# GCP service account permissions

{% hint style="info" %}
**📘 The following steps are a prerequisite for adding Netography as a principal to the Pub/Sub subscription.**

Before you can add Netography as a principal, you must first give Netography's GCP identifier the initial permission that GCP requires to recognize Netography as an entity that can be granted access to any of your resources.

**These steps do NOT grant Netography any permissions or access to any resources in your organization**.

Completing these steps only makes it possible for you to grant Netography specific, selected access to individual resources later.
{% endhint %}

{% hint style="warning" %}
**🚧 Organization Policy Administrator is needed to complete these steps.**

Updating an organization policy requires the Organization Policy Administrator role `roles/orgpolicy.policyAdmin`.
{% endhint %}

{% hint style="info" %}
**📘 Organizational policy requirement needed to complete these steps**

`iam.disableServiceAccountKeyCreation` needs to be set to **Not enforced** at the organization or project level.
{% endhint %}

1. Go to the project picker, click the **All** tab, and select your **Organization**, instead of your project.

![](/files/RKi3vIW6zrgy521HgrW4) ![](/files/MwN9hMxW0quLZ9TTQQDy)

2. Go to the **Organization Policies** page.

![](/files/aX8hBTgSXpGWoQoMgVXk)

3. Click **Filter** above the policies table and type `Domain restricted sharing`.

![](/files/KhHs0oCMNh5pZJt26PBj)

4. You should see 1 policy with ID `constraints/iam.allowedPolicyMemberDomains`. Click on **⋮** for the actions menu then **Edit Policy**.

![](/files/86L4a6dCzbeiLrGwUir7)

5. Choose **Override parent's policy** and select **Replace** for **Policy enforcement**.

![](/files/PEYUAbZC8jgREue6BhyN)

6. Add a new rule (or add a value to an existing rule) for the policy with **Policy values** set to **Custom** and **Policy type** set to **Allow**.
7. Add value `C04ddcbu8` for Netography.

![](/files/ibH9MQLFVbsN6spZnrik)

{% hint style="success" %}
**✅ You're done!**
{% endhint %}
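
To confirm the result of steps 5 to 7, the following added example (not from the original page or from Netography) checks an exported copy of the `constraints/iam.allowedPolicyMemberDomains` policy. It assumes the policy was saved as JSON, for example with `gcloud org-policies describe iam.allowedPolicyMemberDomains --organization=ORG_ID --format=json`; the JSON field names, the organization number and the customer ID `C0example1` are assumptions or constructed values. Because step 5 selects **Replace**, it also checks that your own customer ID is still on the list.

```python
NETOGRAPHY_ID = "C04ddcbu8"  # value from step 7 of this page


def allowed_domains(policy: dict) -> tuple[set, bool]:
    """Return (allowed customer IDs, allow_all) from an exported policy.

    Assumed shapes: legacy export uses listPolicy.allowedValues / allValues,
    newer export uses spec.rules[].values.allowedValues / allowAll.
    """
    values, allow_all = set(), False
    legacy = policy.get("listPolicy") or {}
    values.update(legacy.get("allowedValues", []))
    allow_all = legacy.get("allValues") == "ALLOW"
    for rule in policy.get("spec", {}).get("rules", []):
        values.update(rule.get("values", {}).get("allowedValues", []))
        allow_all = allow_all or rule.get("allowAll") is True
    # Values may carry an "is:" prefix; strip it before comparing.
    return {v.removeprefix("is:") for v in values}, allow_all


def check_policy(policy: dict, own_customer_id: str) -> list:
    """Return a list of findings; an empty list means the policy looks right."""
    ids, allow_all = allowed_domains(policy)
    findings = []
    if allow_all:
        findings.append("policy allows ALL domains, not a custom allow list")
    if NETOGRAPHY_ID not in ids:
        findings.append(f"Netography ID {NETOGRAPHY_ID} is not allowed yet")
    if own_customer_id not in ids:
        findings.append(f"own customer ID {own_customer_id} missing from list")
    return findings


# Constructed sample policies (not real exports).
GOOD = {"name": "organizations/123456789012/policies/iam.allowedPolicyMemberDomains",
        "spec": {"rules": [{"values": {"allowedValues": ["C0example1", "is:C04ddcbu8"]}}]}}
OWN_ID_DROPPED = {"constraint": "constraints/iam.allowedPolicyMemberDomains",
                  "listPolicy": {"allowedValues": ["C04ddcbu8"]}}
WIDE_OPEN = {"spec": {"rules": [{"allowAll": True}]}}

if __name__ == "__main__":
    for label, pol in [("good", GOOD), ("own id dropped", OWN_ID_DROPPED),
                       ("wide open", WIDE_OPEN)]:
        print(label, "->", check_policy(pol, "C0example1") or "OK")
```
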


