GCP On-Premise Connector


This topic describes how to onboard the GCP (Google Cloud Platform) on-premise connector. Onboarding involves completing the prerequisites in GCP, adding the connector in Cloud Security, running the downloaded connector in your environment, and selecting the policies to evaluate.

To access the latest information about this topic and all Cloud Security releases, check out the Release-notes-and-notices.

Understanding the GCP connector

The GCP connector enables you to gather data about the following GCP resources:

  • IAM
  • Networks
  • Virtual Machines
  • ServiceAccountKeys
  • DNS
  • KMS
  • Projects
  • GKE

License utilization

The following resources consume a product license:

  • Google Compute Engine
  • Google Cloud Kubernetes/Google Kubernetes Engine

Completing prerequisites

  • In the GCP console, go to IAM & Admin and open the Service Accounts page.
  • Create a service account for the connector.
  • Assign it the role that has the minimum permissions required by the GCP on-premise connector, created as described in Minimum-Permissions-for-GCP-Connector.
  • While creating the service account, create a key of type JSON and download the key file. You need this file when you onboard the connector.
    The key file is a long-lived credential for the service account: keep it only on the host that will run the connector, restrict its file permissions to the user that runs the connector, and delete and re-create the key if it is ever exposed.
  • Also enable the API services for the following modules in the project:
    • Cloud Resource API
    • IAM API
    • Cloud SQL API
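Before you give the connector the path to the downloaded key file, it is worth checking that the file really is a service account key for the intended project and that nobody else on the host can read it. The following Python script is an added example of that pre-flight check; it is not part of the connector or of Cloud Security. The field names it checks are the standard ones in a GCP service account key JSON; the sample key values are constructed placeholders (the private key is not a real key), and the expected project name, the temporary file paths and the POSIX file-mode check are assumptions made for the example.

```python
"""Pre-flight check for a GCP service account key file (added example)."""
import json
import os
import stat
import tempfile

# Fields that every GCP service account key JSON carries (the subset we check).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def check_key_json(key, expected_project=None):
    """Return a list of problems with a parsed key; an empty list means OK."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % key.get("type"))
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if expected_project and key.get("project_id") != expected_project:
        problems.append("project_id %r does not match expected %r"
                        % (key.get("project_id"), expected_project))
    return problems


def check_key_file(path, expected_project=None):
    """Check the file on disk: it must exist, be readable only by its owner
    (POSIX mode bits; this check is skipped on Windows) and parse as a key."""
    if not os.path.isfile(path):
        return ["key file not found: %s" % path]
    problems = []
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("file mode %o allows group/other access; use chmod 600" % mode)
    try:
        with open(path, "r", encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + ["file is not valid JSON: %s" % exc]
    if not isinstance(key, dict):
        return problems + ["JSON top level is not an object"]
    return problems + check_key_json(key, expected_project)


# Constructed sample key with placeholder values; the private key is not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "cloud-security-connector@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def write_sample_key(mode):
    """Write SAMPLE_KEY to a temporary file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, mode)
    return path


def demo(mode):
    """Write the sample key with the given mode, check it, remove it, return problems."""
    path = write_sample_key(mode)
    try:
        return check_key_file(path, "example-project")
    finally:
        os.remove(path)


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print("mode %o:" % mode, demo(mode) or "OK")
```

Run the script on the host where the connector will run, against the real key path instead of the sample; an empty result means the file is a service account key for the expected project and is readable only by its owner. A mode such as 644 is reported so you can fix it with chmod 600 before onboarding.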

Onboarding the GCP connector

  1. Log in to Cloud Security with your registered credentials.
  2. Select Configure icon > Connectors.
  3. Click Add Connector.
  4. Under Connector Type > On Premise Connectors (Installable), click GCP Connector and then click Continue.
  5. In the Name your connector field, specify a name for the connector.
    The name must be unique; if it is not already in use (that is, not listed on the Manage Connectors page), a green check mark and an 'available' label appear next to the field.
  6. In the GCP key file path field, specify the path to the service account key (JSON) file that you downloaded while completing the prerequisites. The connector reads the key from this path when it runs, so the path must be valid on the host where you run the connector.
  7. Select the method for triggering collection cycles from the Collection Mode menu:

    1. On Demand. Enables on-demand scanning.
    2. Scheduled. Specifies the interval, in hours or minutes, at which GCP resources are periodically collected and evaluated.

    Download size: around 200 MB of free space is required for unzipping the downloaded connector.

  8. Click Continue.
  9. If the download does not start automatically, click Download Connector setup and unzip the GCP Connector.zip file using any standard compression tool.
    The zip file has the name that you specified for the connector in Step 5.
    1. (Windows) Double-click run.bat to run the connector in your target environment.
    2. (Linux) Run chmod +x run.sh to grant execute permission on run.sh, and then start the connector with ./run.sh.
    3. Leave the command window open to allow data collection.
  10. Click Continue.

CIS Benchmark Mapping

The following policies were developed based on the CIS benchmark released on 9 May 2018.

CIS Google Cloud Platform Foundation Benchmark (this single policy also covers IAM, Networks, Virtual Machines, ServiceAccountKeys, DNS, KMS, Projects, and GKE)

'This Policy is created based on the recommended settings defined by Google Cloud Platform Foundation v1.0.0, published on 9 May 2018.'

  1. Clear the policies that you will not use to evaluate your GCP account.
    If an update is available for a policy that you have selected, click Update in the information banner to the right of the policy, and then click Update Policy on the confirmation message that appears.
  2. Click Continue.

    The connector is now available in Cloud Security, and the selected policies are evaluated on the schedule you set or on demand.

    As soon as the connector begins sending data, it is shown in the green 'Running' state. It then collects the data and publishes it back to Cloud Security.

    When you filter resources by the GCP On-Premise Connector, the Resource Types filter offers a drop-down list of the supported resource types.

Resource Types:

Below are the resource types that are supported for the GCP on-premise connector:

    • IAM
    • Networks
    • Virtual Machines
    • ServiceAccountKeys
    • DNS
    • KMS
    • Projects
    • GKE

Performing next steps

To manage connector configuration and settings, see Managing-connectors.

To assess the resources including why a rule failed, see Managing-resources.
