Google Cloud Platform (GCP)

Google Cloud Platform (GCP) is a suite of cloud computing services. Alongside a set of management tools, it provides a series of modular cloud services including computing, data storage, data analytics and machine learning.

Parameters

  1. JSON Key pair for the service account (required) - A JSON document containing service-account credentials for GCP. For details, see Connect Axonius to Google Cloud Platform.
  2. HTTPS Proxy (optional, default: empty) - A proxy to use when connecting to the GCP APIs.
    • If supplied, Axonius will utilize the proxy when connecting to the GCP APIs.
    • If not supplied, Axonius will connect directly to the GCP APIs.
  3. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

  1. Fetch Google Cloud SQL database instances (required, default: False) - Fetch all Google Cloud SQL instances.

    • If enabled, all connections for this adapter will fetch Google Cloud SQL database instances.
    • If disabled, all connections for this adapter will not fetch Google Cloud SQL database instances.
    NOTE

    Fetching Google Cloud SQL database instances requires:

    1. Enabling the Cloud SQL Admin API.
    2. The Cloud SQL Viewer role.
  2. Fetch Google Cloud Storage buckets (optional, default: False) - Fetch all Google Cloud Storage buckets.

    • If enabled, all connections for this adapter will fetch the GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch the GCP Storage buckets.
    NOTE

    Fetching all Google Cloud Storage buckets requires:

    1. Enabling the Cloud Storage JSON API.
    2. The Storage Object Viewer role.

  3. Fetch Object metadata in Google Cloud Storage buckets (optional, default: False) - Fetch object metadata for GCP Storage buckets, including the name, size and links of the objects within each bucket.

    • If enabled, all connections for this adapter will fetch Object metadata in GCP Storage buckets.
    • If disabled, all connections for this adapter will not fetch Object metadata in GCP Storage buckets.
    NOTE

    Fetching object metadata in GCP Storage buckets requires:

    1. Enabling the Cloud Storage JSON API.
    2. The Storage Object Viewer role.
  4. Fetch IAM permissions for users (required, default: False) - Fetch IAM permissions and associate them with the users' roles. This includes permissions for built-in roles as well as Subscription-level and Project-level custom defined roles.

    • If enabled, all connections for this adapter will fetch IAM permissions and associate them with the users' roles. These permissions will be represented in the Role Details complex field.
    • If disabled, all connections for this adapter will not fetch IAM permissions.
    NOTE

    Fetching IAM permissions and associating them with the users' roles requires:

    1. The IAM: Organization Role Viewer role.


NOTE

For details on general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.

Connect Axonius to Google Cloud Platform

To connect Axonius to Google Cloud Platform you need to:

  1. Enable cloud APIs
  2. Create a service account and grant permissions to that service account

1. Enable Cloud APIs

  1. Go to the Google Cloud Console and select the project that you want Axonius to connect to.
    Then, go to APIs & Services -> Dashboard.

  2. Axonius requires the following APIs to be enabled:

    | API Name                   | Required / Optional | Used for                                                                                                                              |
    |----------------------------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
    | Compute Engine API         | Required            | The adapter to fetch assets data from Google Cloud Platform.                                                                          |
    | Cloud Resource Manager API | Required            | The adapter to fetch assets data from Google Cloud Platform.                                                                          |
    | Cloud Storage JSON API     | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all buckets); Fetch Object metadata in Google Cloud Storage buckets. |
    | Cloud SQL Admin API        | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Cloud SQL instances).                                 |

    For example, in the screenshot below, the Cloud Resource Manager API does not appear in the list, which means it is not enabled and needs to be enabled.

    To enable an API, click Enable APIs and Services at the top of the page.

  3. Search for the API you want to enable and click it. For example: Cloud Resource Manager API.

  4. Click Enable.

2. Create a service account and grant permissions to that service account

  1. Go to the Google Cloud Console and select the project that you want Axonius to connect to.

  2. From the menu, select IAM & admin -> Service accounts.

  3. Click Create Service Account.
    In the Service account details step (1), provide the service account details.

    Once done, click Create.

  4. Skip the Grant this service account access to project step (2).

  5. In the Grant this service account access to service account step (3), select the following roles:

    | Role Name                     | Required / Optional | Used for                                                                                                                              |
    |-------------------------------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
    | Compute Viewer                | Required            | Grants read-only access to Axonius to fetch assets.                                                                                   |
    | Kubernetes Engine Viewer      | Required            | Grants read-only access to Axonius to fetch assets.                                                                                   |
    | Storage Object Viewer         | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all buckets); Fetch Object metadata in Google Cloud Storage buckets. |
    | Cloud SQL Viewer              | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Cloud SQL instances).                                 |
    | IAM: Organization Role Viewer | Optional            | Adapter advanced settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles).            |

  6. Next, click Create Key and create a JSON key type.

  7. Your JSON key will be downloaded. Finish creating the account and go back to the service accounts page. Copy the email address of the new service account.

  8. In the top part of the page, select the organization resource, and go to IAM & Admin -> IAM.

    1. Click Add and use the service account email to add the new service account as a new member of the organization.
    2. Click + Add Another role to add the following roles to the added member:

    | Role Name                     | Required / Optional | Used for                                                                                                                              |
    |-------------------------------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------|
    | Compute Viewer                | Required            | Grants read-only access to Axonius to fetch assets.                                                                                   |
    | Kubernetes Engine Viewer      | Required            | Grants read-only access to Axonius to fetch assets.                                                                                   |
    | Storage Object Viewer         | Optional            | Adapter advanced settings: Fetch Google Cloud Storage buckets (fetch all buckets); Fetch Object metadata in Google Cloud Storage buckets. |
    | Cloud SQL Viewer              | Optional            | Adapter advanced settings: Fetch Google Cloud SQL database instances (fetch all Cloud SQL instances).                                 |
    | IAM: Organization Role Viewer | Optional            | Adapter advanced settings: Fetch IAM permissions for users (fetch IAM permissions and associate them with the users' roles).            |

    3. Click Save.
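As an added example (not Axonius's or Google's own code), the following Python script checks the JSON key downloaded in steps 6-7 for the fields a service-account key must carry and compares the roles granted and APIs enabled against what the advanced settings you chose require, flagging any role outside the documented set as excess privilege. The role IDs and API service names are the standard GCP identifiers, assumed here to correspond to the display names in the tables above.

```python
import json

# Standard GCP role IDs and API service names assumed to match the display
# names used in the tables above (assumption, not taken from the page).
REQUIRED_ROLES = {"roles/compute.viewer", "roles/container.viewer"}
REQUIRED_APIS = {"compute.googleapis.com", "cloudresourcemanager.googleapis.com"}
# Advanced setting -> (extra role, extra API) it needs, per the NOTE boxes above.
FEATURE_NEEDS = {
    "sql": ("roles/cloudsql.viewer", "sqladmin.googleapis.com"),
    "buckets": ("roles/storage.objectViewer", "storage-api.googleapis.com"),
    "objects": ("roles/storage.objectViewer", "storage-api.googleapis.com"),
    "iam": ("roles/iam.organizationRoleViewer", None),
}
KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def validate_key(text):
    """Return a list of problems found in a downloaded service-account JSON key."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError:
        return ["key file is not valid JSON"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    # The key's email must belong to the project it claims to be for.
    expected_suffix = f"@{key.get('project_id')}.iam.gserviceaccount.com"
    if not key.get("client_email", "").endswith(expected_suffix):
        problems.append("client_email does not belong to project_id")
    return problems


def audit_grants(granted_roles, enabled_apis, features):
    """Compare granted roles / enabled APIs with what the chosen settings need.

    Returns (missing_roles, missing_apis, extra_roles). extra_roles lists any
    role outside the documented set, i.e. more privilege than the adapter needs.
    """
    need_roles, need_apis = set(REQUIRED_ROLES), set(REQUIRED_APIS)
    for feature in features:
        role, api = FEATURE_NEEDS[feature]
        need_roles.add(role)
        if api:
            need_apis.add(api)
    allowed = REQUIRED_ROLES | {role for role, _ in FEATURE_NEEDS.values()}
    return (sorted(need_roles - set(granted_roles)),
            sorted(need_apis - set(enabled_apis)),
            sorted(set(granted_roles) - allowed))
```

Feed `validate_key` the contents of the downloaded key file and `audit_grants` the role and API lists from the console (or from `gcloud`) to confirm the adapter has exactly what it needs before pasting the key into Axonius.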
