Create a Google Cloud Platform (GCP) Connection for Cloud Configuration Assessment (CCA)

You can configure a Google Cloud Platform (GCP) connection that allows the Insight Platform to collect data from your GCP resources for Cloud Configuration Assessment (CCA).

Fields subject to change

Third party UI elements may be subject to change. Updates to the doc will be made accordingly.

GCP connection requirements

In order for the Insight Platform to connect to your GCP resources, you must have the following:

  • A GCP account with appropriate permissions to create service accounts and roles, and enable APIs

Note

You must create a new cloud infrastructure connection for each individual GCP subscription you want to assess.

Configure GCP

Log in to your GCP console and access the project you want to add configuration assessment capabilities to.

Enable APIs
  1. From the GCP navigation menu, go to the APIs & Services > Library.

  2. Search for and enable the following APIs:

    Required APIs
    • Compute Engine API
    • Compute Engine Instance Groups API
    • Compute Engine Instance Group Manager API
    • Compute Engine Instance Group Updater API
    • Cloud Deployment Manager V2 API
    • Cloud SQL
    • Cloud SQL Admin API
    • Cloud Storage
    • Google+ API
    • Kubernetes Engine API
Create a custom role
  1. Go to IAM & Admin > Roles and click Create Role.
  2. Enter a title and ID for your custom role.
    • The role ID is a unique identifier for the role within your project. We recommend using an ID that indicates the purpose of this role, such as InsightVM_CCA.
    • The title does not have to be unique, but you should consider entering a description that allows users to easily identify the custom role.
  3. Click Add Permissions.
  4. Using the filter, select the following permissions:
    • storage.buckets.get
    • storage.buckets.getIAMPolicy
    • bigquery.tables.get
    • bigquery.tables.list
    • cloudasset.assets.listResource

Permission selection

You can use the OR operator after each selected permission to find and select all of the permissions at the same time.

  1. With all required permissions selected, click Add.
  2. Verify that the required permissions are assigned and click Create.
Create a service account
  1. Go to API & Services > Credentials.
  2. Click Create Credentials and select Service Account.
  3. Enter a service account name and ID, then click Create and Continue.
    • We recommend using a name and ID that indicate the purpose of this service account, such as InsightVM-CCA.
  4. In the Select a role field, select the custom role you created in step 6 of the Create a custom role process.
  5. Click Add Another Role and select the Viewer role.
  6. Click Done.
Create a service account key
  1. On the API & Services > Credentials page, select the service account that you created in step 3 of the Create a service account process.
  2. Select Keys and click Add Key > Create new key.
  3. Select JSON as the key type and click Create to download your private key file.

Save the JSON key somewhere safe

Store this JSON file in a secure place as it contains the only copy of the key.

Sample JSON key file
JSON
1
{
2
"type": "service_account",
3
"project_id": "project-id",
4
"private_key_id": "key-id",
5
"private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
6
"client_email": "service-account-email",
7
"client_id": "client-id",
8
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
9
"token_uri": "https://accounts.google.com/o/oauth2/token",
10
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
11
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
12
}
  1. Click Close.

Configure InsightVM

Create a GCP connection
  1. On the Cloud Configuration page, click Add/Manage Connections.
  2. In the Cloud Infrastructure section, click Add.
  3. Enter an Account Nickname.
    • This is the name for the connection you are creating in InsightVM. We recommend creating a nickname to help you easily identify the GCP project that is being assessed, such as including the GCP project name.
  4. Enter the following information from the Service account key (JSON file) that you downloaded during GCP setup:
    • Project ID – The value for “project_id”.
    • Private Key ID – The value for “private_key_id”.
    • Private Key – The value for “private_key”.
    • Client Email – The value for “client_email”.
    • Client ID – The value for “client_id”.
    • Client X509 Certificate URL – The value for “client_x509_cert_url”.
  5. Click Save.