How to Onboard a GCP Billing/Linked Project Account Using GCP Cloud Shell

Learn how to onboard a billing or linked project account from Google Cloud Platform (GCP) by using the GCP cloud shell command line interface.

Introduction

When it comes to onboarding Google Cloud Platform (GCP) billing accounts and/or linked projects into CoreStack, one method that might be best for certain situations is to use the GCP cloud shell interface.

Pre-requisites:

In order to onboard a Google Cloud Platform (GCP) Billing Account into CoreStack using GCP Cloud Shell, the below prerequisites need to be met.

  1. Ensure the billing data export is made to "bigquery dataset".
  2. Enable standard cost usage data export cloud billing data to BigQuery Dataset.
  3. Ensure the IAM user account holds Organization Admin, Organisation Role Administrator, Service Usage Adminroles.

📘

NOTE: For help enabling the cloud billing data export, please refer to this GCP configuration guide. You will need to have billing account admin permission to do this.

The following IAM user account permissions are needed for the successful execution of the script.

Organizational Admin

This permission is required to create and add IAM policies to the service account at an organizational level.

Organization Role Administrator

This permission is required to create a custom role for CoreStack with Reader or Read-Write permission based on the onboarding type selected.

Service Usage Admin

This permission is required to enable API's needed for CoreStack across all projects.

The scripts expect the following information as input from the cloud console. Please keep the below information handy.

  1. Big Query Table ID
  2. Big Query Dataset Location
  3. Organization ID
  4. Project ID where the Billing Account is being onboarded

Login to the GCP console here: [<https://console.cloud.google.com/>] and then log in to your organization cloud account.

Launch the cloud shell command line interface (CLI) highlighted in the above image. You should see the gcloud CLI as shown below.

Execute the WGET command to download the onboarding script from a GCP Cloud Storage bucket:

wget <https://storage.googleapis.com/gcp-onboarding-script/GCP-Onboarding-Scripts/GCP-Onboarding.sh>

Once the onboarding script is downloaded, you need to run the script by executing the below command:

sh. GCP-Onboarding.sh

Please specify the onboarding type:

Option 1: Assessment

The service account will have Read-Only permissions to your cloud account and the account onboarding type in CoreStack should be set to Assessment.

Option 2: Assessment & Governance

The service account will have Read and Write permissions across your cloud account and the account onboarding type in CoreStack should be set to Assessment & Governance.

Please specify the hierarchy level:

Option 1: Organization

This is to onboard all the projects under this organization account.

Option 2: Project Level

This is to onboard some of the projects in the organization.

Please enter the service account name to be created.

📘

Note:

Please follow Google's recommended practices for naming resources.

Please enter the bucket name to be created.

Please enter the location where the bucket should be created.

📘

Note:

Make sure the location entered is the same as the BigQuery dataset location -- in this case it is “asia-south1”.

Please enter the Table ID created after exporting your billing data to BigQuery. You can refer to this by going to BigQuery > SQL Workspace.

Next, you need to input the Organization ID which can be found in the Organization hierarchy. Refer to the below image for more guidance.

Next is to enter the Project ID, which can be found on the hierarchy page.

Next, provide the name of the custom role for CoreStack. This is the role to which we are assigning Read-Only or Read-Write permissions based on the onboarding type specified.

Next, we can see the enablement of APIs across all the projects under this organization.

Once the service account is created, permissions for the custom role will be pushed and granted. There will be a prompt displayed to accept some of the permissions for the custom role.

The script needs a 'Yes' to proceed, as a custom role with these permissions is required for CoreStack to retrieve activity-related data.

The next step is the IAM policy binding at the organization level to the service account with the custom role provided.

A storage bucket is created with the provided name. You can verify this from buckets shown in cloud storage.

Next is the scheduled queries configuration -- you should see them with the transfer run completed successfully as displayed in the below image.

Now, navigate to IAM > Service Accounts. 

Please download the key file from the service account which you created from the onboarding script. Once the key file is downloaded you can use the same process to onboard it from the CoreStack UI.

Once the key is downloaded we can proceed with GCP Onboarding in the CoreStack portal. Please follow the below image for the next steps.

Please find the bucket name from the GCP Cloud console.

Please find the billing account ID from the billing section underneath the Billing Account > Manage page.

Please find the Dataset Name in the billing data export to bigquery.

Please find the Project ID from the hierarchy.

Next, please upload the key file (.json) which was downloaded earlier.

And with that, you're done! You have successfully completed the onboarding of a GCP billing account and have onboarded all the cloud accounts (projects) from the organization.