USM Anywhere™

Preparing Your GCP Environment for Sensor Deployment

Role Availability: Read-Only, Analyst, Manager

After you have ensured that your Google Cloud Platform (GCP) environment meets the sensor requirements, you must complete both of the following tasks before deploying a GCP Sensor in your environment:

Enable Required APIs

Certain APIs must be enabled in your GCP environment so that the sensor features that depend on them work as designed.

Important: APIs are enabled at the project level, so you must enable all five of these APIs for each project the GCP Sensor will monitor.

The following APIs are needed in your GCP environment:

To enable an API in your GCP environment

  1. Log in to your GCP environment.
  2. Navigate to that API in the GCP API library (or follow the corresponding link in the list above).
  3. Click Enable.

    If the Enable button is grayed out, ensure that you have the appropriate permissions required to manage APIs.

    Note: If the API is already enabled, you will see a green check mark and the text "API enabled" instead of the Enable button.

Create a New Service Account

The service account you have selected for your GCP Sensor must have adequate permissions for every GCP project it will monitor. Without these permissions, the sensor cannot perform any task that depends on the missing access.

To create a new service account

  1. In the Cloud Console, go to your project.
  2. Go to the IAM & admin tab in the navigation pane and click Service accounts.
  3. Click Create service account and enter the required information for your new service account.
    1. Service account name: A display name for this service account
    2. Service account ID: A name for your service account, which will be followed by "@<name-of-project>"
    3. Service account description: A description for this service account
  4. Click Create to save your new service account.

Generally, you will use the pre-defined roles Project: Viewer and Pub/Sub: Pub/Sub Subscriber for your service account. The Project: Viewer role allows your sensor to discover all your services, and the Pub/Sub: Pub/Sub Subscriber role allows your sensor to collect logs from Cloud Pub/Sub.

To assign the pre-defined roles to your service account

Important: This process must be followed for every project the GCP Sensor will be monitoring.

  1. In the Cloud Console, go to your project.
  2. Go to the IAM & admin tab in the navigation pane and click IAM.
  3. Click Add.
  4. Enter the name of the service account you just created.
  5. In the Role field, select Project and then Viewer.
  6. Click Save.
  7. Open a second Role field, this time selecting Pub/Sub and then Pub/Sub Subscriber.
  8. Click Save.
  9. (Optional.) Open a third Role field, this time selecting Service Accounts and then List.

Note: This role is only required if you intend to enable User Behavior Analytics (UBA).

If these roles are too expansive for your use, you can create a new role and limit its access according to your needs, provided it still grants the minimum permissions the sensor needs to operate. See Creating a Custom Role for instructions detailing how to create a custom role for your sensor. Also be sure to review the Required IAM Policies table to see which functions depend on which IAM policies.
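The following script is an added example and is not part of the USM Anywhere documentation or the product itself. It shows the gcloud equivalents of the two console procedures above (creating the service account, then binding Project: Viewer and Pub/Sub: Pub/Sub Subscriber in every monitored project), and an offline check of a project's IAM policy that reports which required roles the sensor account is still missing and whether it has been handed an overly broad basic role. The project ID "example-project", the account name "usm-sensor" and SAMPLE_POLICY are constructed placeholders, not values from the page; the optional Service Accounts role for UBA is left out because the page does not give its role ID.

```python
"""Added example, not part of the USM Anywhere documentation: gcloud
equivalents of the console steps above, plus an offline least-privilege
check of a project's IAM policy for the sensor service account.

Assumptions (constructed, not from the docs): project ID "example-project",
account name "usm-sensor", and the SAMPLE_POLICY below.
"""
import json
import subprocess
from typing import Dict, List, Set

# Role IDs behind the console labels "Project > Viewer" and
# "Pub/Sub > Pub/Sub Subscriber" used in the procedure above.
REQUIRED_ROLES: Set[str] = {"roles/viewer", "roles/pubsub.subscriber"}
# Basic roles a read-only log collector should never hold; flagged by the audit.
OVERLY_BROAD_ROLES: Set[str] = {"roles/owner", "roles/editor"}


def sa_member(account_name: str, home_project: str) -> str:
    """IAM member string for a service account created in home_project."""
    return f"serviceAccount:{account_name}@{home_project}.iam.gserviceaccount.com"


def create_commands(account_name: str, home_project: str, display_name: str) -> List[List[str]]:
    """'Create a New Service Account' as one gcloud invocation."""
    return [[
        "gcloud", "iam", "service-accounts", "create", account_name,
        f"--project={home_project}", f"--display-name={display_name}",
    ]]


def binding_commands(member: str, project_id: str, roles: Set[str]) -> List[List[str]]:
    """'Assign the pre-defined roles', to be repeated for every monitored
    project. Roles are emitted in sorted order so the output is deterministic."""
    return [[
        "gcloud", "projects", "add-iam-policy-binding", project_id,
        f"--member={member}", f"--role={role}",
    ] for role in sorted(roles)]


def audit_policy(policy: Dict, member: str) -> Dict[str, Set[str]]:
    """Compare the roles bound to `member` in a project IAM policy (the JSON
    shape returned by `gcloud projects get-iam-policy --format=json`) against
    the minimum the sensor needs. Returns the roles found, the required roles
    still missing, and any overly broad roles that should be removed."""
    granted = {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "granted": granted,
        "missing": REQUIRED_ROLES - granted,
        "excess": granted & OVERLY_BROAD_ROLES,
    }


def run(commands: List[List[str]], apply: bool = False) -> None:
    """Print each command; execute only when apply=True and gcloud is installed."""
    for cmd in commands:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)


# Constructed sample policy: the sensor account was given Viewer and (by
# mistake) Editor, but not Pub/Sub Subscriber, so log collection would fail.
SENSOR = sa_member("usm-sensor", "example-project")
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": [SENSOR, "user:analyst@example.com"]},
        {"role": "roles/editor", "members": [SENSOR]},
        {"role": "roles/pubsub.subscriber", "members": ["user:analyst@example.com"]},
    ],
}

if __name__ == "__main__":
    run(create_commands("usm-sensor", "example-project", "USM Anywhere GCP Sensor"))
    for project in ["example-project", "second-monitored-project"]:
        run(binding_commands(SENSOR, project, REQUIRED_ROLES))
    report = audit_policy(SAMPLE_POLICY, SENSOR)
    print(json.dumps({k: sorted(v) for k, v in report.items()}, indent=2))
```

Run it as-is to see the commands it would issue and the audit of the constructed policy; pass apply=True to run() only after reviewing the printed commands with gcloud authenticated against the right projects. The audit is the part worth keeping around: re-run it against the real policy of each monitored project after the console steps, and treat a non-empty "missing" set as the reason a sensor feature is not collecting, and a non-empty "excess" set as a binding to remove.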