Setting up GCP roles and permissions for Organization-level jobs - Adaptive Applications - BlueCat Gateway - 25.3

Cloud Discovery & Visibility Administration Guide

Locale: en-US | Product name: BlueCat Gateway | Version: 25.3

To run discovery and visibility across multiple projects in a GCP Organization, Cloud Discovery & Visibility (CDV) needs a GCP service account that holds roles granting the required permissions on those projects. To set up this service account, first create roles with the appropriate permissions; you then assign those roles to the service account.

Note: If you're deploying CDV on a virtual machine in GCP, we recommend that you set up roles and permissions for Organization-level discovery before starting deployment (though you can do so afterward).

To create the roles necessary for CDV to perform Organization-level jobs in a GCP infrastructure:

  1. In GCP, select the Organization that you want CDV to discover from the dropdown menu at the top of the page.

  2. In the left navigation menu, click IAM & Admin to open Google's IAM (Identity and Access Management) & Admin tool.

  3. Click Roles in the navigator on the left to open the Roles page.

  4. Click Create role (at the top).

  5. Create a new role or roles with the required permissions for GCP Organization-level discovery and visibility. For a complete list, see GCP role permissions for Organization-level discovery and visibility.

    You can create a single role with all permissions, or separate roles for each type of action (General Discovery permissions, General Visibility permissions, additional permissions for Organization-level Discoveries, and additional permissions for Organization-level Visibility jobs). We recommend creating separate roles.

  6. When you've created the new roles, you can add them to the GCP service account used by CDV.

To add the new roles to the GCP service account that CDV uses to connect to the GCP infrastructure:

  1. Within IAM, locate the Service Account that you want CDV to use.

    • If CDV is deployed on a Compute Engine virtual machine (VM) and it is using the VM's credentials, use the service account that is attached to the VM.

    • If you are using a custom GCP service account (required when CDV is not deployed on a VM), use the custom service account assigned to CDV on the CDV Setup page under Service Accounts options.

      If you have not yet assigned a service account and want CDV to use a new account, create a new account for CDV to use:

      1. In GCP, select any Project from the dropdown menu at the top of the page.

      2. In the left navigation menu, click IAM & Admin to open Google's IAM (Identity and Access Management) & Admin tool.

      3. In the navigator on the left, click Service Accounts.

      4. Click Create Service Account (at the top).

      5. Create the new service account with the desired details.

  2. Within IAM, assign the roles you set up earlier to the service account that you want CDV to use:

    1. In GCP, select the Organization that you want CDV to discover from the dropdown menu at the top of the page.

    2. In the left navigation menu, click IAM & Admin to open Google's IAM (Identity and Access Management) & Admin tool.

    3. On the left panel, click IAM.

    4. For the service account that you want CDV to use, click Edit principal.

    5. Assign the new roles that you created earlier to this account.

  3. From the Service Accounts page in GCP, generate a GCP service account key file for that account. This will be a JSON file.

  4. If CDV is using the VM's credentials, you're done.

    If you're using a new custom service account, you must designate this service account as the one to use for GCP discovery and visibility operations:

    1. In CDV, open the Service Account credentials settings for your GCP discovery job. (In the Discovery tab, select the checkboxes for the GCP Schedule manager for the job you want to edit, then click Actions and choose Update credentials.)

    2. Under GCP parameters, drag your GCP service account key file to the Service account file area. (You can also click the upload icon and manually browse to the file.)

      After the key file is uploaded, CDV validates the service account key with Google Cloud Platform.
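A local pre-check for the key file generated in step 3, as an added example (not BlueCat's code or CDV's own validation): it parses Google's standard service account key JSON, rejects the usual mistakes (a user or OAuth credential exported instead of a service account key, missing fields, a malformed private key block) and reports the client_email, which is the principal that must hold the roles bound on the Organization IAM page in step 2. The sample key is constructed and its private key is a placeholder.

```python
"""Offline structural check of a GCP service account key file before uploading
it to CDV. Added example, not BlueCat's code; the sample key below is
constructed and its private key is a placeholder."""
import json
import re

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.gserviceaccount\.com")

def check_service_account_key(raw_json: str) -> dict:
    """Return the key's identifying fields, or raise ValueError on the first
    structural defect. CDV still validates the key with Google Cloud on upload."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        # a user ("authorized_user") credential or OAuth client file was exported
        raise ValueError(f"type is {key['type']!r}, expected 'service_account'")
    if not EMAIL_RE.fullmatch(key["client_email"]):
        raise ValueError(f"unexpected client_email {key['client_email']!r}")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not a PEM PKCS#8 private key block")
    # client_email is the principal that must carry the Org-level roles;
    # project_id is only the project in which the account (and this key) lives.
    return {k: key[k] for k in ("project_id", "client_email", "private_key_id")}

def describe_key_file(raw_json: str) -> str:
    """One-line verdict suitable for printing before the upload."""
    try:
        info = check_service_account_key(raw_json)
    except ValueError as exc:
        return f"REJECTED: {exc}"
    return f"OK: principal {info['client_email']} in project {info['project_id']}"

SAMPLE_KEY = json.dumps({  # constructed sample; not a real credential
    "type": "service_account", "project_id": "example-cdv-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cdv-discovery@example-cdv-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})
```

To check a real downloaded file, call `describe_key_file(open(path).read())`; the key file is a long-lived credential, so delete local copies once CDV has accepted the upload.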