Google Onboarding

Onboarding Google Cloud Projects using Service Account (SA)

GCP Cloud Onboarding

Creating SA - Customer Prerequisites

The customer must meet the requirements below and prepare an SA with the required roles and permissions before onboarding to the INSIGHT platform:

  1. Login to Cloud portal

  2. Create one Service Account in any existing project (see "How to create a service account"), then add a key of type JSON and download the key for later use.

  3. Assign the built-in 'Viewer' role to the created SA, per organisation or per specific project, depending on the intended INSIGHT access scope (see "How to grant a single role"), or create a custom role with the specific permissions listed below.

Important! Note that new functionality may require new permissions.

a. Create a role definition at organisation level. If the cloud account has no organisation, the role has to be created per project. Alternatively, a combination of roles can be used, as long as the result includes all of the permissions listed below.

b. Add permissions (39) to the created role:

cloudasset.assets.searchAllResources
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudRecentChangeRecommendations.list
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.containerDiagnosisRecommendations.list
recommender.errorReportingRecommendations.list
recommender.gmpProjectManagementRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityRecommendations.list
recommender.runServiceSecurityRecommendations.list
recommender.usageCommitmentRecommendations.list
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.findings.list
securitycenter.sources.list

c. Assign the created role to the organisation (if applicable) or to all of the projects that you wish to onboard.

  4. Ensure the following services and APIs are enabled on the project that holds the Service Account created for onboarding:

    • Cloud Resource Manager API

    • Recommender API

    • Cloud Asset API

    • Security Command Center API

Important! The APIs must be enabled on the project where the Service Account is created.
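A check for steps b and c, added here as an example and not part of the INSIGHT documentation: it takes the role definitions that will be bound to the SA and reports which of the 39 listed permissions the combination still lacks and which it grants beyond the list. The input format (JSON text as printed by `gcloud iam roles describe ROLE --format=json`) and the two sample roles are assumptions constructed for illustration.

```python
import json

# The 39 permissions from step b. The 32 recommender entries all have the form
# recommender.<stem>Recommendations.list, so only the stems are spelled out.
_STEMS = """
bigqueryCapacityCommitments bigqueryPartitionCluster cloudDeprecationGeneral
cloudFunctionsPerformance cloudRecentChange cloudSecurityGeneral
cloudsqlIdleInstance cloudsqlInstanceOutOfDisk cloudsqlInstancePerformance
cloudsqlInstanceReliability cloudsqlOverprovisionedInstance
cloudsqlUnderProvisionedInstance computeAddressIdleResource
computeDiskIdleResource computeImageIdleResource
computeInstanceGroupManagerMachineType computeInstanceIdleResource
computeInstanceMachineType containerDiagnosis errorReporting
gmpProjectManagement iamPolicyChangeRisk iamPolicy iamServiceAccountChangeRisk
loggingProductSuggestionContainer resourcemanagerProjectChangeRisk
resourcemanagerProjectUtilization resourcemanagerServiceLimit runServiceCost
runServiceIdentity runServiceSecurity usageCommitment
""".split()
REQUIRED = {f"recommender.{s}Recommendations.list" for s in _STEMS} | {
    "cloudasset.assets.searchAllResources",
    "resourcemanager.hierarchyNodes.listEffectiveTags",
    "resourcemanager.organizations.get", "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "securitycenter.findings.list", "securitycenter.sources.list",
}

def coverage(role_docs):
    """Return (missing, extra) for the union of the given role definitions.
    Each item is JSON text whose "includedPermissions" lists the role's grants."""
    granted = set()
    for doc in role_docs:
        granted |= set(json.loads(doc).get("includedPermissions", []))
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)

# Constructed sample: two custom roles meant to be combined on one SA.
ROLE_A = json.dumps({"includedPermissions":
                     sorted(p for p in REQUIRED if p.startswith("recommender."))})
ROLE_B = json.dumps({"includedPermissions": [
    "cloudasset.assets.searchAllResources",
    "resourcemanager.hierarchyNodes.listEffectiveTags",
    "resourcemanager.organizations.get", "resourcemanager.projects.get",
    "resourcemanager.projects.list", "storage.objects.get"]})

if __name__ == "__main__":
    missing, extra = coverage([ROLE_A, ROLE_B])
    print("missing from the combination:", missing)
    print("granted beyond the list:", extra)
```

An empty first list means the combination satisfies step b; anything in the second list is access the SA holds beyond what the permission list asks for.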

Onboarding SA - INSIGHT configuration

  1. Login to INSIGHT platform

  2. Open Cloud Management menu under Administration

  3. Add Google Organisation using SA credentials, example:

    {
      "type": "service_account",
      "project_id": "nice-text-id",
      "private_key_id": "long-key",
      "private_key": "long-text",
      "client_email": "email@nice-text-id.iam.gserviceaccount.com",
      "client_id": "685746216876518",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/email%40nice-text-id.iam.gserviceaccount.com"
    }

  4. Save [done]

GCP Cloud billing Onboarding

Note: Google Cloud cost is not accessible via API, therefore you need to create billing exports.

Creating Cost Export

The customer must meet the requirements below and prepare a cost export before onboarding to the INSIGHT platform. To start collecting your Cloud Billing data, you must enable Cloud Billing data export to BigQuery. Following this guide, the steps you need to take are:

  1. Login to Cloud portal

  2. Select the project to use for the billing export

  3. Verify that billing is enabled

  4. Enable the BigQuery Data Transfer Service API for the project

  5. Create a BigQuery dataset

  6. Enable Cloud Billing export to the BigQuery dataset [Detailed usage cost]

  7. Grant the Service Account the following permissions on the project used for cost export:

    • bigquery.tables.getData

  8. Ensure the following APIs are enabled on the project used for cost export:

    • BigQuery API

Onboarding Cost Export

  1. Login to INSIGHT platform

  2. Open Cloud Management menu under Administration

  3. Add Billing Export Configuration

    • Project Name [Project name where cost export data set is located]

    • Cost Export Table ID [projectname.datasetname.tablename], can be copied from: BigQuery->SQLWorkspace->Project->DataSet->Table->Details->TableID

  4. Save [done]
