Get Started

Getting Started

Deploy

Onboard and Manage Accounts

Amazon Web Services (AWS)

Google Cloud Platform (GCP)

Microsoft Azure

Oracle Cloud Infrastructure (OCI)

Additional Providers

Collect and Integrate Data

Harvesting & Event-Driven Harvesting

Integrations

Understand Data

Visibility & Reporting

Inventory

Query Filters & Insights

Manage and Act on Data

Bots & Automation

Infrastructure as Code (IaC) Security

Cloud IAM Governance

Vulnerability Management

Workload Security

Manage System Settings

InsightCloudSec System Configuration

Developer Resources

APIs

Support

Onboard a GCP Account

After InsightCloudSec is successfully installed, you're ready to start harvesting data from your Accounts, which requires configuring Google Cloud Platform (GCP) to "talk" with InsightCloudSec securely. As your inventory grows and your cloud accounts are fully visible, you can then begin to leverage the rest of InsightCloudSec, including Insights, Bots, Layered Context, and more.

This page and the functionality detailed here refer to the provider-specific Accounts capability available under Cloud > Cloud Accounts. If you are looking to onboard an GCP Organization instead, see Onboard a GCP Organization.

Opening the Cloud Account Onboarding Interface

Before you can begin the onboarding process, you'll need to navigate to the Cloud Account Onboarding interface, which provides a different experience depending on the type of user you are:

User	Description	Experience
First-time User	InsightCloudSec is freshly deployed and this will be the first time a Cloud Service Provider (CSP) has been onboarded.	Platform Users: Onboarding wizard launched from Platform Home by clicking the InsightCloudSec tile. InsightCloudSec Only Users: The onboarding wizard appears automatically after logging in using your unique InsightCloudSec URL.
Returning User	InsightCloudSec has one or more CSPs already onboarded and you would like to add a new account.	Launched from within InsightCloudSec. Not a wizard.
Admin User	You can login to the cloud provider and have the appropriate access to grant InsightCloudSec access to your account(s).	As an admin, you will need to complete some specific tasks within your Cloud Service Provider's (CSP) console to generate details needed for onboarding that either you or a non-admin user can input to InsightCloudSec.
Non-Admin User	You can interact with InsightCloudSec and would like to onboard an account(s) but do not have the appropriate CSP access to grant InsightCloudSec access to your account(s).	You will need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information you need to complete onboarding.

Onboarding a GCP Account

A couple methods for onboarding your GCP Accounts (projects in GCP's parlance) are available depending on whether you're a non-admin or admin user.

Resuming cloud onboarding to InsightCloudSec

If you close the interface before completing Account onboarding, you can resume onboarding from the page you were on last.

Non-Admin User Instructions

Ask an admin for required information

As a non-admin user, you need to copy and send a message to the admin asking them to complete specific tasks and provide you with the information needed to complete onboarding.

First-time Users

Login to InsightCloudSec using one of the methods below:
- In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
- Open a browser window to your unique InsightCloudSec URL and login. The onboarding wizard will appear automatically.
On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
On the Cloud Service Providers screen, select Google Cloud Platform.
Select No - Help me identify the details needed, then click Next.
Click the Copy button in the Google Cloud Platform Admin Instructions text box and share them with the admin.

Returning Users

Login to InsightCloudSec using one of the methods below:
- In the Insight Platform, click the InsightCloudSec tile.
- Open a browser window to your unique InsightCloudSec URL and login.
Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
Click the + Add Cloud button in the top right-hand corner.
Click the Google Cloud Platform button.
Click Don't have admin access? in the bottom right-hand corner of the window.
Click the Copy button in the Google Cloud Platform Admin Instructions text box and share them with the admin.

Connect the Account

When your admin has completed their steps and provided the information to you, you can now connect the Account.

First-time Users

Return to InsightCloudSec using one of the methods below:
- In the Insight Platform, click InsightCloudSec to launch the onboarding wizard.
- Open a browser window to your unique InsightCloudSec URL and login. The onboarding wizard will appear automatically.
The wizard should automatically return you to the Google Cloud Platform Admin Instructions page.
Enter the following information (provided by your admin):
1. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
2. Copy/paste the API Credentials and Project ID.
3. Optionally, provide the Email Delegation.
Click Connect Account.

Returning Users

Login to InsightCloudSec using one of the methods below:
- In the Insight Platform, click the InsightCloudSec tile.
- Open a browser window to your unique InsightCloudSec URL and login.
Navigate to Cloud > Cloud Accounts in the left-hand navigation menu.
Click the + Add Cloud button in the top right-hand corner.
Click the Google Cloud Platform button.
Click Don't have admin access? in the bottom right-hand corner of the window.
Enter the following information (provided by your admin):
1. Copy/paste the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
2. Copy/paste the API Credentials and Project ID.
3. Optionally, provide the Email Delegation.
Click Connect Account.

Admin User Instructions

As an admin, you must prepare your Account for the connection with InsightCloudSec by creating a new service account & creating and assigning a custom role within GCP.

Providing details to a non-admin user?

If you are providing details to a non-admin user to onboard the Account, ensure that the credentials you share with the non-admin user will include the appropriate access and enable them to connect your GCP project with InsightCloudSec successfully. We recommend using a secure file sharing system to provide credentials to your non-admin user.

GCP Admin Onboarding Prerequisites

Domain Admin permissions within InsightCloudSec
Appropriate permissions in GCP to create service accounts, roles, and enable APIs within the desired project
- If enabling Email Delegation/Directory Support, you'll need GCP Super Admin privileges

InsightCloudSec offers some features that require additional permissions/roles within GCP. It is easiest to perform this configuration while onboarding an account/organization. Review the links below to determine which features you'd like to use and we'll provide a reminder to select the relevant options later.

Prepare GCP for Onboarding

To onboard a single project for GCP you need to complete one of the following set of instructions:

Recommended APIs

For successful onboarding, the Cloud Resource Manager API, Cloud Asset API, Policy Analyzer API, and Service Usage API are required to be enabled in the project containing the Service Account that will be provisioned. Due to the current GCP harvesting structure in InsightCloudSec, API services will need to be enabled in each project (including the project containing the Service Account) for proper harvesting. See our list of Recommended APIs.

Manual Onboarding using the GCP console

Multiple Browser Tabs/Windows Recommended

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the GCP console open side-by-side in your preferred browser's windows/tabs.

Step 1: Create a Service Account

Login to your InsightCloudSec instance and open the Cloud Onboarding interface.
- First-time Users:
  1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
  2. On the Cloud Service Providers screen, select Google Cloud Platform.
  3. Select Yes - I have permissions to create service accounts, roles and enable APIs, then click Next.
  4. For your connection journey, click Manual Steps, then click Next.
- Returning Users:
  1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
  2. Click the + Add Cloud button in the top right corner.
  3. Click the Google Cloud Platform button.
  4. For your connection journey, click Manual Steps.
In a separate browser tab or window, login as an Admin to the GCP Console for the project you want to harvest.

In the GCP Console:

Log in to your GCP account and select the project you want to onboard.
On the project's dashboard, copy and save the Project ID.
Go to IAM & Admin > Service Account, and click Create Service Account.
Complete the service account details. We recommend including ICS or InsightCloudSec in the details for tracking purposes.
Click Done.
Copy and save the Service Account ID for generating a key and for onboarding the account in InsightCloudSec.

Step 2: Generate a Service Account Key

In the GCP Console:

In the newly created Service Account, paste the Service Account ID into the filter input.
Click the email address link to view the details.
In the KEYS section, click ADD KEY.
Select Create New Key.
For the Key Type, select JSON, and then click Create to download the key.
Copy and save this JSON file in a secure place; it contains the only copy of the key, which is required for onboarding the account in InsightCloudSec.

In the InsightCloudSec Cloud Onboarding interface:

For 1. Authentication:
1. Copy/paste the entire JSON key file into the API Credentials field.
2. Copy/paste the project_id value from the JSON key file into the Project ID field.
3. Click Next.

Step 3: Create a custom role

In the GCP Console:

Go to IAM & Admin > Roles and click Create Role.
Enter a name and description for the role. We recommend including InsightCloudSec here for tracking purposes.
Click add permissions, and using the filter field provided, select the following permissions:
- bigquery.tables.get
- bigquery.tables.list
- cloudasset.assets.listResource
- cloudasset.assets.searchAllIamPolicies
- iam.serviceAccounts.disable
- serviceusage.services.enable
- storage.buckets.get
- storage.buckets.getIAMPolicy
Click Add to finalize the permissions.
Click Create to save the role.

Additional GCP-related InsightCloudSec Features

At this point in the process, it would be easiest to update the newly-created harvesting role with permissions for any additional GCP-related InsightCloudSec features.

Step 4: Assign Roles to the Service Account

In the GCP Console:

Go to IAM & Admin > IAM and on the View by Principals tab, click Grant Access.
In the New principals field, paste the Service Account Email (taken from the Service Account details page).
Add the following roles to the Service Account:
- Basic > Viewer (Editor to allow InsightCloudSec to have write permissions into GCP).
- Custom > Custom InsightCloudSec Role created in the previous section.
Click Save.

Step 5: (Recommended) Set up Directory Support and Email Delegation

This set of instructions is optional but recommended as it will allow InsightCloudSec to access user and group information such as last login, MFA settings, and more.

In the GCP Console:

Enable the Admin SDK API.
1. Search for Admin SDK API within the GCP Console.
2. Open the Marketplace entry for the API.
3. Click Enable.
Copy the Service Account Client ID.
1. Go to IAM & Admin > Service Accounts and select the newly configured service account.
2. In the Advanced Settings section, in the Domain-wide Delegation field, copy the Client ID for your Service account.
3. Under Client ID, click View Google Workspace Admin Console.
Validate and enable domain-wide delegation.
1. In the Google Workspace Admin Console, go to Security > Overview and expand API Controls.
2. In Domain-wide Delegation, click Manage Domain Wide Delegation.
3. Next you will either need to:
  - Search for and confirm that the Client ID you copied from your service account already exists.
  - Click Add new and add the Client ID to specify the service account you want to configure for Domain-wide delegation.
4. If the client ID existed already, verify the following scopes exist:
  - https://www.googleapis.com/auth/admin.directory.user
  - https://www.googleapis.com/auth/admin.directory.group
  - https://www.googleapis.com/auth/admin.directory.group.member Otherwise, the scopes above will have to be added.
Specify an email address for domain-wide delegation.
1. Go to Directory > Users.
2. Filter for Admin Role and select Super Admin to narrow the list of user accounts.
3. Identify the email for the account you want to use to specify for Domain-wide Delegation.
  - The email address provided must be from an appropriately configured GCP Super Admin from the correct Service Organization to ensure that the data can pass from the GCP Console to InsightCloudSec.
  - Save this email in a safe place, you will be using this address in the setup steps within InsightCloudSec.

In the InsightCloudSec Cloud Onboarding interface:

Skip 2. Roles by clicking Next.

Manual onboarding instructions complete!

After completing the preceding steps, you have completed the manual onboarding instructions for GCP. Jump to the Connect the Account in InsightCloudSec instructions.

Automated Onboarding using GCP Cloud Shell

Multiple Browser Tabs/Windows Recommended

InsightCloudSec onboarding can proceed much more quickly and easily if you have both your InsightCloudSec instance and the GCP console open side-by-side in your preferred browser's windows/tabs.

Step 1: Create a Service Account Automatically

Login to your InsightCloudSec instance and open the Cloud Onboarding interface.
- First-time Users:
  1. On the Welcome screen, review key features and capabilities, then click Onboard a Cloud Account.
  2. On the Cloud Service Providers screen, select Google Cloud Platform.
  3. Select Yes - I have permissions to create service accounts, roles and enable APIs, then click Next.
  4. For your connection journey, click Google Cloud Platform Script, then click Next.
- Returning Users:
  1. Navigate to Cloud > Cloud Accounts in the left navigation menu.
  2. Click the + Add Cloud button in the top right corner.
  3. Click the Google Cloud Platform button.
  4. For your connection journey, click Script.
In a separate browser tab or window, login as an Admin to the GCP Console for the project you want to harvest.

In the InsightCloudSec Cloud Onboarding interface:

Select Project.
Click Generate & Download Script.

In the GCP Console:

In the top bar, click Activate Cloud Shell. If this is your first time using the Cloud Shell, you'll be prompted to learn more about the shell and click Continue. Review the GCP documentation for more information.
Click More (vertical ellipsis), then click Upload and select the onboarding script from its downloaded location.
Optionally, provide an alternative destination directory. By default, the file will be uploaded to /home/<username>.
Click Upload.
Ensure you are logged into the Cloud Shell: gcloud auth login.
Run the script (python onboard.py) and follow the prompts to create everything needed to onboard the Account. If you uploaded the onboarding script to somewhere other than the default, you'll need to include the directory location with the command. If you're prompted to authorize the Cloud Shell using your credentials, click Authorize.
- Provide an GCP Service Account name (or press Enter to use the default).
- Provide an GCP Service Account display name (or press Enter to use the default).
- Optionally, provide a GCP Service Account description (or press Enter to use the default).
- Provide a JSON key filename (or press Enter to use the default).
- Provide a GCP Role ID (or press Enter to use the default).
- Optionally, provide a GCP Role description (or press Enter to use the default).
- The configuration is complete and the key will be saved in the current directory.
Additional GCP-related InsightCloudSec Features
At this point in the process, it would be easiest to update the newly-created harvesting role with permissions for any additional GCP-related InsightCloudSec features.
Click More (vertical ellipsis), then click Download.
Click the folder icon (Toggle File Browser) to open the file browser for the current directory. Expand the current directory in the browser.
Select the JSON key and click Download.
Open the downloaded JSON key file inside a browser tab/window or text editor.

In the InsightCloudSec Cloud Onboarding interface:

Copy/paste the entire JSON key file into the API Credentials field.
Copy/paste the project_id value from the JSON key file into the Project ID field.

Step 2: (Recommended) Set up Directory Support and Email Delegation

This set of instructions is optional but recommended as it will allow InsightCloudSec to access user and group information such as last login, MFA settings, and more.

In the GCP Console:

Enable the Admin SDK API.
1. Search for Admin SDK API within the GCP Console.
2. Open the Marketplace entry for the API.
3. Click Enable.
Copy the Service Account Client ID.
1. Go to IAM & Admin > Service Accounts and select the newly configured service account.
2. In the Advanced Settings section, in the Domain-wide Delegation field, copy the Client ID for your Service account.
3. Under Client ID, click View Google Workspace Admin Console.
Validate and enable domain-wide delegation.
1. In the Google Workspace Admin Console, go to Security > Overview and expand API Controls.
2. In Domain-wide Delegation, click Manage Domain Wide Delegation.
3. Next you will either need to:
  - Search for and confirm that the Client ID you copied from your service account already exists.
  - Click Add new and add the Client ID to specify the service account you want to configure for Domain-wide delegation.
4. If the client ID existed already, verify the following scopes exist:
  - https://www.googleapis.com/auth/admin.directory.user
  - https://www.googleapis.com/auth/admin.directory.group
  - https://www.googleapis.com/auth/admin.directory.group.member Otherwise, the scopes above will have to be added.
Specify an email address for domain-wide delegation.
1. Go to Directory > Users.
2. Filter for Admin Role and select Super Admin to narrow the list of user accounts.
3. Identify the email for the account you want to use to specify for Domain-wide Delegation.
  - The email address provided must be from an appropriately configured GCP Super Admin from the correct Service Organization to ensure that the data can pass from the GCP Console to InsightCloudSec.
  - Save this email in a safe place, you will be using this address in the setup steps within InsightCloudSec.

Automated onboarding instructions complete!

After completing the preceding steps, you have completed the automated onboarding instructions for GCP. Jump to the Connect the Account in InsightCloudSec instructions.

Connect the Account in InsightCloudSec

The GCP onboarding process is nearly complete; all that remains is to setup an account nickname & optional email delegation in InsightCloudSec and verify the account connection.

In the InsightCloudSec Cloud Onboarding interface:

Provide the Nickname for the Account. This is a unique value that will be used to search Accounts across the system based on an identifiable label.
If you performed the Email Delegation/Directory Support section above, provide the email address.
Click Connect Account.

Success! You onboarded an account

Congratulations on successfully onboarding an account!

InsightCloudSec will automatically detect if there are any missing permissions that could cause impaired visibility into your account.
For information about modifying an existing onboarded account, review the Cloud Account Setup & Management page.

Did this page help you?

Google Cloud Platform (GCP)

GCP Overview & Support

Google Cloud Platform (GCP)

Onboard a GCP Organization