Organizations (GCP)

Integrating a GCP Organization with InsightCloudSec


New Onboarding Process for Connecting Cloud Accounts for GCP

The following content is for our legacy onboarding process for connecting a cloud account. Beginning with our 23.4.11 release, InsightCloudSec includes a new onboarding workflow; documentation on that workflow is available on the new GCP - Onboarding page.

If you have issues or need support related to onboarding, reach out to your CSM or contact us through the Customer Support Portal with any questions.

You can add multiple GCP projects within an organization structure seamlessly into InsightCloudSec using the Organizations feature. This allows automatic onboarding of all associated projects (including any new projects added after initial onboarding) into InsightCloudSec and badging of project level labels and organization/folder structure.

InsightCloudSec performs this onboarding and harvesting through the use of a GCP Service Account. This Service Account is defined within a project and granted organization-level permissions so that it can read the organization structure of projects and folders. After processing the organization structure and onboarding the desired projects, it reaches out to each project's API services to gather resource information into InsightCloudSec.

Note: this page and the functionality detailed here refer to the cloud provider-specific organizational onboarding capability for GCP, which is managed under "Clouds --> Organizations". This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under "System Administration --> Organizations".


Before you get started you will want to make sure you have the following:

  • A functioning InsightCloudSec Installation
  • An InsightCloudSec Domain Admin within InsightCloudSec to work with GCP Organizations
  • Appropriate permissions in GCP to create service accounts and roles and to enable APIs: you must be able to create Service Accounts within a project and to create and apply Roles at the organization level
  • Check out our documentation about Auto Badging (GCP) for additional details

You will need to be a Domain Admin within InsightCloudSec to work with Organizations.

If you have questions or concerns, reach out to us through the Customer Support Portal.


Important Note About APIs

For successful onboarding, the Cloud Resource Manager API, Cloud Asset API, Policy Analyzer API, and Service Usage API must be enabled in the project containing the Service Account that will be provisioned.

Due to the current GCP harvesting structure in InsightCloudSec, API services will need to be enabled in each project (including the project containing the Service Account) for proper harvesting. See our list of Recommended APIs.
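A quick pre-flight check for the API requirement above. This is an added example, not InsightCloudSec or Google code: it parses the JSON that `gcloud services list --enabled --format=json` prints for a project and reports which of the four required services are still disabled. The sample output embedded below is constructed, and the project number in it is a placeholder.

```python
"""Pre-flight check that the APIs InsightCloudSec needs are enabled.

Added example, not InsightCloudSec or Google code. It parses the JSON that
`gcloud services list --enabled --format=json` prints for a project and
reports which of the required services are still disabled.
"""
from __future__ import annotations

import json

# Service names behind the four APIs required in the project that holds the
# Service Account (every other project still needs the Recommended APIs).
REQUIRED_APIS = {
    "cloudresourcemanager.googleapis.com",  # Cloud Resource Manager API
    "cloudasset.googleapis.com",            # Cloud Asset API
    "policyanalyzer.googleapis.com",        # Policy Analyzer API
    "serviceusage.googleapis.com",          # Service Usage API
}


def enabled_services(services_json: str) -> set[str]:
    """Return the service names whose state is ENABLED in a `gcloud services list` dump."""
    return {
        entry["config"]["name"]
        for entry in json.loads(services_json)
        if entry.get("state", "ENABLED") == "ENABLED"
    }


def missing_apis(services_json: str, required: set[str] = REQUIRED_APIS) -> list[str]:
    """Sorted list of required services that are not enabled."""
    return sorted(required - enabled_services(services_json))


# Constructed sample of `gcloud services list --enabled --format=json` output
# for a project (project number 123456789012 is a placeholder) with only two
# of the four required services enabled.
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "cloudresourcemanager.googleapis.com",
                "title": "Cloud Resource Manager API"},
     "name": "projects/123456789012/services/cloudresourcemanager.googleapis.com",
     "state": "ENABLED"},
    {"config": {"name": "serviceusage.googleapis.com",
                "title": "Service Usage API"},
     "name": "projects/123456789012/services/serviceusage.googleapis.com",
     "state": "ENABLED"},
    {"config": {"name": "compute.googleapis.com",
                "title": "Compute Engine API"},
     "name": "projects/123456789012/services/compute.googleapis.com",
     "state": "ENABLED"},
])

if __name__ == "__main__":
    for svc in missing_apis(SAMPLE_SERVICES):
        print(f"not enabled: {svc}")
```

Run it against a real project by piping the gcloud output into a file and passing that file's contents to `missing_apis`; an empty list means the Service Account project is ready for the onboarding step.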

Steps for Adding GCP Organizations (GCP Console)

The following sections involve resource creation/modification within the GCP console.

Service Account Creation

Service accounts can only be created within a project, so choose the project, or consider creating a new project for the service account for InsightCloudSec to reside in. The following steps will take place within that project.

1. Navigate into "IAM & Admin > Service Account".

2. Click "Create Service Account" and complete the service account details.

  • We recommend including ICS or InsightCloudSec here for tracking purposes.

GCP - Create Service Account

4. Click "Done" to create the Service Account.


Save this email!

The Service Account email from the "Details" tab is used for later steps, so we recommend saving this information to a safe place or leaving this page open and continuing in another tab.

Generating a Service Account Key

1. Navigate into the newly created Service Account.

  • Copy the associated email and save for use in a later step.

2. In the Keys section, select "ADD KEY".

3. Select "Create New Key".


Creating a new Service Account Key

4. With Key Type as JSON, click "Create" to download the key.


Store this JSON file in a secure place; it contains the only copy of the key.
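Because the key downloaded in step 4 is the credential you will paste into InsightCloudSec later, it is worth checking it before storing it. The following added example (not InsightCloudSec or Google code) confirms the JSON has the fields a service-account key carries and that the file is not readable by other local users. The sample key embedded below is constructed, with a placeholder where real key material would be.

```python
"""Sanity-check a downloaded service-account key file before pasting it.

Added example, not InsightCloudSec or Google code. It checks the JSON key
has the fields a service-account key carries and that the file is not
readable by other local users; the sample key below is constructed, with a
placeholder in place of real key material.
"""
from __future__ import annotations

import json
import os
import stat

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def check_key_json(text: str) -> list[str]:
    """Return a list of problems with the key JSON; an empty list means it looks usable."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if not key.get(name)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (is this a user credential?)")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems


def check_key_file(path: str) -> list[str]:
    """Check the file's permissions as well as its content."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is readable by group/others (mode {mode:03o}); restrict it to the owner")
    with open(path, encoding="utf-8") as fh:
        problems.extend(check_key_json(fh.read()))
    return problems


# Constructed sample key: every value is a placeholder, including the PEM body.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-ics-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "insightcloudsec-harvester@example-ics-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    import sys
    issues = check_key_file(sys.argv[1]) if len(sys.argv) > 1 else check_key_json(SAMPLE_KEY)
    print("\n".join(issues) or "key looks usable")
```

Run it with the path of the downloaded file as the only argument; with no argument it checks the constructed sample. The permission check matters because this file is the only copy of the key and anyone who can read it can act as the Service Account at the organization level.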

Role Creation and Assignment (Organization-level Change)


Organization-level Change

This change must be performed at the organization level!

Navigate into the Organization using the project selection dropdown and select the appropriate Domain in the listing.


GCP - Select Domain

Custom Role Creation

1. Navigate into "IAM & Admin > Roles".

2. Click "Create Role".

3. Name your role and give it a description.

  • We recommend including InsightCloudSec or ICS in the name and description

4. Click "Add Permissions" and, using the filter field provided, select the following permissions:
- storage.buckets.get
- storage.buckets.getIamPolicy
- bigquery.tables.get
- bigquery.tables.list
- cloudasset.assets.listResource
- cloudasset.assets.searchAllIamPolicies


Required Permissions

The cloudasset.assets.listResource and cloudasset.assets.searchAllIamPolicies permissions are required for proper resource harvesting as InsightCloudSec expands its use of Cloud Asset Inventory.

5. Click "Create" to save the new Role.


GCP - Add Permissions

Assigning Roles to Service Account (Organization-level Change)


Organization-level Change

This change must be performed at the organization level!

1. Navigate to "IAM & Admin > IAM" and click "Add".


Add roles to Service Account

2. Paste in the Service Account Email (taken from the Service Account details page) into the "New principals" field.

3. Add the roles below to this Service Account. All five of these roles are needed to properly harvest resource data in InsightCloudSec.
- Resource Manager -> Organization Viewer (Organization Administrator if you're setting up write permissions)
- Resource Manager -> Folder Viewer
- IAM -> Security Reviewer
- Basic -> Viewer (Editor to allow InsightCloudSec to have write permissions into GCP)
- Custom -> Custom InsightCloudSec Role created in previous steps

4. Click "Save".
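After saving, it is worth confirming that the organization policy and the custom role actually contain what the two procedures above call for. The following added example (not InsightCloudSec or Google code) reads two gcloud JSON dumps, `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud iam roles describe ROLE_ID --organization ORG_ID --format=json`, and reports any of the five roles or six custom-role permissions that are still missing. The organization ID, custom role ID and Service Account e-mail in the embedded samples are placeholders, and the samples are constructed so that one role and one permission are missing.

```python
"""Verify the Service Account's organization-level roles and the custom role.

Added example, not InsightCloudSec or Google code. Reads the JSON printed by
`gcloud organizations get-iam-policy ORG_ID --format=json` and
`gcloud iam roles describe ROLE_ID --organization ORG_ID --format=json`.
ORG_ID, the custom role ID and the account e-mail below are placeholders.
"""
from __future__ import annotations

import json

# The six permissions the custom role must carry.
CUSTOM_ROLE_PERMISSIONS = {
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "bigquery.tables.get",
    "bigquery.tables.list",
    "cloudasset.assets.listResource",
    "cloudasset.assets.searchAllIamPolicies",
}

# Predefined roles from the role-assignment step: read-only and write variants.
READ_ONLY_ROLES = {
    "roles/resourcemanager.organizationViewer",
    "roles/resourcemanager.folderViewer",
    "roles/iam.securityReviewer",
    "roles/viewer",
}
WRITE_ROLES = {
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderViewer",
    "roles/iam.securityReviewer",
    "roles/editor",
}


def roles_for_member(policy_json: str, member: str) -> set[str]:
    """Roles bound to one member (e.g. 'serviceAccount:x@y.iam.gserviceaccount.com')."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_roles(policy_json: str, sa_email: str, custom_role: str, write: bool = False) -> list[str]:
    """Required roles the Service Account does not hold at the organization level."""
    wanted = (WRITE_ROLES if write else READ_ONLY_ROLES) | {custom_role}
    return sorted(wanted - roles_for_member(policy_json, f"serviceAccount:{sa_email}"))


def missing_permissions(role_json: str) -> list[str]:
    """Permissions from the list above that the custom role does not include."""
    included = set(json.loads(role_json).get("includedPermissions", []))
    return sorted(CUSTOM_ROLE_PERMISSIONS - included)


# Placeholders for the values a real run would take from your own organization.
SA_EMAIL = "insightcloudsec-harvester@example-ics-project.iam.gserviceaccount.com"
CUSTOM_ROLE = "organizations/000000000000/roles/InsightCloudSecHarvester"
SA_MEMBER = f"serviceAccount:{SA_EMAIL}"

# Constructed org policy: Folder Viewer has not been granted yet.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer", "members": [SA_MEMBER, "user:admin@example.com"]},
        {"role": "roles/iam.securityReviewer", "members": [SA_MEMBER]},
        {"role": "roles/viewer", "members": [SA_MEMBER]},
        {"role": CUSTOM_ROLE, "members": [SA_MEMBER]},
    ],
    "etag": "BwXexample=",
    "version": 1,
})

# Constructed role description: one of the two Cloud Asset permissions is missing.
SAMPLE_ROLE = json.dumps({
    "name": CUSTOM_ROLE,
    "title": "InsightCloudSec Harvester",
    "stage": "GA",
    "includedPermissions": sorted(CUSTOM_ROLE_PERMISSIONS - {"cloudasset.assets.searchAllIamPolicies"}),
})

if __name__ == "__main__":
    print("missing roles:", missing_roles(SAMPLE_POLICY, SA_EMAIL, CUSTOM_ROLE))
    print("missing permissions:", missing_permissions(SAMPLE_ROLE))
```

Pass `write=True` to check the Organization Administrator / Editor variant described in step 3. Both functions return empty lists when the Service Account is fully set up, which is the state to confirm before moving on to the InsightCloudSec side.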


GCP - Service Account

Setup in InsightCloudSec

Follow the steps below to add the GCP organization into InsightCloudSec.

1. Navigate to the "Cloud --> Clouds" page.

2. Click the "Organizations" tab, then click "Add Organizations".


Adding an Organization

3. Select "GCP" from the "Cloud Type" drop-down menu.


Adding a new GCP Organization

4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.

5. Paste in the JSON credentials from the Service Account Key you created on the GCP console above.

6. Enable "Email Delegation (Optional)" and enter an admin email if you want to manage IAM and the Google Cloud Directory.


Enabling Email Delegation

Providing an email within the Email Delegation field enables InsightCloudSec to collect GCP Directory (IAM) data that will be populated under both:

The email you provide must belong to a super-admin within your target GCP service account in order to transmit this data. For more details check out the page on GCP Directory Support.

7. Enter project skip prefixes (if desired) to specify which projects you would like to skip or exclude from onboarding for the organization.

8. Select your desired Organization options as follows:

  • Auto-Sync Projects - is enabled by default and allows InsightCloudSec to auto-sync with Projects in your Organization. Note: if you deselect this option you will have to manually add your projects under this organization.
  • Auto-Remove Deleted Accounts - is enabled by default. To prevent InsightCloudSec from removing accounts that are deleted from GCP uncheck this box.
  • Auto Badge Projects - is enabled by default and allows InsightCloudSec to auto-badge your projects.
  • Enable API Auto-Enablement - select to automatically enable required APIs for each project. Review the Cloud Account Detail Page for additional details on this feature.
  • Limit import scope - select and provide Parent Folder ID(s) to include only the given folder(s) and everything underneath them.


Import Scope Changes

To change the import scope to a different folder, or to remove the scope entirely navigate to "Clouds --> Organizations". Select the pencil next to the name of the Organization you want to modify. You will need to input the JSON credentials again in order to make this change.

9. Click "Add" to start the onboarding process.

Your Organization will now be listed within the Organizations section. Initially, the listing will show '0' accounts. Projects, resource data, and compliance data will be processed and begin to show up within the tool after the initial harvesters and processors complete.