GCP

Prepare your environment, then follow the wizard’s prompts to install agentless Cloud Security Posture Management (CSPM), Identity and Access Management (CIEM), Cloud Detection and Response (CDR), and/or Vulnerability Management host scanning on Google Cloud Platform (GCP). You can connect single projects or organizations.

Cloud Security Posture Management (CSPM)

Connecting your GCP environment will set up a Service Account between you and Sysdig, enabling Cloud Security Posture Management (CSPM) which:

  • Monitors and detects misconfigurations in your cloud resources.
  • Ensures your cloud environment complies with industry standards and regulations.
  • Provides a comprehensive inventory of all cloud assets, helping you maintain visibility and control over your environment.

Review GCP Roles and Permissions

Service Accounts

There are two security principals in the onboarding process:

  • Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
  • Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.

GCP Roles

GCP IAM has a single control plane that applies at either the organization level or the project level:

  • GCP Roles: Applied to the entire organization or to a single project.

Prerequisites

  • Sysdig Secure SaaS with Admin permissions
  • Terraform v1.3.1+ installed
  • GCP CLI installed. See How to install the GCP CLI.
  • Access to a User with the permissions required to install.

Permissions Required to Install

Single Project

If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:

  • roles/iam.serviceAccountAdmin
  • roles/iam.roleAdmin
  • roles/resourcemanager.projectIamAdmin
  • roles/iam.serviceAccountKeyAdmin
  • roles/serviceusage.serviceUsageAdmin

Organization

Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

If you are installing CSPM, the user/service account must have the following roles assigned:

  • roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
  • roles/iam.organizationRoleAdmin (At the Organization level)
  • roles/resourcemanager.organizationAdmin (At the Organization level)
  • roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
  • roles/serviceusage.serviceUsageAdmin (At the Organization level)

Permissions Granted to Sysdig

The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:

For CSPM:

  • roles/iam.browser
  • roles/cloudasset.viewer
  • roles/iam.workloadIdentityUser
  • roles/logging.viewer
  • roles/cloudfunctions.viewer
  • roles/cloudbuild.builds.viewer
  • roles/orgpolicy.policyViewer

Prepare Your Environment

1. Configure Installation Permissions

If you install manually or on your local machine, install as a user. If you are automating the installation, such as using Terraform Cloud, install as a service account.

You can:

  • Use an existing user or service account that meets the permissions requirements
  • Create a new user or service account and set up permissions
  • Add permissions to an existing user or service account

Provide User with Appropriate Roles

Ensure your user has the correct roles and permissions in GCP to perform the onboarding.

Single Project

To check or assign roles:

  1. Log in to the Google Cloud Console as either a user or a service account, ensuring you have the correct project active.
  2. Navigate to IAM & Admin > IAM.
  3. In VIEW BY PRINCIPALS, find your User/service account.
  4. Ensure that all the roles listed in Permissions Required to Install are present.
  5. If any roles are missing, select your user/service account, and grant the roles using the Grant Access button. You may need to work with your administrator to be granted the correct roles.

Organization

Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.

For roles required on a single project, follow the instructions for a single project above.

For roles that are required at the organization level:

  1. Log in to the Google Cloud Console as either a user or a service account.
  2. Ensure the organization is selected in the project selector in the top bar. If you do not see your organization there, you may need to work with your administrator.
  3. In VIEW BY PRINCIPALS, find your User/Super Administrator.
  4. Ensure that all the roles listed in Permissions Required to Install are present.
  5. If any roles are missing, select your user/service account, and grant the roles using the Grant Access button. You may need to work with your administrator to be granted the correct roles.

Enable Required APIs

Enable the APIs at the project level.

To do so manually:

  1. Click each of the API links in the table below.

  2. Select the appropriate project and click Enable.

| API Name | API ID | Features | Projects | Usage |
|---|---|---|---|---|
| Identity and Access Management (IAM) API | iam.googleapis.com | All Features | All | Used to access and collect IAM resources for CSPM and CIEM evaluations. |
| IAM Service Account Credentials API | iamcredentials.googleapis.com | All Features | All | Used to generate OAuth 2.0 access tokens. |
| Security Token Service API | sts.googleapis.com | All Features | All | Used to exchange short-lived access tokens when interacting with Google Cloud resources. |
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com | CSPM/CIEM | All | Used to gather resources such as organizations, projects, and IAM access control policy bindings for CSPM and CIEM evaluations. |
| Cloud Identity API | cloudidentity.googleapis.com | CSPM/CIEM | All | Used to look up Google Group resource details. |
| Admin SDK API | admin.googleapis.com | CSPM/CIEM | All | Used to list users and their details, including information about the users who belong to Google Groups. |
| Cloud Asset API | cloudasset.googleapis.com | CSPM/CIEM | All | Used to obtain a comprehensive inventory of Google Cloud resources for CSPM and CIEM evaluations. |
| Compute Engine API | compute.googleapis.com | Vulnerability Management/CSPM | All | Used by Vulnerability Management and CSPM to gather firewalls for network exposure analysis. |
| Pub/Sub API | pubsub.googleapis.com | CDR | Management Project | Used by CDR to receive all events for the organization or project. |

Check API Enablement

To confirm that the required APIs were enabled:

  1. Enable the serviceusage.googleapis.com Service API. This is required to execute the following command.

  2. Execute: gcloud services list --enabled

     Confirm that the output includes all the services listed in the table above.
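To run both prerequisite checks from the command line before opening the wizard, the installer roles under Permissions Required to Install (single project) and the APIs in the table above, here is an added preflight script; it is not Sysdig's code or part of this page. It assumes gcloud is installed and authenticated, and that the caller exports PROJECT_ID and PRINCIPAL (for example user:alice@example.com) before running it.

```shell
# Added example (not Sysdig's code): preflight check for the single-project
# onboarding. Assumes gcloud is installed and authenticated and that the
# caller exports PROJECT_ID and PRINCIPAL (e.g. user:alice@example.com).

# Installer roles from "Permissions Required to Install" (single project).
REQUIRED_INSTALL_ROLES="roles/iam.serviceAccountAdmin roles/iam.roleAdmin \
roles/resourcemanager.projectIamAdmin roles/iam.serviceAccountKeyAdmin \
roles/serviceusage.serviceUsageAdmin"
# APIs from the "Enable Required APIs" table, plus serviceusage (needed by
# the check itself). pubsub is only required for CDR, so it is left out.
REQUIRED_APIS="iam.googleapis.com iamcredentials.googleapis.com \
sts.googleapis.com cloudresourcemanager.googleapis.com \
cloudidentity.googleapis.com admin.googleapis.com cloudasset.googleapis.com \
compute.googleapis.com serviceusage.googleapis.com"

# missing_items REQUIRED ACTUAL: print each required item absent from ACTUAL
# (both space-separated); return 1 if anything is missing, else 0.
missing_items() {
  required=$1; actual=$2; rc=0
  for item in $required; do
    case " $actual " in
      *" $item "*) ;;
      *) echo "$item"; rc=1 ;;
    esac
  done
  return $rc
}

# Live lookups against GCP; each prints a space-separated list.
enabled_apis() {
  gcloud services list --enabled --project "$PROJECT_ID" \
    --format='value(config.name)' | tr '\n' ' '
}
principal_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
    --filter="bindings.members:$PRINCIPAL" --format='value(bindings.role)' \
    | tr '\n' ' '
}

preflight() {
  ok=0
  echo "Installer roles missing for $PRINCIPAL on $PROJECT_ID:"
  missing_items "$REQUIRED_INSTALL_ROLES" "$(principal_roles)" || ok=1
  echo "Required APIs not enabled on $PROJECT_ID:"
  missing_items "$REQUIRED_APIS" "$(enabled_apis)" || ok=1
  return $ok
}
# Only contact GCP when a target is set; otherwise only define the functions.
if [ -n "${PROJECT_ID:-}" ] && [ -n "${PRINCIPAL:-}" ]; then preflight; fi
```

An empty list under each heading means that check passed; the script exits non-zero if either list is non-empty, so it can gate an automated pipeline.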

2. Authenticate and Configure Terraform

A common way to do this is:

  1. Ensure you are logged in to the correct Project.

    Log in using the GCP CLI:

    gcloud auth application-default login
    

    A web page to select your user account appears. Log in as the user you configured in Step 1.

  2. Confirm you are logged in as the correct user, by running:

    gcloud auth list
    

    For alternative ways to authenticate Terraform, see the Terraform documentation: Google Provider Configuration Reference.

3. Collect your GCP Organization Domain name and Project ID

Organization Domain Name

  1. Sign in to the GCP portal.
  2. Browse to Select a Resource > All.
  3. Search for your Organization name in the overlay.
  4. Copy the Organization Domain Name. You can paste this value into a text document or other location.

Project ID

  1. Sign in to the GCP portal.
  2. Browse to Select a Resource > All.
  3. Search the project in the list, and note the Project ID shown in the second column. If no projects appear, or you don’t see the right one, you may need to switch organizations to show the projects.
  4. To easily copy the Project ID, select the project name to display more details. Select the Copy to clipboard icon shown next to the Project ID. You can paste this value into a text document or another location.

Install GCP Using the Wizard

  1. Log in to Sysdig Secure.
  2. Select Integrations > Cloud Accounts > GCP and click Add GCP Account on the top right corner.
  3. Connect your GCP Organization or Project.
  • This enables CSPM and lets you onboard Vulnerability Management and CDR after the connection completes.

Organization Multi-Project

  1. Enter your:
  • Project ID: The ID of the project where the Sysdig resources will be created.
  2. Specify Management Groups:
  • For onboarding the entire Organization: Enter the Organization Domain Name.
  3. Generate and apply the Terraform code:
  • Create a main.tf file.
  • Copy the snippet provided into the file.
  • Run the command: terraform init && terraform apply.

Within an hour after deployment, your accounts will appear on the Cloud Accounts page.

Single Project

  1. Enter your:
  • Project ID: The ID of the project you want to onboard.
  2. Generate and apply the Terraform code:
  • Create a main.tf file.
  • Copy the snippet provided into the file.
  • Run the command: terraform init && terraform apply.

Within an hour after deployment, your accounts will appear on the Cloud Accounts page.

Validate

You can verify your CSPM configuration by checking the connection status:

  • Log in to Sysdig Secure and select Integrations > Cloud Accounts > GCP.

Within 10 minutes, after you apply Terraform, your accounts will appear on the Sysdig Cloud Accounts page. You can add more features after this initial connection by following instructions to Add New Features.