Cloud Integration: On-board GCP

Pre-Requisite: In order to complete the following onboard steps you will need to have privileges to: create a new GCP project, create a service account, and modify your organizations IAM policy.

A video tutorial describing the GCP onboarding process is available here.

Step 1: Creating a new GCP project

Click on https://console.cloud.google.com/projectcreate and create a new project. Ensure that the project gets created in your organization.

Step 2: Enabling APIs for the new project

Click on each link below and then click on the ENABLE button near the top of the page. Ensure that the newly created project is currently selected in the project list drop down.

• Service Usage API
  
  • https://console.cloud.google.com/apis/library/serviceusage.googleapis.com
  • This enables us to make sure necessary APIs are enabled
• Cloud Resource Manager API
  • https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com
  • This enables us to view resources such as the list of projects
• Identity and Access Management (IAM) API
  
  • https://console.cloud.google.com/apis/library/iam.googleapis.com
  • This enables us to determine which permissions each role contains
• Firebase Management API
  • https://console.cloud.google.com/apis/library/firebase.googleapis.com
  • This enables us to view Firebase projects and associated resources
• Firebase Realtime Database Management API
  
  • https://console.cloud.google.com/apis/library/firebasedatabase.googleapis.com
  • This enables us to enumerate your Firebase Realtime databases
• Firebase Rules API
  • https://console.cloud.google.com/apis/library/firebaserules.googleapis.com
  • This enables us to view your Firebase projects’ rules
• Cloud Functions API
  • https://console.cloud.google.com/apis/library/cloudfunctions.googleapis.com
  • This enables us to enumerate your Cloud Functions
• App Engine Admin API
  • https://console.cloud.google.com/apis/library/appengine.googleapis.com
  • This enables us to enumerate the deployed App Engine services so that we can discover APIs deployed with the Endpoints Framework
• Kubernetes Engine API
  • https://console.cloud.google.com/apis/library/container.googleapis.com
  • This enables us to enumerate Kubernetes clusters
    
• Secret Manager API
  • https://console.cloud.google.com/apis/library/secretmanager.googleapis.com

  • This enables us to enumerate secrets (note that we cannot access secrets value, only secrets metadata)

• Cloud Key Management Service API

  • https://console.cloud.google.com/apis/library/cloudkms.googleapis.com

  • This enables us to enumerate cryptographic keys (note that we cannot retrieve the key itself, just its metadata)

• Compute Engine API
  • https://console.cloud.google.com/apis/library/compute.googleapis.com
  • This enables us to enumerate your Virtual Machines
• Cloud SQL Admin API
  • https://console.cloud.google.com/apis/library/sqladmin.googleapis.com
  • This enables us to enumerate your SQL databases

Step 3: Create a service account in the new GCP project

Go to https://console.cloud.google.com/iam-admin/serviceaccounts/create and then:

1. Enter any name for the “Service account name” of “DataTheoremDiscovery”. For the description field, enter a meaningful description such as:
   "This service account will be used by Data Theorem to perform resource discovery".
   Click on Create and continue near the bottom.
2. Click on “Continue” in the following 2 steps. Skip the 2 optional steps, you will be adding permissions later at the organization level.
3. Complete the service account creation by clicking on "Done".
4. On the Service accounts page, click on the options icon under "Actions" for the newly created service account, and then click Manage keys
5. On the "Keys" tab, click on the ADD KEY dropdown and select "Create new key".
6. Ensure “JSON” is selected and then click on CREATE
7. Save the JSON (used in Step 6) file. Close the warning dialog that may appear.
8. Switch to the "Details" tab and copy the service account email
   1. It will look like DataTheoremDiscovery@rosy-canyon-234300.iam.gserviceaccount.com where “DataTheoremDiscovery” is the service account name and “rosy-canyon-234300” is the project in which the service account was created

Step 4: Add the new service account as a member to your organization

Go to https://console.cloud.google.com/iam-admin/iam and then:

1. At the top of the page, click the project selection drop-down list (the down arrow). In the window that appears, click on ALL  above the table, and then select your Organization (building icon) from the list of items.
2. Click on GRANT ACCESS under the VIEW BY PRINCIPALS tab.
3. Paste the service account email in the "New Principals" text box
4. Under the "Assign roles" section,  click on the "Select a role" dropdown
5. type in “Security Reviewer”, select the “Security Reviewer” role from the list below the input field.
6. Click on Add Another Role and do the same as above for “Firebase Viewer”
7. Click on Add Another Role and do the same as above for “Service Controller”
8. Click on Add Another Role and do the same as above for “App Engine Viewer”
9. Finally, click on “Save”

Step 5: Get your organization ID

1. Go to https://console.cloud.google.com and then, at the top of the page, click on the project selection drop-down list (the down arrow).
2. On the window that appears, on the right side, click the three vertical dots, then click Settings. Your organization id will appear on the settings page.
3. Copy the organization ID

Step 6a: Submit the JSON file and organization ID via the Data Theorem portal (RECOMMENDED)

Submit the JSON file and organization ID via the ASM setup flow on the Data Theorem portal.

OR

Step 6b: Send the JSON file and organization ID to  Data Theorem support (only if you don't have access to the Data Theorem portal)

Send the JSON file (from Step 3) and organization ID (from step 5) to  support@datatheorem.com

Extra Resources:

https://cloud.google.com/iam/docs/understanding-service-accounts