IAM permissions to get the IAM Policy attached.




I get what you are saying but we never changed the permissions. I'm asking for the default permissions. If I use the Forwarder Management UI what are the permissions that it gets? This should be one of those things that should be publicly documented of what the default permissions are.




I haven't found any documentation more specific than https://cloud.google.com/chronicle/docs/reference/ingestion-api#ingestion_api_reference

In any case, if the service account had more privileges than submitting unstructured or UDM events to the ingestion API, it would be very surprising, as that would violate the principle of least privilege.

I previously tried (and failed) to use it for parser or feed management so it certainly doesn't have those privileges. 




Haha, sometimes you don't know till you ask! And that's why I'm asking!

Again, I assume that they will have access to all the ingestion APIs, but I want to know what permissions these keys have.

