Cloud Integration: On-board GCP (Per-project)
Prerequisite: To complete the following onboarding steps you need privileges to edit a GCP project and to create a service account.
Step 1: Select the desired GCP project
Ensure that the project is currently selected in the project drop-down list at the top of the GCP console.
Step 2: Enabling APIs for your project
Click on each link below and then click the “Enable API” button near the top of the page.
Service Usage API
https://console.cloud.google.com/apis/library/serviceusage.googleapis.com
This enables us to verify that the necessary APIs are enabled
Cloud Resource Manager API
https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com
This enables us to view resources such as the list of projects (only those we are given access to, as per this specific setup)
Firebase Management API
https://console.cloud.google.com/apis/library/firebase.googleapis.com
This enables us to view Firebase projects and associated resources
Firebase Realtime Database Management API
https://console.cloud.google.com/apis/library/firebasedatabase.googleapis.com
This enables us to enumerate your Firebase Realtime databases
Firebase Rules API
https://console.cloud.google.com/apis/library/firebaserules.googleapis.com
This enables us to view your Firebase projects’ rules
Cloud Functions API
https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com
This enables us to enumerate your Cloud Functions
App Engine Admin API
https://console.cloud.google.com/apis/library/appengine.googleapis.com
This enables us to enumerate the deployed App Engine services so that we can discover APIs deployed with the Endpoints Framework
Kubernetes Engine API
https://console.cloud.google.com/apis/library/container.googleapis.com
This enables us to enumerate Kubernetes clusters
Secret Manager API
https://console.cloud.google.com/apis/library/secretmanager.googleapis.com
This enables us to enumerate secrets (note that we cannot access secret values, only secret metadata)
Cloud Key Management Service API
https://console.cloud.google.com/apis/library/cloudkms.googleapis.com
This enables us to enumerate cryptographic keys (note that we cannot retrieve the key itself, just its metadata)
Compute Engine API
https://console.cloud.google.com/apis/library/compute.googleapis.com
This enables us to enumerate your Virtual Machines
Cloud SQL Admin API
https://console.cloud.google.com/apis/library/sqladmin.googleapis.com
This enables us to enumerate your SQL databases
Step 3: Create a service account in the GCP project
Go to https://console.cloud.google.com/iam-admin/serviceaccounts/create and then:
Enter “DataTheoremDiscovery” (or any name of your choosing) in the “Service account name” field. For the description field, enter a meaningful description such as:
"This service account will be used by Data Theorem to perform resource discovery".
Click on Create near the bottom. Click on “Continue” on the Service Account Permissions page. You will be adding permissions later.
On the final page, click on “+ CREATE KEY” near the bottom of the page. In the right sidebar, ensure “JSON” is selected and then click on CREATE. Save the JSON file (it is used in Step 6). Close the warning dialog that may appear.
Click on “DONE” near the bottom of the page.
Copy the email of the new service account, which will now appear in the list of service accounts for your project.
It will look like DataTheoremDiscovery@rosy-canyon-234300.iam.gserviceaccount.com, where “DataTheoremDiscovery” is the service account name and “rosy-canyon-234300” is the project in which the service account was created.
Step 4: Add the new service account as a member to the project’s IAM
Go to https://console.cloud.google.com/iam-admin/iam and then:
At the top of the page, click the project selection drop-down list (the down arrow). In the window that appears, click on “ALL” above the table, and then make sure your project is selected.
Click on ADD near the top of the page.
In the sidebar that appears from the right, enter the newly created service account’s email in the “New members” field.
Click on “Select a role”, type “Security Reviewer”, and select the “Security Reviewer” role from the list below the input field.
Click on Add Another Role and do the same as above for “Firebase Viewer”
Click on Add Another Role and do the same as above for “Service Controller”
Click on Add Another Role and do the same as above for “App Engine Viewer”
Finally, click on “Save”.
Step 5: Onboarding additional projects
You can reuse the service account created in the steps above to onboard additional projects.
Repeat Step 4 for every project you want to onboard, always using the same service account email that was used for the first project.
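Steps 2 to 5 as a gcloud script, added here as an example and not Data Theorem's own tooling. It assumes gcloud is installed and authenticated with the prerequisite privileges, uses datatheoremdiscovery as the account ID (IDs must be lowercase, so the console derives it from the display name), maps the four role names to their predefined role IDs, and prints the commands instead of running them when DRY_RUN=1.

```shell
# Added example: scripts Steps 2-5 of this guide with gcloud (not Data Theorem tooling).
# Assumes gcloud is installed and authenticated with project-edit privileges.
# Set DRY_RUN=1 to print the gcloud commands instead of executing them.
set -eu

# Step 2: the twelve APIs listed above, by service name.
REQUIRED_APIS="serviceusage.googleapis.com cloudresourcemanager.googleapis.com
firebase.googleapis.com firebasedatabase.googleapis.com firebaserules.googleapis.com
cloudfunctions.googleapis.com appengine.googleapis.com container.googleapis.com
secretmanager.googleapis.com cloudkms.googleapis.com compute.googleapis.com
sqladmin.googleapis.com"

# Step 4: the four roles named above, as the predefined role IDs gcloud expects.
REQUIRED_ROLES="roles/iam.securityReviewer roles/firebase.viewer
roles/servicemanagement.serviceController roles/appengine.appViewer"

# Service account IDs must be 6-30 lowercase letters, digits or hyphens, so the
# console derives this ID from the display name "DataTheoremDiscovery" (assumption).
SA_ID="datatheoremdiscovery"

# Runs a command, or echoes it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# Steps 2 and 3: enable the APIs, create the account and download its JSON key.
# $1 = project ID, $2 = path for the key file (the file sent in Step 6).
create_discovery_account() {
  run gcloud services enable $REQUIRED_APIS --project="$1"
  run gcloud iam service-accounts create "$SA_ID" --project="$1" \
    --display-name="DataTheoremDiscovery" \
    --description="This service account will be used by Data Theorem to perform resource discovery"
  run gcloud iam service-accounts keys create "$2" --project="$1" \
    --iam-account="${SA_ID}@$1.iam.gserviceaccount.com"
  [ "${DRY_RUN:-0}" = "1" ] || chmod 600 "$2"  # the key is a long-lived credential
}

# Step 4, and Step 5 for each additional project: bind the roles to the same
# account. $1 = project ID to onboard, $2 = service account email from Step 3.
bind_discovery_roles() {
  for role in $REQUIRED_ROLES; do
    run gcloud projects add-iam-policy-binding "$1" \
      --member="serviceAccount:$2" --role="$role"
  done
}

# Check: print the roles the account actually holds in the project.
# $1 = project ID, $2 = service account email.
verify_discovery_roles() {
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" --format="value(bindings.role)"
}
```

Source the file, run create_discovery_account once for the first project, then bind_discovery_roles for that project and every additional one with the same email, and verify_discovery_roles to confirm the four bindings are present.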
Step 6: Send the JSON file to Data Theorem to confirm onboarding
Completing the above steps will have your GCP projects ready for integration, but we currently don’t support per-project onboarding through the Portal.
Instead, you must send the JSON key file (from Step 3) to support@datatheorem.com so that we can confirm onboarding.
We will let you know as soon as it is done, or inform you of any issues or missing configuration.