3.2 Onboard Your Google Cloud Platform Account (GCP)

Warden supports GCP environments.

Onboarding a Google Cloud Platform (GCP) Project

Setting up Warden in a GCP project can currently only be done manually.

1. Log into your Google Cloud Console, navigate to IAM & Admin > Service Accounts and select the project to onboard.


2. Click on Create Service Account.

3. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.


4. Click on Create.

5. Under Service account permissions (optional), select the following roles to attach to the service account.

  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer

6. Click on Continue.

7. Under Grant users access to this service account (optional), leave the fields blank and click on Done.

8. Select the service account that you just created (Horangi Warden) in the Service Accounts page.

9. Click on Add Key > Create New Key.

10. Leave the default JSON selected and click Create.

11. Save the provided JSON file.

12. Enable the APIs necessary for Warden to work.

Using Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com

Via the Google Cloud Console API Library:

Enable each of the APIs named in the Cloud Shell command above, one at a time, from the API Library.

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

13. Copy and paste the contents of the JSON file into the API Credentials field.

14. Click on Add.

Enable Scanning for Google Workspace Identities (GCP Project)

15. To enable Warden to scan Google Workspace Identities, the following steps are necessary:

  1. Go to admin.google.com -> Admin Roles
  2. Click Create New Role
  3. Fill in the name (For example, Horangi Warden)
  4. Scroll down to Admin API privileges and tick Users->Read and Groups->Read. Click Continue. If done correctly, you will see only 2 permissions: Users->Read and Groups->Read.
  5. Go back to the Admin Role page and select Horangi Warden (the role that was created earlier)
  6. Click ASSIGN ROLE -> Assign Service Accounts
  7. Type in the service account name from Step 3, then click Assign Role.

Onboarding a GCP Organization

For all GCP projects that you want to scan, Warden will enable the following APIs during scanning.

  • Compute Engine API
  • Cloud SQL Admin API
  • Cloud Storage API
  • Cloud DNS API
  • Cloud Key Management Service (KMS) API
  • Identity and Access Management (IAM) API
  • Kubernetes Engine API
  • Stackdriver Monitoring API
  • Cloud Logging API
  • Cloud Resource Manager API
  • BigQuery API
  • Binary Authorization API
  • Admin SDK API

If you are unable to create the IAM Role (see step 10 below), you will have to manually enable all of the above APIs in each project. You can run the following command in Google Cloud Shell to enable the APIs:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com

Repeat the command once for each project.
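Running the full command blindly in every project is noisy, and it hides which projects were actually missing something. The script below is an added example (not part of the Horangi documentation) that compares each project's enabled services against the list from the command above and prints the command to enable only what is missing. It assumes you have saved, per project, the output of `gcloud services list --enabled --project=PROJECT --format=json`, and that each object in that output carries the service name under `config.name`; the two listings embedded below are constructed for illustration.

```python
"""Enable only the Warden APIs that a project is still missing.

Added example, not part of the Horangi documentation. It assumes you have
saved, per project, the output of
    gcloud services list --enabled --project=PROJECT --format=json
and that each object in that output carries the service name under
config.name. The listings below are constructed for illustration.
"""
import json
import shlex

# The service names from the page's gcloud command, in the same order.
WARDEN_APIS = [
    "compute.googleapis.com",
    "sqladmin.googleapis.com",
    "storage.googleapis.com",
    "dns.googleapis.com",
    "cloudkms.googleapis.com",
    "iam.googleapis.com",
    "container.googleapis.com",
    "monitoring.googleapis.com",
    "logging.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "bigquery.googleapis.com",
    "binaryauthorization.googleapis.com",
]


def enabled_services(listing):
    """Set of service names reported as enabled by `gcloud services list`."""
    return {item["config"]["name"] for item in listing}


def missing_apis(listing):
    """Warden APIs absent from the enabled listing, in WARDEN_APIS order."""
    enabled = enabled_services(listing)
    return [api for api in WARDEN_APIS if api not in enabled]


def enable_command(project, apis):
    """The gcloud command to run for one project, or '' if nothing is missing.

    --project is passed explicitly so the command never depends on whichever
    project happens to be active in the gcloud configuration.
    """
    if not apis:
        return ""
    return (
        "gcloud services enable "
        + " ".join(apis)
        + " --project=" + shlex.quote(project)
    )


def plan(listings):
    """Map project -> enable command (projects already complete map to '')."""
    return {project: enable_command(project, missing_apis(listing))
            for project, listing in listings.items()}


# Constructed sample listings (only the fields this script reads).
SAMPLE_LISTING_JSON = """[
  {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
  {"config": {"name": "dns.googleapis.com"}, "state": "ENABLED"}
]"""
SAMPLE_LISTINGS = {
    "proj-a": json.loads(SAMPLE_LISTING_JSON),
    "proj-b": [{"config": {"name": api}, "state": "ENABLED"} for api in WARDEN_APIS],
}


if __name__ == "__main__":
    for project, cmd in plan(SAMPLE_LISTINGS).items():
        print(f"{project}: {cmd or 'all Warden APIs already enabled'}")
```

Feed it one listing per project and review the printed commands before running them; projects without billing will still fail on Compute Engine and Cloud DNS, which the page calls out separately.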

Pre-Requisites:

  • A GCP account within the organization assigned with the Organization Administrator and Organization Role Administrator roles.
  • An active Cloud Billing Account

Adding a GCP Cloud Organization

1. Log in to the GCP console using an account assigned with the Organization Administrator and Organization Role Administrator roles.

2. Create a new project within the organization to ensure API limits for Warden are controlled separately from production workloads. 

3. Enter a unique project name and click Create. You will then be redirected to the project view.

4. Click the hamburger menu button on the top left corner and click Billing.

5. If a billing account has already been linked to the project, you should see the Billing Overview page. Otherwise, click Link a Billing Account.

6. Select the billing account you would like to associate the project with from the dropdown menu and click on Link Account.

7. Navigate to IAM & Admin > Service Accounts, then click on Create Service Account.

8. Under Service account details, enter Horangi Warden as the Service account name, then enter Horangi API Access as the Service account description.

9. Click Create, then Done.

10. Note down the email address of the service account you just created (Horangi Warden) in an accessible location.

11. Click the 3-dot menu icon under the Actions column for the new service account and click Create key.

12. Leave the Key type as JSON and click Create.

13. Save the JSON file to a secure location. You will not be able to recover the key if you lose it.

14. Enable the APIs necessary for Warden to work.

Method 1: Using Google Cloud Shell

Type the following command in the Google Cloud Shell:

gcloud services enable compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com dns.googleapis.com cloudkms.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com cloudresourcemanager.googleapis.com bigquery.googleapis.com binaryauthorization.googleapis.com cloudbilling.googleapis.com

Method 2: Via the Google Cloud Console API Library:

Enable each of the APIs listed at the top of this section, one at a time, from the API Library.

The Compute Engine and Cloud DNS APIs require you to have billing enabled on the projects you are onboarding.

15. Switch back to Organization view to start setting up the organization-wide permissions.

16. Navigate to IAM & Admin > Roles, then click Create Role.

17. Under Title, enter Horangi Warden Scanner, then enter HorangiWardenScanner as the ID.

18. Click Add Permissions.

19. Under the Filter table field, enter and select `serviceusage.services.enable`.

20. Once the permission has been selected, click Add.

21. Click Create to finish creating the custom role.

22. Still in Organization view, navigate to IAM & Admin > IAM. Click Add to add permissions for the service account you created in Steps 7-9.

23. Input the email of the service account you created as New members.

24. Add the following roles:

  • Custom > Horangi Warden Scanner (the Role created earlier)
  • Resource Manager > Organization Viewer
  • Resource Manager > Folder Viewer
  • Billing > Billing Account Viewer
  • IAM > Security Reviewer
  • Compute Engine > Compute Network Viewer
  • BigQuery > BigQuery Metadata Viewer
  • Binary Authorisation > Binary Authorisation Policy Viewer
  • Service Usage > Service Usage Viewer

If you can’t find the Role `Horangi Warden Scanner`, wait for a few minutes and try again. It may take some time for the Role to appear after creation.

25. Click Save to finish adding permissions.
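After saving, it is worth confirming that the service account ended up with exactly the roles from step 24 and nothing broader. The script below is an added example (not part of the Horangi documentation) that audits an exported organization policy for one member and reports roles that are missing, roles beyond the list, and roles that are only granted under an IAM condition. It assumes you have exported the policy with `gcloud organizations get-iam-policy ORG_ID --format=json`, that the custom role was created with the ID `HorangiWardenScanner` from step 17, and that the predefined role IDs below correspond to the console names in step 24; the sample policy, organization ID and service account address are constructed.

```python
"""Audit the organization-level IAM bindings of the Warden service account.

Added example, not part of the Horangi documentation. It assumes the policy
was exported with
    gcloud organizations get-iam-policy ORG_ID --format=json
and that the custom role ID is HorangiWardenScanner (step 17). The role IDs
below are the predefined roles matching the console names in step 24; the
sample policy is constructed.
"""
import json

# Predefined role IDs for the roles listed in step 24.
REQUIRED_PREDEFINED_ROLES = {
    "roles/resourcemanager.organizationViewer",  # Organization Viewer
    "roles/resourcemanager.folderViewer",        # Folder Viewer
    "roles/billing.viewer",                      # Billing Account Viewer
    "roles/iam.securityReviewer",                # Security Reviewer
    "roles/compute.networkViewer",               # Compute Network Viewer
    "roles/bigquery.metadataViewer",             # BigQuery Metadata Viewer
    "roles/binaryauthorization.policyViewer",    # Binary Authorization Policy Viewer
    "roles/serviceusage.serviceUsageViewer",     # Service Usage Viewer
}


def required_roles(org_id, custom_role_id="HorangiWardenScanner"):
    """Full expected role set, including the organization-level custom role."""
    return REQUIRED_PREDEFINED_ROLES | {f"organizations/{org_id}/roles/{custom_role_id}"}


def granted_roles(policy, member):
    """Split the member's bindings into unconditional and conditional roles.

    A conditional binding can silently withhold a grant (for example after an
    expiry time), so a scanner's access should not rely on one.
    """
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        target = conditional if binding.get("condition") else unconditional
        target.add(binding["role"])
    return unconditional, conditional


def audit(policy, member, org_id):
    """Return (missing, unexpected, conditional) role sets for `member`.

    `unexpected` is every unconditional role outside the step-24 list; Warden
    only needs viewer-level roles plus the custom role, so anything else is a
    least-privilege violation to remove.
    """
    required = required_roles(org_id)
    granted, conditional = granted_roles(policy, member)
    return required - granted, granted - required, conditional


def _binding(role, *members, condition=None):
    binding = {"role": role, "members": list(members)}
    if condition:
        binding["condition"] = condition
    return binding


# Constructed sample: the member has every required role except Folder
# Viewer, an Owner grant that should not be there, and a conditional Viewer.
ORG_ID = "123456789012"
MEMBER = "serviceAccount:horangi-warden@warden-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwX-constructed",
    "bindings": [
        _binding("roles/owner", "user:alice@example.com", MEMBER),
        _binding(f"organizations/{ORG_ID}/roles/HorangiWardenScanner", MEMBER),
        _binding("roles/resourcemanager.organizationViewer", MEMBER),
        _binding("roles/billing.viewer", MEMBER),
        _binding("roles/iam.securityReviewer", MEMBER),
        _binding("roles/compute.networkViewer", MEMBER),
        _binding("roles/bigquery.metadataViewer", MEMBER),
        _binding("roles/binaryauthorization.policyViewer", MEMBER),
        _binding("roles/serviceusage.serviceUsageViewer", MEMBER),
        _binding("roles/viewer", MEMBER, condition={
            "title": "expires",
            "expression": "request.time < timestamp('2021-01-01T00:00:00Z')",
        }),
    ],
}


if __name__ == "__main__":
    missing, unexpected, conditional = audit(SAMPLE_POLICY, MEMBER, ORG_ID)
    print(json.dumps({"missing": sorted(missing),
                      "unexpected": sorted(unexpected),
                      "conditional": sorted(conditional)}, indent=2))
```

Replace `SAMPLE_POLICY` with `json.load(open("policy.json"))` and `MEMBER` with `serviceAccount:` followed by the address noted in step 10. An empty `missing` set and an empty `unexpected` set is the state you want before moving on to Storyfier.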

26. Go to Storyfier’s Settings (gear icon) page, then click on Integrations.

27. Click the Add button next to GCP. A popup of the list of organizations linked to your Storyfier org will appear.

28. Click Add New GCP Cloud Organization. 

You can only add a GCP organization once. If you need to make changes to your service account credentials, you can edit an existing GCP organization.

29. Paste the service account credentials JSON file you saved earlier in the API Credentials field.

30. For the Identifier field, enter the text `organizations/` followed by your Organization ID. The Organization ID can be found by clicking on the dropdown menu on the top and looking at the ID next to your organization.

31. Click Add.
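Both onboarding flows end with pasting a service account key file into the API Credentials field (step 13 of the project flow, step 29 here) and, for organizations, typing the `organizations/` identifier by hand. The script below is an added example (not part of the Horangi documentation) that checks the key file is a complete, untampered service account key for the expected project, produces a summary safe to paste into a ticket without the private key, builds the Identifier value for step 30, and checks that the saved file is readable only by its owner. It assumes the key is the JSON file from step 12 and that `warden-proj` and `123456789012` stand in for your own project ID and Organization ID; the sample key below is constructed and its private_key is a dummy PEM body.

```python
"""Check a downloaded service account key before pasting it into Warden's
API Credentials field, and build the Identifier value for step 30.

Added example, not part of the Horangi documentation. It assumes the key is
the JSON file created in step 12 and that the project ID and Organization ID
are your own values. The sample key below is constructed; its private_key is
a dummy PEM body, not a real key.
"""
import json
import os
import re
import stat

SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")


def load_key(text):
    """Parse the contents of the key file (what you would paste in step 29)."""
    return json.loads(text)


def check_key(key, expected_project):
    """Return a list of problems; an empty list means the key looks usable.

    Only structural checks are made, and the private key itself is never
    logged or returned.
    """
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']!r} does not match {expected_project!r}")
    if not SA_EMAIL_RE.match(key["client_email"]):
        problems.append(f"client_email {key['client_email']!r} is not a service account address")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 block (was the file edited?)")
    return problems


def summarize(key):
    """Fields safe to record in a ticket or runbook; never the private key."""
    return {"client_email": key["client_email"],
            "project_id": key["project_id"],
            "private_key_id": key["private_key_id"]}


def org_identifier(org_id):
    """Identifier for step 30: 'organizations/' plus the numeric Organization ID."""
    org_id = str(org_id).strip()
    if not org_id.isdigit():
        raise ValueError(f"Organization ID must be numeric, got {org_id!r}")
    return f"organizations/{org_id}"


def file_is_private(path):
    """True if the saved key file is readable only by its owner (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample key; the private_key body is a placeholder.
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "project_id": "warden-proj",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkq...constructed...\\n-----END PRIVATE KEY-----\\n",
  "client_email": "horangi-warden@warden-proj.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""


if __name__ == "__main__":
    key = load_key(SAMPLE_KEY_JSON)
    print(summarize(key))
    print(check_key(key, "warden-proj") or "key looks usable")
    print(org_identifier("123456789012"))
```

Point `load_key` at the real file contents and `file_is_private` at its path; a non-empty problem list usually means the wrong project's key was downloaded or the file was edited while copying it.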

Enable Scanning for Google Workspace Identities (GCP Organization)

32. [Optional] To enable Warden to scan Google Workspace Identities, follow these steps:

  1. Go to admin.google.com -> Admin Roles
  2. Click Create New Role
  3. Fill in the name (For example, Horangi Warden)
  4. Scroll down to Admin API privileges and tick Users->Read and Groups->Read. Click Continue. If done correctly, you will see only 2 permissions: Users->Read and Groups->Read.
  5. Go back to the Admin Role page and select Horangi Warden (the role that was created earlier)
  6. Click ASSIGN ROLE -> Assign Service Accounts
  7. Type in the service account name from Step 8, then click Assign Role.

Caution: You cannot remove GCP organizations in Storyfier and doing so will disable all scans tied to that GCP organization. If you have to remove your organization, contact us at hello@horangi.com for assistance.

Updating GCP Cloud Organization API Credentials

1. Follow Steps 1-25 of Adding a GCP Cloud Organization to create a new Service Account.

2. In Storyfier, click on Settings > Integrations, then click Update next to GCP.

3. Click Update next to the GCP Organization you want to update.

4. Paste the API credentials you downloaded in Step 12 of Adding a GCP Cloud Organization.

5. Click Save Changes.

Importing Projects from a GCP Cloud Organization

1. Navigate to the Settings page (gear icon), then click Scan Configuration on the left sidebar.

2. Create a new scan group or use an existing one.

3. On the Scan Configuration page, click on the pencil icon next to the scan group which you would like to import GCP projects into.

4. On the right-side panel, click Add Account.

5. Select Add Projects From Google Cloud Organization and click Next.

6. Select the Organization that you created previously and click on Next.

7. Select the projects you want to onboard in Warden and click Add Projects.

8. On the Scan Configuration page, you should see the projects imported into the scan group.

9. Click on the Refresh icon next to each project to start a scan.

Only projects that have billing accounts linked are imported. If there is a project in your organization that has not been imported, check to see if the project is linked to a billing account.