
Google Cloud Platform (GCP), offered by Google, is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, such as Google Search and YouTube. Alongside a set of management tools, it provides a series of modular cloud services including computing, data storage, data analytics and machine learning.

Node changes in Technology Knowledge Update TKU 2019-Dec-1

TKU December 2019 enhances the model for Cloud Regions and Cloud Services to be segregated by account. If you discover more than one AWS Account, more than one Azure Subscription or more than one GCP Project, all the data from Cloud Region through to individual nodes within services will be clearly separated, where before it was intermingled.

As a result, the keys of all CloudRegion and CloudService nodes, and many contained nodes will change, even if you only discover a single account. If you synchronize to a CMDB, the identities of the corresponding CIs will also change.

The existing nodes are not deleted automatically with the application of the TKU. To remove the old nodes from the BMC Discovery model, you can delete the patterns that were deactivated by the new patterns in the TKU. However, the old CIs in the CMDB will not be deleted automatically. The simplest way to remove them is to perform a resynchronization.

Discovering Google Cloud Platform

You access and configure all of your services using the Cloud Console. This section describes the settings and procedures required to discover services running in GCP.


Services and regulatory domains discovered

BMC Discovery enables you to discover your cloud services running in GCP. The following set of GCP services can be discovered with the latest product content update:


Create a credential

To perform discovery on GCP, you must provide an access key (credential) with which BMC Discovery can access the GCP cloud. You create the access key using the GCP Identity and Access Management (IAM) console. You then add a cloud discovery credential to BMC Discovery, using the access key created in the IAM console.

Create an Access Key in the IAM console

  1. Create a new service account for discovery with the following role:
    • Project → Viewer  (Read access to all resources)
  2. Choose to furnish a new private key in JSON format. The access key is used to make authenticated queries to the GCP APIs.
  3. Download the private key as a JSON file and import it when you create a cloud credential in BMC Discovery.

    If you lose the secret access key, you cannot retrieve it from the IAM console; you must create a new access key and use the new key in the BMC Discovery cloud credential. You should keep a note of the secret access key until you have successfully tested the cloud credential.

  4. (Optional) To use one service account to scan multiple Google projects, add the service account to each of those projects with the Project → Viewer role in the Cloud Resource Manager.
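Before importing the downloaded key into a cloud credential, it is worth confirming that the file really is a service-account key (not a gcloud user credential), that it belongs to the expected project and that it has not been left world-readable. The following Python script is an added example, not BMC Discovery or GCP tooling; the field list reflects the JSON key format the IAM console produces, and the sample key embedded at the bottom is constructed, with a placeholder instead of real key material.

```python
import json
import os
import re
import stat

# Fields present in every service-account key file produced by the IAM console.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# PKCS#8 PEM envelope used by GCP service-account keys.
PEM_RE = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?$", re.S
)


def validate_service_account_key(key, expected_project=None):
    """Return a list of problems found in a parsed key file (empty list = usable)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        # A gcloud user credential ("authorized_user") is not a service-account key.
        problems.append("type is not 'service_account'")
    email = key.get("client_email", "")
    if email and not email.endswith("gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    pem = key.get("private_key", "")
    if pem and not PEM_RE.match(pem):
        problems.append("private_key is not a PEM-encoded private key")
    if expected_project and key.get("project_id") != expected_project:
        problems.append(
            f"project_id {key.get('project_id')!r} does not match {expected_project!r}"
        )
    return problems


def key_summary(key):
    """Identify a key for logging without exposing the private key itself."""
    return {
        "project_id": key.get("project_id"),
        "client_email": key.get("client_email"),
        "private_key_id": key.get("private_key_id"),
    }


def load_key_file(path):
    """Parse a downloaded key file; warn if other users on the box can read it."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        print(f"warning: {path} is readable by group/other; restrict it to the owner")
    with open(path) as f:
        return json.load(f)


# Constructed sample in the shape of an IAM-console key file. The private key
# is a placeholder string, not real key material.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "discovery@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

if __name__ == "__main__":
    import sys
    key = load_key_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_KEY
    print(key_summary(key))
    for problem in validate_service_account_key(key):
        print("problem:", problem)
```

Run it with the path of the downloaded file as the only argument; with no argument it checks the embedded sample. The summary deliberately omits the private key so it can be pasted into a ticket when a credential test fails.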

Create a cloud credential in BMC Discovery

Create the cloud credential in the same way as any other credential. The cloud credential uses the Access keys/IDs/passwords as the equivalent of a username and password combination.

  1. From the BMC Discovery Device Credentials page, click Add and select 'Cloud Provider' from the drop-down list.
    The Add Credential page is displayed.
  2. Click the 'plus icon' next to 'Credential Types' to see the available Cloud Providers. Select Google Cloud Platform from the drop-down list.
  3. Add the usual credential information:
    • Label
    • Description
  4. Add the Service Account Key
  5. Optionally specify a proxy to use to access GCP. To use a proxy you must specify the following:
    • Hostname
    • Port
    • Username (only for authenticating proxies)
    • Password (only for authenticating proxies)
  6. Click Apply to save the credential.

Test the credential

Once you have created the credential, you should test it to ensure that it works.

  1. From the credentials page, click Devices.

  2. Filter the list to show cloud credentials.
  3. Click Actions for the GCP cloud credential you added, and then click Test.
  4. The default region is US East 1 (S. Carolina).
  5. Click Test.
    The screen below shows a successful test.

If the credential test was unsuccessful, click the 'Failure' status to see the details. Ensure that you copied the secret access key correctly. Also ensure that the appliance time is no further than five minutes from the time GCP is using. See Time setting for more information.

The BMC Discovery appliance must be able to access GCP using https (port 443).

Time setting

Time synchronization is essential

You must ensure that your appliance time is synchronized using NTP. If you do not use NTP, you must ensure that the time is no further than five minutes from the time GCP is using. GCP uses timestamped authentication and any discrepancy will result in authentication failures.
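A quick way to confirm the appliance clock is inside that five-minute window before testing the credential is to compare it with the Date header that Google's API front end returns. The script below is an added example rather than anything shipped with BMC Discovery; it assumes the appliance can reach www.googleapis.com over HTTPS (port 443) and treats the HTTP Date header as a close enough proxy for the time GCP uses. The 300-second limit mirrors the five-minute allowance stated above.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import urllib.error
import urllib.request

MAX_SKEW_SECONDS = 300  # the five-minute allowance described on this page


def _parse_http_date(value):
    """Parse an RFC 7231 Date header into an aware UTC datetime."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:  # a '-0000' zone yields a naive datetime
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def clock_skew_seconds(server_date, local_time=None):
    """Signed skew (local minus server) in seconds.

    server_date is a Date header string; local_time is a datetime or another
    Date header string and defaults to the current system clock.
    """
    server = _parse_http_date(server_date)
    if local_time is None:
        local = datetime.now(timezone.utc)
    elif isinstance(local_time, str):
        local = _parse_http_date(local_time)
    else:
        local = local_time.astimezone(timezone.utc)
    return (local - server).total_seconds()


def skew_within_limit(skew_seconds, limit=MAX_SKEW_SECONDS):
    """True when the appliance clock is within the tolerance GCP accepts."""
    return abs(skew_seconds) <= limit


def fetch_server_date(url="https://www.googleapis.com/", timeout=5):
    """Return the Date header from a HEAD request (a 4xx response still carries one)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.headers["Date"]
    except urllib.error.HTTPError as err:
        return err.headers["Date"]


if __name__ == "__main__":
    skew = clock_skew_seconds(fetch_server_date())
    verdict = "OK" if skew_within_limit(skew) else "FAIL: fix NTP before testing the credential"
    print(f"appliance clock is {skew:+.0f}s from the server Date header: {verdict}")
```

The Date header has one-second resolution, which is ample for a five-minute tolerance. A failing result here explains a credential test failure far faster than re-checking the key.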


Run a cloud scan

To perform cloud discovery, from the Discovery Status page, use the Add New run control.

  1. Click Add New run.
    The Add a Cloud Run dialog is displayed.


  2. Enter a Label for the cloud discovery run.
  3. To add a scheduled cloud run, select Scheduled and fill in the scheduling information as with normal scheduled discovery runs.
  4. Select Cloud.
  5. Select the provider from the drop-down list. Select Google Cloud Platform.
  6. Select the appropriate cloud credential. If none are available, you must add one.
  7. Select the region to scan, for example, for GCP, US East 1 (S. Carolina). You can also select all regions by clicking the All button.
  8. Click OK.

Examine results

Once you have scanned, you can examine the results.

Scan the hosts running the VMs in the cloud

Perform a normal scan on the hosts running the VMs discovered in the cloud scan. Use the Unscanned Cloud Hosts report on the Cloud Overview dashboard to find these.

Scanning the hosts assumes that the appliance or proxy has network access to hosts running in the cloud, for example, using a VPN.

Public IP addresses do not respond to ICMP pings. You must disable "Ping before scanning"; otherwise all scans are dropped, reporting no response.

Database discovery

You can discover all supported databases in GCP. At the time of release of BMC Discovery 11.3, the following are supported:

  • MySQL
  • PostgreSQL

The following information is required to discover databases in GCP:

  • Endpoint – you can identify the database endpoint using the RDS Dashboard in the GCP Console. 
  • Security groups
    • If the endpoint is publicly accessible, you still must set up a security group with a rule to allow access from the IP address from which BMC Discovery connects.
    • If the database is not publicly accessible, discovery must be running in GCP. You must set up security to allow access from the Virtual Private Cloud (VPC) in which BMC Discovery is running, and be part of a security group with a rule to allow access from the IP address from which BMC Discovery connects.

      In GCP, all security groups prevent access by default; you must open the required ports in a security group before any access is allowed.

    • To summarize, you must configure security groups which enable the BMC Discovery appliance to access the database. This is entirely dependent on the manner in which you have configured your GCP cloud services.

  • Incoming connections – you must permit incoming connections with a rule for an IP address or set of IP addresses. For example, to permit access to a MySQL database, from a single IP address, you would add a rule with the following parameters:
    • Type - MySQL
    • Protocol - TCP
    • Port Range - 3306
    • Source - 77.168.1.100/32

The database can then be discovered like any other MySQL database in your estate.

GCP discovery patterns

The GCP discovery patterns are available on the Manage > Knowledge page. They are located in the Pattern modules list, under Cloud > Google Cloud Platform.

GCP labels discovery

GCP labels are modelled as tag attributes; more information can be found here.

Timeout issue

A 'timeout' error can occur during a scan of all Google regions when IPv6 is enabled on the VM but IPv6 addresses are not reachable from your network.

1. How to check if IPv6 is enabled

Run command:  ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>

2. How to check if IPv6 is working

[root@centos ~]# ping6 accounts.google.com
PING accounts.google.com(muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d)) 56 data bytes
64 bytes from muc11s02-in-x0d.1e100.net (2a00:1450:4016:801::200d): icmp_seq=1 ttl=55 time=7.31 ms

[root@centos ~]# ping6 www.googleapis.com
PING www.googleapis.com(fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a)) 56 data bytes
64 bytes from fra16s14-in-x0a.1e100.net (2a00:1450:4001:81a::200a): icmp_seq=1 ttl=58 time=0.848 ms

3. Solution

If accounts.google.com and www.googleapis.com are not reachable over IPv6, disable IPv6 using the following commands:

sysctl -w net.ipv6.conf.all.disable_ipv6=1

sysctl -w net.ipv6.conf.default.disable_ipv6=1
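The ping6 check above only proves ICMP reachability, whereas the scan needs TCP port 443, and the same question arises for a database endpoint behind a 3306 rule (see Database discovery). The following Python script is an added diagnostic, not part of BMC Discovery: it reads the Linux IPv6 switch directly from /proc (the ifconfig check above is the equivalent), attempts a TCP connect to each endpoint separately over IPv4 and IPv6, and maps the outcome to one of three actions. The hostnames are the ones this page uses; the commented-out database target is a constructed placeholder. The sysctl commands it recommends are the page's own and are runtime-only, so they do not survive a reboot unless also placed in a sysctl configuration file.

```python
import socket

# Endpoints from this page. Port 443 is what discovery needs; a database target
# (constructed placeholder host) can be added to test a 3306 firewall rule.
TARGETS = [
    ("accounts.google.com", 443),
    ("www.googleapis.com", 443),
    # ("mysql-endpoint.example.invalid", 3306),  # placeholder, replace with your endpoint
]

# The page's remedy for the IPv6 timeout case (runtime only; not persistent).
DISABLE_IPV6_CMDS = (
    "sysctl -w net.ipv6.conf.all.disable_ipv6=1",
    "sysctl -w net.ipv6.conf.default.disable_ipv6=1",
)


def ipv6_enabled():
    """Linux: IPv6 is enabled when disable_ipv6 reads 0. Returns None if unknown."""
    try:
        with open("/proc/sys/net/ipv6/conf/all/disable_ipv6") as f:
            return f.read().strip() == "0"
    except OSError:
        return None


def tcp_reachable(host, port, family, timeout=3.0):
    """Resolve host in one address family and attempt a TCP connect."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return False  # no A/AAAA record in this family, or DNS is down
    for fam, stype, proto, _, sockaddr in infos:
        sock = socket.socket(fam, stype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return True
        except OSError:
            continue
        finally:
            sock.close()
    return False


def classify(v4_ok, v6_ok, ipv6_is_enabled):
    """Map one endpoint's connect results to an action code."""
    if not v4_ok and not v6_ok:
        return "unreachable"   # not an IPv6 problem: proxy, firewall rule or port
    if ipv6_is_enabled and not v6_ok:
        return "disable_ipv6"  # the timeout case this page describes
    return "ok"


ADVICE = {
    "ok": "reachable; no action needed",
    "unreachable": "not reachable at all: check the proxy, the firewall/security-group rule and the port",
    "disable_ipv6": "IPv6 is enabled but the endpoint is not reachable over it; run: "
                    + "; ".join(DISABLE_IPV6_CMDS),
}


def check_targets(targets=TARGETS):
    """Return {(host, port): action code} after probing each target both ways."""
    v6_enabled = bool(ipv6_enabled())
    return {
        (host, port): classify(
            tcp_reachable(host, port, socket.AF_INET),
            tcp_reachable(host, port, socket.AF_INET6),
            v6_enabled,
        )
        for host, port in targets
    }


if __name__ == "__main__":
    for (host, port), code in check_targets().items():
        print(f"{host}:{port}: {ADVICE[code]}")
```

Run it on the appliance (or on the proxy that performs the cloud scan) before starting a scan of all regions; an endpoint that connects over IPv4 but times out over IPv6 while IPv6 is enabled is exactly the condition that produces the 'timeout' error described above.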
