GCP
Cloud Security Posture Management (CSPM)
Connecting your GCP environment will set up a Service Account between you and Sysdig, enabling Cloud Security Posture Management (CSPM) which:
- Monitors and detects misconfigurations in your cloud resources.
- Ensures your cloud environment complies with industry standards and regulations.
- Provides a comprehensive inventory of all cloud assets, helping you maintain visibility and control over your environment.
Review GCP Roles and Permissions
Service Accounts
There are two security principals in the onboarding process:
- Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
- Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.
GCP Roles
GCP IAM has a single control plane that applies to either at the organization or project level:
- GCP Roles: Applied to the entire organization or project.
Prerequisites
- Sysdig Secure SaaS with Admin permissions
- Terraform v1.3.1+ installed
- GCP CLI installed. See How to install the GCP CLI.
- Access to a User with the permissions required to install.
Permissions Required to Install
Single Project
If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:
roles/iam.serviceAccountAdminroles/iam.roleAdminroles/resourcemanager.projectIamAdminroles/iam.serviceAccountKeyAdminroles/serviceusage.serviceUsageAdmin
Organization
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing CSPM, the user/service account must have the following roles assigned:
roles/iam.serviceAccountAdmin(On the project where shared resources will be created)roles/iam.organizationRoleAdmin(At the Organization level)roles/resourcemanager.organizationAdmin(At the Organization level)roles/iam.serviceAccountKeyAdmin(On the project where shared resources will be created)roles/serviceusage.serviceUsageAdmin(At the Organization level)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For CSPM:
roles/iam.browserroles/cloudasset.viewerroles/iam.workloadIdentityUserroles/logging.viewerroles/cloudfunctions.viewerroles/cloudbuild.builds.viewerroles/orgpolicy.policyViewer
Prepare Your Environment
1. Configure Installation Permissions
If you install manually or on your local machine, install as a user. If you are automating the installation, such as using Terraform Cloud, install as a service account.
You can:
- Use an existing user or service account that meets the permissions requirements
- Create a new user or service account and set up permissions
- Add permissions to an existing user or service account
Provide User with Appropriate Roles
Ensure your user has the correct roles and permissions in GCP to perform the onboarding.
Single Project
To check or assign roles:
- Log in to the Google Cloud Console as either a user or a service account, ensuring you have the correct project active.
- Navigate to IAM & Admin > IAM.
- In VIEW BY PRINCIPALS, find your User/service account.
- Ensure that all the roles listed in Permissions Required to Install are present.
- If any roles are missing, select your user/service account, and grant the roles using the Grant Access button. You may need to work with your administrator to be granted the correct roles.
Organization
Certain roles are required at the organization level. Certain roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
For roles required on a single project, follow the instructions for a single project above.
For roles that are required at the organization level:
- Log in to the Google Cloud Console as either a user or a service account.
- Ensure the organization is selected in the project selector in the top bar. If you do not see your organization there, you may need to work with your administrator.
- In VIEW BY PRINCIPALS, find your User/Super Administrator.
- Ensure that all the roles listed in Permissions Required to Install are present.
- If any roles are missing, select your user/service account, and grant the roles using the Grant Access button. You may need to work with your administrator to be granted the correct roles.
Enable Required APIs
Enable the APIs at the project level. For organization onboarding, this refers to the project you selected during the onboarding process.
To do so manually:
Click each of the API links in the table below.
Select the appropriate project and click Enable.
| API Name | API ID | Features | Usage | |
|---|---|---|---|---|
| Identity and Access Management (IAM) API | iam.googleapis.com | All Features | Used to access and collect IAM resources for CSPM and CIEM evaluations. | |
| IAM Service Account Credentials API | iamcredentials.googleapis.com | All Features | Used to generate OAuth 2.0 access tokens. | |
| Security Token Service API | sts.googleapis.com | All Features | Used to exchange short-lived access tokens when interacting with Google Cloud resources. | |
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com | CSPM/CIEM | Used to gather resources such as organizations, projects, and IAM access control policy bindings for CSPM and CIEM evaluations. | |
| Cloud Identity API | cloudidentity.googleapis.com | CSPM/CIEM | Used to look up Google Group resource details. | |
| Admin SDK API | admin.googleapis.com | CSPM/CIEM | Used to list users and their details, including information about the users who belong to Google Groups. | |
| Cloud Asset API | cloudasset.googleapis.com | CSPM/CIEM | Used to obtain a comprehensive inventory of Google Cloud resources for CSPM and CIEM evaluations | |
| Compute Engine API | compute.googleapis.com | Vulnerability Management/CSPM | Used by Vulnerability Management and CSPM to gather firewalls for network exposure analysis | |
| Pub Sub API | pubsub.googleapis.com | CDR | Used by CDR to receive all events w.r.t organization / project |
Check API Enablement
To confirm that the required APIs were enabled:
Enable the
serviceusage.googleapis.comService API.This is required to execute the following command.
Execute:
gcloud services list --enabled
Include all the services listed above.
2. Authenticate and Configure Terraform
A common way to do this is:
Ensure you are logged in to the correct Project.
Log in using the GCP CLI:
gcloud auth application-default loginA web page to select your user account appears. Log in as the user you configured in Step 1.
Confirm you are logged in as the correct user, by running:
gcloud auth listFor alternative ways to authenticate Terraform, see the Terraform documentation: Google Provider Configuration Reference.
3. Collect your GCP Organization Domain name and Project ID
Organization Domain Name
- Sign in to the GCP portal.
- Browse to Select a Resource > All.
- Search for your Organization name in the overlay.
- Copy the Organization Domain Name. You can paste this value into a text document or other location.
Project ID
- Sign in to the GCP portal.
- Browse to Select a Resource > All.
- Search the project in the list, and note the Project ID shown in the second column. If no projects appear, or you don’t see the right one, you may need to switch organizations to show the projects.
- To easily copy the Project ID, select the project name to display more details. Select the Copy to clipboard icon shown next to the Project ID. You can paste this value into a text document or another location.
Install GCP Using the Wizard
- Log in to Sysdig Secure.
- Select Integrations > Cloud Accounts > GCP and click Add GCP Account on the top right corner.
- Connect your GCP Organization or Project.
- This enables CSPM and lets you onboard Vulnerability Management and CDR after completing.
Organization Multi-Project
- Enter your:
- Project ID: The ID of the project where the Sysdig resources will be created.
- Specify Management Groups:
- For onboarding the entire Organization: Enter Organization Domain Name.
- Generate and apply the Terraform code:
- Create a
main.tffile. - Copy the snippet provided into the file.
- Run the command:
terraform init && terraform apply.
Within an hour after deployment, your accounts will appear on the Cloud Accounts page.
Single Project
- Enter your:
- Project ID: The ID of the project you want to onboard.
- Generate and apply the Terraform code:
- Create a
main.tffile. - Copy the snippet provided into the file.
- Run the command:
terraform init && terraform apply.
Within an hour after deployment, your accounts will appear on the Cloud Accounts page.
Check the Connection Status
Within 10 minutes, after you apply Terraform, your accounts will appear on the Sysdig Cloud Accounts page. You can add more features after this initial connection by following instructions to Add New Features.
You can verify your CSPM configuration by checking the connection status.
In Sysdig Secure, select Integrations > Cloud Accounts > GCP.
The Status column shows the overall connection status:
- Connected
- Error
- Unknown
Select the desired account to review the individual services in the detail drawer.
The health status for CSPM configuration is given below:
CSPM Status Description Healthy ✅ The account has been successfully connected, and all the resources have been scanned. Error ❌ - Authentication errors. For example:
- Invalid account ID
- Invalid client secret
- Invalid access credentials
- Access token errors
- Deny policy created by the user is preventing Sysdig from collecting resources
- The scan takes too long and eventually times out.
- Unknown error
- Authentication errors. For example:
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
