Connect to Google Cloud Platform

Required Permissions

ControlMap connects to resources in your Google Cloud project by impersonating a service account in that project which holds at least the Security Reviewer (roles/iam.securityReviewer) and Viewer (roles/viewer) roles. ControlMap creates short-lived, read-only connections to the project's resources for scanning.

Steps to connect ControlMap to your Google Cloud

Step 1: Log in to your project and record the project ID

Go to your Google Cloud project's home page and capture that project's ID. The easiest place to find it is the Project Info section of the project dashboard. Enter this ID in your ControlMap settings.

Step 2: Enable the required APIs in your project.

ControlMap uses these APIs to connect to and scan the Google Cloud project's resources. Google requires that each of them be explicitly enabled.

  • bigquery.googleapis.com 
  • bigquerydatatransfer.googleapis.com 
  • cloudkms.googleapis.com 
  • compute.googleapis.com 
  • container.googleapis.com 
  • dns.googleapis.com 
  • iam.googleapis.com 
  • logging.googleapis.com 
  • monitoring.googleapis.com 
  • redis.googleapis.com 
  • sqladmin.googleapis.com
  • cloudresourcemanager.googleapis.com

You can follow these steps to enable the required APIs.

1. Activate Cloud Shell from your Google Cloud Console

2. Execute the following command in Cloud Shell to enable all the required APIs:

gcloud services enable cloudkms.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  dns.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  sqladmin.googleapis.com \
  cloudresourcemanager.googleapis.com \
  bigquery.googleapis.com \
  bigquerydatatransfer.googleapis.com \
  redis.googleapis.com 

Step 3: Create a Service Account in your project

ControlMap impersonates a service account in your project for short-lived sessions in which it scans the project's resources. The service account that you create must hold at least the Security Reviewer (roles/iam.securityReviewer) and Viewer (roles/viewer) roles in your project.

Execute the following commands to create a service account with the correct roles in your project. Together they:

1. Create a service account in the project

2. Grant the service account the Security Reviewer and Viewer roles

3. Allow the ControlMap scanner account to impersonate this service account (Service Account Token Creator role on the service account)

sa=$(gcloud iam service-accounts create controlmap-compliance-scanner  \
  --display-name "ControlMap Scan Service Account"  \
  --description "ControlMap uses this service account to scan your project resources for compliance best practices"  \
  --format="value(email)") && project=$(gcloud config get-value project) && \
gcloud projects add-iam-policy-binding ${project} \
  --member serviceAccount:${sa} \
  --role roles/iam.securityReviewer \
  --format none --condition None && \
gcloud projects add-iam-policy-binding ${project} \
  --member serviceAccount:${sa} \
  --role roles/viewer \
  --format none --condition None && \
gcloud iam service-accounts add-iam-policy-binding ${sa} \
  --member serviceAccount:controlmap-scanner@controlmap-compliance-scanner.iam.gserviceaccount.com \
  --role roles/iam.serviceAccountTokenCreator \
  --format none --condition None && \
echo "Your service account email: ${sa}"

Record the email address printed by this command; you will enter it in your ControlMap settings.
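As an added check (example code written for this page, not ControlMap's own tooling), the following Python audits the bindings that the Step 3 commands create: the scanner service account should hold exactly the two project roles, and the ControlMap scanner principal should be the only member allowed to mint tokens for it. It reads the same dict shape that `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts get-iam-policy --format=json` print; the project ID, service account email and the extra bindings in the sample policies are constructed.

```python
# Least-privilege shape that the Step 3 command establishes.
EXPECTED_PROJECT_ROLES = {"roles/iam.securityReviewer", "roles/viewer"}
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SCANNER_PRINCIPAL = ("serviceAccount:controlmap-scanner@"
                     "controlmap-compliance-scanner.iam.gserviceaccount.com")

def roles_for_member(policy, member):
    """Roles bound to `member` in a policy dict (shape of `get-iam-policy --format=json`)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def members_for_role(policy, role):
    """All members holding `role` in a policy dict."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}

def audit_scanner_sa(project_policy, sa_policy, sa_email):
    """Return findings where bindings drift from the documented setup; [] means clean."""
    member = f"serviceAccount:{sa_email}"
    granted = roles_for_member(project_policy, member)
    findings = [f"extra project role on {sa_email}: {r}"
                for r in sorted(granted - EXPECTED_PROJECT_ROLES)]
    findings += [f"missing project role on {sa_email}: {r}"
                 for r in sorted(EXPECTED_PROJECT_ROLES - granted)]
    # Only ControlMap's scanner principal should be able to mint tokens for this SA.
    impersonators = members_for_role(sa_policy, TOKEN_CREATOR)
    findings += [f"unexpected impersonator of {sa_email}: {m}"
                 for m in sorted(impersonators - {SCANNER_PRINCIPAL})]
    if SCANNER_PRINCIPAL not in impersonators:
        findings.append(f"ControlMap scanner principal cannot impersonate {sa_email}")
    # Step 3 binds with --condition None; a condition means effective access differs.
    for b in project_policy.get("bindings", []):
        if member in b.get("members", []) and b.get("condition"):
            findings.append(f"conditional binding on {b['role']} for {sa_email}")
    return findings

# Constructed sample policies (not real gcloud output) with two deliberate deviations:
# an extra roles/editor grant and a stray human impersonator.
SA_EMAIL = "controlmap-compliance-scanner@example-project.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": "roles/iam.securityReviewer", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/viewer", "members": [f"serviceAccount:{SA_EMAIL}", "user:alice@example.com"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]}]}
SA_POLICY = {"bindings": [
    {"role": TOKEN_CREATOR, "members": [SCANNER_PRINCIPAL, "user:bob@example.com"]}]}

if __name__ == "__main__":
    # For a live project, json.load() the output of `gcloud projects get-iam-policy PROJECT_ID
    # --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`.
    for finding in audit_scanner_sa(PROJECT_POLICY, SA_POLICY, SA_EMAIL):
        print("FINDING:", finding)
```

Run it periodically (or after any IAM change) so that drift such as an added Editor role or a second impersonator on the scanner account is caught rather than silently widening what the scanner can do.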