How to Onboard a GCP Linked Project

This topic explains how to onboard a Google Cloud Platform (GCP) Linked Project into CoreStack.

Pre-onboarding

There are certain prerequisites that need to be set up in your GCP project before it can be onboarded into CoreStack.

Permissions

The following permissions must be configured in your GCP Project before onboarding.

API access:

  • Enable API access for the Cloud Resource Manager API, Cloud Services API, Cloud Billing API, and Security Command Center API in the API & Services – Library screen.

User account permissions:

  • A user account must be created with the following permissions.
    • For Assessment: Project Viewer (Read only).
    • For Assessment + Governance: Project Editor (View and Modify).
    • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
    • Operations Governance: Logging Admin & Pub/Sub Admin.

Service account permissions:

  • A service account must be created with the following permissions.
    • For Assessment: Project Viewer (Read only).
    • For Assessment + Governance: Project Editor (View and Modify).
    • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
    • Operations Governance: Logging Admin & Pub/Sub Admin.
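
The role list above can be checked against an exported IAM policy before onboarding. This is an added example, not CoreStack's own code: it reports roles that are missing and roles granted beyond what the selected access type needs. The role IDs are the standard GCP IDs for the role names on this page; the member name and sample policy are constructed, and treating Security Command Center and Operations Governance as enabled by default is an assumption.

```python
# Role IDs for the role names listed above (GCP basic and predefined roles).
BASE_ROLE = {"Assessment": "roles/viewer",
             "Assessment + Governance": "roles/editor"}
SCC_ROLES = {"roles/securitycenter.admin", "roles/securitycenter.adminViewer"}
OPS_ROLES = {"roles/logging.admin", "roles/pubsub.admin"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
MEMBER = "serviceAccount:onboard@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [MEMBER, "user:admin@example.com"]},
    {"role": "roles/securitycenter.adminViewer", "members": [MEMBER]},
    {"role": "roles/logging.admin", "members": [MEMBER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}


def roles_of(policy, member):
    """Roles bound directly to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, member, access_type, scc=True, ops=True):
    """Return (missing, excess) roles for the selected CoreStack access type."""
    granted = roles_of(policy, member)
    allowed = {BASE_ROLE[access_type]}
    missing = allowed - granted
    if scc:
        allowed |= SCC_ROLES
        if not granted & SCC_ROLES:
            missing.add("roles/securitycenter.adminViewer")  # read-only suffices
    if ops:
        allowed |= OPS_ROLES
        missing |= OPS_ROLES - granted
    return missing, granted - allowed


if __name__ == "__main__":
    for access in BASE_ROLE:
        missing, excess = audit(SAMPLE_POLICY, MEMBER, access)
        print(access, "missing:", sorted(missing), "excess:", sorted(excess))
```

Only direct bindings are inspected; roles inherited through groups or granted on a parent folder or organization do not appear in a project-level policy export.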

Retrieving Onboarding Information from GCP Console

Based on the authentication protocol to be used in CoreStack, the following information must be retrieved from the GCP console.

1. OAuth2 Based:

The following values must be generated/copied from your GCP Project and configured in CoreStack.

Client ID & Client Secret:

  1. Login to the GCP console.
  2. Navigate to Credentials screen.
  3. Click Create credentials and select OAuth client ID.
  4. Select Web application in the Application type field.
  5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: https://corestack.io/.
  6. Click Create button. The Client ID and Client secret values will be displayed.

Scope:

The OAuth 2.0 scope information for GCP project is: https://www.googleapis.com/auth/cloud-platform.

Project ID:

The project ID is a unique identifier for a project and is used only within the console.

  1. Navigate to Projects screen in the GCP console.
  2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI:

The following redirect URI that is configured while creating the client ID and client secret must be used: https://corestack.io/.

Authorization Code:

The authorization code must be generated with user consent and required permissions.

  1. Construct a URL in the following format: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline
  2. Open an InPrivate or Incognito browser window and go to the above URL.
  3. Login using your GCP credentials.
  4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

Note: Replace <Client ID> and <Redirect URI> in the URL format with the values retrieved in the earlier steps.

Copy these details and provide them while onboarding your GCP Project into CoreStack using OAuth2 option.
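
The Authorization Code steps above, as an added example that is not part of the original page or CoreStack's code: it builds the consent URL with each parameter percent-encoded and pulls the code out of the redirected address, returning the percent-decoded value that OAuth token endpoints take. The sample client ID and redirected URL are constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
SCOPE = "https://www.googleapis.com/auth/cloud-platform"
REDIRECT_URI = "https://corestack.io/"

# Constructed values for illustration only.
SAMPLE_CLIENT_ID = "000000000000-constructed.apps.googleusercontent.com"
SAMPLE_REDIRECT = ("https://corestack.io/?code=4%2F0Constructed-Code_Value"
                   "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform")


def build_consent_url(client_id, redirect_uri=REDIRECT_URI):
    """Build the URL from step 1 with every parameter value percent-encoded."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "prompt": "consent",
        "access_type": "offline",
    })


def extract_code(address_bar_url, redirect_uri=REDIRECT_URI):
    """Return the authorization code from the URL shown after the redirect."""
    got, want = urlsplit(address_bar_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path or "/") != (want.scheme, want.netloc, want.path or "/"):
        raise ValueError("not the configured redirect URI: " + got.netloc)
    query = parse_qs(got.query)  # splits on '&' and percent-decodes values
    if "error" in query:
        raise ValueError("consent was not granted: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


if __name__ == "__main__":
    print(build_consent_url(SAMPLE_CLIENT_ID))
    print(extract_code(SAMPLE_REDIRECT))
```

The code ends at the first `&` in the address bar; copying the trailing `&scope=...` portion along with it is a common cause of a rejected code.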

2. Service Account Based:

A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. The Project ID / Folder ID must also be retrieved to onboard a GCP Project or GCP folder.

How to Download the Credentials File (JSON):

  1. Navigate to Credentials screen.
  2. Click Create credentials and select Service account. The Create service account page appears.
  3. Provide the necessary details to create a service account: Name, ID, Description.
  4. Click Create button.
  5. Click Select a role to select the required roles.
  6. Click Continue button.
  7. Click Create key.
  8. Select JSON as Key type.
  9. Click Create button. A JSON key file will be downloaded.
  10. Click Done.

Project ID/Folder ID:

The project ID or folder ID is a unique identifier for a project or folder in GCP respectively. To retrieve a Project ID or Folder ID, perform the following steps:

  1. Login to the GCP console.
  2. Click the Select from dropdown menu at the top of the console. The Select from screen appears.
  3. Search for the project or folder that you want to onboard in the Search projects and folders field. The required project or folder will be displayed in the list.
  4. The Project ID or Folder ID will be displayed next to your GCP project or folder in the list.

Provide the JSON and Project / Folder ID while onboarding the GCP Project in CoreStack using Service Account option.
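
Before uploading the JSON file, it is worth confirming that it is a service account key for the intended project and that the file is not readable by other local users. The following is an added example, not CoreStack's code; the sample key is constructed (its private_key is a placeholder) and the function names are hypothetical.

```python
import json
import os
import stat

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")

# Constructed sample key; the private_key value is a placeholder, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000constructed0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "onboard@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def check_key(key, expected_project=None):
    """Return a list of problems in a parsed service account key document."""
    problems = ["missing field: " + f for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is %r, not 'service_account'" % key.get("type"))
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email does not end in .iam.gserviceaccount.com")
    if expected_project and key.get("project_id") != expected_project:
        problems.append("key belongs to project %r" % key.get("project_id"))
    return problems


def check_file(path, expected_project=None):
    """Check the file's permissions and contents before it is uploaded."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        problems.append("file mode %o exposes the key; use 600" % mode)
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + ["not valid JSON: %s" % exc]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    return problems + check_key(key, expected_project)


if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, "example-project") or "key document looks consistent")
```

Pass `expected_project` only when onboarding at Project scope; for Folder or Organization scope the key's `project_id` is the project that hosts the service account, not the scope being onboarded.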

Onboarding

The following steps need to be performed to onboard a GCP Linked Project.

  1. Click Add New button in the CoreStack dashboard and select Single Account.
  2. Click Start Now.
  3. Select GCP option in the Public Cloud field.
  4. Click Get Started button.
  5. Select the required option in the Access Type field. The options are: Assessment and Assessment + Governance.
  6. Select the Linked Project Account option in the Account Type field.
  7. Select the required option in the Authentication Protocol field. The options are: OAuth2 and Service Account.
  8. Click Next.
  9. Provide the necessary details (Client ID, Client Secret, Scope, Project ID, Redirect URI, and Authorization Code OR Hierarchy Scope, Project ID/Folder ID, Credentials File (JSON)) explained in the Pre-onboarding section based on the option selected in the Authentication Protocol field.

If Service Account option is selected in the Authentication Protocol field, the Hierarchy Scope field will be available and must be configured as follows.

  1. In the Hierarchy Scope field, select the required option based on your need as explained below. The options are: Project, Folder, and Organization.
    1. Project: This option will enable a specific GCP project to be onboarded. Specify the ID of the GCP Project in the Project ID field.
    2. Folder: This option will enable the GCP projects that are available within a Folder (departments or teams within an organization) in GCP to be onboarded. Specify the ID of the GCP folder in the Folder ID field.
    3. Organization: This option will enable all the GCP projects that are available within an Organization in GCP to be onboarded.

Note: GCP Projects must have access to the specified service account. While onboarding a Folder or Organization from GCP, only the GCP Projects that have access to the specified service account will be onboarded.

  1. Click Validate button.
  2. The Advanced Settings section will be displayed with additional fields (Name, Master Account, and Scope).
  3. Modify the prepopulated name of the account in the Name field, if required.
  4. Select the required account in the Master Account dropdown list.
  5. Select the required option in the Scope field. The options are: Account, Private, and Tenant.
  6. Click I'm Done button.

The GCP Project will be onboarded successfully into CoreStack. Relevant insights and information about the resources available in the GCP Project will be populated under each cloud governance pillar in CoreStack.

