Add A GCP Account

Location

Main Dashboard > Select Add an account

User Access

User roles with access to this feature:

  • Administrator
  • Power User
  • Custom - Full Access
  • Read Only
  • Custom - Read Only

Set up access to Conformity GCP

You need a GCP service account to enable access to Conformity GCP. The GCP Service Account provides the necessary read-only permissions to run the rule checks against the subscription resources to be added to your Conformity organization.

What is a Service Account? A service account is a special type of Google account that is associated with an application, instead of an individual end-user. Conformity assumes the identity of the service account to call Google APIs so that users aren't directly involved.

To set up a GCP Service Account, go to your GCP console and complete the following steps.

  1. Prerequisite: Enable Google APIs
  2. Create a Custom Role
  3. Create a GCP Service Account for Conformity
  4. Assign access to the Service Account for Projects
  5. Add a GCP account to Conformity

Prerequisite: Enable Google APIs

Before you can create a GCP service account for Conformity, you'll need to enable Google APIs under your existing GCP account within every project.

  1. Log in to your existing GCP account. Ensure that this account has access to all the GCP projects that you want to protect with Conformity.
  2. Select the project that you want to add to Conformity. If you have multiple projects, you can select them later. For example: Cloud Conformity Project 01.
  3. Click Google Cloud Platform at the top to make sure you're on the Home screen.
  4. From the tree view on the left, select APIs & Services > Dashboard.
  5. Click + ENABLE APIS AND SERVICES.
  6. In the search box, enter Cloud Resource Manager API and then click the Cloud Resource Manager API box.
  7. Click ENABLE. Repeat steps 5 – 7 to add the other APIs & Services currently supported by Conformity, as per the table below:
| Service | APIs & Services |
|---|---|
| ApiGateway | API Gateway API |
| ArtifactRegistry | Artifact Registry API |
| BigQuery | BigQuery API |
| CloudAPI | API Keys API |
| CloudIAM | Cloud Resource Manager API, Identity and Access Management (IAM) API, Access Approval API |
| CloudKMS | Cloud Key Management Service (KMS) API |
| CloudVPC | Compute Engine API |
| CloudStorage | Cloud Storage API |
| ComputeEngine | Compute Engine API |
| CloudSQL | Cloud SQL Admin API |
| CloudLoadBalancing | Compute Engine API |
| CloudDNS | Cloud DNS API |
| Dataproc | Cloud Dataproc API |
| Firestore | Cloud Firestore API |
| GKE | Kubernetes Engine API |
| CloudLogging | Cloud Logging API |
| PubSub | Cloud Pub/Sub API |
| ResourceManager | Cloud Resource Manager API |
| CertificateManager | Certificate Manager API |
| NetworkConnectivity | Compute Engine API |

Repeat steps 1 – 9 to add more projects to Conformity. For more information, see this help page from Google on how to enable or disable APIs in GCP.

Create a Custom Role

You will need to create a Custom Role in every GCP project if you wish to add multiple projects to Conformity.

  1. From your GCP account, go to the IAM & Admin > Roles page.
  2. From the top drop-down list, select the organization or project for which you want to create a role.
  3. Click Create Role.
  4. Enter a Title, Description, and Role launch stage. For example:
    • Title: Cloud One Conformity Access
    • Description: Project level Custom Role for Cloud One Conformity access
    • Role launch stage: Alpha
  5. Click +ADD PERMISSIONS.
  6. Add the list of permissions below to enable Conformity Bot, and click CREATE.

Repeat steps 2 – 7 for each GCP project in Conformity that you wish to associate a Custom Role with.

Required permissions by service:

ApiGateway
  • apigateway.gateways.list
  • apigateway.gateways.getIamPolicy
  • apigateway.locations.get
ArtifactRegistry
  • artifactregistry.repositories.getIamPolicy
  • artifactregistry.repositories.list
BigQuery
  • bigquery.datasets.get
  • bigquery.tables.get
CloudAPI
  • apikeys.keys.list
  • serviceusage.services.list
CloudIAM
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • iam.serviceAccounts.get
  • accessapproval.settings.get
  • iam.roles.list
  • iam.serviceAccounts.list
  • iam.serviceAccountKeys.list
CloudKMS
  • cloudkms.keyRings.list
  • cloudkms.cryptoKeys.list
  • cloudkms.cryptoKeys.getIamPolicy
  • cloudkms.locations.list
CloudVPC
  • compute.firewalls.list
  • compute.networks.list
  • compute.subnetworks.list
CloudStorage
  • storage.buckets.list
  • storage.buckets.getIamPolicy
ComputeEngine
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.machineImages.getIamPolicy
  • compute.machineImages.list
  • compute.instances.list
  • compute.images.list
  • compute.images.getIamPolicy
  • compute.projects.get
  • compute.instanceGroups.list
  • compute.vpnGateways.list
  • compute.zones.list
CloudSQL
  • cloudsql.instances.list
  • cloudsql.instances.listServerCas
CloudLoadBalancing
  • compute.backendServices.list
  • compute.globalForwardingRules.list
  • compute.targetHttpsProxies.list
  • compute.targetSslProxies.list
  • compute.sslPolicies.list
  • compute.urlMaps.list
  • compute.regionBackendServices.list
CloudDNS
  • dns.managedZones.list
  • dns.policies.list
Dataproc
  • dataproc.clusters.list
Firestore
  • datastore.databases.list
GKE
  • container.clusters.list
CloudLogging
  • logging.sinks.list
  • logging.logMetrics.list
  • monitoring.alertPolicies.list
PubSub
  • pubsub.topics.list
ResourceManager
  • resourcemanager.projects.get
  • orgpolicy.policy.get
CertificateManager
  • certificatemanager.certs.list
NetworkConnectivity
  • compute.routers.list


Alternative: Create a custom role using a YAML file:

  1. To create a custom role at the project level, execute the following command:

    gcloud iam roles create (role-id) --project=(project-id) --file=(yaml-file-path)

  2. To create a custom role at the organization level, execute the following command:

    gcloud iam roles create (role-id) --organization=(organization-id) --file=(yaml-file-path)

The following example YAML file contains the permissions required by Conformity Bot:

    title: "Cloud One Conformity Bot Access"
    description: "Project level Custom Role for Cloud One Conformity access"
    stage: "ALPHA"

    includedPermissions:
    - accessapproval.settings.get
    - apigateway.gateways.list
    - apigateway.gateways.getIamPolicy
    - apigateway.locations.get
    - apikeys.keys.list
    - artifactregistry.repositories.getIamPolicy
    - artifactregistry.repositories.list
    - bigquery.datasets.get
    - bigquery.tables.get
    - cloudkms.cryptoKeys.getIamPolicy
    - cloudkms.cryptoKeys.list
    - cloudkms.keyRings.list
    - cloudkms.locations.list
    - cloudsql.instances.list
    - cloudsql.instances.listServerCas
    - compute.backendServices.list
    - compute.disks.getIamPolicy
    - compute.disks.list
    - compute.machineImages.getIamPolicy
    - compute.machineImages.list
    - compute.regionBackendServices.list
    - compute.firewalls.list
    - compute.globalForwardingRules.list
    - compute.images.getIamPolicy
    - compute.images.list
    - compute.instances.list
    - compute.networks.list
    - compute.subnetworks.list
    - compute.projects.get
    - compute.targetHttpsProxies.list
    - compute.targetSslProxies.list
    - compute.sslPolicies.list
    - compute.urlMaps.list
    - compute.instanceGroups.list
    - compute.vpnGateways.list
    - compute.zones.list
    - container.clusters.list
    - dataproc.clusters.list
    - datastore.databases.list
    - dns.policies.list
    - dns.managedZones.list
    - iam.serviceAccounts.get
    - iam.serviceAccounts.list
    - iam.serviceAccountKeys.list
    - iam.roles.list
    - logging.sinks.list
    - logging.logMetrics.list
    - monitoring.alertPolicies.list
    - orgpolicy.policy.get
    - pubsub.topics.list
    - resourcemanager.projects.get
    - resourcemanager.projects.getIamPolicy
    - serviceusage.services.list
    - storage.buckets.getIamPolicy
    - storage.buckets.list
    - certificatemanager.certs.list
    - compute.routers.list
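Because the role file is what `gcloud iam roles create` turns into a permission grant, it is worth checking before creating the role that every entry is still a read-only permission and that no typo or stray write permission has crept in. The following check is an added example, not part of the Conformity documentation; it parses the flat `includedPermissions` layout shown above and the sample role text is constructed (it deliberately includes a mis-cased `cloudSql.instances.list`, an unwanted `compute.instances.delete` and a duplicate entry so the checks have something to report).

```python
"""Least-privilege check for a Conformity custom-role YAML file.
Added example (not Conformity's own code): parses the simple YAML layout
used in the docs and reports anything that is not a read-only permission."""
import re

# Only these final segments occur in the documented role; anything else
# (create, delete, setIamPolicy, ...) would grant more than read access.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy", "listServerCas"}
# GCP permission ids are <service>.<resource>.<verb> with a lowercase service.
PERMISSION_RE = re.compile(r"[a-z][a-z0-9]*\.[A-Za-z]+\.[A-Za-z]+")

SAMPLE_ROLE = """\
title: "Cloud One Conformity Bot Access"
description: "Project level Custom Role for Cloud One Conformity access"
stage: "ALPHA"
includedPermissions:
- accessapproval.settings.get
- apigateway.gateways.list
- cloudsql.instances.listServerCas
- cloudSql.instances.list
- compute.instances.delete
- storage.buckets.getIamPolicy
- storage.buckets.list
- storage.buckets.list
"""  # constructed sample; three of the entries are intentionally wrong

def parse_role_yaml(text):
    """Return (title, permissions) from the flat role-file layout."""
    title, perms, in_list = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("title:"):
            title = line.split(":", 1)[1].strip().strip('"')
        elif line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.startswith("- "):
            perms.append(line[2:].strip())
        else:
            in_list = False  # any other top-level key ends the list
    return title, perms

def audit_role(text):
    """Report write verbs, malformed ids and duplicates in a role file."""
    title, perms = parse_role_yaml(text)
    report = {"title": title, "count": len(perms),
              "writes": [], "malformed": [], "duplicates": []}
    seen = set()
    for p in perms:
        if p in seen:
            report["duplicates"].append(p)
        seen.add(p)
        if not PERMISSION_RE.fullmatch(p):
            report["malformed"].append(p)
        if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS:
            report["writes"].append(p)
    return report

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE).items():
        print(f"{key}: {value}")
```

To check a real file, pass its contents to `audit_role` instead of `SAMPLE_ROLE`; an empty `writes` list is the result to expect for the documented role.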

Create a Service Account

Before you begin, make sure you've enabled the GCP APIs. See Prerequisite: Enable the Google APIs and Create a Custom Role.

  1. Select any project from your existing GCP account. For example: Cloud Conformity Project 01.
  2. Click Google Cloud Platform at the top to make sure you're on the home screen.
  3. From the tree view on the left, select IAM & admin > Service accounts.
  4. Click + CREATE SERVICE ACCOUNT.
  5. Enter the service account details, i.e., service account name, ID, and description. For example:

    • Service account name: Cloud One Conformity Bot
    • Service account ID: cloud-one-conformity-bot (the resulting email is cloud-one-conformity-bot@<your_project_ID>.iam.gserviceaccount.com)
    • Service account description: GCP service account for connecting Cloud One Conformity Bot to GCP.

  6. Click CREATE AND CONTINUE.
  7. From the Select a role drop-down list, select the Custom > Cloud One Conformity Access role, or click inside the Type to filter area and enter Cloud One Conformity Access to find it.
  8. Click CONTINUE.
  9. Click DONE to grant users access to this service account. Your service account will be listed under the "Service accounts" tab.
  10. Select and click the project name from the Service Accounts page.
  11. Go to the KEYS tab and click ADD KEY to create a new key.
  12. Select JSON and click CREATE.
  13. Save the key (JSON file) to a safe place. Important: Place the JSON file in a location that is accessible for later upload. If you need to move or distribute the file, make sure you do so by using secure methods.
  14. Click CLOSE.

You have now created a GCP service account with necessary roles, as well as a service account key in JSON format. The service account is created under the selected project (Project01) and it can be associated with additional projects. For details, see the following section.

Assign Access to the Service Account for Projects

If you have multiple projects in GCP, you must associate them with the service account you just created. Once you assign access to the service account, all your projects will be visible in Conformity.

Important: Before you begin, make sure you have completed Prerequisite: Enable the Google APIs and Create a GCP service account.

  1. Determine the email of the GCP service account you just created:
  2. From your GCP account, select the project under which you created the GCP service account (in our example, Cloud Conformity Project 01).
  3. On the left, expand IAM & Admin > Service accounts.
  4. In the main pane, look under the Email column to find the GCP service account email. For example: cloud-one-conformity-bot@cloud-conformity-project-01.iam.gserviceaccount.com
  5. The service account email includes the name of the project under which it was created.
  6. Note this address or copy it to the clipboard.
  7. Go to another project by selecting it from the drop-down list at the top. For example: Cloud Conformity Project 02.
  8. Click Google Cloud Platform at the top to make sure you're on the home screen.
  9. From the tree view on the left, click IAM & Admin > IAM.
  10. Click ADD at the top of the main pane.
  11. In the New members field, paste the Cloud Conformity Project 01 GCP service account email address. For example: cloud-one-conformity-bot@cloud-conformity-project-01.iam.gserviceaccount.com
  12. From the Select a role drop-down list, select the Custom > Conformity Bot role, or click inside the Type to filter area and enter Conformity Bot to find it.
  13. Click SAVE.
  14. Repeat steps 1 - 8 for each project you want to associate with the GCP service account.
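After binding the service account in several projects, it is easy to end up with one project that was skipped and another where the account was also given a broad basic role such as Editor. The following audit is an added example, not part of the Conformity documentation: it takes, per project, an IAM policy in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` (the three policies below are constructed) and reports whether the account holds exactly the custom role. The role id `conformityAccess` is an assumed value standing in for the `(role-id)` placeholder used with `gcloud iam roles create`; a role created at the organization level would carry an `organizations/.../roles/...` name instead.

```python
"""Audit project IAM bindings for the Conformity service account.
Added example (not Conformity's own code). Policies are constructed to
look like `gcloud projects get-iam-policy PROJECT --format=json` output."""

SA_EMAIL = "cloud-one-conformity-bot@cloud-conformity-project-01.iam.gserviceaccount.com"
SA_MEMBER = "serviceAccount:" + SA_EMAIL
ROLE_ID = "conformityAccess"  # assumed role id; the docs use a (role-id) placeholder

POLICIES = {  # constructed sample policies, one per project
    "cloud-conformity-project-01": {"bindings": [
        {"role": "projects/cloud-conformity-project-01/roles/conformityAccess",
         "members": [SA_MEMBER]}]},
    # Custom role present, but someone also granted the broad Editor role.
    "cloud-conformity-project-02": {"bindings": [
        {"role": "projects/cloud-conformity-project-02/roles/conformityAccess",
         "members": [SA_MEMBER]},
        {"role": "roles/editor",
         "members": ["user:alice@example.com", SA_MEMBER]}]},
    # Step 14 was never done for this project: no binding at all.
    "cloud-conformity-project-03": {"bindings": [
        {"role": "roles/viewer", "members": ["user:bob@example.com"]}]},
}

def roles_for_member(policy, member):
    """All roles a member holds in one project policy, sorted for stable output."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def audit_project(project, policy, member=SA_MEMBER, role_id=ROLE_ID):
    """Return 'ok', 'missing', or 'excess:<roles>' for one project.
    A project without the custom role is reported as missing even if the
    account holds other roles there, since the Conformity checks need it."""
    roles = roles_for_member(policy, member)
    expected = f"projects/{project}/roles/{role_id}"
    if expected not in roles:
        return "missing"
    extra = [r for r in roles if r != expected]
    return "excess:" + ",".join(extra) if extra else "ok"

def audit_all(policies, member=SA_MEMBER, role_id=ROLE_ID):
    return {p: audit_project(p, pol, member, role_id) for p, pol in policies.items()}

if __name__ == "__main__":
    for project, status in audit_all(POLICIES).items():
        print(f"{project}: {status}")
```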

For more information, see this help page from Google on how to create a service account.

You are now ready to add the GCP account you just created to Conformity.

Add a GCP account to Conformity

  1. If you have not done so already, create a Google Cloud Platform service account for Conformity.
  2. In the Conformity console, go to Add an account.
  3. Select GCP Project.
  4. Enter a service account display name. For example: GCP Conformity.
  5. Click Browse to upload the Google Service Account key JSON. The key is the JSON file that you saved earlier, when creating the GCP service account. See Create a service account for details.
  6. Click Next.
  7. Select the GCP Projects you wish to add to Conformity and click Next.
  8. Review the summary information and click Finish.

Once your GCP project is successfully added to Conformity, you will be able to view the following updates:

  • Conformity Bot will begin scanning the newly added accounts.
  • The Conformity console displays your GCP service account and its associated projects in their group on the menu.

Repeat the steps in this procedure for each GCP service account you want to add.

Remove Service Accounts from Conformity

  1. From your Conformity account, go to Administration.
  2. Select Subscriptions.
  3. Click Delete… on the existing Service Account.
    Note: Service Accounts can only be deleted once all their Projects have been removed.