Projects (GCP)

Integrating a GCP Project with InsightCloudSec

This page walks through the steps required to add a single GCP account, also known as a project, into InsightCloudSec. Read more about Google Cloud Projects here.

In addition, we also support adding multiple GCP projects (aka organizations) to InsightCloudSec. Review the details of that setup on the Organizations (GCP) page.

Prerequisites

Before you get started you will want to make sure you have the following:

If you have questions or concerns, reach out to us through the Customer Support Portal.

Set Up Your Project in the GCP Console

Role Creation

1. Within your GCP console navigate into the project you will be onboarding into InsightCloudSec.

Google Project ID

2. Navigate to "IAM & Admin > Roles".

3. Click "Create Role" and name your role as desired. We recommend including ICS or InsightCloudSec in the name for proper tracking.

4. Click "Add permissions", and using the filter field provided, select the following permissions:
- storage.buckets.get
- storage.buckets.getIAMPolicy
- bigquery.tables.get
- bigquery.tables.list
- cloudasset.assets.listResource
- cloudasset.assets.searchAllIamPolicies
- serviceusage.services.enable

🚧

Required Permissions

The cloudasset.assets.listResource and serviceusage.services.enable permissions are required for proper resource harvesting as InsightCloudSec expands the use of Cloud Asset Inventory.

5. Click "Add" to finalize the permissions.

6. Click "Create" to save the role.

Service Account Creation

1. Navigate to "IAM & Admin > Service Accounts".

2. Click "Create Service Account" and complete the service account details.

  • We recommend including ICS or InsightCloudSec for tracking

3. Click "Create and Continue".

4. Select the Custom role you created in the previous steps.

Select Your Custom Role

5. Click "Add another role" and select the Basic Viewer (read-only) or Editor (read/write) role.

Assigning Basic Roles to Service Account

6. Click "Done" to finalize the new role.

Generating a Service Account Key

1. Navigate into the newly created Service Account.

2. In the Keys section, select "Add Key".

3. Select "Create New Key".

Creating a new Service Account Key

4. With Key Type as JSON, click "Create" to download the key.

❗️

Store this JSON file in a secure place; it contains the only copy of the key.

Enabling GCP APIs

We recommend that you enable the APIs listed under Recommended APIs in order to gain visibility and access to those GCP services.

🚧

Required APIs

The Cloud Asset API and Service Usage API must be enabled with appropriate permissions for visibility into the project's enabled API services and certain resource harvesting. The Cloud Policy Analyzer API needs to be enabled in each project added to InsightCloudSec so Service Accounts can be properly harvested.

If the project has all recommended APIs, you can skip to the next step in the onboarding process.

1. Navigate to the APIs & Services > Dashboard to view currently enabled APIs.

2. The Dashboard will allow you to see the currently enabled APIs and usage metrics.

Currently enabled APIs

3. To enable an API, select "ENABLE APIS AND SERVICES" at the top of the page.

Enable APIs and Services

4. Search for the name of the API to enable and click the corresponding API service in the results.

5. Review the description and consider reading the GCP documentation regarding the API. Click "ENABLE" to enable the API in the project.

Search for API service

Enable API service

6. Repeat steps 3-5 for enabling additional APIs.

Once the above steps are completed, you can move on to adding the project into InsightCloudSec.
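
The console steps above (custom role, service account, key, required APIs) can also be scripted with the gcloud CLI so the setup is repeatable and reviewable. This is an added example, not part of the original InsightCloudSec documentation; the project ID, role ID, service-account name and key filename are hypothetical, and the three service names are an assumed mapping of the APIs named under Required APIs.

```shell
#!/bin/sh
# Added example: gcloud equivalent of the console steps on this page.
# PROJECT_ID, ROLE_ID, SA_NAME and the key filename are hypothetical values.
PROJECT_ID="${PROJECT_ID:-example-project-123}"
ROLE_ID="${ROLE_ID:-InsightCloudSecHarvest}"      # role IDs cannot contain hyphens
SA_NAME="${SA_NAME:-insightcloudsec-harvest}"
# The page allows Basic viewer (read-only) or editor (read/write); default to viewer.
BASIC_ROLE="${BASIC_ROLE:-roles/viewer}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# The seven permissions listed under Role Creation, step 4.
PERMS="storage.buckets.get,storage.buckets.getIAMPolicy,bigquery.tables.get"
PERMS="$PERMS,bigquery.tables.list,cloudasset.assets.listResource"
PERMS="$PERMS,cloudasset.assets.searchAllIamPolicies,serviceusage.services.enable"

# Print each command for review (shown unquoted); execute only when APPLY=1 is set.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="InsightCloudSec harvest" --stage=GA --permissions="$PERMS"
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="InsightCloudSec harvesting"
  # Bind the custom role and the Basic role to the new service account.
  for role in "projects/$PROJECT_ID/roles/$ROLE_ID" "$BASIC_ROLE"; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
}

create_key() {
  # Subshell with umask 077 so the key file is created owner-readable only.
  ( umask 077
    run gcloud iam service-accounts keys create "$1" \
      --iam-account="$SA_EMAIL" --project="$PROJECT_ID" )
}

enable_required_apis() {
  # Assumed service names for the Cloud Asset, Service Usage and Policy Analyzer APIs.
  run gcloud services enable cloudasset.googleapis.com \
    serviceusage.googleapis.com policyanalyzer.googleapis.com \
    --project="$PROJECT_ID"
}

onboard_plan() {
  create_role && create_service_account &&
    create_key "${KEY_FILE:-ics-key.json}" && enable_required_apis
}

onboard_plan
```

Run it as-is to print the six commands for review, then rerun with `APPLY=1` and your own `PROJECT_ID` to execute them.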

Onboarding A GCP Project into InsightCloudSec

1. Go to your InsightCloudSec account. Navigate to the Clouds listing page ("Cloud --> Clouds") and click "Add Cloud" in the upper right.

Add a Cloud

2. Enter Cloud Information:

  • Select "Google Cloud Platform" as the cloud type.
  • Name your cloud account.
  • Provide your project ID.
    • This can be found in the Service Account key previously downloaded or the home page within the GCP console.
  • Enter the JSON from the credentials you created and saved earlier.
  • Optional: Enter an admin email if you want to manage IAM and the Google Cloud Directory.
  • Optional: Select a harvesting strategy to use for this project other than the default.

3. Select "Add Cloud".

4. Complete the optional validation step for permissions.

📘

Validation

InsightCloudSec includes the ability to optionally validate permissions after adding a new cloud account. To review those steps, visit the instructions provided under Cloud Account Setup.

5. Add any Badges you would like to this particular cloud account. This can be performed at any point later on.

6. InsightCloudSec will begin harvesting immediately and the data should start to surface after five minutes or so, depending upon the size of your cloud account.

  • You can also confirm that your cloud account is added by returning to the Clouds main page, selecting the "Listing" tab, and confirming that your newly added cloud account is listed.
