Add a Google Cloud Platform account
When you add a Google Cloud Platform (GCP) account to Workload Security, all GCP VM instances associated with that account are imported into Workload Security and become visible in the Workload Security console in Computers > your_GCP_service_account > your_GCP_project.
Once imported, the GCP VM instances can be managed like any other computer.
Adding a GCP account to Workload Security is equivalent to adding a GCP connector through the Workload Security API.
- What are the benefits of adding a GCP account?
- Configure a proxy setting for the GCP account
- Add a GCP account to Workload Security
- Remove a Google Cloud Platform account
- Synchronize a GCP account
The benefits of adding a GCP account (through Computers > Add GCP Account) instead of adding individual GCP VMs (through Computers > Add Computer) are:
- Changes in your GCP VM inventory are automatically reflected in the Workload Security console. For example, if you delete a number of VM instances in GCP, those instances disappear automatically from the manager. By contrast, if you use Computers > Add Computer, GCP instances that you've deleted remain visible in the manager until you manually delete them.
- VMs are organized into projects in the manager, which lets you easily see which GCP VMs are protected and which are not. Without the GCP account, all your GCP VMs appear at the same root level under Computers.
- Your smaller-sized GCP instances will be billed at a lower rate (if you are using metered billing). By contrast, if you use Computers > Add Computer, all your GCP instances regardless of size are billed at the highest 'Data Center' rate. For details on billing, see About billing and pricing.
Optionally, you can configure Workload Security to use a proxy server to access resources in GCP service accounts. For details, see Connect to cloud accounts via proxy.
To add a GCP account to Workload Security:
- If you have not done so already, Create a Google Cloud Platform service account for Workload Security.
- In the Workload Security console, go to Computers > Add > Add GCP Account.
- Enter a Display Name. We recommend using the GCP service account name. Examples: GCP Workload Security, Finance GCP Workload Security, Marketing GCP Workload Security.
- Choose the Service Account Key. The key is a JSON file that you saved earlier, when creating the GCP service account. See Create a Google Cloud Platform service account for details.
- Click Next.
- Review the summary information, and then click Close.
The following occurs:
- The Workload Security console displays your GCP service account and its associated projects in their own branch on the left side of the Computers page (see image below). Associated VMs are displayed in the main pane. You can right-click your GCP service account name and select Synchronize Now to see the latest set of GCP VMs.
- If you previously added VM instances from this service account through the Computers > Add Computers option (instead of the Computers > Add GCP Account option described here), these VMs are moved to the correct project under the service account you just added. This move occurs only for VMs that have Deep Security Agent 12.0 or later installed. VMs with pre-12.0 agents remain listed under the root Computers folder.
The following image shows the imported GCP service account, projects, and a VM.
- Repeat the steps in this procedure for each GCP service account you want to add.
You have now added a GCP service account to Workload Security. Proceed to Install the agent on Google Cloud Platform VMs if you have not done so already.
Removing a GCP account from the Workload Security console is permanent, but it does not affect the GCP account. VM instances with Deep Security Agents continue to be protected, but do not receive security updates. If you later reactivate Deep Security Agents on these VM instances, the Deep Security Agents will download the latest security updates at the next scheduled update.
To remove a GCP account:
- In the Workload Security console, click Computers at the top.
- Right-click the GCP account in the tree view on the left, and select Remove Cloud Account.
- Confirm that you want to remove the account.
The account is removed from Workload Security.
When you synchronize (sync) a GCP account, Workload Security connects to the GCP API to obtain and display the latest set of GCP VMs.
To force a sync immediately:
- In the Workload Security console, click Computers.
- On the left, right-click your GCP account and select Synchronize Now.
There is also a background sync that occurs every 10 minutes, and this interval is not configurable. If you force a sync, the background sync is unaffected and continues to occur according to its original schedule.