Setting Up GCP Organization One-Click Remediation

After you have completed the onboarding steps below, follow the guide Executing One-Click Remediation to start remediations in your GCP environment.

Remediation Onboarding

Step 1

  1. Go to Organization Settings
  2. Go to Integrations

For a new GCP organization:

Note: Log in to the GCP account you want to add for scanning.

Step 1-1

  1. Click Add/Modify next to the GCP row.
  2. Follow the instructions in Getting Started with Warden (Onboarding a GCP Organization) to add the Warden Scanner role.
  3. Proceed to Adding the Warden Remediation Role.

 

For an existing GCP organization:

[Screenshot: Update icon on an existing Google Cloud Organization account]

 

  1. Click the Update icon in the Google Cloud Organization account that you want to edit.
  2. Click on Set up / Update Remediate Role ARN.
  3. Proceed to Adding the Warden Remediation Role and follow the instructions in that section.

[Screenshot: Set up / Update Remediate Role ARN]

Adding the Warden Remediation Role (GCP)

  • Do not close the creation screen during the GCP installation.
  • Log in to your GCP account in another browser window.
  • Make sure the GCP account you are logging in from has Administrator access.

Setting up Warden in a GCP Organization can only be done the manual way at this time.

  1. Log in to the GCP console using an email account that has the Organization Administrator and Organization Role Administrator roles.
  2. From the dropdown menu at the top, choose the project created previously in the GCP Organization Onboarding process for the Horangi Warden service account.

  3. Navigate to “IAM & Admin” > “Service Accounts” and create a service account:

a. Click on “CREATE SERVICE ACCOUNT”.
b. Under Service account details, enter Horangi Warden Organization Remediation as the Service account name, then enter Horangi API Access for Organization-wide Remediation as the Service account description.
c. Click on “CREATE” and then click “DONE”.

[Screenshot: service account details]

4. Note down the email address of the service account you just created (Horangi Warden Organization Remediation). Click on the menu icon (3 dots) under the Actions column for that service account and click on “Create Key”.

[Screenshot: Manage keys]

[Screenshot: Create new key]

5. Leave the default JSON selected and click “Create”.

[Screenshot: JSON private key]

6. Save the provided JSON file. It is the only copy of the private key; Google does not store it, so keep it out of version control and restrict who can read it.

7. From the dropdown menu at the top, switch to the organization’s view. You must be at the organization’s view to set up organization-wide permissions for the service account.


8. Navigate to “IAM & Admin” > “Roles”. Click “CREATE ROLE”.

[Screenshot: Create role]

a. Under Title, enter Horangi Warden Organization Remediation, then enter HorangiWardenOrganizationRemediation as the ID.

b. Click on “ADD PERMISSIONS”. Under “Filter table”, enter and select each of the following permissions one at a time (permission names are case-sensitive):

  1. compute.instances.deleteAccessConfig
  2. compute.instances.setMetadata
  3. compute.subnetworks.update
  4. resourcemanager.projects.setIamPolicy
  5. cloudkms.cryptoKeys.setIamPolicy
  6. cloudkms.cryptoKeys.get
  7. cloudsql.instances.update
  8. cloudsql.instances.get
  9. storage.buckets.update
  10. iam.serviceAccounts.actAs
  11. storage.buckets.get

[Screenshot: Add permissions]

c. Once all the permissions have been selected, click on “ADD”.
d. Click “Create” to finish creating the custom role.

9. Navigate to “IAM & Admin” > “IAM”. Make sure you are still at the organization's view. Add Permissions for the service account by clicking “ADD”.

[Screenshot: Roles]

a. Input the email of the service account you created under New members.
b. Add the following roles:

    1. Resource Manager > Organization Viewer
    2. Resource Manager > Folder Viewer
    3. Billing > Billing Account Viewer
    4. IAM > Security Reviewer
    5. Compute Engine > Compute Network Viewer
    6. BigQuery > BigQuery Metadata Viewer
    7. Binary Authorization > Binary Authorization Policy Viewer
    8. Custom > Horangi Warden Scanner (This is the Role created previously during the Organization Onboarding process)
    9. Custom > Horangi Warden Organization Remediation (This is the Role created earlier)

c. If you can’t find the Role `Horangi Warden Organization Remediation`, wait for a few minutes and try again. It may take some time for the Role to appear after creation.

d. Click on “Save” to finish adding permissions.

10. Paste the contents of the saved service account credentials JSON file into the API Credentials field below.

[Screenshot: API Credentials field]
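Steps 3 to 10 can also be done, or re-checked after the fact, with gcloud. The script below is an added example and not Horangi's own tooling: it creates the service account, builds the custom role from the eleven permissions listed in step 8, binds the step 9 roles at the organization level, issues the key and checks the downloaded JSON before it is pasted into Warden. `ORG_ID` and `PROJECT_ID` are placeholders, the scanner role ID `HorangiWardenScanner` is an assumption (the guide only gives its title), and gcloud must already be authenticated as a user holding Organization Administrator and Organization Role Administrator.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): script the remediation role setup.
# Assumptions: ORG_ID / PROJECT_ID are placeholders, SCANNER_ROLE_ID is the
# assumed ID of the "Horangi Warden Scanner" role, gcloud is authenticated.
set -eu

ORG_ID="${ORG_ID:-000000000000}"            # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-warden-project}"  # placeholder: project from scanner onboarding
SA_NAME="horangi-warden-org-remediation"    # account ID; display name is set in provision
ROLE_ID="HorangiWardenOrganizationRemediation"
SCANNER_ROLE_ID="${SCANNER_ROLE_ID:-HorangiWardenScanner}"  # assumed

# The eleven permissions from step 8b. Names are case-sensitive, so
# storage.buckets.get is lowercase.
remediation_permissions() {
  cat <<'EOF'
compute.instances.deleteAccessConfig
compute.instances.setMetadata
compute.subnetworks.update
resourcemanager.projects.setIamPolicy
cloudkms.cryptoKeys.setIamPolicy
cloudkms.cryptoKeys.get
cloudsql.instances.update
cloudsql.instances.get
storage.buckets.update
iam.serviceAccounts.actAs
storage.buckets.get
EOF
}

# Role definition in the YAML shape accepted by `gcloud iam roles create --file`.
role_yaml() {
  printf 'title: Horangi Warden Organization Remediation\n'
  printf 'description: Horangi API Access for Organization-wide Remediation\n'
  printf 'stage: GA\n'
  printf 'includedPermissions:\n'
  remediation_permissions | sed 's/^/- /'
}

sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"
}

# The roles from step 9, as gcloud role names (predefined first, then the two
# organization-level custom roles).
org_roles() {
  cat <<EOF
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
roles/billing.viewer
roles/iam.securityReviewer
roles/compute.networkViewer
roles/bigquery.metadataViewer
roles/binaryauthorization.policyViewer
organizations/$ORG_ID/roles/$SCANNER_ROLE_ID
organizations/$ORG_ID/roles/$ROLE_ID
EOF
}

# Step 10 check before pasting: the file must be a service-account key and it
# must belong to the account created above, not some other key lying around.
validate_key_file() {
  f="$1"
  grep -q '"type": *"service_account"' "$f" || { echo "$f: not a service-account key" >&2; return 1; }
  grep -q "\"client_email\": *\"$(sa_email)\"" "$f" || { echo "$f: key is for a different account" >&2; return 1; }
  return 0
}

# Step 3 (account), step 8 (custom role), step 9 (bindings), steps 4-6 (key).
provision() {
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "Horangi Warden Organization Remediation" \
    --description "Horangi API Access for Organization-wide Remediation"
  role_yaml > /tmp/remediation-role.yaml
  gcloud iam roles create "$ROLE_ID" --organization "$ORG_ID" --file /tmp/remediation-role.yaml
  org_roles | while read -r role; do
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member "serviceAccount:$(sa_email)" --role "$role"
  done
  gcloud iam service-accounts keys create remediation-key.json --iam-account "$(sa_email)"
  chmod 600 remediation-key.json        # the key file is the credential: owner-only
  validate_key_file remediation-key.json
}

# Only touch GCP when asked; the functions above can be sourced for review.
if [ "${RUN_PROVISION:-0}" = "1" ]; then
  provision
fi
```

Run `RUN_PROVISION=1 ORG_ID=<your org id> PROJECT_ID=<your project> ./setup-remediation.sh` to provision; without `RUN_PROVISION` the script only defines the functions, so `role_yaml` and `org_roles` can be sourced and diffed against what is actually bound in the console when reviewing the setup later.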