Introduction

There are certain prerequisites that need to be set up in your GCP account before it can be onboarded into CoreStack and used for CoreStack Assessments.

While the specific steps vary depending on which type of cloud account you want to onboard from GCP, in general for GCP Projects you will have to create either a user account or service account for CoreStack and then provide appropriate roles for the user account or service account for the Assessment + Governance option.

In this user guide, we'll cover the different steps you need to follow to properly configure the prerequisites in your GCP cloud account(s) based on which type of account(s) you're onboarding.

Prerequisites for GCP Billing Accounts

GCP Projects can be onboarded as a Billing Account in CoreStack. Onboarding a Billing Account allows you to discover the cost information of all its linked GCP Projects.

However, before your GCP project can be onboarded into CoreStack, there are certain prerequisites that need to be met.

Set Up Cloud Billing Data Export to BigQuery:

To enable your Cloud Billing usage costs and/or pricing data to be exported to BigQuery, please do the following:

1. in the Google Cloud console, go to the Billing export page.

2. Click to select the cloud Billing account for which you would like to export the billing data. The Billing export page opens for the selected billing account.

3. On the BigQuery export tab, click Edit settings for each type of data you'd like to export. Each type of data is configured separately.

4. From the Projects list, select the project that you set up which will contain your BigQuery dataset.

   The project you select is used to store the exported Cloud Billing data in the BigQuery dataset.

   • For standard and detailed usage cost data exports, the Cloud Billing data includes usage/cost data for all Cloud projects paid for by the same Cloud Billing account.
   • For pricing data export, the Cloud Billing data includes only the pricing data specific to the Cloud Billing account that is linked to the selected dataset project.

5. From the Dataset ID field, select the dataset that you set up which will contain your exported Cloud Billing data.

   For all types of Cloud Billing data exported to BigQuery, the following applies:

   • The BigQuery API is required to export data to BigQuery. If the project you selected doesn't have the BigQuery API enabled, you will be prompted to enable it. Click Enable BigQuery API to enable the API.

   • If the project you selected doesn't contain any BigQuery datasets, you will be prompted to create one. If necessary, follow these steps to create a new dataset.

   • If you use an existing dataset, review the limitations that might impact exporting your billing data to BigQuery, such as being unable to export data to datasets configured to use customer-managed key encryption.

     For pricing data export, the BigQuery Data Transfer Service API is required to export the data to BigQuery. If the project you selected doesn't have the BigQuery Data Transfer Service API enabled, you are prompted to enable it. If necessary, follow these steps to enable the API.

6. Click Save.

GCP Project Permissions

The following permissions must be configured in your GCP Project before onboarding.

User Account Permissions:

• A user account must be created in GCP with the following permissions:
• Project Editor (View and Modify.)
• Billing Account Admin (This is required for exporting the billing data to a BigQuery dataset. If the data is already exported, then this permission is not required.)
• BigQuery Admin (If the BigQuery dataset exported is in a different project, you need this access to retrieve the BigQuery dataset name. )

API Access:

• In GCP, enable API Access for the Cloud Resource Manager API, Recommender API, Cloud Billing API, and Compute Engine API in the API & Services – Library screen.

📘

Automated Approach for GCP Billing Account Onboarding:

• When it comes to onboarding Google Cloud Platform (GCP) billing accounts into CoreStack, one method that might be best for certain situations is to use the GCP cloud shell interface. Execute the below command to download the shell script in GCP CLI and run it to help in onboarding the GCP Billing Account.
• wget https://storage.googleapis.com/gcp-onboarding-script/Corestack-Onboarding/GCP-Billing%20Account.sh

Service Account Permissions:

• A service account must be created in GCP with the following permissions:
• Project Viewer (Read only).

Billing Account Prerequisites:

• Schedule queries must be created in the GCP BigQuery console.
• Create a Bucket for a BigQuery data transfer (under the same GCP Project where BigQuery exists).

📘

Note:

The Bucket, Dataset and Scheduled Query created should be in the same location for the schedule query to execute successfully.

Bucket Name:

1. Login to the GCP console.
2. Navigate to the Storage - Browser screen.
3. Click Create bucket. The Create bucket screen appears.
4. Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
5. Click the Create button.
6. Copy the value provided in the Name your bucket field.

Schedule Queries in GCP

Next, you need to schedule some queries in GCP. Navigate to the Schedule Query Page in the GCP console then follow the steps below:

1. Login to the GCP console.
2. Navigate to the GCP BigQuery console.
3. On the left menu, click Schedule Queries. The schedule queries list appears.



4. Click Create Schedule Queries located at the top of the page.



5. Copy each schedule query (Daily Schedule Query, Monthly Schedule Query, and On-demand Schedule Query).
6. For the Daily Schedule Query, schedule it on an hourly basis.



7. For the Monthly Schedule Query, schedule it on the fifth of every month.



8. For On-demand Schedule Query, run it in real time.



9. Select the Data location for the query to be executed.


📘

Note:

The Data location selected should be the same as what was selected for Bucket and the Dataset.



🚧

Note:

For the code snippets below, you need to insert your table id and bucket name.

Daily Schedule Query

Daily Schedule Query

DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 0 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/', CAST(DATE(CURRENT_DATE()) as STRING FORMAT('YYYY-MM-DD')), '/*.csv'),
format='JSON',
overwrite=False) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<complete table id>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM'))) AND B.cost != 0.0

Monthly Schedule Query

Monthly Schedule Query

DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '_backfill/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<complete table id>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0

On-Demand Scheduled Query

On-demand Scheduled Query 1On-demand Scheduled Query 2On-demand Scheduled Query 3

DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<Your complete Table Id goes here>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0

DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 2 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`<your Complete Table id goes here>` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0

DECLARE
unused STRING;
DECLARE
current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 3 MONTH);
DECLARE
cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
FROM
current_month_date);
DECLARE
cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
FROM
current_month_date);
EXPORT DATA
OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
format='JSON',
overwrite=True) AS
SELECT
*, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
`Your complete Table Id goes here` as B
WHERE
B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
AND B.cost != 0.0

Retrieving Onboarding Information from the GCP Console

Based on the authentication protocol being used in CoreStack (refer to the options below for guidance), certain information must be retrieved from the GCP console.

Service Account protocol:

A service account must be created in your GCP Project. Then, you need to create a service account key and download it as a JSON file. Also, the Project ID must be retrieved from your GCP Project.

How to Download the Credentials File (JSON):

1. Navigate to the Credentials screen.
2. Click Create credentials and select Service account. The Create service account page appears.
3. Provide the necessary details to create a service account: Name, ID, and Description.
4. Click the Create button.
5. Click Select a role to select the required roles.
6. Click the Continue button.
7. Click Create key.
8. Select JSON as the Key type.
9. Click the Create button. A JSON key file will be downloaded.
10. Click Done.

Project ID:

Refer to the steps in the Project ID topic of the OAuth2 Based section above.

Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

OAuth2 protocol:

The following values must be generated/copied from your GCP Project and configured in CoreStack.

Client ID & Client Secret:

1. Login to the GCP console.
2. Navigate to the Credentials screen.
3. Click Create credentials and select OAuth client ID.
4. Select Web application in the Application type field.
5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button:
URI

https://corestack.io/

6. Click the Create button. The Client ID and Client secret values will be displayed.

Scope:

The OAuth 2.0 scope information for a GCP project can be found at: https://www.googleapis.com/auth/cloud-platform.

Project ID:

The project ID is a unique identifier for a project and is used only within the GCP console.

1. Navigate to the Projects screen in the GCP console.
2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI:

The following redirect URI that is configured while creating the Client ID and Client Secret must be used:

Redirect URI

https://corestack.io/

Authorization Code:

The authorization code must be generated with user consent and required permissions.

1. Construct a URL in the following format:
Contructed URL

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline

2. Open a browser window in private mode (e.g. InPrivate, Incognito) and use it to access the above URL.
3. Login using your GCP credentials.
4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

📘

Note:

The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

Copy these details and provide them while onboarding your GCP Project into CoreStack when using the OAuth2 option.

Prerequisites for GCP Parent Billing Accounts

GCP Projects can be onboarded as a parent billing account. Onboarding a parent billing account allows you to discover the cost information for a parent account and all linked GCP Projects.

However, before your GCP project can be onboarded into CoreStack there are certain prerequisites that need to be set up.

GCP Project Permissions

The following permissions must be configured in your GCP Project before onboarding.

API access:

• Enable API Access for Cloud Resource Manager API, Cloud Billing API, Security Command Center API in the API & Services – Library screen.

User account permissions:

A user account must be created with the following permissions:

• For Assessment: Project Viewer (Read only).
• For Assessment + Governance: Project Editor (View and Modify).
• Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
• Operations Governance: Logging Admin & Pub/Sub Admin.

Service account permissions:

A service account must be created with the following permissions:

• For Assessment: Project Viewer (Read only).
• For Assessment + Governance: Project Editor (View and Modify).
• Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
• Operations Governance: Logging Admin & Pub/Sub Admin.

Parent Billing Account Prerequisites:

• Schedule queries in the GCP BigQuery console.
• Create a Bucket for BigQuery data transfer (under the same GCP Project where BigQuery exists).

📘

Note:

If threats and advanced security health analytic policies are required then the Security Command Center premium tier needs to be enabled.

Retrieve Onboarding Information from the GCP Console

Based on the authentication protocol being used in CoreStack (refer to the options below for guidance), certain information must be retrieved from the GCP console.

OAuth2 Protocol:

The following values must be generated/copied from your GCP Project and configured in CoreStack:

Client ID & Client Secret:

1. Login to the GCP console.
2. Navigate to the Credentials screen.
3. Click Create credentials and select OAuth client ID.
4. Select Web application in the Application type field.
5. Specify the following URI in the Authorized redirect URIs field by clicking the Add URI button:
URI

https://corestack.io/

6. Click theCreate button. The Client ID and Client Secret values will be displayed.

Scope:

The OAuth 2.0 scope information for a GCP project can be found here: https://www.googleapis.com/auth/cloud-platform.

Project ID:

The project ID is a unique identifier for a project and is used only within the console.

1. Navigate to the Projects screen in the GCP console.
2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI:

The following redirect URI that is configured while creating the Client ID and Client Secret must be used:

Redirect URI

https://corestack.io/

Authorization Code:

The authorization code must be generated with user consent and required permissions.

1. Construct a URL in the following format:
Constructed URL

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline

2. Open a browser window in private mode (e.g. InPrivate, Incognito) and use it to access the above URL.
3. Login using your GCP credentials.
4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

📘

Note:

The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

Copy these details and provide them while onboarding your GCP Project into CoreStack when using the OAuth2 protocol option.

Service Account Protocol:

A service account must be created in your GCP Project. Then, you need to create a service account key and download it as a JSON file. Also, the Project ID must be retrieved from your GCP Project.

How to Download the Credentials File (JSON):

1. Navigate to the Credentials screen.
2. Click Create credentials and select Service account. The Create service account page appears.
3. Provide the necessary details to create a service account: Name, ID, Description.
4. Click the Create button.
5. Click Select a role to select the required roles.
6. Click the Continue button.
7. Click Create key.
8. Select JSON as the Key type.
9. Click the Create button. A JSON key file will be downloaded.
10. Click Done.

Project ID:

Refer to the steps in the Project ID topic in the previous OAuth2 Based section.

Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account protocol option.

Additional Values from the Parent Billing Account:

In addition to the prerequisites explained earlier, there are a few additional values that must be generated/copied from your GCP Parent Billing Account and configured in CoreStack.

Bucket Name:

1. Login to the GCP console.
2. Navigate to the Storage - Browser screen.
3. Click Create bucket. The Create bucket screen appears.
4. Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
5. Click the Create button.
6. Copy the value provided in the Name your bucket field.

Billing Account ID:

1. Login to the GCP console.
2. Navigate to the Manage Billing Accounts screen.
3. Click My Projects. A list of projects will be displayed.
4. Copy the Billing Account ID for the required projects.

Set Up Cloud Billing Data Export to BigQuery:

To enable Cloud Billing data export to BigQuery, refer to the GCP configuration guide.

Provide these details in CoreStack for your Parent Billing Account onboarding, along with either the OAuth2 or Service Account information explained above, based on your Authentication Protocol selection.

Schedule Queries in GCP

Navigate to the Schedule Query Page in GCP, then follow the below steps:

1. Login to the GCP console.
2. Navigate to the GCP BigQuery console.
3. On the left menu, click Schedule Queries. The schedule queries list appears.



4. Click Create Schedule Queries located at the top of the page.



5. Copy each schedule query (Daily Schedule Query, Monthly Schedule Query and On-demand Schedule Query).
6. For the Daily Schedule Query, schedule it on an hourly basis.



7. For the Monthly Schedule Query, schedule it on the fifth of every month.



8. For the On-demand Schedule Query, run the query in real time.





🚧

Note:

You need to insert your own dataset id and bucket name into the code snippets below.

Daily Schedule Query

Daily Schedule Query

DECLARE
  unused STRING;
DECLARE
  current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 0 MONTH);
DECLARE
  cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
  FROM
    current_month_date);
DECLARE
  cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
  FROM
    current_month_date);
EXPORT DATA
  OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
    format='JSON',
    overwrite=True) AS
SELECT
  *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
  `<Your Complete Data setDataset ID>` as B
WHERE
  B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
  AND B.cost != 0.0

Monthly Schedule Query

Monthly Schedule Query

DECLARE
  unused STRING;
DECLARE
  current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
DECLARE
  cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
  FROM
    current_month_date);
DECLARE
  cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
  FROM
    current_month_date);
EXPORT DATA
  OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
    format='JSON',
    overwrite=True) AS
SELECT
  *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
  `<Your Complete Data setDataset ID>` as B
WHERE
  B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
  AND B.cost != 0.0

On-demand Schedule Query

On-demand Schedule Query

DECLARE
  unused STRING;
DECLARE
  current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL <Change the Period> MONTH);
DECLARE
  cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
  FROM
    current_month_date);
DECLARE
  cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
  FROM
    current_month_date);
EXPORT DATA
  OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
    format='JSON',
    overwrite=True) AS
SELECT
  *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
FROM
  `<Your Complete Data setDataset ID>` as B
WHERE
  B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
  AND B.cost != 0.0

🚧

Note:

In the Period column, you need to update the interval range from 1 to 3 and create a schedule 3 times.

Prerequisites for GCP Linked Projects

There are certain prerequisites that need to be set up in your GCP Linked project before it can be onboarded into CoreStack.

1. We need to onboard a GCP Billing account before proceeding to onboard the Linked project.
2. All the costs will be fetched from the billing account and the metadata sync for all the projects linked to this billing account will take 24 hours to be completed.

📘

Note:

• The sync of the cost data will take 24 hours to reflect in CoreStack.
• We will be able to onboard the linked project account only after the sync is completed.

Permissions

The following permissions must be configured in your GCP Project before onboarding:

API access:

• Enable API Access for Cloud Resource Manager API, Security Command Center API, Recommender API, Cloud Pub/Sub API, Organization Policy API, Compute Engine API, Cloud SQL Admin API, and Monitoring API in the API & Services – Library screen.

User account permissions:

• A user account must be created with the following permissions:
• For Assessment: Project Viewer (Read only).
• For Assessment + Governance: Project Owner (View and Modify).
• Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
• Operations Governance: Logging Admin & Pub/Sub Admin.

Service account permissions:

A service account must be created with the following permissions:

For Assessment: Project Viewer (Read only).

For Assessment + Governance:

• Project Viewer (Read only)
• Security Center admin editor
• Pub/Sub Admin
• Monitoring editor
• Logs Configuration writer
• Compute Admin

Security Command Center Access is required for configuring security vulnerabilities assessment and compliance.

Operations and Inventory Access is required for creating activity templates and alerting configurations through logging and pub/sub based on the utilization data.

Compute Admin Access is required for running most of the templates and blueprints from CoreStack marketplace.

📘

Note:

In the future, if there are any operations-related activities which need more permissions, please grant the service account the necessary permissions.

📘

Note:

If threats and advanced security health analytics policies are required, then the Security Command Center premium tier needs to be enabled.

Retrieving Onboarding Information from GCP Console

Based on the authentication protocol being used in CoreStack, the following information must be retrieved from the GCP console:

1. Service Account Based:

A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. Also, Project ID / Folder ID must be retrieved to onboard a GCP Project or GCP folder.

How to Download the Credentials File (JSON):

1. Navigate to the Credentials screen.
2. Click Create credentials and select Service account. The Create service account page appears.
3. Provide the necessary details to create a service account: Name, ID, Description.
4. Click Create button.
5. Click Select a role to select the required roles.
6. Click the Continue button.
7. Click Create key.
8. Select JSON as the Key type.
9. Click the Create button. A JSON key file will be downloaded.
10. Click Done.

Project ID:

Refer to the steps in the Project ID topic of the OAuth2 Based section above.

Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

2. OAuth2 Based:

The following values must be generated/copied from your GCP Project and configured in CoreStack:

Client ID & Client Secret:

1. Login to the GCP console.
2. Navigate to the Credentials screen.
3. Click Create credentials and select OAuth client ID.
4. Select Web application in the Application type field.
5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: <https://corestack.io/>.
6. Click the Create button. The Client ID and Client secret values will be displayed.

Scope:

The OAuth 2.0 scope information for GCP project is: <https://www.googleapis.com/auth/cloud-platform>.

Project ID:

The project ID is a unique identifier for a project and is used only within the console.

1. Navigate to the Projects screen in the GCP console.
2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI:

The following redirect URI that is configured while creating the client ID and client secret must be used: <https://corestack.io/>.

Authorization Code:

The authorization code must be generated with user consent and required permissions.

1. Construct a URL in the following format: <https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=><Client ID>&redirect_uri=<Redirect URI>&scope=<https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline>
2. Open an InPrivate or Incognito/Private mode browser window then access the above URL.
3. Login using your GCP credentials.
4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

📘

Note:

The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

Copy these details and provide them while onboarding your GCP Project into CoreStack using the OAuth2 option.

Project ID/Folder ID:

The Project ID or Folder ID is a unique identifier for a project or folder in GCP respectively. To retrieve a Project ID or Folder ID, perform the following steps:

1. Login to the GCP console.
2. Click the Select from drop-down menu at the top of the console. The Select from screen appears.
3. Search for the project or folder that you want to onboard in the Search projects and folders field. The required project or folder will be displayed in the list.
4. The Project ID or Folder ID will be displayed next to your GCP project or folder in the list.

Provide the JSON and Project / Folder ID while onboarding the GCP Project in CoreStack using the Service Account option.

Prerequisites for GCP Linked Projects - Organization/Folder Scope

There are certain prerequisites that need to be set up in your GCP project before it can be onboarded into CoreStack.

1. We need to onboard a GCP Billing account before proceeding to onboard the Linked project.
2. All the costs will be fetched from the billing account and the metadata sync for all the projects linked to this billing account will take 24 hours to be completed.

📘

Note:

• The sync of the cost data will take 24 hours to reflect in CoreStack.
• We will be able to onboard the linked project account only after the sync is completed.

Permissions

The following permissions must be configured in your GCP Project before onboarding.

API access:

• Enable API Access for Cloud Resource Manager API, Security Command Center API, Recommender API, Cloud Pub/Sub API, Organization Policy API, Compute Engine API, Cloud SQL Admin API, and Monitoring API in the API & Services – Library screen.

User account permissions:

• A user account must be created with the following permissions:
• For Assessment: Viewer (Read only).
• For Assessment + Governance: Organization Administrator/Security Admin (View and Modify).

Service account permissions:

Assign the following permissions at the Organization level for the service account which was created earlier as part of onboarding of a billing account.

For Assessment: Viewer at Organization level (Read only).

For Assessment + Governance:

• Viewer (Read only)
• Security Center admin editor
• Pub/Sub Admin
• Monitoring editor
• Logs Configuration writer
• Compute Admin

Security Command Center Access is required for configuring security vulnerabilities assessment and compliance.

Operations and Inventory Access is required for creating activity templates and alerting configurations through logging and pub/sub based on the utilization data.

Compute Admin Access is required for running most of the templates and blueprints from the CoreStack marketplace.

📘

Note:

In the future, if there are any operations-related activities which need more permissions, please grant the service account the necessary permissions.

📘

Note:

If threats and advanced security health analytics policies are required then the Security Command Center premium tier needs to be enabled.

Retrieving Onboarding Information from GCP Console

Based on the authentication protocol being used in CoreStack, the following information must be retrieved from the GCP console:

1. Service Account Based:

A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. Also, Project ID / Folder ID must be retrieved to onboard a GCP Project or GCP folder.

How to Download the Credentials File (JSON):

1. Navigate to the Credentials screen.
2. Click Create credentials and select Service account. The Create service account page appears.
3. Provide the necessary details to create a service account: Name, ID, Description.
4. Click the Create button.
5. Click Select a role to select the required roles.
6. Click the Continue button.
7. Click Create key.
8. Select JSON as the Key type.
9. Click the Create button. A JSON key file will be downloaded.
10. Click Done.

Project ID:

Refer to the steps in the Project ID topic of the OAuth2 Based section above.

Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

2. OAuth2 Based:

The following values must be generated/copied from your GCP Project and configured in CoreStack.

Client ID & Client Secret:

1. Login to the GCP console.
2. Navigate to the Credentials screen.
3. Click Create credentials and select OAuth client ID.
4. Select Web application in the Application type field.
5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: <https://corestack.io/>.
6. Click the Create button. The Client ID and Client secret values will be displayed.

Scope:

The OAuth 2.0 scope information for GCP project is: <https://www.googleapis.com/auth/cloud-platform>.

Project ID:

The project ID is a unique identifier for a project and is used only within the console.

1. Navigate to the Projects screen in the GCP console.
2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI:

The following redirect URI that is configured while creating the client ID and client secret must be used: <https://corestack.io/>.

Authorization Code:

The authorization code must be generated with user consent and required permissions.

1. Construct an URL in the following format: <https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=><Client ID>&redirect_uri=<Redirect URI>&scope=<https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline>
2. Open an InPrivate or Incognito/Private mode browser window and access the above URL.
3. Login using your GCP credentials.
4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

📘

Note:

The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

Copy these details and provide them while onboarding your GCP Project into CoreStack using OAuth2 option.

Project ID/Folder ID:

The Project ID or Folder ID is a unique identifier for a project or folder in GCP respectively. To retrieve a Project ID or Folder ID, perform the following steps:

1. Login to the GCP console.
2. Click the Select from drop-down menu at the top of console. The Select from screen appears.
3. Search for the project or folder that you want to onboard in the Search projects and folders field. The required project or folder will be displayed in the list.
4. The Project ID or Folder ID will be displayed next to your GCP project or folder in the list.

Provide the JSON and Project / Folder ID while onboarding the GCP Project in CoreStack using Service Account option.

Next steps

Now that you understand how to create the necessary roles and permissions in your GCP environment to onboard your GCP cloud account(s) into CoreStack so that you can fully utilize CoreStack assessments, you can proceed to the GCP onboarding for CoreStack Assessments user guide.