These docs are for v4.3. Click to read the latest docs for v4.4.

Onboarding for GCP Linked Project Accounts

❗️

Please read first:

Before proceeding with onboarding for this type of cloud account, you must ensure the required pre-onboarding steps have been completed first.

For more information on what these prerequisites are and how to address them, please refer to the Pre-Onboarding for GCP Linked Project Accounts user guide.

Introduction

A GCP Linked Project Account is an individual Google Cloud project that is associated with a billing account to manage its costs. The linked project account allows the billing account to record and report the expenses incurred by that specific project, ensuring accurate financial tracking and resource management within the broader cloud infrastructure.

The account onboarding process follows a step-by-step flow with five steps, described in the list below. Users must complete every step by filling in the appropriate details so that they can proceed to the next step.

The onboarding flow for GCP cloud accounts covers the following main steps:

  1. GCP Cloud Account Type: Select the type of GCP cloud account that needs to be onboarded.
  2. Prerequisites: Select the cloud account scope, access type, and product(s).
  3. Add & Validate Credentials: Select the authentication type and provide the required GCP account credentials.
  4. Basic Settings: Select and/or input the basic settings for the cloud account.
  5. Advanced Settings (optional): This optional step allows users to add tags and set up any required governance configurations. Account governance configurations can also be done after the onboarding steps.

As users add all necessary details for each step in the onboarding flow, it will be marked as completed and no longer appears greyed out in the left sidebar.

Detailed onboarding steps are explained in the sections below.

📘

Note:

Before starting the onboarding process on the platform, make sure that you have followed and completed all the prerequisite steps in the GCP cloud portal. Refer to the PRE-ONBOARDING user guides for more information on how to complete these steps.

Onboarding Steps

Perform the following steps to onboard a GCP Linked Project Account:

  1. Log in to the platform and on the left menu bar, go to Settings > Onboard Accounts.

    The Onboard Cloud Accounts starting page will appear. Here, users can select which cloud provider to onboard a new account for based on the available options.

📘

Note:

Users can also use the Dashboard button in the upper right corner of the page to go directly to the Account Governance Dashboard (Cloud Accounts) as a shortcut.

  1. To start the onboarding process, hover over the GCP option under Public Cloud Providers, and an Onboard button should appear. Select Onboard to proceed.

  2. The page for the first step of the onboarding workflow should appear – GCP Cloud Account Type. In this step, users must select the specific GCP cloud account type to onboard. You can select one of the following account types to be onboarded:

    • Billing Account
    • Linked Project Account
    • Parent Cloud Billing Account

In this case, select Linked Project Account.

  1. Click Next. The Prerequisites section appears.

  2. In the Select Cloud Account Scope field, select one of the following options:

    • Tenant: This scope allows the cloud account to be available only in the tenant it is onboarded to. This option is selected by default.
    • Account: This scope allows the cloud account to be available in all tenants.
  3. In the Select Access Type field, select one of the following options:

    • Read-Only: This option provides viewing access without the ability to make changes.

    • Read-Write: This option allows the users to view, modify, and manage resources.

  4. In the Select Product(s) field, select the products that will be accessible through this account. The available products are shown based on the product bundle that was chosen during the account master creation. For example, the Governance product bundle includes: FinOps, SecOps, and CloudOps.

  5. Click Next. The Add & Validate Credentials section appears.

  6. In the Select Authentication Protocol field, select either Service Account or OAuth2. The Service Account option facilitates secure access to your Google Cloud resources by providing service account keys and the OAuth2 option allows users to grant third-party applications secure access to their Google Cloud resources.

    • If you select Service Account, fill in the following fields and then click Validate.

      • Project ID

      • In the Upload Credentials File (JSON) field, click Select File, and select a JSON file to upload it.

    • If you select OAuth2, fill in the following fields and click Validate.

      • Client ID

      • Client Secret

      • Redirect URI

      • Authorization Code

      • Project ID

If the validation is successful, then a success message will be displayed. If the validation fails, then an error message will be displayed along with an option for View Log. You can click View Log to view the error details and then click Re-Validate to retry the validation.

📘

Note:

After the completion of successful validation, the Validate button turns to Re-Validate. You can click Re-Validate to validate the account again.

  1. Click Next. The Basic Settings section appears.

  2. Fill the following basic details:

    • In the Account Name box, the GCP account name will be pre-filled. Based on your needs, you can modify the name as desired.

    • In the Currency list, click to select a currency in which the billing data will be downloaded from the cloud provider.

    • Select the Privacy Policy checkbox to accept the terms and continue with the onboarding process.

📘

Note:

The Account Name field should not exceed the maximum character limit of 50 characters including special characters.

  1. You can click Next to set up advanced settings or click Finish to complete the account onboarding. Please note that the step for configuring advanced settings is not mandatory and can be skipped.

  2. If you click Next, then the Advanced Settings section will be displayed.

    • In the Add/Import Cloud Account Tags section, do any of the following to fill in the tag details:
      In the Custom Tags field:

      • In the Key box, type the tag key.
      • In the Value box, type the tag value.
      • Lastly, click Add Tag. The added tag appears below.
        After clicking View Master Account/Tenant Tags:
      • This opens the Custom Tags dialog box where you can select the required tags and click Add Selected Tags. The selected tags will now show up for the account to be onboarded.
    • In the Governance Configuration field, click Edit to configure the required settings. Refer to Governance Configuration for detailed steps.

  3. Click Finish.

The Onboarding Status dialog box appears that shows the progress of account onboarding. You can click Go to the Dashboard to return to the Account Governance Dashboard.

Governance Configuration

The Governance Configuration page includes many sections where configurations can be made. You need to select the configuration you want to apply to your onboarded account. All the available configuration sections are explained below. Refer to the relevant configuration and follow the steps. These governance configurations can be made while onboarding the account or can be done post onboarding.

FinOps

The configurations that can be done for FinOps are explained below.

🚧

Note:

The Sync Status for Reserved Instance Utilization is not applicable to GCP.

Cost Anomaly

Perform the following steps to configure cost anomaly:

  1. Expand the Cost Anomaly section.

  2. Ensure that Anomaly Detection Sensitivity field is enabled (the slider is on the right side).

  3. In the Resource Category Sensitivity box, the settings are applied by default. If you want to edit the default setting, add the sensitivity based on which anomaly would be detected.

  4. In the Notification section, click Configure. The Notifications Settings dialog box appears.

    1. Select the Enable Notification checkbox. The Email Address, Webhook, and Microsoft Teams Webhook fields are displayed.
    2. In the Email Address box, type the email address of the user(s) and click Add.
    3. In the Webhook box, type the webhook link(s) and click Add.
    4. In the Microsoft Teams Webhook box, type the URL(s) for Microsoft Teams Webhook and click Add.
    5. Click Save & Apply.

SecOps

The configurations that can be done for SecOps are explained below.

Threat Management

To make configuration for threat detection, perform the following steps:

  1. Click to expand the Threat Management section.
  2. Enable the following fields:

    • In the Event Threat Detection field, move slider towards right to enable this field.
    • In the Container Threat Detection field, move slider towards right to enable this field.
  3. Click Save.

To configure notifications related to threat management, perform the following steps:

  1. In the Notification section, click Configure. The Notifications Settings dialog box appears.
  2. Select the Enable Notification checkbox. The Email Address, Webhook, and Microsoft Teams Webhook fields are displayed.
  3. In the Email Address box, type the email address of the user(s) and click Add.
  4. In the Webhook box, type the webhook link(s) and click Add.
  5. In the Microsoft Teams Webhook box, type the URL(s) for Microsoft Teams Webhook and click Add.
  6. Click Save & Apply.

Vulnerability Assessments

To make configuration for vulnerability assessments, perform the following steps:

  1. Click to expand the Vulnerability Assessments section.
  2. Enable the following fields:
    • In the Security Health Analytics field, move slider towards right to enable this field.
    • In the Web Security Scanner field, move slider towards right to enable this field.
  3. Click Save.

To configure notifications for Vulnerability Assessments, perform the following:

  1. Click to expand the section, and then click Configure. The Notifications Settings dialog box appears.
  2. Select the Enable Notification checkbox. The Email Address, Webhook, and Microsoft Teams Webhook fields are displayed.
  3. In the Email Address box, type the email address of the user(s) and click Add.
  4. In the Webhook box, type the webhook link(s) and click Add.
  5. In the Microsoft Teams Webhook box, type the URL(s) for Microsoft Teams Webhook and click Add.
  6. Click Save & Apply.

CloudOps

The configurations that can be done for CloudOps are explained below.

Activity

Perform the following steps to configure activity log for an account:

  1. Expand the Activity feature. In the Activity Log Configuration section, click Configure.
  2. In the Sink Router Name box, type an appropriate sink router name.
  3. In the Topic Name box, type an appropriate name.
  4. In the Subscription Name box, type the name of the subscription.
  5. Select the Apply Default Template checkbox to apply default template for activities to monitor your GCP logging setup.
  6. Click Validate.
  7. After the validation is complete, click Save & Exit.

To configure notifications for activity:

  1. In the Notification section, click Configure. The Notifications Settings dialog box appears.
  2. Select the Enable Notification checkbox. The Email Address, Webhook, and Microsoft Teams Webhook fields are displayed.
  3. In the Email Address box, type the email address of the user(s) and click Add.
  4. In the Webhook box, type the webhook link(s) and click Add.
  5. In the Microsoft Teams Webhook box, type the URL(s) for Microsoft Teams Webhook and click Add.
  6. Click Save & Apply.

Assessments

The configurations that can be done for Assessments are explained below.

Assessments Functionality

When a cloud account is onboarded, users can configure the auto-assessment functionality based on their requirements. Users can choose to either enable or disable the option for auto-assessment while an account is being onboarded (as part of account governance configurations). By default, the option to run an auto-assessment is disabled.

If a user disables the option for auto-assessment, no assessment will be triggered on the onboarded account. If a user enables the setting, it will be triggered automatically on the onboarded account.

If a cloud account is onboarded with auto-assessment disabled at first, but later the auto-assessment option is enabled, then the assessment will proceed to be triggered for that account.

  • If the auto-assessment option is already enabled, users can disable it before the auto-assessment gets triggered.
  • If the auto-assessment option is enabled and then the assessment is triggered, then after that point it cannot be disabled.

To enable auto assessments:

  1. Expand the Assessments Functionality section.
  2. In the Trigger Auto Assessment field, move the slider to right to enable it.
  3. Click Save.

Shared Functionality and Integrated Tools

The configurations that can be done for Shared Functionality and Integrated Tools (common across all products) are explained below.

Policy Engine

To configure the policy engine for an account, perform the following steps:

  1. Expand the Policy Engine section.
  2. In the Policy Engine list, click to select the policy engine for the account and click Ok.
  3. Click Save.

Monitoring

To configure monitoring of accounts, perform the following:

  1. Expand the Monitoring section.
  2. In the Metric Data Collection Interval field, select the frequency in which the metric data needs to be collected and click Save. The available options are 24 Hours (Daily), 8 Hours Once, and 4 Hours Once.
  3. Click Save.

To enable alerts, click Enable Alerts and to delete alert configuration, click Delete. To apply default template to monitor CloudWatch setup, select the Apply Default Template checkbox.

To configure notifications for monitoring alerts, perform the following:

  1. Click to expand the section, and then click Configure. The Notifications Settings dialog box appears.
  2. Select the Enable Notification checkbox. The Email Address, Webhook, and Microsoft Teams Webhook fields are displayed.
  3. In the Email Address box, type the email address of the user(s) and click Add.
  4. In the Webhook box, type the webhook link(s) and click Add.
  5. In the Microsoft Teams Webhook box, type the URL(s) for Microsoft Teams Webhook and click Add.
  6. Click Save & Apply.