This page walks through the steps required to add a single GCP account, also known as a project, into InsightCloudSec. Read more about Google Cloud Projects here.
In addition, we also support adding multiple GCP projects (aka organizations) to InsightCloudSec. Review the details of that setup on the Organizations (GCP) page.
Otherwise, refer to the steps below to get set up.
Before you get started you will want to make sure you have the following:
- A functioning InsightCloudSec Installation with the appropriate admin permissions
- The appropriate permissions to access the resources you will need from Google
If you have questions or concerns, reach out to us at [email protected].
1. To access the API Manager, log in to the GCP console. Verify that you have selected the organization and the project you wish to add to InsightCloudSec.
Note the Project ID; you will need this when adding the cloud account to InsightCloudSec.
2. To access the APIs & Services dashboard, select "APIs & Services" from the left navigation and click "Dashboard".
3. Enable APIs — Once you have selected Dashboard, you will see a list of APIs that are currently enabled.
- We recommend that you enable the APIs listed under Recommended APIs in order to gain visibility and access to those GCP services. Review GCP Supported Services for a full list.
Cloud Asset Inventory - Required Permissions
Note that the Cloud Asset API must be enabled with appropriate permissions for GCP's Cloud Asset Inventory to function properly. Reach out to your CSM or [email protected] if you require any assistance in configuring this required API.
If you do not have all of the recommended APIs enabled, select "Enable APIs and Services". Otherwise, skip to step 6.
4. In the Google API Library, enter the name of the missing API in the search box. Select the API from the search results. (The example below shows just one match; multiple API matches may be shown in card format.)
5. You will see a description of the API. Once you have reviewed the information, select "Enable." Repeat the process until you have added all of the missing APIs.
6. Once you have verified your enabled APIs, you will need to create an additional custom role to ensure appropriate access. Go to "Roles --> Create Role --> Add Permissions".
- Utilizing the Filter field, select the following permissions:
- Click "Add".
- Update the role's Title, Description, ID, and Role launch stage, then click "Create". We recommend a name and ID that includes InsightCloudSec so it's easier to find later.
7. Click on Credentials on the navigation menu (from the API Services Dashboard).
8. Click on the "Create credentials" button and select "Service account" from the drop-down menu.
Note: this navigates to the IAM & Admin section of the Google Cloud Platform Dashboard.
9. Complete the "Service account details" as follows, then click "Create" when you're finished.
- Service account name - the name you want to provide for the service account
- ID - the service account ID
- Service account description - a description of the account's purpose
10. Under Service Account permissions click on "Select a role".
- Select either "Project --> Viewer" to give InsightCloudSec the scope to view all cloud resources, or select "Project --> Editor" to allow InsightCloudSec to view and act upon all cloud resources.
- Select the custom role you created in Step #6 (e.g. InsightCloudSecStorage).
- Add any conditions (optional), if desired.
11. Click Continue to save your role selection.
12. To finish the process to "Create Service Account", click "Create Key".
- Select JSON as your key type. (This allows InsightCloudSec to call APIs programmatically.)
- If you want to configure the "Grant users access to this service account (optional)", consult with your local administrator to confirm details, or reach out to support-insigh[email protected] with questions.
13. Click "Done" to complete this process and confirm that your Service Account Key has been created. You should see a confirmation message with the name of your JSON key. (This also automatically downloads the key.)
Store this JSON in a secure place; the JSON contains the only copy of the keys.
1. Go to your InsightCloudSec account. Navigate to the Clouds Listing Page "Cloud --> Clouds". Click on "Add Cloud" in the upper right.
2. Enter Cloud Information:
- Select "Google Cloud Platform" in the Select Technology drop-down.
- Name your cloud account.
- Provide your project ID from Setup on Google Console Step 1.
- Enter the JSON from the credentials you created and saved earlier.
- Enter an admin Email if you want to manage IAM and the Google Cloud Directory.
- Optionally, select a harvesting strategy to use for this project.
3. Complete the optional validation step for permissions.
Both AWS and GCP include the ability to optionally validate permissions before adding a new cloud account. To review those steps, visit the instructions provided under Cloud Account Setup.
4. Add any Badges you would like to this particular cloud account. Badges provide a way to assign additional metadata about resources within the InsightCloudSec platform. They are key/value pairs that can be used for filtering and identifying resources from the parent cloud account.
5. Select "Add Cloud".
6. Confirm the addition of your GCP cloud account. You should see a notification that indicates you have successfully added a cloud account.
- InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending upon the size of your cloud account.
- You can also confirm that your cloud account is added by returning to the Clouds main page, selecting the "Listing" tab, and confirming that your newly added cloud account is listed.