Cloud Storage Security Help Docs

Linking a GCP Account

Linking a GCP account to ingest objects is similar to linking an AWS account.


Last updated 2 months ago

The video below shows how to link your Google Cloud account to scan files stored in your Google Cloud Storage buckets:

You can also follow the steps and information below:

You'll need to perform the following steps to link a GCP account and begin scanning your objects:

  1. Fill out GCP account details in the CSS Console

  2. Download a Terraform file generated by the Console

  3. Modify the values and run the Terraform file

  4. Place the resulting output files from Terraform into the Console

Prerequisites

  • gcloud cli

Terraform utilizes the gcloud cli under the hood to stand up infrastructure. Ensure you have the gcloud cli downloaded.

Download and unzip the Terraform Module

Unzip the files in the directory of your choice.

Fill out the 'Link Google Cloud Platform' form in the CSS Console

  1. In the CSS Console, navigate to Access Management > Manage Accounts

  2. Select Link Account > Link GCP Account

  3. Fill out the form

You will be asked to fill out 4 values:

  • GCP Organization ID: the ID of the Organization you want to protect objects in.

  • GCP Billing Account ID: the Billing Account you want to send infrastructure charges to.

  • Nickname (Optional): the Project Name for the stack that will be created.

  • GCP Project IDs to Protect: projects within the organization that you would like to protect.

  4. Download the main.tf file

Click the 'Download main.tf file' button. You'll download a Terraform file generated by our Console.

  5. Replace the default main.tf file with the new one

In your downloaded GCP module provided by CSS, replace the existing main.tf file with the new one you just downloaded.

Initialize the gcloud cli and run Terraform

  1. Using a terminal in the same location as the CSS GCP module:

gcloud auth application-default login

Authenticate and allow the Google Auth Library.

  2. Initialize Terraform with terraform init

You should see the following output.

  3. Validate Terraform with terraform validate

You should see the following output.

  4. Apply Terraform with terraform apply, and answer 'yes' when asked if you want to perform the actions of adding resources.

Apply Terraform Outputs to CSS Console

After Terraform has applied, there are 3 module outputs that you must transfer to the CSS Console:

  • Audience

  • Project_id

  • Service_Account_Impersonation_url

You will see these in the output of your terminal.

  1. For each key, copy the value and paste it in the corresponding section of your CSS Console.

  2. For Groups, choose groups to assign your linked accounts to. For access to all, select Primary.

  3. Click 'Test Credentials' to validate that your credentials are good to go.

  4. Click 'Link Account'.

Congratulations, you have successfully linked GCP Buckets! You can begin scanning your buckets at Protection > GCP in the CSS Console.
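
Before pasting the three Terraform outputs into the CSS Console, they can be pulled out of the terminal text and sanity-checked so that a truncated or mispasted trust value is caught early. The script below is an added example, not part of the CSS module or Console; the function names and the expected value shapes (a workload identity federation audience, a standard project ID, an impersonation URL on iamcredentials.googleapis.com) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. The value shapes checked below are assumptions.

# Print the value of output $1 (matched case-insensitively) from
# `terraform output` text (lines of the form: name = "value") read on stdin.
tf_value() {
  awk -v key="$1" '
    BEGIN { key = tolower(key) }
    {
      eq = index($0, "=")
      if (eq == 0) next
      name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
      if (tolower(name) != key) next
      val = substr($0, eq + 1)
      sub(/^[ \t]*"?/, "", val); sub(/"?[ \t]*$/, "", val)
      print val; exit
    }'
}

# Read `terraform output` text on stdin; return 0 only if all three values
# are present and match the assumed shapes. Problems are reported on stderr.
check_outputs() {
  out=$(cat); rc=0
  aud=$(printf '%s\n' "$out" | tf_value audience)
  proj=$(printf '%s\n' "$out" | tf_value project_id)
  url=$(printf '%s\n' "$out" | tf_value service_account_impersonation_url)
  case $aud in
    //iam.googleapis.com/projects/*/workloadIdentityPools/*/providers/*) ;;
    *) echo "Audience: missing or not a workload identity provider" >&2; rc=1 ;;
  esac
  # GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens.
  printf '%s\n' "$proj" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$' ||
    { echo "Project_id: missing or malformed" >&2; rc=1; }
  case $url in
    https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/*:generateAccessToken) ;;
    *) echo "Service_Account_Impersonation_url: unexpected host or path" >&2; rc=1 ;;
  esac
  return $rc
}

# Constructed sample of `terraform output` text (not real values).
SAMPLE='Audience = "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/example-provider"
Project_id = "example-css-project"
Service_Account_Impersonation_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example-sa@example-css-project.iam.gserviceaccount.com:generateAccessToken"'

# Usage against a real run:  terraform output | check_outputs
```

A non-zero exit means at least one value should be re-copied from the terminal before clicking 'Test Credentials'.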

Here's documentation from Google to get the cli: https://cloud.google.com/sdk/docs/install

Click this link to download our GCP Terraform Module: https://css-cft.s3.amazonaws.com/Gcp/LinkGcpAccountTerraformTemplateProd.zip