Pre-Requisite: In order to complete the following onboard steps you will need to have privileges to: create a new GCP project, create a service account, and modify your organizations IAM policy.
...
Click on each link below and then “Enable API” button click on the ENABLE button near the top of the page. Ensure that the newly created project is currently selected in the project list drop down.
- Service Usage API
- https://console.cloud.google.com/apis/library/serviceusage.googleapis.com
- This enables us to make sure necessary APIs are enabled
- Cloud Resource Manager API
- https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com
- This enables us to view resources such as the list of projects
- Identity and Access Management (IAM) API
- https://console.cloud.google.com/apis/library/iam.googleapis.com
- This enables us to determine which permissions each role contains
- Firebase Management API
- https://console.cloud.google.com/apis/library/firebase.googleapis.com
- This enables us to view Firebase projects and associated resources
- Firebase Realtime Database Management API
- https://console.cloud.google.com/apis/library/firebasedatabase.googleapis.com
- This enables us to enumerate your Firebase Realtime databases
- Firebase Rules API
- https://console.cloud.google.com/apis/library/firebaserules.googleapis.com
- This enables us to view your Firebase projects’ rules
- Cloud Functions API
- https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com
- This enables us to enumerate your Cloud Functions
- App Engine Admin API
- https://console.cloud.google.com/apis/library/appengine.googleapis.com
- This enables us to enumerate the deployed App Engine services so that we can discover APIs deployed with the Endpoints Framework
- Kubernetes Engine API
- https://console.cloud.google.com/apis/library/container.googleapis.com
- This enables us to enumerate Kubernetes clusters
- Secret Manager API
- https://console.cloud.google.com/apis/library/secretmanager.googleapis.com
This enables us to enumerate secrets (note that we cannot access secrets value, only secrets metadata)
Cloud Key Management Service API
https://console.cloud.google.com/apis/library/cloudkms.googleapis.com
This enables us to enumerate cryptographic keys (note that we cannot retrieve the key itself, just its metadata)
- Compute Engine API
- https://console.cloud.google.com/apis/library/compute.googleapis.com
- This enables us to enumerate your Virtual Machines
- Cloud SQL Admin API
- https://console.cloud.google.com/apis/library/sqladmin.googleapis.com
- This enables us to enumerate your SQL databases
Step 3: Create a service account in the new GCP project
...
- Enter any name for the “Service account name” of “DataTheoremDiscovery”. For the description field, enter a meaningful description such as:
"This service account will be used by Data Theorem to perform resource discovery".
Click on Create and continue near the bottom. - Click on “Continue” on the Service Account Permissions page. You in the following 2 steps. Skip the 2 optional steps, you will be adding permissions later at the organization level.
- Complete the service account creation by clicking on "Done".
- On the final Service accounts page, click on “+ CREATE KEY” near the bottom of the page. On the right sidebar, ensure the options icon under "Actions" for the newly created service account, and then click Manage keys
- On the "Keys" tab, click on the ADD KEY dropdown and select "Create new key".
- Ensure “JSON” is selected and then click on CREATE.
- Save the JSON (used in Step 6) file. Close the warning dialog that may appear.
- Click on “DONE” near the bottom of the page.
- Copy the email of the new service account that will now appear in the list of service accounts for your new projectSwitch to the "Details" tab and copy the service account email
- It will look like DataTheoremDiscovery@rosy-canyon-234300.iam.gserviceaccount.com where “DataTheoremDiscovery” is the service account name and “rosy-canyon-234300” is the project in which the service account was created
Step 4: Add the new service account as a member to your organization
...
- At the top of the page, click the project selection drop-down list (the down arrow). In the window that appears, click on “ALL” ALL above the table, and then select your Organization (building icon) from the list of items.
- Click on ADD near the top of the page.
- In the sidebar that will appear from the right, add the newly created service account’s email in the “New members” field
- Click on select a role, and GRANT ACCESS under the VIEW BY PRINCIPALS tab.
- Paste the service account email in the "New Principals" text box
- Under the "Assign roles" section, click on the "Select a role" dropdown
- type in “Security Reviewer”, select the “Security Reviewer” role from the list below the input field.
- Click on Add Another Role and do the same as above for “Firebase Viewer”
- Click on Add Another Role and do the same as above for “Service Controller”
- Click on Add Another Role and do the same as above for “App Engine Viewer”
- Finally, click on “Save”
Step 5: Get your organization ID
- Go to https://console.cloud.google.com and then, at the top of the page, click on the project selection drop-down list (the down arrow).
- On the window that appears, on the right side, click the three vertical dots, then click Settings. Your organization id will appear on the settings page.
...
- Copy the organization ID
Step 6a: Submit the JSON file and organization ID via the Data Theorem portal (RECOMMENDED)
Submit the JSON file and organization ID via the ASM setup flow on the Data Theorem portal.
OR
Step 6b: Send the JSON file and organization ID to Data Theorem support (only if you don't have access to the Data Theorem portal)
Send the JSON file (from Step 3) and organization ID (from step 5) to support@datatheorem.com
...