These docs are for v4.3. Click to read the latest docs for v4.5.

GCP prerequisites for CoreStack Assessments

Learn about the onboarding prerequesites for onboarding GCP cloud accounts for CoreStack Assessments.

Introduction

There are certain prerequisites that need to be set up in your GCP account before it can be onboarded into CoreStack and used for CoreStack Assessments.

While the specific steps vary depending on which type of cloud account you want to onboard from GCP, in general for GCP Projects you will have to create either a user account or service account for CoreStack and then provide appropriate roles for the user account or service account for the Assessment + Governance option.

In this user guide, we'll cover the different steps you need to follow to properly configure the prerequisites in your GCP cloud account(s) based on which type of account(s) you're onboarding.

Prerequisites for GCP Billing Accounts

GCP Projects can be onboarded as a Billing Account in CoreStack. Onboarding a Billing Account allows you to discover the cost information of all its linked GCP Projects.

However, before your GCP project can be onboarded into CoreStack, there are certain prerequisites that need to be met.

Set Up Cloud Billing Data Export to BigQuery:

To enable your Cloud Billing usage costs and/or pricing data to be exported to BigQuery, please do the following:

  1. in the Google Cloud console, go to the Billing export page.

  2. Click to select the cloud Billing account for which you would like to export the billing data. The Billing export page opens for the selected billing account.

  3. On the BigQuery export tab, click Edit settings for each type of data you'd like to export. Each type of data is configured separately.

  4. From the Projects list, select the project that you set up which will contain your BigQuery dataset.

    The project you select is used to store the exported Cloud Billing data in the BigQuery dataset.

  5. From the Dataset ID field, select the dataset that you set up which will contain your exported Cloud Billing data.

    For all types of Cloud Billing data exported to BigQuery, the following applies:

    • The BigQuery API is required to export data to BigQuery. If the project you selected doesn't have the BigQuery API enabled, you will be prompted to enable it. Click Enable BigQuery API to enable the API.

    • If the project you selected doesn't contain any BigQuery datasets, you will be prompted to create one. If necessary, follow these steps to create a new dataset.

    • If you use an existing dataset, review the limitations that might impact exporting your billing data to BigQuery, such as being unable to export data to datasets configured to use customer-managed key encryption.

      For pricing data export, the BigQuery Data Transfer Service API is required to export the data to BigQuery. If the project you selected doesn't have the BigQuery Data Transfer Service API enabled, you are prompted to enable it. If necessary, follow these steps to enable the API.

  6. Click Save.

GCP Project Permissions

The following permissions must be configured in your GCP Project before onboarding.

User Account Permissions:

  • A user account must be created in GCP with the following permissions:
    • Project Editor (View and Modify.)
    • Billing Account Admin (This is required for exporting the billing data to a BigQuery dataset. If the data is already exported, then this permission is not required.)
    • BigQuery Admin (If the BigQuery dataset exported is in a different project, you need this access to retrieve the BigQuery dataset name. )

    API Access:

    • In GCP, enable API Access for the Cloud Resource Manager API, Recommender API, Cloud Billing API, and Compute Engine API in the API & Services – Library screen.

    📘

    Automated Approach for GCP Billing Account Onboarding:

    Service Account Permissions:

    • A service account must be created in GCP with the following permissions:
      • Project Viewer (Read only).

      Billing Account Prerequisites:

      • Schedule queries must be created in the GCP BigQuery console.
      • Create a Bucket for a BigQuery data transfer (under the same GCP Project where BigQuery exists).

      📘

      Note:

      The Bucket, Dataset and Scheduled Query created should be in the same location for the schedule query to execute successfully.

      Bucket Name:

      1. Login to the GCP console.
      2. Navigate to the Storage - Browser screen.
      3. Click Create bucket. The Create bucket screen appears.
      4. Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
      5. Click the Create button.
      6. Copy the value provided in the Name your bucket field.

      Schedule Queries in GCP

      Next, you need to schedule some queries in GCP. Navigate to the Schedule Query Page in the GCP console then follow the steps below:

      1. Login to the GCP console.
      2. Navigate to the GCP BigQuery console.
      3. On the left menu, click Schedule Queries. The schedule queries list appears.

      1. Click Create Schedule Queries located at the top of the page.

      1. Copy each schedule query (Daily Schedule Query, Monthly Schedule Query, and On-demand Schedule Query).
      2. For the Daily Schedule Query, schedule it on an hourly basis.

      1. For the Monthly Schedule Query, schedule it on the fifth of every month.

      1. For On-demand Schedule Query, run it in real time.

      1. Select the Data location for the query to be executed.

      📘

      Note:

      The Data location selected should be the same as what was selected for Bucket and the Dataset.

      🚧

      Note:

      For the code snippets below, you need to insert your table id and bucket name.

      Daily Schedule Query

      DECLARE
      unused STRING;
      DECLARE
      current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 0 MONTH);
      DECLARE
      cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
      FROM
      current_month_date);
      DECLARE
      cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
      FROM
      current_month_date);
      EXPORT DATA
      OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/', CAST(DATE(CURRENT_DATE()) as STRING FORMAT('YYYY-MM-DD')), '/*.csv'),
      format='JSON',
      overwrite=False) AS
      SELECT
      *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
      `<complete table id>` as B
      WHERE
      B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM'))) AND B.cost != 0.0
      

      Monthly Schedule Query

      DECLARE
      unused STRING;
      DECLARE
      current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
      DECLARE
      cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
      FROM
      current_month_date);
      DECLARE
      cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
      FROM
      current_month_date);
      EXPORT DATA
      OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '_backfill/*.csv'),
      format='JSON',
      overwrite=True) AS
      SELECT
      *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
      `<complete table id>` as B
      WHERE
      B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
      AND B.cost != 0.0
      

      On-Demand Scheduled Query

      DECLARE
      unused STRING;
      DECLARE
      current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
      DECLARE
      cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
      FROM
      current_month_date);
      DECLARE
      cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
      FROM
      current_month_date);
      EXPORT DATA
      OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
      format='JSON',
      overwrite=True) AS
      SELECT
      *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
      `<Your complete Table Id goes here>` as B
      WHERE
      B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
      AND B.cost != 0.0
      
      DECLARE
      unused STRING;
      DECLARE
      current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 2 MONTH);
      DECLARE
      cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
      FROM
      current_month_date);
      DECLARE
      cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
      FROM
      current_month_date);
      EXPORT DATA
      OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
      format='JSON',
      overwrite=True) AS
      SELECT
      *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
      `<your Complete Table id goes here>` as B
      WHERE
      B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
      AND B.cost != 0.0
      
      DECLARE
      unused STRING;
      DECLARE
      current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 3 MONTH);
      DECLARE
      cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
      FROM
      current_month_date);
      DECLARE
      cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
      FROM
      current_month_date);
      EXPORT DATA
      OPTIONS ( uri = CONCAT('gs://<your bucket name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
      format='JSON',
      overwrite=True) AS
      SELECT
      *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
      `Your complete Table Id goes here` as B
      WHERE
      B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
      AND B.cost != 0.0
      

      Retrieving Onboarding Information from the GCP Console

      Based on the authentication protocol being used in CoreStack (refer to the options below for guidance), certain information must be retrieved from the GCP console.

      Service Account protocol:

      A service account must be created in your GCP Project. Then, you need to create a service account key and download it as a JSON file. Also, the Project ID must be retrieved from your GCP Project.

      How to Download the Credentials File (JSON):

      1. Navigate to the Credentials screen.
      2. Click Create credentials and select Service account. The Create service account page appears.
      3. Provide the necessary details to create a service account: Name, ID, and Description.
      4. Click the Create button.
      5. Click Select a role to select the required roles.
      6. Click the Continue button.
      7. Click Create key.
      8. Select JSON as the Key type.
      9. Click the Create button. A JSON key file will be downloaded.
      10. Click Done.

      Project ID:

      Refer to the steps in the Project ID topic of the OAuth2 Based section above.

      Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

      OAuth2 protocol:

      The following values must be generated/copied from your GCP Project and configured in CoreStack.

      Client ID & Client Secret:

      1. Login to the GCP console.
      2. Navigate to the Credentials screen.
      3. Click Create credentials and select OAuth client ID.
      4. Select Web application in the Application type field.
      5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button:
      https://corestack.io/
      
      1. Click the Create button. The Client ID and Client secret values will be displayed.

      Scope:

      The OAuth 2.0 scope information for a GCP project can be found at: https://www.googleapis.com/auth/cloud-platform.

      Project ID:

      The project ID is a unique identifier for a project and is used only within the GCP console.

      1. Navigate to the Projects screen in the GCP console.
      2. The Project ID will be displayed next to your GCP project in the project list.

      Redirect URI:

      The following redirect URI that is configured while creating the Client ID and Client Secret must be used:

      https://corestack.io/
      

      Authorization Code:

      The authorization code must be generated with user consent and required permissions.

      1. Construct a URL in the following format:
      https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline
      
      1. Open a browser window in private mode (e.g. InPrivate, Incognito) and use it to access the above URL.
      2. Login using your GCP credentials.
      3. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

      📘

      Note:

      The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

      Copy these details and provide them while onboarding your GCP Project into CoreStack when using the OAuth2 option.

      Prerequisites for GCP Parent Billing Accounts

      GCP Projects can be onboarded as a parent billing account. Onboarding a parent billing account allows you to discover the cost information for a parent account and all linked GCP Projects.

      However, before your GCP project can be onboarded into CoreStack there are certain prerequisites that need to be set up.

      GCP Project Permissions

      The following permissions must be configured in your GCP Project before onboarding.

      API access:

      • Enable API Access for Cloud Resource Manager API, Cloud Billing API, Security Command Center API in the API & Services – Library screen.

      User account permissions:

      A user account must be created with the following permissions:

      • For Assessment: Project Viewer (Read only).
      • For Assessment + Governance: Project Editor (View and Modify).
      • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
      • Operations Governance: Logging Admin & Pub/Sub Admin.

      Service account permissions:

      A service account must be created with the following permissions:

      • For Assessment: Project Viewer (Read only).
      • For Assessment + Governance: Project Editor (View and Modify).
      • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
      • Operations Governance: Logging Admin & Pub/Sub Admin.

      Parent Billing Account Prerequisites:

      • Schedule queries in the GCP BigQuery console.
      • Create a Bucket for BigQuery data transfer (under the same GCP Project where BigQuery exists).

      📘

      Note:

      If threats and advanced security health analytic policies are required then the Security Command Center premium tier needs to be enabled.

      Retrieve Onboarding Information from the GCP Console

      Based on the authentication protocol being used in CoreStack (refer to the options below for guidance), certain information must be retrieved from the GCP console.

      OAuth2 Protocol:

      The following values must be generated/copied from your GCP Project and configured in CoreStack:

      Client ID & Client Secret:

      1. Login to the GCP console.
      2. Navigate to the Credentials screen.
      3. Click Create credentials and select OAuth client ID.
      4. Select Web application in the Application type field.
      5. Specify the following URI in the Authorized redirect URIs field by clicking the Add URI button:
      https://corestack.io/
      
      1. Click theCreate button. The Client ID and Client Secret values will be displayed.

      Scope:

      The OAuth 2.0 scope information for a GCP project can be found here: https://www.googleapis.com/auth/cloud-platform.

      Project ID:

      The project ID is a unique identifier for a project and is used only within the console.

      1. Navigate to the Projects screen in the GCP console.
      2. The Project ID will be displayed next to your GCP project in the project list.

      Redirect URI:

      The following redirect URI that is configured while creating the Client ID and Client Secret must be used:

      https://corestack.io/
      

      Authorization Code:

      The authorization code must be generated with user consent and required permissions.

      1. Construct a URL in the following format:
      https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline
      
      1. Open a browser window in private mode (e.g. InPrivate, Incognito) and use it to access the above URL.
      2. Login using your GCP credentials.
      3. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

      📘

      Note:

      The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

      Copy these details and provide them while onboarding your GCP Project into CoreStack when using the OAuth2 protocol option.

      Service Account Protocol:

      A service account must be created in your GCP Project. Then, you need to create a service account key and download it as a JSON file. Also, the Project ID must be retrieved from your GCP Project.

      How to Download the Credentials File (JSON):

      1. Navigate to the Credentials screen.
      2. Click Create credentials and select Service account. The Create service account page appears.
      3. Provide the necessary details to create a service account: Name, ID, Description.
      4. Click the Create button.
      5. Click Select a role to select the required roles.
      6. Click the Continue button.
      7. Click Create key.
      8. Select JSON as the Key type.
      9. Click the Create button. A JSON key file will be downloaded.
      10. Click Done.

      Project ID:

      Refer to the steps in the Project ID topic in the previous OAuth2 Based section.

      Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account protocol option.

      Additional Values from the Parent Billing Account:

      In addition to the prerequisites explained earlier, there are a few additional values that must be generated/copied from your GCP Parent Billing Account and configured in CoreStack.

      Bucket Name:

      1. Login to the GCP console.
      2. Navigate to the Storage - Browser screen.
      3. Click Create bucket. The Create bucket screen appears.
      4. Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
      5. Click the Create button.
      6. Copy the value provided in the Name your bucket field.

      Billing Account ID:

      1. Login to the GCP console.
      2. Navigate to the Manage Billing Accounts screen.
      3. Click My Projects. A list of projects will be displayed.
      4. Copy the Billing Account ID for the required projects.

      Set Up Cloud Billing Data Export to BigQuery:

      To enable Cloud Billing data export to BigQuery, refer to the GCP configuration guide.

      Provide these details in CoreStack for your Parent Billing Account onboarding, along with either the OAuth2 or Service Account information explained above, based on your Authentication Protocol selection.

      Schedule Queries in GCP

      Navigate to the Schedule Query Page in GCP, then follow the below steps:

      1. Login to the GCP console.
      2. Navigate to the GCP BigQuery console.
      3. On the left menu, click Schedule Queries. The schedule queries list appears.

      1. Click Create Schedule Queries located at the top of the page.

      1. Copy each schedule query (Daily Schedule Query, Monthly Schedule Query and On-demand Schedule Query).
      2. For the Daily Schedule Query, schedule it on an hourly basis.

      1. For the Monthly Schedule Query, schedule it on the fifth of every month.

      1. For the On-demand Schedule Query, run the query in real time.

      🚧

      Note:

      You need to insert your own dataset id and bucket name into the code snippets below.

      Daily Schedule Query

      DECLARE
        unused STRING;
      DECLARE
        current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 0 MONTH);
      DECLARE
        cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
        FROM
          current_month_date);
      DECLARE
        cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
        FROM
          current_month_date);
      EXPORT DATA
        OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
          format='JSON',
          overwrite=True) AS
      SELECT
        *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
        `<Your Complete Data setDataset ID>` as B
      WHERE
        B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
        AND B.cost != 0.0
      

      Monthly Schedule Query

      DECLARE
        unused STRING;
      DECLARE
        current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL 1 MONTH);
      DECLARE
        cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
        FROM
          current_month_date);
      DECLARE
        cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
        FROM
          current_month_date);
      EXPORT DATA
        OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
          format='JSON',
          overwrite=True) AS
      SELECT
        *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
        `<Your Complete Data setDataset ID>` as B
      WHERE
        B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
        AND B.cost != 0.0
      

      On-demand Schedule Query

      DECLARE
        unused STRING;
      DECLARE
        current_month_date DATE DEFAULT DATE_SUB(@run_date, INTERVAL <Change the Period> MONTH);
      DECLARE
        cost_data_invoice_month NUMERIC DEFAULT EXTRACT(MONTH
        FROM
          current_month_date);
      DECLARE
        cost_data_invoice_year NUMERIC DEFAULT EXTRACT(YEAR
        FROM
          current_month_date);
      EXPORT DATA
        OPTIONS ( uri = CONCAT('gs://<your_bucket_name>/', CAST(cost_data_invoice_year AS STRING), '-', CAST(current_month_date AS STRING FORMAT('MM')), '/*.csv'),
          format='JSON',
          overwrite=True) AS
      SELECT
        *, (SELECT STRING_AGG(display_name, '/') FROM B.project.ancestors) organization_list
      FROM
        `<Your Complete Data setDataset ID>` as B
      WHERE
        B.invoice.month = CONCAT(CAST(cost_data_invoice_year AS STRING), CAST(current_month_date AS STRING FORMAT('MM')))
        AND B.cost != 0.0
      

      🚧

      Note:

      In the Period column, you need to update the interval range from 1 to 3 and create a schedule 3 times.

      Prerequisites for GCP Linked Projects

      There are certain prerequisites that need to be set up in your GCP Linked project before it can be onboarded into CoreStack.

      1. We need to onboard a GCP Billing account before proceeding to onboard the Linked project.
      2. All the costs will be fetched from the billing account and the metadata sync for all the projects linked to this billing account will take 24 hours to be completed.

      📘

      Note:

      • The sync of the cost data will take 24 hours to reflect in CoreStack.
      • We will be able to onboard the linked project account only after the sync is completed.

      Permissions

      The following permissions must be configured in your GCP Project before onboarding:

      API access:

      • Enable API Access for Cloud Resource Manager API, Security Command Center API, Recommender API, Cloud Pub/Sub API, Organization Policy API, Compute Engine API, Cloud SQL Admin API, and Monitoring API in the API & Services – Library screen.

      User account permissions:

      • A user account must be created with the following permissions:
        • For Assessment: Project Viewer (Read only).
        • For Assessment + Governance: Project Owner (View and Modify).
        • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
        • Operations Governance: Logging Admin & Pub/Sub Admin.

      Service account permissions:

      A service account must be created with the following permissions:

      For Assessment: Project Viewer (Read only).

      For Assessment + Governance:

      • Project Viewer (Read only)
      • Security Center admin editor
      • Pub/Sub Admin
      • Monitoring editor
      • Logs Configuration writer
      • Compute Admin

      Security Command Center Access is required for configuring security vulnerabilities assessment and compliance.

      Operations and Inventory Access is required for creating activity templates and alerting configurations through logging and pub/sub based on the utilization data.

      Compute Admin Access is required for running most of the templates and blueprints from CoreStack marketplace.

      📘

      Note:

      In the future, if there are any operations-related activities which need more permissions, please grant the service account the necessary permissions.

      📘

      Note:

      If threats and advanced security health analytics policies are required, then the Security Command Center premium tier needs to be enabled.

      Retrieving Onboarding Information from GCP Console

      Based on the authentication protocol being used in CoreStack, the following information must be retrieved from the GCP console:

      1. Service Account Based:

      A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. Also, Project ID / Folder ID must be retrieved to onboard a GCP Project or GCP folder.

      How to Download the Credentials File (JSON):

      1. Navigate to the Credentials screen.
      2. Click Create credentials and select Service account. The Create service account page appears.
      3. Provide the necessary details to create a service account: Name, ID, Description.
      4. Click Create button.
      5. Click Select a role to select the required roles.
      6. Click the Continue button.
      7. Click Create key.
      8. Select JSON as the Key type.
      9. Click the Create button. A JSON key file will be downloaded.
      10. Click Done.

      Project ID:

      Refer to the steps in the Project ID topic of the OAuth2 Based section above.

      Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

      2. OAuth2 Based:

      The following values must be generated/copied from your GCP Project and configured in CoreStack:

      Client ID & Client Secret:

      1. Login to the GCP console.
      2. Navigate to the Credentials screen.
      3. Click Create credentials and select OAuth client ID.
      4. Select Web application in the Application type field.
      5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: <https://corestack.io/>.
      6. Click the Create button. The Client ID and Client secret values will be displayed.

      Scope:

      The OAuth 2.0 scope information for GCP project is: <https://www.googleapis.com/auth/cloud-platform>.

      Project ID:

      The project ID is a unique identifier for a project and is used only within the console.

      1. Navigate to the Projects screen in the GCP console.
      2. The Project ID will be displayed next to your GCP project in the project list.

      Redirect URI:

      The following redirect URI that is configured while creating the client ID and client secret must be used: <https://corestack.io/>.

      Authorization Code:

      The authorization code must be generated with user consent and required permissions.

      1. Construct a URL in the following format: <https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=><Client ID>&redirect_uri=<Redirect URI>&scope=<https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline>
      2. Open an InPrivate or Incognito/Private mode browser window then access the above URL.
      3. Login using your GCP credentials.
      4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

      📘

      Note:

      The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

      Copy these details and provide them while onboarding your GCP Project into CoreStack using the OAuth2 option.

      Project ID/Folder ID:

      The Project ID or Folder ID is a unique identifier for a project or folder in GCP respectively. To retrieve a Project ID or Folder ID, perform the following steps:

      1. Login to the GCP console.
      2. Click the Select from drop-down menu at the top of the console. The Select from screen appears.
      3. Search for the project or folder that you want to onboard in the Search projects and folders field. The required project or folder will be displayed in the list.
      4. The Project ID or Folder ID will be displayed next to your GCP project or folder in the list.

      Provide the JSON and Project / Folder ID while onboarding the GCP Project in CoreStack using the Service Account option.

      Prerequisites for GCP Linked Projects - Organization/Folder Scope

      There are certain prerequisites that need to be set up in your GCP project before it can be onboarded into CoreStack.

      1. We need to onboard a GCP Billing account before proceeding to onboard the Linked project.
      2. All the costs will be fetched from the billing account and the metadata sync for all the projects linked to this billing account will take 24 hours to be completed.

      📘

      Note:

      • The sync of the cost data will take 24 hours to reflect in CoreStack.
      • We will be able to onboard the linked project account only after the sync is completed.

      Permissions

      The following permissions must be configured in your GCP Project before onboarding.

      API access:

      • Enable API Access for Cloud Resource Manager API, Security Command Center API, Recommender API, Cloud Pub/Sub API, Organization Policy API, Compute Engine API, Cloud SQL Admin API, and Monitoring API in the API & Services – Library screen.

      User account permissions:

      • A user account must be created with the following permissions:
        • For Assessment: Viewer (Read only).
        • For Assessment + Governance: Organization Administrator/Security Admin (View and Modify).

      Service account permissions:

      Assign the following permissions at the Organization level for the service account which was created earlier as part of onboarding of a billing account.

      For Assessment: Viewer at Organization level (Read only).

      For Assessment + Governance:

      • Viewer (Read only)
      • Security Center admin editor
      • Pub/Sub Admin
      • Monitoring editor
      • Logs Configuration writer
      • Compute Admin

      Security Command Center Access is required for configuring security vulnerabilities assessment and compliance.

      Operations and Inventory Access is required for creating activity templates and alerting configurations through logging and pub/sub based on the utilization data.

      Compute Admin Access is required for running most of the templates and blueprints from the CoreStack marketplace.

      📘

      Note:

      In the future, if there are any operations-related activities which need more permissions, please grant the service account the necessary permissions.

      📘

      Note:

      If threats and advanced security health analytics policies are required then the Security Command Center premium tier needs to be enabled.

      Retrieving Onboarding Information from GCP Console

      Based on the authentication protocol being used in CoreStack, the following information must be retrieved from the GCP console:

      1. Service Account Based:

      A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. Also, Project ID / Folder ID must be retrieved to onboard a GCP Project or GCP folder.

      How to Download the Credentials File (JSON):

      1. Navigate to the Credentials screen.
      2. Click Create credentials and select Service account. The Create service account page appears.
      3. Provide the necessary details to create a service account: Name, ID, Description.
      4. Click the Create button.
      5. Click Select a role to select the required roles.
      6. Click the Continue button.
      7. Click Create key.
      8. Select JSON as the Key type.
      9. Click the Create button. A JSON key file will be downloaded.
      10. Click Done.

      Project ID:

      Refer to the steps in the Project ID topic of the OAuth2 Based section above.

      Provide the JSON and Project ID while onboarding the GCP Project in CoreStack when using the Service Account option.

      2. OAuth2 Based:

      The following values must be generated/copied from your GCP Project and configured in CoreStack.

      Client ID & Client Secret:

      1. Login to the GCP console.
      2. Navigate to the Credentials screen.
      3. Click Create credentials and select OAuth client ID.
      4. Select Web application in the Application type field.
      5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: <https://corestack.io/>.
      6. Click the Create button. The Client ID and Client secret values will be displayed.

      Scope:

      The OAuth 2.0 scope information for GCP project is: <https://www.googleapis.com/auth/cloud-platform>.

      Project ID:

      The project ID is a unique identifier for a project and is used only within the console.

      1. Navigate to the Projects screen in the GCP console.
      2. The Project ID will be displayed next to your GCP project in the project list.

      Redirect URI:

      The following redirect URI that is configured while creating the client ID and client secret must be used: <https://corestack.io/>.

      Authorization Code:

      The authorization code must be generated with user consent and required permissions.

      1. Construct an URL in the following format: <https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=><Client ID>&redirect_uri=<Redirect URI>&scope=<https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline>
      2. Open an InPrivate or Incognito/Private mode browser window and access the above URL.
      3. Login using your GCP credentials.
      4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after code=.

      📘

      Note:

      The values retrieved in the earlier steps can be used instead of <Client ID> and <Redirect URI> specified in the URL format.

      Copy these details and provide them while onboarding your GCP Project into CoreStack using OAuth2 option.

      Project ID/Folder ID:

      The Project ID or Folder ID is a unique identifier for a project or folder in GCP respectively. To retrieve a Project ID or Folder ID, perform the following steps:

      1. Login to the GCP console.
      2. Click the Select from drop-down menu at the top of console. The Select from screen appears.
      3. Search for the project or folder that you want to onboard in the Search projects and folders field. The required project or folder will be displayed in the list.
      4. The Project ID or Folder ID will be displayed next to your GCP project or folder in the list.

      Provide the JSON and Project / Folder ID while onboarding the GCP Project in CoreStack using Service Account option.

      Next steps

      Now that you understand how to create the necessary roles and permissions in your GCP environment to onboard your GCP cloud account(s) into CoreStack so that you can fully utilize CoreStack assessments, you can proceed to the GCP onboarding for CoreStack Assessments user guide.