How to Onboard GCP Project/Folder/Organization

Modified on Wed, 5 Nov at 6:36 PM

Minimal Permissions Requirement for User Performing CDAI Onboarding


Purpose:
These permissions are the minimal required for executing the CDAI onboarding script. The script creates custom roles, service accounts, and IAM bindings across organization and project scopes.

1. Organization-Level Permissions

Required Roles:

• Organization Role Admin (roles/iam.organizationRoleAdmin)
• Organization Admin (roles/resourcemanager.organizationAdmin)

Permissions Included (grouped by category):

IAM Policy Management
  • resourcemanager.organizations.getIamPolicy: View the IAM policy at the organization level.
  • resourcemanager.organizations.setIamPolicy: Update or assign IAM policies for the organization.

Custom Role Management
  • iam.roles.create: Create custom roles within the organization.
  • iam.roles.update: Update existing custom roles.
  • iam.roles.get: Retrieve details of a specific custom role.
  • iam.roles.list: List all custom roles at the organization level.


2. Project-Level Permissions

Required Roles:

• Project IAM Admin (roles/resourcemanager.projectIamAdmin)
• Service Account Admin (roles/iam.serviceAccountAdmin)

Permissions Included (grouped by category):

Project Management
  • resourcemanager.projects.get: Retrieve details of the target project.
  • resourcemanager.projects.getIamPolicy: View IAM policies for the project.
  • resourcemanager.projects.setIamPolicy: Update or assign IAM policies for the project.

Custom Role Management
  • iam.roles.create: Create custom roles within the project.
  • iam.roles.update: Update existing project-level custom roles.
  • iam.roles.get: Retrieve details of project-level custom roles.
  • iam.roles.list: List all custom roles within the project.

Service Account Management
  • iam.serviceAccounts.create: Create service accounts in the project.
  • iam.serviceAccounts.get: Retrieve details of a specific service account.
  • iam.serviceAccounts.list: List all service accounts in the project.
  • iam.serviceAccounts.getIamPolicy: View IAM policy bindings on a service account.
  • iam.serviceAccounts.setIamPolicy: Update IAM bindings for service accounts.

Service Account Key Management
  • iam.serviceAccountKeys.create: Create keys for service accounts.
  • iam.serviceAccountKeys.enable: Enable disabled service account keys.
  • iam.serviceAccountKeys.get: Retrieve metadata for service account keys.
  • iam.serviceAccountKeys.list: List all keys for a given service account.


3. Summary of Required Access

Organization Level
  Required Roles:
  • Organization Role Admin
  • Organization Admin
  Purpose: Manage custom roles and IAM policies at the organization level.

Project Level
  Required Roles:
  • Project IAM Admin
  • Service Account Admin
  Purpose: Manage roles, service accounts, and bindings within specific projects.



CloudDefense.AI GCP Single Project Onboarding Process


Important: For scans to work correctly, the following APIs must be enabled on each project you want to onboard:


  • IAM Service Account Credentials API
  • Cloud Resource Manager API
  • Compute API
  • IAM API
  • Cloud Function API
  • SQLAdmin API
  • Container API
  • API keys API
  • PubSub API
  • CloudKMS API
  • Artifact Registry API



Single Onboarding STEP 1:


Login to CloudDefense portal using your credentials.



From the Sidebar, navigate to Admin -> Environments.

Now click Add New Environment and choose GCP as the provider, as shown below.




Single Onboarding STEP 2:

Select Single GCP Project and click Next.



Now give this project an account name of your choice; it will be used as the project's identifier. You can also add relevant tags if needed. Click Next.



Now select your Organization from the drop-down menu and click Next.



Single Onboarding STEP 3:


This is the final step.


1. Create your Google Cloud service account
  • Open your Google Cloud Console

  • Go to the project you want to onboard.

  • Navigate to IAM & Admin > Service Accounts.

  • Click Create service account at the top.

  • Give the service account a unique name, then click Create and continue.


Add the following role to the service account:

  • Viewer

Click Continue to finish creating the service account.


2. Add CloudDefense.AI principal to this service account
  • In the Google Cloud console, under the Service Accounts menu, find the service account you just created.

  • Go to the Permissions tab and click Grant Access.

  • Copy the CloudDefense.AI principal service account ID below and paste it into the New Principals text box:

  • cdai-service-account@first-project-476708.iam.gserviceaccount.com

  • Assign the role Service Account Token Creator and click Save.


3. Complete Onboarding setup
  • Now, in the Google Cloud console, open the Service Account > Details tab. There you can find the email associated with this Google service account.
    It resembles sa-name@project-id.iam.gserviceaccount.com

  • Copy this email and paste it into the input box in the left section of the CloudDefense.AI portal.


Now, just click on Connect Project and the onboarding is completed! 
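
A post-onboarding least-privilege check for the setup above, added here as an example and not part of the CloudDefense.AI article: it reads the project and service-account IAM policies with gcloud and confirms that the onboarded service account holds only Viewer on the project and that the CloudDefense.AI principal (the email quoted in step 2) holds only Service Account Token Creator on that account. The project ID and service-account email are placeholders passed as arguments; gcloud must be authenticated as a user who can read both policies.

```shell
#!/usr/bin/env bash
# Post-onboarding check for the single-project setup: the onboarded
# service account should hold only Viewer on the project, and the
# CloudDefense.AI principal should hold only Service Account Token Creator
# on that service account. Added example, not part of the article.
set -eu

CDAI_PRINCIPAL="serviceAccount:cdai-service-account@first-project-476708.iam.gserviceaccount.com"

# Dump an IAM policy as "role<TAB>member" lines, one member per line.
project_bindings() {  # $1 = project id
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}
sa_bindings() {  # $1 = service account email
  gcloud iam service-accounts get-iam-policy "$1" --flatten="bindings[].members" \
    --format="value(bindings.role,bindings.members)"
}

# From "role<TAB>member" lines on stdin, print the roles held by member $1, sorted.
roles_of() { awk -F'\t' -v m="$1" '$2 == m { print $1 }' | sort -u; }

# $1 = project binding lines, $2 = service-account binding lines, $3 = SA email.
# Returns 0 when both grants match the article exactly; otherwise prints each
# deviation (extra or missing roles) and returns 1.
check_onboarding() {
  local sa_roles cdai_roles rc=0
  sa_roles=$(printf '%s\n' "$1" | roles_of "serviceAccount:$3")
  cdai_roles=$(printf '%s\n' "$2" | roles_of "$CDAI_PRINCIPAL")
  [ "$sa_roles" = "roles/viewer" ] ||
    { echo "project roles of $3: ${sa_roles:-none} (expected roles/viewer)"; rc=1; }
  [ "$cdai_roles" = "roles/iam.serviceAccountTokenCreator" ] ||
    { echo "CDAI principal roles on $3: ${cdai_roles:-none} (expected roles/iam.serviceAccountTokenCreator)"; rc=1; }
  return $rc
}

# Usage: ./check_sa.sh PROJECT_ID sa-name@project-id.iam.gserviceaccount.com
# (both values are placeholders; gcloud must be able to read both policies)
main() {
  local pb sb
  pb=$(project_bindings "$1") || return 1
  sb=$(sa_bindings "$2") || return 1
  check_onboarding "$pb" "$sb" "$2"
}
[ $# -ne 2 ] || main "$@"
```

Re-run it after any IAM change: the Token Creator grant lets the CloudDefense.AI principal mint tokens for this service account, so any role added to the account beyond Viewer is access that principal gains as well.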




CloudDefense.AI GCP Multi Onboarding Process


Important: For scans to work correctly, the following APIs must be enabled on each project you want to onboard:


  • IAM Service Account Credentials API
  • Cloud Resource Manager API
  • Compute API
  • IAM API
  • Cloud Function API
  • SQLAdmin API
  • Container API
  • API keys API
  • PubSub API
  • CloudKMS API
  • Artifact Registry API
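
A pre-flight check for the API list above (the same list applies to the single-project flow), added here as an example and not part of the CloudDefense.AI article or its generated script: it lists the enabled services of each project given on the command line and reports any required API that is still off. The googleapis.com service names are my mapping of the display names in the list; project IDs are placeholders passed as arguments.

```shell
#!/usr/bin/env bash
# Pre-flight check: are the APIs the article requires enabled on every
# project to be onboarded? Added example, not part of the CloudDefense.AI
# article or its script. The service names are the googleapis.com
# identifiers of the APIs listed in the article.
set -eu

REQUIRED_APIS="
iamcredentials.googleapis.com
cloudresourcemanager.googleapis.com
compute.googleapis.com
iam.googleapis.com
cloudfunctions.googleapis.com
sqladmin.googleapis.com
container.googleapis.com
apikeys.googleapis.com
pubsub.googleapis.com
cloudkms.googleapis.com
artifactregistry.googleapis.com
"

# Given the enabled-service list on stdin (one service name per line),
# print the required APIs that are missing, one per line.
missing_apis() {
  local enabled api
  enabled=$(cat)
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qx "$api" || printf '%s\n' "$api"
  done
}

# Live check for one project; gcloud must be authenticated.
check_project() {  # $1 = project id
  local enabled missing
  enabled=$(gcloud services list --enabled --project "$1" --format="value(config.name)") || return 1
  missing=$(printf '%s\n' "$enabled" | missing_apis)
  if [ -n "$missing" ]; then
    printf '%s is missing:\n%s\n' "$1" "$missing"
    return 1
  fi
  printf '%s: all required APIs enabled\n' "$1"
}

# Usage: ./check_apis.sh PROJECT_ID [PROJECT_ID ...]
# For every project under a folder, pass the output of e.g.
#   gcloud projects list --filter="parent.id=<FOLDER_ID> AND parent.type=folder" --format="value(projectId)"
check_all() { local rc=0 p; for p in "$@"; do check_project "$p" || rc=1; done; return $rc; }
[ $# -eq 0 ] || check_all "$@"
```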


Multi Onboarding STEP 1:


Login to CloudDefense Portal.




From the Sidebar, navigate to Admin -> Environments.

Now click Add New Environment and choose GCP as the provider, as shown below.

 

Multi Onboarding STEP 2:


Select Multiple GCP Projects, then choose whether you want to onboard your whole GCP organisation or a specific folder inside it.



Multi Onboarding STEP 3:


Now select your Organization from the drop-down menu and click Next.



Multi Onboarding STEP 4:

  1. For organisation onboarding:

  • Enter the project ID of any one of your projects (this project will be used as the master project from which all other projects under the organisation are onboarded).

  • Enter the GCP organisation ID in the next input box.


Now click Generate Bash Script and download it.


  2. For folder-level onboarding:


  • Enter the project ID of any one of your projects (this project will be used as the master project from which all other projects under the folder are onboarded).

  • Enter the GCP organisation ID in the next input box.

  • Enter the ID of the folder you wish to onboard.


Now click Generate Bash Script and download it.


Multi Onboarding STEP 5:


  • Open your Google Cloud Console.

  • You will be taken to the Cloud Shell Editor, with the terminal open at the bottom of your screen.
    If the terminal is not open, click the Open Terminal icon at the top right of your screen (as shown in the screenshot below).


  • Drag and drop the CDAI-onboarding bash file (downloaded in the previous step) into the Editor. Your file will be opened in Editor.

  • Press Ctrl + S to save the file. Keep the default location to save, click OK to save the file.

  • Type the following command in the terminal to log in:

    gcloud auth login
  • You may already be logged in to the terminal; we still recommend completing the steps below.

  • Follow the instructions in the terminal to complete the sign-in process
    (a sign-in link is printed in the terminal; click it to sign in).

    NOTE: when choosing a Google account to sign in with, make sure you sign in to the organisation account that holds the following required roles:

    • Organisation Role Administrator (to create custom roles)

    • Service Account Admin (to create service accounts)

    • Organisation Admin (to access the projects in the organisation)

  • Once sign-in is complete, you will be taken to a confirmation screen (as in the screenshot below).
    Copy the verification code, paste it into the Cloud Shell terminal and press Enter. You are now logged in to the terminal with your Google account.


  • Type the following command in the terminal to set the project ID used to connect your project to CloudDefense.AI. Replace <master_project_id> with the project ID you provided in Step 4:

    gcloud config set project <master_project_id>



  • Run the following command in the terminal to execute the bash file you saved in the editor:

    bash CDAI-onboarding.sh
  • Copy the base project service account email ID that the script prints at the end.

  • Paste it into the input box in the left section of the CloudDefense.AI portal.


Now, just click on Connect Project and the onboarding is completed!
