Skip to main content

Onboarding a Google Cloud Platform (GCP) Project

Cloud accounts in the Google Cloud Platform (GCP) are referred to as projects. They can be grouped together in entities called organizations.

You can integrate a single cloud account (or a project), or a group of accounts (an organization).

Setting up GravityZone Cloud Security in a GCP project can only be done manually.

To start integrating a GCP project, follow these steps:

  1. Under Scan Configuration, select Add a Google Cloud Project.

    CSPM_select_GCP_412812_en.png
  2. Open a new browser tab or window and log in to your Google Cloud Console.

  3. Navigate to IAM Admin > Service Accounts and select the project to onboard.

  4. Click on + Create Service Account.

    CSPM_GCP_project_integration_A1_412767_en.png

    The Create service account window is displayed.

  5. Fill in the information for the new account:

    • Under Service account name, type in a descriptive name, such as GravityZone Cloud Security

    • (Optional) Edit the Service account ID. This is automatically generated based on the account name you previously entered.

    • Type in a clear description for the service account under Service account description, such as GravityZone API Access.

  6. Click Create and continue.

    CSPM_GCP_project_integration_B1_412767_en.png

    The Grant this service account access to project section is expanded.

  7. Follow these steps to add a role:

    1. Click Select a role.

    2. Click the Type to filter text box at the top of the window.

    3. Type in the name of the role.

    4. Select the role from the results below.

      CSPM_GCP_project_integration_C1_412767_en.png
    5. Click + Add another role.

    Repeat these steps for all of the roles:

    • Security Reviewer

    • Compute Network Viewer

    • BigQuery Metadata Viewer

    • Binary Authorization Policy Viewer

    • Activity Analysis Viewer

  8. Click Continue.

    CSPM_GCP_project_integration_1_412767_en.png

    The Grant users access to this service account section is expanded.

  9. Click Done.

    The Service accounts page is displayed.

  10. Click on the Filter on the top of the table and type in the name of the previously created account.

  11. Click the button under the Actions column and select Manage keys.

    CSPM_GCP_project_integration_F1_412767_en.png

    The Keys tab is displayed.

  12. Click on Add Key > Create New Key.

    CSPM_GCP_project_integration_2_412767_en.png
  13. Under Key type, make sure JSON is selected and click Create.

    CSPM_GCP_project_integration_3_412767_en.png

    A .JSON file is downloaded to your computer.

  14. Enable the APIs necessary for GravityZone Cloud Security to work. Select a method to enable the APIs:

  15. Go back to the Scan Configuration browser page.

  16. Copy and paste the contents of the JSON file into the API Credentials field.

  17. Click on Add account.

Asset inventory onboarding

Enabling GravityZone Cloud Security to scan Google Workspace Identities provides you a more accurate representation of your cloud environment, by providing access to identity related metadata.

Tip

Once enabled, the benefits will apply to the information available in the Identities page, along with the Identities with access tab in the Resource Details panel from the Resources page.

To enable the workspace, you need admin permissions on the workspace account.

Enable GravityZone Cloud Security to scan Google Workspace Identities for a new Google Cloud Platform (GCP) account

To enable GravityZone Cloud Security to scan Google Workspace Identities for a new GCP account, follow the steps listed here and after that process is completed, continue with the below:

  1. Open a new browser tab or window and log in to admin.google.com.

  2. Navigate to Account > Admin Roles.

  3. Click Create New Role.

    CSPM_IAM_GCP_create_new_role_462777_en.png
  4. Under Name, type in a descriptive name, such as GravityZone Cloud Security.

  5. Click Continue.

  6. Scroll down to Admin API privileges, check the following checkboxes:

    • Users > Read

    • Groups > Read

      CSPM_IAM_GCP_admin_API_462777_en.png
  7. Click Continue.

    You will see 2 privileges selected.

    CSPM_IAM_GCP_create_role_462777_en.png
  8. Click Create role.

  9. Click Assign service accounts.

    CSPM_IAM_GCP_assign_service_accounts_462777_en.png
  10. Enter the email of the previously created account.

  11. Click Add.

    CSPM_IAM_GCP_assign_service_accounts_add_button_462777_en.png
  12. Click Assign Role.

    CSPM_IAM_GCP_assign_role_button_462777_en.png

    The role is added with the permissions selected previously.

    CSPM_IAM_GCP_service_account_list_462777_en.png
  13. Navigate to Scan Configuration page, select the account and click the Edit icon to view the Account details > API Credentials.

Note

Once the Asset Inventory is enabled, it also applies to all other projects and organizations inside the same Google workplace.

If you have an additional workspace, you need to enable this option again for one of its Projects or Organizations.

Enable GravityZone Cloud Security to scan Google Workspace Identities for an existing Google Cloud Platform (GCP) account

To enable GravityZone Cloud Security to scan Google Workspace Identities for an existing GCP account, you need to follow the exact same steps as for a new account. The only difference is that you need to obtain the email of the previously created account.

To find the email of the previously created account, refer to the steps bellow:

  1. Navigate to Scan Configuration page, select the account and click the Edit icon.

  2. From the Account Details panel, copy the Account Name details.

    CSPM_IAM_GCP_service_account_name_details_462777_en.png
  3. Open a new browser tab or window and log in to your Google Cloud Console.

  4. Navigate to IAM & Admin and click Search a project.

    CSPM_IAM_GCP_select_project_462777_en.png
  5. In the Search projects and folders field, type in or paste the info copied at step 2.

    CSPM_IAM_GCP_search_project_462777_en.png
  6. Once the project is selected, navigate to Service Accounts page and search for the API Credentials. You can copy the API Credentials from the Account Details panel (step 2).

    CSPM_IAM_GCP_API_credentials_462777_en.png
  7. Click the service account corresponding to the API Credentials.

  8. From the Service account details page, you can then copy the email address which you can use to complete the enabling process.

    CSPM_IAM_GCP_email_address_462777_en.png