Linking a GCP Account

Linking a GCP account to ingest objects is similar to linking an AWS account.

The video below shows how to link your Google Cloud account so that files stored in your Google Cloud Storage buckets can be scanned:

You can also follow the steps and information below:

You'll need to perform the following steps to link a GCP account and begin scanning your objects:

  1. Fill out GCP account details in the CSS Console

  2. Download a Terraform file generated by the Console

  3. Modify the values and run the Terraform file

  4. Place the resulting output files from Terraform into the Console

Prerequisites

  • gcloud cli

Terraform utilizes the gcloud CLI under the hood to stand up infrastructure. Ensure you have the gcloud CLI installed.

Google's documentation for installing the CLI: https://cloud.google.com/sdk/docs/install

Download and unzip the Terraform Module

Click this link to download our GCP Terraform Module: https://css-cft.s3.amazonaws.com/Gcp/LinkGcpAccountTerraformTemplateProd.zip

Unzip the files in the directory of your choice.

[Image: Unzipped Module]

  1. In the CSS Console, navigate to Access Management > Manage Accounts

  2. Select Link Account > Link GCP Account

  3. Fill out the form

You will be asked to fill out 4 values:

  • GCP Organization ID: the ID of the Organization you want to protect objects in.

  • GCP Billing Account ID: the Billing Account you want to send infrastructure charges to.

  • Nickname (Optional): the Project Name for the stack that will be created.

  • GCP Project IDs to Protect: projects within the organization that you would like to protect.

[Image: GCP Link Form]

  4. Download the main.tf file

Click the 'Download main.tf file' button. You'll download a Terraform file generated by our Console.

  5. Replace the default main.tf file with the new one

In your downloaded GCP module provided by CSS, replace the existing main.tf file with the new one you just downloaded.

Initialize the gcloud cli and run Terraform

  1. In a terminal opened in the same location as the CSS GCP module, run:

gcloud auth application-default login

Authenticate and allow the Google Auth Library.

  2. Initialize Terraform with terraform init

You should see the following output.

[Image: Terraform Init]

  3. Validate Terraform with terraform validate

You should see the following output.

[Image: Terraform Validate]

  4. Apply Terraform with terraform apply, and answer 'yes' when asked if you want to perform the actions of adding resources.

Apply Terraform Outputs to CSS Console

After Terraform has applied, there are 3 module outputs that you must transfer to the CSS Console:

  • Audience

  • Project_id

  • Service_Account_Impersonation_url

You will see these in the output of your terminal.
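A sanity check on the three values before they are pasted into the Console. This Python script is an added example, not part of the CSS module or its documentation; it reads the JSON printed by terraform output -json and assumes the values follow Google's workload identity federation formats, which this page does not confirm. The sample values are constructed.

```python
import json
import re
import sys

# Output names as listed on the page; matched case-insensitively.
REQUIRED = ("Audience", "Project_id", "Service_Account_Impersonation_url")

# Assumed value formats (Google workload identity federation), not confirmed by the page.
PATTERNS = {
    "Audience": re.compile(
        r"//iam\.googleapis\.com/projects/\d+/locations/global/"
        r"workloadIdentityPools/[a-z0-9-]+/providers/[a-z0-9-]+"),
    "Project_id": re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]"),
    "Service_Account_Impersonation_url": re.compile(
        r"https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/"
        r"[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com:generateAccessToken"),
}


def check_outputs(raw_json):
    """Return a list of problems found in `terraform output -json` text."""
    outputs = {k.lower(): v.get("value") for k, v in json.loads(raw_json).items()}
    problems = []
    for name in REQUIRED:
        value = outputs.get(name.lower())
        if not isinstance(value, str) or not value:
            problems.append(f"{name}: missing or empty")
        elif not PATTERNS[name].fullmatch(value):
            # fullmatch also rejects stray whitespace or a trailing newline
            problems.append(f"{name}: unexpected format")
    return problems


# Constructed sample in the shape `terraform output -json` prints.
SAMPLE = json.dumps({
    "Audience": {"value": "//iam.googleapis.com/projects/123456789012/locations/"
                          "global/workloadIdentityPools/example-pool/providers/example-provider"},
    "Project_id": {"value": "example-project-1"},
    "Service_Account_Impersonation_url": {"value":
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "example-sa@example-project-1.iam.gserviceaccount.com:generateAccessToken"},
})

if __name__ == "__main__":
    # Usage: terraform output -json | python check_outputs.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = check_outputs(text)
    print("\n".join(found) or "all three outputs look well-formed")
    sys.exit(1 if found else 0)
```

A non-zero exit means a value is missing or is not in the assumed format; recheck the terminal output before using 'Test Credentials'.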

  1. For each key, copy the value and paste it into the corresponding section of your CSS Console.

[Image: Console Module Entry]

  2. For Groups, choose groups to assign your linked accounts to. For access to all, select Primary.

  3. Click 'Test Credentials' to validate that your credentials are good to go.

  4. Click 'Link Account'.

Congratulations, you have successfully linked GCP Buckets! You can begin scanning your buckets at Protection > GCP in the CSS Console.
