Skip to main content

Onboarding a Google Cloud Platform (GCP) Organization

Cloud accounts in the Google Cloud Platform (GCP) are referred to as projects. They can be grouped together in entities called organizations.

You can integrate a single cloud account (or a project), or a group of accounts (an organization).

Prerequisites:

  • A GCP account within the organization assigned with the Organization Administrator and Organization Role Administrator roles.

  • An active Cloud Billing Account

Add a GCP Cloud Organization

  1. Under Scan Configuration, select Add projects from a Google Cloud Organization.

    CSPM_select_GCO_412812_en.png

  2. Open a new browser tab or window and login to the GCP console.

  3. Create a new project within the organization to ensure API limits for GravityZone Cloud Security are controlled separately from production workloads:

    1. Click the Select Project button on the upper left side of the page.

      The Select a project window is displayed.

    2. Click New project

      CSPM_GCO_create_project_452588_en.png

    3. Enter a unique project name and click Create.

      CSPM_GCP_project_organization_1_412767_en_copy.png

      You will be redirected to the project view.

  4. Click the menu button on the top left corner and select Billing.

    CSPM_GCP_project_organization_2_412767_en.png

    If a billing account has already been linked to the project, you should see the Billing Overview page.

    If that is not the case, follow these steps:

    1. Click Link a billing account.

      CSPM_GCP_project_organization_3_412767_en.png

    2. Select the billing account you would like to associate the project with from the dropdown menu and click on Set Account.

      6 - Billing account drop down box

  5. Go to the IAM & Admin page.

    CSPM_GCO_IAM_and_admin_452588_en.png

  6. Select Service Accounts from the menu on the right side of the page.

    The Service accounts page is displayed.

  7. Click + Create Service Account:

    CSPM_GCO_create_service_account_452588_en.png

    The Create service account window is displayed.

  8. Fill in the information for the new account:

    • Under Service account name type in a descriptive name, such as GravityZone Cloud Security

    • (Optional) Edit the Service account ID. This is automatically generated based on the account name you previously entered.

    • Type in a clear description for the service account under Service account description, such as GravityZone API Access.

  9. Click Create and continue.

    CSPM_GCP_project_integration_B1_412767_en.png

    The Grant this service account access to project section is expanded.

  10. Click Done.

    The Service accounts page is displayed.

  11. Write down the email address of the service account you just created in an accessible location:

    CSPM_GCO_copy_service_account_email_452588_en.png

  12. Click the address under the Email column.

    The Service account details page is displayed.

  13. Go to the Keys tab.

  14. Click on Add Key > Create New Key.

    CSPM_GCP_project_integration_2_412767_en.png

  15. Under Key type, make sure JSON is selected and click Create.

    CSPM_GCP_project_integration_3_412767_en.png

    A .JSON file is downloaded to your computer.

  16. Enable the APIs necessary for Enable the APIs necessary for Warden to work. to work:

    The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

    CSPM_AWS_integration_M_4_425527_en.png

  17. Click the project switcher on the upper left side of the page.

    The Select a resource window is displayed.

  18. Go to the All tab and select your organization.

    Note

    Organizations are marked with the CSPM_GCO_organization_icon_452588_en.png icon.

  19. Click the Roles from the menu on the right side of the page.

    The Roles page is displayed.

  20. Click + Create role.

    CSPM_GCO_organization_create_role_452588_en_copy.png

  21. Fill in the role information:

    • Under Title, type in a descriptive name, such as GravityZone Cloud Scanner.

    • (optional) Edit the Description field to make the role more easily identifiable.

    • Under ID, type in an easily identifiable string, such as GravityZoneCloudScanner.

      Note

      This ID is unique per organization.

  22. Click Add permissions:

    CSPM_GCO_role_permissions_452588_en.png

    The Add permissions window is displayed.

  23. Click the Filter field to search for the roles:

    CSPM_GCO_role_permissions_filter_452588_en.png

  24. Type in the permission name.

  25. Check the box next to the search result to select the permission:

    CSPM_GCO_role_permissions_select_452588_en.png

    Perform steps 23 - 25 for each of these permissions:

    • serviceusage.services.enable

    • serviceusage.services.get

    • serviceusage.services.list

    • compute.projects.get

  26. Click Add.

    The permissions are displayed under the Create role window

  27. Click Create:

    CSPM_GCO_role_create_452588_en.png

  28. Go to the IAM page.

    Tip

    Make sure your organization still appears in the selector on the upper left side of the page.

  29. Click Grant access.

    CSPM_GCO_grant_permission_452588_en_copy.png

    The Grant access page is displayed.

  30. Paste the email address from Step 11 under the Add principals section.

  31. Click Select a role. Select each of the following roles:

    • Resource Manager > Organization Viewer

    • Resource Manager > Folder Viewer

    • Billing > Billing Account Viewer

    • IAM > Security Reviewer

    • Compute Engine > Compute Network Viewer

    • BigQuery > BigQuery Metadata Viewer

    • Binary Authorization > Binary Authorization Policy Viewer

    • Other > Activity Analysis Viewer

    • Custom > GravityZone Cloud Scanner (This is the Role created earlier)

      Tip

      If this role is not immediately available, wait for a few minutes for it to appear in the list.

  32. Click Save.

    CSPM_GCO_save_role_452588_en_copy.png

  33. Go back to the Scan Configuration browser page.

  34. Copy and paste the contents of the JSON file into the API Credentials field.

  35. Under the Identifier field type in organizations/ followed by organization ID, as it appears in your GCP console.

    CSPM_GCO_view_id_452588_en_copy.png

  36. Under Google Cloud Organization Name paste the email address you copied at step 11.

  37. Click Add.

Asset inventory onboarding

Enabling GravityZone Cloud Security to scan Google Workspace Identities provides you a more accurate representation of your cloud environment, by providing access to identity related metadata.

Tip

Once enabled, the benefits will apply to the information available in the Identities page, along with the Identities with access tab in the Resource Details panel from the Resources page.

To enable the workspace, you need admin permissions on the workspace account.

Enable GravityZone Cloud Security to scan Google Workspace Identities for a new Google Cloud Platform (GCP) account

To enable GravityZone Cloud Security to scan Google Workspace Identities for a new GCP account, follow the steps listed here and after that process is completed, continue with the below:

  1. Open a new browser tab or window and log in to admin.google.com.

  2. Navigate to Account > Admin Roles.

  3. Click Create New Role.

    CSPM_IAM_GCP_create_new_role_462777_en.png

  4. Under Name, type in a descriptive name, such as GravityZone Cloud Security.

  5. Click Continue.

  6. Scroll down to Admin API privileges, check the following checkboxes:

    • Users > Read

    • Groups > Read

      CSPM_IAM_GCP_admin_API_462777_en.png

  7. Click Continue.

    You will see 2 privileges selected.

    CSPM_IAM_GCP_create_role_462777_en.png

  8. Click Create role.

  9. Click Assign service accounts.

    CSPM_IAM_GCP_assign_service_accounts_462777_en.png

  10. Enter the email of the previously created account.

  11. Click Add.

    CSPM_IAM_GCP_assign_service_accounts_add_button_462777_en.png

  12. Click Assign Role.

    CSPM_IAM_GCP_assign_role_button_462777_en.png

    The role is added with the permissions selected previously.

    CSPM_IAM_GCP_service_account_list_462777_en.png

  13. Navigate to Settings > Integrations, select GCP Cloud Organization and click the Modify button to access the Google Cloud Organization card. From here, click Update and this will display a new information card with the API Credentials.

Note

Once the Asset Inventory is enabled, it also applies to all other projects and organizations inside the same Google workplace.

If you have an additional workspace, you need to enable this option again for one of its Projects or Organizations.

Enable GravityZone Cloud Security to scan Google Workspace Identities for an existing Google Cloud Platform (GCP) account

To enable GravityZone Cloud Security to scan Google Workspace Identities for an existing GCP account, you need to follow the exact same steps as for a new account. The only difference is that you need to obtain the email of the previously created account.

To find the email of the previously created account, refer to the steps bellow:

  1. Navigate to Scan Configuration page, select the account and click the Edit icon.

  2. From the Account Details panel, copy the Account Name details.

    CSPM_IAM_GCP_service_account_name_details_462777_en.png

  3. Open a new browser tab or window and log in to your Google Cloud Console.

  4. Navigate to IAM & Admin and click Search a project.

    CSPM_IAM_GCP_select_project_462777_en.png

  5. In the Search projects and folders field, type in or paste the info copied at step 2.

    CSPM_IAM_GCP_search_project_462777_en.png

  6. Once the project is selected, navigate to Service Accounts page and search for the API Credentials. You can copy the API Credentials from the Account Details panel (step 2).

    CSPM_IAM_GCP_API_credentials_462777_en.png

  7. Click the service account corresponding to the API Credentials.

  8. From the Service account details page, you can then copy the email address which you can use to complete the enabling process.

    CSPM_IAM_GCP_email_address_462777_en.png
In this section: