Organizations (GCP)

Integrating a GCP Organization with InsightCloudSec

The Organizations feature lets you add all GCP projects within an organization structure to InsightCloudSec at once. It automatically onboards every associated project (including projects created after the initial onboarding) and badges each project with its project-level labels and its position in the organization/folder structure.

InsightCloudSec performs this onboarding and harvesting through a GCP Service Account. The Service Account is created within a single project but is granted organization-level permissions so that it can read the organization's structure of folders and projects. After processing that structure and onboarding the selected projects, InsightCloudSec calls each project's API services to gather resource information.

Note: this page and the functionality detailed here refer to the cloud provider-specific organizational onboarding capability for GCP, which is managed under "Clouds --> Organizations". This functionality should not be confused with the InsightCloudSec-specific Organizations capability that allows for multi-tenant functionality available under "System Administration --> Organizations".

Prerequisites

Before you get started, make sure you have the following:

  • A functioning InsightCloudSec installation
  • An InsightCloudSec Domain Admin account to work with GCP Organizations
  • Appropriate permissions in GCP: access to create Service Accounts and enable APIs within a project, and access to create and apply Roles at the organization level
  • See our documentation on Auto Badging (GCP) for additional details

You will need to be a Domain Admin within InsightCloudSec to work with Organizations.

If you have questions or concerns, reach out to us through the Customer Support Portal.

Important Note About APIs

For successful onboarding, the Cloud Resource Manager API, Cloud Asset API, Cloud Policy Analyzer API, and Service Usage API must be enabled in the project that contains the Service Account you are about to provision.

Due to the current GCP harvesting structure in InsightCloudSec, API services will need to be enabled in each project (including the project containing the Service Account) for proper harvesting. See our list of Recommended APIs.

Steps for Adding GCP Organizations (GCP Console)

The following sections involve resource creation/modification within the GCP console.

Service Account Creation

Service accounts can only be created within a project, so choose an existing project or create a dedicated project to hold the InsightCloudSec service account. The following steps take place within that project.

1. Navigate into "IAM & Admin > Service Account".

2. Click "Create Service Account" and complete the service account details.

  • We recommend including ICS or InsightCloudSec here for tracking purposes.
(Screenshot: GCP - Create Service Account)

4. Click "Done" to create the Service Account.

Generating a Service Account Key

1. Navigate into the newly created Service Account.

  • Copy the service account's email address and save it for a later step.

2. In the Keys section, select "ADD KEY".

3. Select "Create New Key".

(Screenshot: Creating a new Service Account Key)

4. With Key Type as JSON, click "Create" to download the key.

Store this JSON file in a secure place; it contains the only copy of the key.

Role Creation and Assignment

The following steps take place at the Organization level. Navigate into the Organization using the project selection dropdown and select the appropriate Domain in the listing.

(Screenshot: GCP - Select Domain)

Custom Role Creation

1. Navigate into "IAM & Admin > Roles".

2. Click "Create Role".

3. Name your role and give it a description.

  • We recommend including InsightCloudSec or ICS in the name and description.

4. Click "Add Permissions" and, using the filter field, select the following permissions:
  • storage.buckets.get
  • storage.buckets.getIAMPolicy
  • bigquery.tables.get
  • bigquery.tables.list
  • cloudasset.assets.listResource
  • cloudasset.assets.searchAllIamPolicies
  • serviceusage.services.enable

Required Permissions

The cloudasset.assets.listResource and serviceusage.services.enable permissions are required for proper resource harvesting as InsightCloudSec expands the use of Cloud Asset Inventory.

5. Click "Create" to save the new Role.

(Screenshot: GCP - Add Permissions)

Assigning Roles to Service Account

1. Navigate to "IAM & Admin > IAM" and click "Add".

(Screenshot: Add roles to Service Account)

2. Paste the Service Account email (copied from the Service Account details page) into the "New principals" field.

3. Add the roles below to this Service Account. All five are needed for InsightCloudSec to harvest resource data properly.
  • Resource Manager -> Organization Viewer (Organization Administrator if you are setting up write permissions)
  • Resource Manager -> Folder Viewer
  • IAM -> Security Reviewer
  • Basic -> Viewer (Editor to give InsightCloudSec write permissions into GCP)
  • Custom -> the custom InsightCloudSec Role created in the previous steps

4. Click "Save".

(Screenshot: GCP - Service Account)
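As an added check covering the two permission lists above (the custom role's permissions and the five organization-level roles), here is a small Python script that is not part of InsightCloudSec or Google's tooling. It reads the JSON returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud iam roles describe ROLE_ID --organization=ORG_ID --format=json` and reports anything the service account is still missing; the service account email, organization ID and role ID in it are placeholders.

```python
# Added example, not InsightCloudSec or Google code; the IDs below are placeholders.
# Roles required on the service account at the organization level. The first and
# fourth entries accept either the read-only role or its write-enabled alternative.
REQUIRED_ROLE_SETS = [
    {"roles/resourcemanager.organizationViewer", "roles/resourcemanager.organizationAdmin"},
    {"roles/resourcemanager.folderViewer"},
    {"roles/iam.securityReviewer"},
    {"roles/viewer", "roles/editor"},
]
# Permissions the custom InsightCloudSec role must include.
REQUIRED_PERMISSIONS = {
    "storage.buckets.get", "storage.buckets.getIAMPolicy",
    "bigquery.tables.get", "bigquery.tables.list",
    "cloudasset.assets.listResource", "cloudasset.assets.searchAllIamPolicies",
    "serviceusage.services.enable",
}

def roles_for_member(policy, member):
    """Every role bound to `member` in an IAM policy (gcloud ... get-iam-policy --format=json)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def check_org_bindings(policy, sa_email, custom_role):
    """Findings on the service account's org-level bindings; empty means all five roles are bound."""
    bound = roles_for_member(policy, f"serviceAccount:{sa_email}")
    findings = [f"missing one of {sorted(s)}" for s in REQUIRED_ROLE_SETS if not bound & s]
    if custom_role not in bound:
        findings.append(f"missing custom role {custom_role}")
    return findings

def check_custom_role(role):
    """Required permissions absent from a role (gcloud iam roles describe --format=json)."""
    return sorted(REQUIRED_PERMISSIONS - set(role.get("includedPermissions", [])))

# Constructed sample data standing in for real gcloud output; Folder Viewer and one
# permission are deliberately missing so the checks report something.
SA = "ics-harvester@ics-project.iam.gserviceaccount.com"
CUSTOM_ROLE = "organizations/123456789012/roles/InsightCloudSec"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationViewer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/iam.securityReviewer", "members": ["user:admin@example.com", f"serviceAccount:{SA}"]},
    {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
    {"role": CUSTOM_ROLE, "members": [f"serviceAccount:{SA}"]},
]}
SAMPLE_ROLE = {"name": CUSTOM_ROLE,
               "includedPermissions": sorted(REQUIRED_PERMISSIONS - {"serviceusage.services.enable"})}

if __name__ == "__main__":
    print(check_org_bindings(SAMPLE_POLICY, SA, CUSTOM_ROLE))  # ["missing one of ['roles/resourcemanager.folderViewer']"]
    print(check_custom_role(SAMPLE_ROLE))  # ['serviceusage.services.enable']
```

To run it against a real organization, `json.load` the two gcloud outputs and pass them to `check_org_bindings` and `check_custom_role` in place of the constructed samples.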

Setup in InsightCloudSec

Follow the steps below to onboard the GCP organization into InsightCloudSec. These take place within the InsightCloudSec UI.

1. Navigate to the "Cloud --> Clouds" page.

2. Click the "Organizations" tab, then click "Add Organizations".

(Screenshot: Adding an Organization)

3. Select "GCP" from the "Cloud Type" drop-down menu.

4. Provide a nickname for the Organization. This creates a system Badge containing the nickname that can be searched or referenced throughout InsightCloudSec.

5. Paste in the JSON credentials from the Service Account Key you created on the GCP console above.

6. Select your desired Organization options as follows:

  • The "Auto-Sync Projects" checkbox is enabled by default and allows InsightCloudSec to auto-sync with the Projects in your Organization. Note: if you deselect this option, you will have to add your projects under this organization manually.
  • The "Auto-Remove Deleted Accounts" checkbox is enabled by default. If you want to prevent InsightCloudSec from removing accounts that have been deleted from GCP, uncheck this box.
  • The "Auto Badge Projects" checkbox is enabled by default and allows InsightCloudSec to auto-badge your projects.
  • Select "Auto-Enable API Auto-Enablement" to automatically enable the required APIs for each project. Review the Clouds Overview page for more information on this option.
  • Select the "Limit import scope" checkbox and provide Parent Folder ID(s) to include only the given folder(s) and everything underneath them.

Import Scope Changes

To change the import scope to a different folder, or to remove the scope entirely, navigate to "Clouds --> Organizations" and select the pencil next to the name of the Organization you want to modify. You will need to input the JSON credentials again to make this change.

8. Click "Add" to start the onboarding process.

Your Organization will now be listed within the Organizations section. Initially, the listing will show '0' accounts. Projects, resource data, and compliance data are processed and appear in the tool once the initial harvesters and processors complete.
