This page walks through the steps required to add a single GCP account, also known as a project, into InsightCloudSec. Read more about Google Cloud Projects here.
In addition, we also support adding multiple GCP projects (aka organizations) to InsightCloudSec. Review the details of that setup on the Organizations (GCP) page.
Before you get started you will want to make sure you have the following:
- A functioning InsightCloudSec Installation
- An InsightCloudSec user with the ability to add clouds (Basic user with Add cloud permission or Domain/Organization administrator)
- Appropriate permissions in GCP to create service accounts, roles, and enable APIs
- Check out our documentation about Auto Badging (GCP) for additional details
If you have questions or concerns, reach out to us through the Customer Support Portal.
1. Within your GCP console navigate into the project you will be onboarding into InsightCloudSec.
2. Navigate to "IAM & Admin > Roles".
3. Click "Create Role" and name your role as desired. We recommend including InsightCloudSec in the name for proper tracking.
4. Click "Add permissions", and using the filter field provided, select the following permissions:
serviceusage.services.enablepermissions are required for proper resource harvesting as InsightCloudSec expands the use of Cloud Asset Inventory.
5. Click "Add" to finalize the permissions.
6. Click "Create" to save the role.
1. Navigate to "IAM & Admin > Service Accounts".
2. Click "Create Service Account" and complete the service account details.
- We recommend including
3. Click "Create and Continue".
4. Select the Custom role you created in the previous steps.
5. Click to Add another role and select the Basic viewer (read-only) or editor (read/write) role.
6. Click "Done" to finalize the new role.
1. Navigate into the newly created Service Account.
2. In the Keys section, select "Add Key".
3. Select "Create New Key".
4. With Key Type as JSON, click "Create" to download the key.
Store this JSON file in a secure place; it contains the only copy of the key.
We recommend that you enable the APIs listed under Recommended APIs in order to gain visibility and access to those GCP services.
- Review GCP Supported Services for a full list.
The Cloud Asset API and Service Usage API must be enabled with appropriate permissions for visibility into the project's enabled API services and certain resource harvesting. The Cloud Policy Analyzer API needs to be enabled in each project added to InsightCloudSec so Service Accounts can be properly harvested.
If the project has all recommended APIs, you can skip to the next step in the onboarding process.
1. Navigate to the APIs & Services > Dashboard to view currently enabled APIs.
2. The Dashboard will allow you to see the currently enabled APIs and usage metrics.
3. To enable an API, select "ENABLE APIS AND SERVICES" at the top of the page.
4. Search for the name of the API to enable and click the corresponding API service in the results.
5. Review the description and consider reading the GCP documentation regarding the API. Click "ENABLE" to enable the API in the project.
6. Repeat steps 3-5 for enabling additional APIs.
Once the above steps are completed, you can move on to adding the project into InsightCloudSec.
1. Go to your InsightCloudSec account. Navigate to the Clouds Listing Page "Cloud --> Clouds". Click on "Add Cloud" in the upper right.
2. Enter Cloud Information:
- Select "Google Cloud Platform" as the cloud type.
- Name your cloud account.
- Provide your project ID.
- This can be found in the Service Account key previously downloaded or the home page within the GCP console.
- Enter the JSON from the credentials you created and saved earlier.
- Optional: Enter an admin Email if you want to manage IAM and the Google Cloud Directory.
- Optional: Select a harvesting strategy to use for this project other than the default.
3. Select "Add Cloud".
4. Complete the optional validation step for permissions.
InsightCloudSec includes the ability to optionally validate permissions after adding a new cloud account. To review those steps, visit the instructions provided under Cloud Account Setup.
5. Add any Badges you would like to this particular cloud account. This can be performed at any point later on.
6. InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending upon the size of your cloud account.
- You can also confirm that your cloud account is added by returning to the Clouds main page, selecting the "Listing" tab, and confirming that your newly added cloud account is listed.
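A pre-flight check on the downloaded key before its JSON is entered in the Add Cloud form, given here as an added example that is not part of the InsightCloudSec documentation. It confirms the file is a service account key for the project being onboarded, returns the project ID the form asks for, and flags a key file that other local users can read. The function names, file name and sample values are assumptions constructed for illustration.

```python
import json
import os
import tempfile

REQUIRED = ("type", "project_id", "private_key", "client_email")


def check_key_file(path, expected_project_id):
    """Return (project_id, problems) for a key file; the mode check is POSIX only."""
    problems = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:  # any group/other permission bit set
        problems.append(f"mode {mode:o} exposes the key to other local users; chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # malformed JSON or wrong encoding
        return None, problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return None, problems + ["top-level JSON value is not an object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    project_id = key.get("project_id")
    if project_id != expected_project_id:
        problems.append(f"key is for project {project_id!r}, not {expected_project_id!r}")
    return project_id, problems


def demo():
    """Check a constructed key (no real credential) under loose and strict modes."""
    sample = {  # constructed values, assumptions for this example
        "type": "service_account",
        "project_id": "example-project-123",
        "private_key": "CONSTRUCTED-PLACEHOLDER",
        "client_email": "ics-harvest@example-project-123.iam.gserviceaccount.com",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        loose = check_key_file(path, "example-project-123")
        os.chmod(path, 0o600)
        strict = check_key_file(path, "example-project-123")
        wrong = check_key_file(path, "other-project")
    return loose, strict, wrong
```

An empty problem list means the key matches the project and is private to the current user; anything else should be resolved before the key is entered.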