GCP Initial Setup

To connect Axonius to Google Cloud Platform, you first need to:

  1. Enable cloud APIs
  2. Create a service account and grant permissions to that service account

1. Enable Cloud APIs

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Navigate to APIs & Services > Dashboard.

  3. The following APIs are used by the adapter. Enable every API marked Required; enable an Optional API only if you use the advanced settings listed for it:

| Enabled API Name | Required / Optional | Used for |
|---|---|---|
| Compute Engine API | Required | Used by the adapter to fetch asset data from Google Cloud Platform. |
| Cloud Resource Manager API | Required | Used by the adapter to fetch asset data from Google Cloud Platform. |
| Container Artifact API | Required | https://container.googleapis.com |
| Identity and Access Management (IAM) API | Required | https://iam.googleapis.com |
| Security Command Center API | Required | https://securitycenter.googleapis.com |
| Google Cloud Storage JSON API | Optional | Advanced Settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets). |
| Cloud SQL Admin API | Optional | Advanced Settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances). |
| Cloud DNS API | Optional | Advanced Settings: Fetch Google Cloud DNS Managed Zones (fetch DNS managed zones from Google Cloud DNS). |

For example, in the screenshot below you can see that the Cloud Resource Manager API doesn't appear in the list of enabled APIs, so it isn't enabled yet and needs to be enabled.

To enable an API, click Enable APIs and Services at the top of the page.

  1. Search for the API you want to enable and select it. For example: Cloud Resource Manager API

  2. Click Enable.

2. Create a Service Account and Grant Permissions to that Service Account

  1. Navigate to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. Select IAM & admin > Service accounts.

  3. Click Create a Service Account.

  4. Provide a name and description for the service account, then click Create. If you already clicked Done, skip to Step 8.

  5. In the Grant this service account access to a project section, give the service account the roles listed below, as well as the "Security Reviewer" role.

| Role Name | Required / Optional | Used for |
|---|---|---|
| Compute Viewer | Required | Grants read-only access to Axonius to fetch assets. |
| Kubernetes Engine Viewer | Required | Grants read-only access to Axonius to fetch assets. |
| Storage Object Viewer | Optional | Advanced Settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets). |
| Cloud SQL Viewer | Optional | Advanced Settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances). |
| IAM: Role Viewer | Optional | Advanced Settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles). |
| Security Reviewer | Required | Provides permissions to list all resources and the allow policies on them. |

  6. Skip the Grant users access to this service account step.

  7. Click Done.

  8. To modify or review the permissions granted to this service account in any project or at the organization level, go to IAM, find the service account you've created and click Edit Permissions.

  9. In the Service Account just created, go to Keys.

  10. Click Add key and then Create.

  11. Your JSON key is subsequently downloaded. Finish creating the account and go back to the Service Accounts page. Copy the email address of the new service account.

  12. In the top part of the page, select the organization resource, and go to IAM & Admin > IAM.

    1. Click Add and use the service account email to add the new service account as a new member of the organization.
    2. Click + Add Another role to add the following roles to the added member:

| Role Name | Required / Optional | Used for |
|---|---|---|
| Compute Viewer | Required | Grants read-only access to Axonius to fetch assets. |
| Kubernetes Engine Viewer | Required | Grants read-only access to Axonius to fetch assets. |
| Storage Object Viewer | Optional | Advanced Settings: Fetch Google Cloud Storage buckets (fetch all Google Cloud Storage buckets); Fetch Object metadata in Google Cloud Storage buckets (fetch object metadata in GCP Storage buckets). |
| Cloud SQL Viewer | Optional | Advanced Settings: Fetch Google Cloud SQL database instances (fetch all Google Cloud SQL instances). |
| IAM: Role Viewer | Optional | Advanced Settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles). |
| Security Center Findings Viewer and Security Center Assets Viewer (or, alternatively, Security Center Admin) | Optional | Advanced Settings: Security Command Center organizations (fetch Security Command Center device assets and their associated vulnerabilities from a specified list of organizations). NOTE: These organization-level roles are required for each of the specified organizations. |
    3. Click Save.
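After the service account is set up, it is worth confirming from the CLI that it holds exactly the roles in the tables above (no broader role such as Editor slipped in) and that the required APIs are enabled. The following script is an added example, not Axonius documentation or code; it assumes the standard GCP identifiers for the role and API names the page gives, and the JSON shapes produced by `gcloud projects get-iam-policy` / `gcloud organizations get-iam-policy` and `gcloud services list --enabled`.

```python
import json

# Standard GCP IDs for the roles and APIs named on the page (assumed mapping).
PROJECT_REQUIRED_ROLES = {
    "roles/compute.viewer",        # Compute Viewer
    "roles/container.viewer",      # Kubernetes Engine Viewer
    "roles/iam.securityReviewer",  # Security Reviewer
}
PROJECT_OPTIONAL_ROLES = {
    "roles/storage.objectViewer",  # Storage Object Viewer
    "roles/cloudsql.viewer",       # Cloud SQL Viewer
    "roles/iam.roleViewer",        # IAM: Role Viewer
}
REQUIRED_APIS = {
    "compute.googleapis.com", "cloudresourcemanager.googleapis.com",
    "container.googleapis.com", "iam.googleapis.com", "securitycenter.googleapis.com",
}

def audit_adapter_access(policy_json, services_json, sa_email,
                         required=PROJECT_REQUIRED_ROLES, optional=PROJECT_OPTIONAL_ROLES):
    """Compare a service account's grants against the page's role tables.

    policy_json:   `gcloud projects get-iam-policy PROJECT --format=json`
                   (or `gcloud organizations get-iam-policy ORG_ID --format=json`
                   with the organization-level role sets passed as required/optional)
    services_json: `gcloud services list --enabled --format=json`
    Returns (missing required roles, roles outside the tables, required APIs not enabled).
    """
    member = "serviceAccount:" + sa_email
    bindings = json.loads(policy_json).get("bindings", [])
    granted = {b["role"] for b in bindings if member in b.get("members", [])}
    enabled = {s["config"]["name"] for s in json.loads(services_json)}
    return (sorted(required - granted),
            sorted(granted - required - optional),  # least-privilege drift, e.g. roles/editor
            sorted(REQUIRED_APIS - enabled))

# Constructed sample input (not real gcloud output): Security Reviewer is missing,
# the broad Editor role was granted, and the Security Command Center API is off.
SA = "axonius@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/compute.viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/container.viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/storage.objectViewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor", "members": ["user:admin@example.com", "serviceAccount:" + SA]},
]})
SAMPLE_SERVICES = json.dumps([{"config": {"name": n}, "state": "ENABLED"} for n in (
    "compute.googleapis.com", "cloudresourcemanager.googleapis.com",
    "container.googleapis.com", "iam.googleapis.com")])

if __name__ == "__main__":
    missing, extra, apis = audit_adapter_access(SAMPLE_POLICY, SAMPLE_SERVICES, SA)
    print("missing required roles:", missing)
    print("roles outside the page's tables:", extra)
    print("required APIs not enabled:", apis)
```

Run it against real output by piping the two gcloud commands to files and passing their contents in place of the constructed samples; a non-empty second list is the one to act on first, since it means the adapter identity holds more than the read-only roles the page calls for.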
Note: GCP Enforcement Actions require additional permissions, as detailed in each Enforcement Action page: