GCP Project onboarding Guide (Preview)
Onboarding Steps
Project-based onboarding lets you onboard a single project or multiple projects, whether or not they belong to an organization. To onboard multiple projects, provide the CSPM service account with access on each of those projects.
- Enable APIs on the GCP project: To ingest data related to GCP services into the CSPM product, the APIs listed here need to be enabled. If the required APIs are not enabled in the GCP projects, CSPM will not be able to collect configuration data for the respective services.
- Create a service account and assign roles: CSPM requires a service account with viewer roles for collecting the resource configuration data.
- Add GCP Project: This includes adding GCP project information to the respective Cloud Account and waiting until the first data collection is complete.
Onboarding GCP projects to CSPM involves the steps below:
S. No | Step | Performed By | Portal |
---|---|---|---|
1 | Enable GCP APIs | GCP Admin | GCP Console |
2 | Create a service account and assign roles | GCP Admin | GCP Console |
3 | Add GCP Organization or Project to CSPM | CSPM Admin | CSPM Portal |
STEP 1: Enable APIs on the GCP project
To ingest data related to GCP services into the CSPM product, you must enable the APIs below. If the required APIs are not enabled in the GCP projects, CSPM will not be able to collect configuration data for the respective services.
To enable the APIs on the GCP project, follow the steps below:
- Log in to the GCP Console with the project editor/owner role and open GCP Cloud Shell.
- Execute the command below to enable the APIs:

  ```
  gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com iam.googleapis.com logging.googleapis.com monitoring.googleapis.com bigquery.googleapis.com dns.googleapis.com cloudasset.googleapis.com serviceusage.googleapis.com
  ```

- Open the API and Services portal to verify the API status.
STEP 2: Create a service account and assign roles
Onboarding a GCP project to CSPM requires a service account with the viewer roles below for collecting the resource configuration data.
The service account requires the following roles on the GCP project:
Role | Type | Details |
---|---|---|
Project Viewer | Primitive | Read only access to resource metadata present in project |
Cloud Asset Viewer | Primitive | Read only access to cloud assets metadata |
Follow the steps below to create the service account and assign roles to it.
- Log in to the GCP console with the project editor/owner role.
- Go to Service Accounts in the IAM & Admin menu.
- Click on CREATE SERVICE ACCOUNT.
- Enter the service account name and description and click on CREATE to proceed.
- On the Grant this service account access to project screen, add the roles required by CSPM.
- Click on Select a Role and assign the Project Viewer role.
- Click on ADD ANOTHER ROLE to add the Cloud Asset Viewer role.
- Click on CONTINUE to save the role selections.
- Click on DONE on the Grant user access to this service account screen to finish the service account creation.
- Click on the service account created during the previous step and create a key.
  - Select Key type as JSON and click on CREATE to create a service account key.
- The service account key will be created and downloaded to your local machine.
  - Store this JSON file in a secure location. This JSON file is used to perform onboarding in the CSPM.

Note: To onboard multiple projects on CSPM, enable the APIs and provide the required permissions to the service account created in step 2.
Refer to the Annexure for providing service account access on multiple projects.
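
A preflight check for Steps 1 and 2, added here as an example and not part of the CSPM product or this guide's own tooling: it compares a project's enabled services and IAM policy against the API list and roles above, and also reports any roles the service account holds beyond those two. The role IDs `roles/viewer` and `roles/cloudasset.viewer` are the IDs of the Project Viewer and Cloud Asset Viewer roles; the service account name and sample data are constructed.

```python
import json

# APIs from STEP 1 of this guide.
REQUIRED_APIS = {
    "cloudresourcemanager.googleapis.com", "compute.googleapis.com",
    "sqladmin.googleapis.com", "storage-component.googleapis.com",
    "iam.googleapis.com", "logging.googleapis.com",
    "monitoring.googleapis.com", "bigquery.googleapis.com",
    "dns.googleapis.com", "cloudasset.googleapis.com",
    "serviceusage.googleapis.com",
}
# Role IDs for the guide's "Project Viewer" and "Cloud Asset Viewer".
REQUIRED_ROLES = {"roles/viewer", "roles/cloudasset.viewer"}


def preflight(enabled_services_text, iam_policy_json, sa_email):
    """Return missing APIs, missing roles, and roles beyond the two required."""
    enabled = {ln.strip() for ln in enabled_services_text.splitlines() if ln.strip()}
    member = "serviceAccount:" + sa_email
    granted = {
        b["role"]
        for b in json.loads(iam_policy_json).get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "missing_apis": sorted(REQUIRED_APIS - enabled),
        "missing_roles": sorted(REQUIRED_ROLES - granted),
        "extra_roles": sorted(granted - REQUIRED_ROLES),
    }


# Constructed sample input (not real project data). In practice, capture:
#   gcloud services list --enabled --format="value(config.name)"
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_SERVICES = "\n".join(sorted(REQUIRED_APIS - {"dns.googleapis.com"}))
SAMPLE_SA = "cspm-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/editor", "members": ["serviceAccount:" + SAMPLE_SA,
                                         "user:admin@example.com"]},
]})

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_SERVICES, SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

The check reads the project-level policy only; roles the service account inherits from a folder or organization do not appear in that output.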
STEP 3: Add GCP Project
To onboard a GCP project, perform the steps below in the CSPM portal.
- Log in to the CSPM portal with the license admin role.
- Activate the license by clicking on Activate License. This step needs to be performed only once after license provisioning from the CSPM team.
- Select the GCP connector type.
- Enter a Cloud Account Name to identify the project and select Onboard Using as Project.
- Click on the Upload button to upload the service account credentials file created in step 2.
- Select the project from the Select Project dropdown and click on the Add Account button to add the project to CSPM.
- You will receive a confirmation that the GCP project has been added to CSPM.
- CSPM takes 5-10 minutes to collect and process the configuration data in the backend before it can be displayed on dashboards. Click on Go To Dashboard to see the collected data.
- Refer to the Annexure to check the Onboarding Health Status. It provides insights into the state of your cloud account onboarded in CSPM, such as completed prerequisite permissions and configurations.