Projects (GCP)

Integrating a GCP Project with InsightCloudSec

This page walks through the steps required to add a single GCP project into InsightCloudSec, where each project is onboarded as one cloud account. Read more about Google Cloud Projects here.

In addition, we also support adding many GCP projects at once by onboarding the GCP Organization that contains them. Review the details of that setup on the Organizations (GCP) page.

Prerequisites

Before you get started you will want to make sure you have the following:

  • A functioning InsightCloudSec Installation
  • An InsightCloudSec user with ability to add clouds (Basic user with Add cloud permission or a Domain/Organization administrator)
  • Appropriate permissions in GCP to create custom roles and service accounts, grant IAM role bindings, and enable APIs in the target project
  • Check out our documentation about Auto Badging (GCP) for additional details

If you have questions or concerns, reach out to us through the Customer Support Portal.

🚧

Deleting GCP Projects

For customers that onboard GCP projects individually (and not via a GCP Organization), any GCP project deleted upstream via the console or API will be marked as invalid in InsightCloudSec and harvesting for it will be paused. Customers will need to manually remove these projects from the tool.

Setup Your Project in the GCP Console

Role Creation

1. Within your GCP console navigate into the project you will be onboarding into InsightCloudSec.

[Screenshot: Google Project ID]

2. Navigate to "IAM & Admin > Roles".

3. Click "Create Role" and name the role as desired; we recommend including ICS or InsightCloudSec in the name so the role is easy to track.

4. Click "Add permissions", and using the filter field provided, select the following permissions:
- storage.buckets.get
- storage.buckets.getIAMPolicy
- bigquery.tables.get
- bigquery.tables.list
- cloudasset.assets.listResource
- cloudasset.assets.searchAllIamPolicies
- serviceusage.services.enable

🚧

Required Permissions

The cloudasset.assets.listResource and serviceusage.services.enable permissions are required for proper resource harvesting, as InsightCloudSec increasingly uses Cloud Asset Inventory to discover resources.

5. Click "Add" to finalize the permissions.

6. Click "Create" to save the role.

Service Account Creation

1. Navigate to "IAM & Admin > Service Accounts".

2. Click "Create Service Account" and complete the service account details.

  • We recommend including ICS or InsightCloudSec for tracking

3. Click "Create and Continue".

4. Select the Custom role you created in the previous steps.

[Screenshot: Select Your Custom Role]

5. Click "Add another role" and select the Basic Viewer (read-only) or Editor (read/write) role. Viewer is sufficient for harvesting; only grant Editor if you intend to let InsightCloudSec change resources in this project, because the Editor basic role can modify nearly every resource in it.

[Screenshot: Assigning Basic Roles to Service Account]

6. Click "Done" to finalize the service account and its role assignments.


Generating a Service Account Key

1. Navigate into the newly created Service Account.

2. In the Keys section, select "Add Key".

3. Select "Create New Key".

[Screenshot: Creating a new Service Account Key]

4. With Key Type as JSON, click "Create" to download the key.

❗️

Store this JSON file in a secure place; it contains the only copy of the private key, which GCP does not retain and cannot re-issue. Treat the file as a credential: restrict its file permissions, keep it out of source control, and if it is lost or exposed, create a new key and delete the old one from the service account.

Enabling GCP APIs

We recommend that you review and enable the APIs listed under Recommended APIs in order to gain visibility and access to those GCP services.

🚧

Required APIs

The Cloud Asset API and Service Usage API must be enabled, and the custom role above must carry the matching cloudasset and serviceusage permissions, for visibility into the project's enabled API services and for certain resource harvesting. The Cloud Policy Analyzer API needs to be enabled in each project added to InsightCloudSec so Service Accounts can be properly harvested.

If the project has all recommended APIs, you can skip to the next step in the onboarding process.

1. Navigate to the APIs & Services > Dashboard to view currently enabled APIs.

2. The Dashboard will allow you to see the currently enabled APIs and usage metrics.

[Screenshot: Currently enabled APIs]

3. To Enable an API select "ENABLE APIS AND SERVICES" at the top of the page.

[Screenshot: Enable APIs and Services]

4. Search for the name of the API to enable and click the corresponding API service in the results.

5. Review the description and consider reading the GCP documentation regarding the API. Click "ENABLE" to enable the API in the project.

[Screenshot: Search for API service]

[Screenshot: Enable API service]

6. Repeat steps 3-5 for enabling additional APIs.

Once the above steps are completed, you can move on to adding the project into InsightCloudSec.
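The same project setup (custom role with the seven permissions, service account with the custom role plus a Basic role, the three required APIs, and the JSON key) can be done from the command line. The script below is an added example for this page, not InsightCloudSec's or Google's own tooling. It assumes gcloud is installed and authenticated as a principal allowed to create roles and service accounts and to grant IAM bindings in the project; the project id, role id, service account name and key path are placeholders you choose. It also adds two checks a practitioner wants before pasting the key into the Add Cloud form: that the file really is a service-account key with a project_id, and that only its owner can read it.

```shell
#!/bin/sh
# Added example (not InsightCloudSec's or Google's own tooling): the console
# steps above as gcloud commands. Assumptions: gcloud is installed and
# authenticated with rights to create roles/service accounts and grant IAM
# bindings; project id, role id, service-account name and key path are
# placeholders. Setting GCLOUD=echo prints the commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# The seven permissions listed under "Role Creation" above.
ICS_PERMISSIONS="storage.buckets.get,storage.buckets.getIAMPolicy,bigquery.tables.get,bigquery.tables.list,cloudasset.assets.listResource,cloudasset.assets.searchAllIamPolicies,serviceusage.services.enable"

# The APIs the "Required APIs" note above calls mandatory.
ICS_APIS="cloudasset.googleapis.com serviceusage.googleapis.com policyanalyzer.googleapis.com"

# $1 = project id, $2 = service account name -> the account's email address.
sa_email() {
  echo "$2@$1.iam.gserviceaccount.com"
}

# $1 = project id, $2 = role id. Creates a custom role scoped to one project.
create_ics_role() {
  "$GCLOUD" iam roles create "$2" --project="$1" \
    --title="InsightCloudSec harvester" --stage=GA \
    --permissions="$ICS_PERMISSIONS"
}

# $1 = project id, $2 = service account name, $3 = role id, $4 = viewer|editor.
# Viewer is enough for harvesting; editor lets the tool change resources.
create_ics_service_account() {
  sa="$(sa_email "$1" "$2")"
  "$GCLOUD" iam service-accounts create "$2" --project="$1" \
    --display-name="InsightCloudSec"
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$sa" --role="projects/$1/roles/$3"
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$sa" --role="roles/$4"
}

# $1 = project id. Word splitting of ICS_APIS is intended.
enable_ics_apis() {
  "$GCLOUD" services enable $ICS_APIS --project="$1"
}

# $1 = service account email, $2 = output path. The subshell umask makes the
# key file owner-readable only from the moment it is written; GCP keeps no copy.
create_ics_key() {
  (umask 077 && "$GCLOUD" iam service-accounts keys create "$2" --iam-account="$1")
}

# $1 = key file. Prints its project_id field, the value the Add Cloud form asks for.
key_project_id() {
  sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# $1 = key file. Fails unless it is a service-account key that only its owner can read.
check_key_file() {
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" \
    || { echo "$1: not a service account key" >&2; return 1; }
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] \
    || { echo "$1: readable by group/others; run chmod 600" >&2; return 1; }
  [ -n "$(key_project_id "$1")" ] \
    || { echo "$1: no project_id field" >&2; return 1; }
}

# Typical run (all values are placeholders):
#   PROJECT=my-project; ROLE=ics_harvester; SA=ics-harvester; KEY=ics-key.json
#   create_ics_role "$PROJECT" "$ROLE"
#   create_ics_service_account "$PROJECT" "$SA" "$ROLE" viewer
#   enable_ics_apis "$PROJECT"
#   create_ics_key "$(sa_email "$PROJECT" "$SA")" "$KEY"
#   check_key_file "$KEY" && key_project_id "$KEY"
```

Run it with `GCLOUD=echo` first to review the exact commands and the permission list before touching the project. Because the role is created with `projects/PROJECT/roles/ROLE`, it exists only in that project; if you onboard several projects individually, repeat the run per project rather than granting an organization-level role.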

Onboarding A GCP Project into InsightCloudSec

[Screenshot: Add a Cloud]

1. Go to your InsightCloudSec account. Navigate to the Clouds Listing Page "Cloud --> Clouds". Click on "Add Cloud" in the upper right.

2. Select "Google Cloud Platform" and complete the following details:

  • Nickname: Name your cloud account.
  • Project ID: Provide your project ID.
    • This is the project_id field of the Service Account key file you downloaded earlier, and is also shown on the project's home page in the GCP console.
  • API Credentials: Enter the JSON from the credentials you created and saved earlier.
  • Email Delegation(Optional): Enter an admin Email if you want to manage IAM and the Google Cloud Directory.
  • Harvesting Strategy (Optional): Select a harvesting strategy to use for this project other than the default.

📘

Enabling Email Delegation

Providing an email within the Email Delegation field enables InsightCloudSec to collect GCP Directory (IAM) data that will be populated under both:

The email you provide must belong to a super-admin of the Google Workspace or Cloud Identity directory associated with your organization; the service account impersonates that user to read directory data. For more details check out the page on GCP Directory Support.

[Screenshot: Example form to Add a Cloud for GCP]

3. Select "Add Cloud".

4. Complete the optional validation step for permissions.

  • Note: InsightCloudSec includes the ability to optionally validate permissions after adding a new cloud account.

5. Add any Badges you would like to this particular cloud account. This can be performed at any point later on.

  • InsightCloudSec also supports Auto Badging (GCP), so you may want to review those details.

6. InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending upon the size of your cloud account.

  • You can also confirm that your cloud account is added by returning to the Clouds main page, selecting the "Listing" tab, and searching to confirm that your newly added cloud account is listed.