Pre-Requisite: In order to complete the following onboarding steps you will need privileges to create a new GCP project, create a service account, and modify your organization's IAM policy.
A video tutorial describing the GCP onboarding process is available here.
Step 1: Creating a new GCP project
Click on https://console.cloud.google.com/projectcreate and create a new project. Ensure that the project gets created in your organization.
Step 2: Enabling APIs for the new project
Click on each link below and then click the “Enable API” button near the top of the page. Ensure that the newly created project is the one currently selected in the project drop-down list.
- Service Usage API
- https://console.cloud.google.com/apis/library/serviceusage.googleapis.com
- This enables us to make sure necessary APIs are enabled
- Cloud Resource Manager API
- https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com
- This enables us to view resources such as the list of projects
- Identity and Access Management (IAM) API
- https://console.cloud.google.com/apis/library/iam.googleapis.com
- This enables us to determine which permissions each role contains
- Firebase Management API
- https://console.cloud.google.com/apis/library/firebase.googleapis.com
- This enables us to view Firebase projects and associated resources
- Firebase Realtime Database Management API
- https://console.cloud.google.com/apis/library/firebasedatabase.googleapis.com
- This enables us to enumerate your Firebase Realtime databases
- Firebase Rules API
- https://console.cloud.google.com/apis/library/firebaserules.googleapis.com
- This enables us to view your Firebase projects’ rules
- Cloud Functions API
- https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com
- This enables us to enumerate your Cloud Functions
- App Engine Admin API
- https://console.cloud.google.com/apis/library/appengine.googleapis.com
- This enables us to enumerate the deployed App Engine services so that we can discover APIs deployed with the Endpoints Framework
- Kubernetes Engine API
- https://console.cloud.google.com/apis/library/container.googleapis.com
- This enables us to enumerate Kubernetes clusters
- Secret Manager API
- https://console.cloud.google.com/apis/library/secretmanager.googleapis.com
- This enables us to enumerate secrets (note that we cannot access secret values, only secret metadata)
- Cloud Key Management Service API
- https://console.cloud.google.com/apis/library/cloudkms.googleapis.com
- This enables us to enumerate cryptographic keys (note that we cannot retrieve the key material itself, just its metadata)
- Compute Engine API
- https://console.cloud.google.com/apis/library/compute.googleapis.com
- This enables us to enumerate your Virtual Machines
- Cloud SQL Admin API
- https://console.cloud.google.com/apis/library/sqladmin.googleapis.com
- This enables us to enumerate your SQL databases
Step 3: Create a service account in the new GCP project
Go to https://console.cloud.google.com/iam-admin/serviceaccounts/create and then:
- Enter a name such as “DataTheoremDiscovery” in the “Service account name” field. For the description field, enter a meaningful description such as:
"This service account will be used by Data Theorem to perform resource discovery".
Click on Create near the bottom.
- Click on “Continue” on the Service Account Permissions page. You will be adding permissions later.
- On the final page, click on “+ CREATE KEY” near the bottom of the page. On the right sidebar, ensure “JSON” is selected and then click on CREATE. Save the JSON (used in Step 6) file. Close the warning dialog that may appear.
- Click on “DONE” near the bottom of the page.
- Copy the email of the new service account, which will now appear in the list of service accounts for your new project.
- It will look like DataTheoremDiscovery@rosy-canyon-234300.iam.gserviceaccount.com, where “DataTheoremDiscovery” is the service account name and “rosy-canyon-234300” is the project in which the service account was created.
Step 4: Add the new service account as a member to your organization
Go to https://console.cloud.google.com/iam-admin/iam and then:
- At the top of the page, click the project selection drop-down list (the down arrow). In the window that appears, click on “ALL” above the table, and then select your Organization (building icon) from the list of items.
- Click on ADD near the top of the page.
- In the sidebar that appears from the right, enter the newly created service account’s email in the “New members” field.
- Click on “Select a role”, type in “Security Reviewer”, and select the “Security Reviewer” role from the list below the input field.
- Click on Add Another Role and do the same as above for “Firebase Viewer”
- Click on Add Another Role and do the same as above for “Service Controller”
- Click on Add Another Role and do the same as above for “App Engine Viewer”
- Finally, click on “Save”
Step 5: Get your organization ID
Go to https://console.cloud.google.com and then, at the top of the page, click on the project selection drop-down list (the down arrow). In the window that appears, on the right side, click the three vertical dots, then click Settings. Your organization ID will appear on the settings page.
Step 6: Send the JSON file and organization ID to Data Theorem
Send the JSON file (from Step 3) and the organization ID (from Step 5) to support@datatheorem.com.
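Before sending the key file, it is worth confirming two things: that the JSON you downloaded in Step 3 is a service-account key for the project you just created, and that the organization-level grant from Step 4 contains exactly the four listed roles and nothing broader. The script below is an added example written for this guide, not Data Theorem's own tooling. It checks a key file and an organization IAM policy exported with `gcloud organizations get-iam-policy ORG_ID --format=json`. The role IDs are my mapping of the console display names used in Step 4 (Security Reviewer, Firebase Viewer, Service Controller, App Engine Viewer), and the sample key and policy embedded below are constructed for the example; the sample policy deliberately omits one expected role and adds an extra `roles/editor` grant so the report has something to show.

```python
import json
import re
import sys

# Roles this guide grants to the service account at the organization level (Step 4).
# The role IDs are my mapping of the console display names (assumption, not from the guide).
EXPECTED_ROLES = {
    "roles/iam.securityReviewer",                 # "Security Reviewer"
    "roles/firebase.viewer",                      # "Firebase Viewer"
    "roles/servicemanagement.serviceController",  # "Service Controller"
    "roles/appengine.appViewer",                  # "App Engine Viewer"
}

# name@PROJECT_ID.iam.gserviceaccount.com; capture the project ID for comparison.
SA_EMAIL_RE = re.compile(
    r"^[^@\s]+@([a-z][a-z0-9-]*[a-z0-9])\.iam\.gserviceaccount\.com$", re.IGNORECASE
)


def check_key_file(key: dict, expected_project: str) -> list:
    """Return a list of problems found in a downloaded service-account key JSON."""
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"unexpected credential type {key.get('type')!r}")
    for field in ("project_id", "client_email", "private_key", "private_key_id"):
        if not key.get(field):
            problems.append(f"missing field {field!r}")
    email = key.get("client_email", "")
    match = SA_EMAIL_RE.match(email)
    if not match:
        problems.append(f"client_email {email!r} is not a service-account address")
    elif match.group(1) != expected_project:
        problems.append(f"key belongs to project {match.group(1)!r}, expected {expected_project!r}")
    if key.get("project_id") and key["project_id"] != expected_project:
        problems.append(f"project_id is {key['project_id']!r}, expected {expected_project!r}")
    return problems


def roles_granted(policy: dict, sa_email: str) -> set:
    """Collect every role bound to the service account in an IAM policy document."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_org_bindings(policy: dict, sa_email: str) -> dict:
    """Compare the roles actually granted with the four the guide asks for."""
    granted = roles_granted(policy, sa_email)
    return {
        "missing": sorted(EXPECTED_ROLES - granted),  # onboarding will not work fully
        "extra": sorted(granted - EXPECTED_ROLES),    # more access than the guide requires
    }


# Constructed sample key, shaped like the JSON the console downloads (values are placeholders).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "rosy-canyon-234300",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "DataTheoremDiscovery@rosy-canyon-234300.iam.gserviceaccount.com",
}

# Constructed sample organization policy: one expected role missing, one unexpected role present.
SAMPLE_ORG_POLICY = {
    "bindings": [
        {"role": "roles/iam.securityReviewer",
         "members": ["serviceAccount:" + SAMPLE_KEY["client_email"]]},
        {"role": "roles/firebase.viewer",
         "members": ["serviceAccount:" + SAMPLE_KEY["client_email"]]},
        {"role": "roles/servicemanagement.serviceController",
         "members": ["serviceAccount:" + SAMPLE_KEY["client_email"]]},
        {"role": "roles/editor",
         "members": ["user:admin@example.com", "serviceAccount:" + SAMPLE_KEY["client_email"]]},
    ]
}


def report(key: dict, policy: dict, expected_project: str) -> None:
    """Print a human-readable summary of both checks."""
    key_problems = check_key_file(key, expected_project)
    print("key file:", "OK" if not key_problems else "; ".join(key_problems))
    result = check_org_bindings(policy, key.get("client_email", ""))
    print("missing roles:", result["missing"] or "none")
    print("extra roles:  ", result["extra"] or "none")


if __name__ == "__main__":
    # Usage: python check_onboarding.py KEY.json ORG_POLICY.json PROJECT_ID
    # With no arguments the constructed samples above are checked instead.
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            key_doc = json.load(f)
        with open(sys.argv[2]) as f:
            policy_doc = json.load(f)
        report(key_doc, policy_doc, sys.argv[3])
    else:
        report(SAMPLE_KEY, SAMPLE_ORG_POLICY, "rosy-canyon-234300")
```

Run against the real files once Step 4 is saved; an empty `extra` list confirms the service account received only the roles this guide asks for, and a non-empty `missing` list means a role was not added at the organization level (for example, because a project rather than the organization was selected in the drop-down).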
Extra Resources:
https://cloud.google.com/iam/docs/understanding-service-accounts