Role Availability | Read-Only | Investigator | Analyst | Manager |
After you have confirmed that your Google Cloud Platform (GCP) environment meets the sensor requirements, complete the following tasks before deploying a GCP Sensor in your environment:
Enable Required APIs
Certain APIs must be enabled in your GCP environment so that the sensor features that depend on them can operate as designed.
Important: APIs are enabled at the project level, so you must enable all five of these APIs for each project the GCP Sensor will monitor.
The following APIs are needed in your GCP environment:
- Google Cloud Resource Manager API: https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com
- Google Cloud Pub/Sub Logging API: https://console.cloud.google.com/apis/api/pubsub.googleapis.com
- Google Stackdriver Logging API: https://console.developers.google.com/apis/api/logging.googleapis.com
- Google Compute Engine API: https://console.cloud.google.com/apis/library/compute.googleapis.com
- Google Cloud Identity and Access Management (IAM) API: https://console.developers.google.com/apis/api/iam.googleapis.com/overview
To enable an API in your GCP environment
- Log in to your GCP environment.
- Navigate to that API in the GCP API library (or follow the corresponding link in the list above).
- Click Enable.
If the Enable button is grayed out, ensure that you have the appropriate permissions required to manage APIs.
Note: If the API is already enabled, you may see a green check mark and the text "API enabled" instead of the Enable button. In some views, you will see a "Disable API" button to indicate that the API has already been enabled.
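The console steps above can also be scripted, which matters because the APIs must be enabled separately in every monitored project. The following POSIX shell script is an added example, not code from this page or from the sensor vendor; it assumes an installed and authenticated gcloud CLI, and the project ids in the usage comment are placeholders. Setting GCLOUD="echo gcloud" prints the commands instead of running them, which is useful for reviewing a change before it is applied.

```shell
#!/bin/sh
# Added example (not from the original page): enable and verify the five APIs
# the GCP Sensor needs, per project. Assumes an authenticated gcloud CLI.
# Set GCLOUD="echo gcloud" to dry-run and only print the commands.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# The five APIs listed on the page, by service name.
REQUIRED_APIS="cloudresourcemanager.googleapis.com pubsub.googleapis.com logging.googleapis.com compute.googleapis.com iam.googleapis.com"

# Enable every required API in one call for the given project.
enable_required_apis() {
  project="$1"
  # word-splitting REQUIRED_APIS is intended
  $GCLOUD services enable $REQUIRED_APIS --project "$project"
}

# Compare a newline-separated list of enabled API names (as printed by
# `gcloud services list --enabled --format='value(config.name)'`) against
# REQUIRED_APIS. Prints each missing API, one per line; returns 1 if any.
missing_apis() {
  enabled="$1"
  rc=0
  for api in $REQUIRED_APIS; do
    if ! printf '%s\n' "$enabled" | grep -qxF "$api"; then
      echo "$api"
      rc=1
    fi
  done
  return $rc
}

# Live check: query the project and report what is still disabled.
check_required_apis() {
  project="$1"
  enabled=$($GCLOUD services list --enabled --project "$project" --format='value(config.name)')
  if missing=$(missing_apis "$enabled"); then
    echo "ok: all required APIs enabled in $project"
  else
    echo "missing in $project:"
    echo "$missing"
    return 1
  fi
}

# Usage: PROJECTS="demo-project other-project" sh enable_sensor_apis.sh
# (project ids are placeholders; repeat for every project the sensor monitors)
for p in ${PROJECTS:-}; do
  enable_required_apis "$p"
  check_required_apis "$p"
done
```

The check function is split from the gcloud call so the comparison can be reused against any list of enabled services, for example the output of a periodic audit job, and so a project that has drifted (an API disabled after deployment) is reported by name rather than surfacing later as a sensor feature that silently stops working.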
Create a New Service Account
The service account you select for your GCP Sensor must have adequate permissions in every GCP project it will monitor. Without these permissions, the sensor cannot perform the tasks that depend on that access.
To create a new service account
- In the Cloud Console, go to your project.
- Go to the IAM & admin tab in the navigation pane and click Service Accounts.
- Click Create Service Account and enter the required information for your new service account:
  - Service Account Name: A display name for this service account
  - Service Account ID: A name for your service account, which will be followed by "@<name-of-project>.iam.gserviceaccount.com"
  - Service Account Description: A description for this service account
- Click Create and Continue to save your new service account.
If the next screen offers to grant the service account access to the project, or to grant users access to the service account, you can click Done without making any changes to skip that step and move forward.
Generally, you will use the pre-defined roles Project: Viewer and Pub/Sub: Pub/Sub Subscriber for your service account. The Project: Viewer role allows your sensor to discover all your services, and the Pub/Sub: Pub/Sub Subscriber role allows your sensor to collect logs from Cloud Pub/Sub.
To assign the pre-defined roles to your service account
Important: This process must be followed for every project the GCP Sensor will be monitoring.
- In the Cloud Console, go to your project.
- Go to the IAM & admin tab in the navigation pane and click IAM.
- Click Grant Access.
- Enter the name of the service account you just created.
- In the Role field, select Project and then Viewer.
- Open a second Role field, this time selecting Pub/Sub and then Pub/Sub Subscriber.
- Open a third Role field, this time selecting Deployment Manager and then Deployment Manager Editor.
- (Optional.) Open a fourth Role field, this time selecting Service Accounts and then List.
- Click Save once you are finished assigning roles.
Note: The optional fourth role (Service Accounts: List) is only required if you intend to enable User Behavior Analytics (UBA).
If these roles are too expansive for your use, you can create a new role and limit its access according to your needs, so long as it has the minimum requirements necessary for the sensor to operate. See Creating a Custom Role for instructions detailing how to create a custom role for your sensor. Also be sure to review the Required IAM Policies table to see which functions depend on which IAM policies.
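The service account creation and the per-project role assignment above can be done with the gcloud CLI as well. The following POSIX shell script is an added example, not code from this page or from the sensor vendor; it assumes an authenticated gcloud CLI, maps the console role names to their role ids (Project > Viewer is roles/viewer, Pub/Sub > Pub/Sub Subscriber is roles/pubsub.subscriber, Deployment Manager > Deployment Manager Editor is roles/deploymentmanager.editor), and leaves the optional UBA role as a placeholder because the page does not give its role id. All project and account ids in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): create the sensor's service
# account and bind the roles from the steps above in every monitored project.
# Assumes an authenticated gcloud CLI; set GCLOUD="echo gcloud" to dry-run.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Role ids for the pre-defined roles named on the page (console name -> id):
#   Project > Viewer                             -> roles/viewer
#   Pub/Sub > Pub/Sub Subscriber                 -> roles/pubsub.subscriber
#   Deployment Manager > Deployment Manager Editor -> roles/deploymentmanager.editor
SENSOR_ROLES="roles/viewer roles/pubsub.subscriber roles/deploymentmanager.editor"
# The optional fourth role (Service Accounts > List, UBA only) has no role id on
# the page; set UBA_ROLE to it if you enable UBA (placeholder, empty = skipped).
UBA_ROLE="${UBA_ROLE:-}"

# Build the service account's email from its id and home project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Create the service account in its home project ("Create Service Account" step).
create_sensor_service_account() {
  sa_id="$1"; project="$2"
  $GCLOUD iam service-accounts create "$sa_id" \
    --project "$project" \
    --display-name "GCP Sensor" \
    --description "Read-only discovery and Pub/Sub log collection for the GCP Sensor"
}

# Bind each role at the project level. --condition=None skips the interactive
# prompt gcloud shows when the project policy already has conditional bindings.
grant_sensor_roles() {
  project="$1"; email="$2"
  for role in $SENSOR_ROLES $UBA_ROLE; do
    $GCLOUD projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" \
      --role "$role" \
      --condition=None
  done
}

# Bindings are per project: repeat for every project the sensor will monitor.
grant_sensor_roles_everywhere() {
  email="$1"; shift
  for project in "$@"; do
    grant_sensor_roles "$project" "$email"
  done
}

# Usage (ids are placeholders):
#   SA_ID=gcp-sensor HOME_PROJECT=demo-project MONITORED="demo-project other-project" sh setup_sa.sh
if [ -n "${SA_ID:-}" ] && [ -n "${HOME_PROJECT:-}" ]; then
  create_sensor_service_account "$SA_ID" "$HOME_PROJECT"
  grant_sensor_roles_everywhere "$(sa_email "$SA_ID" "$HOME_PROJECT")" ${MONITORED:-$HOME_PROJECT}
fi
```

Keeping the role list in one variable makes it easy to swap the pre-defined roles for a custom role with narrower permissions once you have worked through the Required IAM Policies table; the binding loop itself does not change.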
To create and download a new service account key
- On the Service Accounts page, click the email address of the service account you just created and navigate to the Keys tab.
- Using the Add Key drop-down, select Create New Key.
- Select JSON for the key type and click Create. Clicking Create downloads a service account key file.
- Save this key file in a safe location. You will need to reference this file when you Deploy the GCP Sensor.
Create and Add an SSH Key
You will need to create an SSH key and add it to your GCP project. This SSH key will be used to connect to your sensor once it is deployed.
To create and add an SSH key
- Follow the steps outlined in the Google Cloud documentation (appropriate to your OS) to create an SSH key. You will save a copy of the newly generated SSH key and use it later in this process.
- Within the Google Cloud console, navigate to your project.
- Search for and select SSH Keys.
- Click Edit, then Add Item.
- Enter the key you copied earlier. This is the .pub file that was generated in step 1.
- Click Save.
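The key-file and SSH-key steps above (create the service account key, store it safely, generate an SSH key, add the .pub file to project metadata) can be scripted and, more usefully, checked. The following POSIX shell script is an added example, not code from this page or from the sensor vendor; it assumes gcloud and ssh-keygen are installed, that the service account email and project id are supplied by the operator (the values in the usage comment are placeholders), and that SSH keys are added project-wide as the page describes.

```shell
#!/bin/sh
# Added example (not from the original page): create the service account key
# file and the SSH key from the steps above, and sanity-check both before use.
# Assumes gcloud and ssh-keygen are installed; set GCLOUD="echo gcloud" to dry-run.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Create a JSON key for the service account and restrict it to the owner only.
# The key is a long-lived credential: keep it out of repositories and shared paths.
create_sa_key() {
  email="$1"; outfile="$2"
  $GCLOUD iam service-accounts keys create "$outfile" --iam-account "$email"
  chmod 600 "$outfile"
}

# Check a downloaded key file: owner-only permissions, the expected "type",
# and a client_email in the <id>@<project>.iam.gserviceaccount.com form.
check_sa_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f"; return 1; }
  perms=$(ls -ld "$f" | cut -c1-10)
  [ "$perms" = "-rw-------" ] || { echo "permissions on $f should be 600, got $perms"; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "$f is not a service account key"; return 1; }
  grep -Eq '"client_email": *"[^"]+@[^"]+\.iam\.gserviceaccount\.com"' "$f" \
    || { echo "$f has no valid client_email"; return 1; }
}

# Generate an SSH key pair for reaching the sensor host. ssh-keygen prompts for
# a passphrase; the private key stays local, only the .pub file goes to GCP.
create_ssh_key() {
  keyfile="$1"; comment="$2"
  ssh-keygen -t ed25519 -f "$keyfile" -C "$comment"
}

# Turn a .pub file into the USERNAME:KEY line that GCP project metadata expects,
# checking the key type and base64 body first so a pasted fragment is rejected.
gcp_ssh_metadata_entry() {
  username="$1"; pubfile="$2"
  ktype=; kbody=; kcomment=
  read -r ktype kbody kcomment < "$pubfile" || [ -n "$kbody" ] || return 1
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type in $pubfile: $ktype" >&2; return 1 ;;
  esac
  printf '%s' "$kbody" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
    || { echo "malformed key body in $pubfile" >&2; return 1; }
  printf '%s:%s %s %s\n' "$username" "$ktype" "$kbody" "${kcomment:-$username}"
}

# Write the entries into project-wide metadata. gcloud replaces the whole
# ssh-keys value, so the file passed here must contain every key that should remain.
add_project_ssh_keys() {
  project="$1"; keysfile="$2"
  $GCLOUD compute project-info add-metadata --project "$project" \
    --metadata-from-file "ssh-keys=$keysfile"
}

# Usage (placeholders): SA_EMAIL=gcp-sensor@demo-project.iam.gserviceaccount.com \
#   PROJECT=demo-project SSH_USER=sensor-admin sh sensor_keys.sh
if [ -n "${SA_EMAIL:-}" ] && [ -n "${PROJECT:-}" ]; then
  create_sa_key "$SA_EMAIL" ./gcp-sensor-key.json
  check_sa_key_file ./gcp-sensor-key.json
  create_ssh_key ./gcp-sensor-ssh "${SSH_USER:-sensor-admin}"
  gcp_ssh_metadata_entry "${SSH_USER:-sensor-admin}" ./gcp-sensor-ssh.pub > ./ssh-keys.txt
  add_project_ssh_keys "$PROJECT" ./ssh-keys.txt
fi
```

The permission check is the part worth keeping around: the downloaded JSON key is what the sensor later authenticates with, so a world-readable copy left in a download folder is the most common way this credential leaks, and the check fails loudly before the file is referenced during deployment.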