Required Permissions
ControlMap connects to resources in your Google Cloud project by impersonating a service account in that project which has at least the Security Reviewer (roles/iam.securityReviewer, sometimes referred to as Security Viewer) and Viewer (roles/viewer) roles. ControlMap creates short-lived, read-only connections to the resources in the Google Cloud project for scanning; it never needs a downloaded key for the service account, because impersonation is granted by binding roles/iam.serviceAccountTokenCreator on that one service account rather than by sharing credentials.
Steps to connect ControlMap to your Google Cloud
Step 1: Log in to your project and record the project ID
Go to the Google Cloud project's home page and capture the ID of that project (the project ID, not the project name or number). The easiest way to find it is the Project Info section of the project dashboard. Provide this ID in your ControlMap settings.
Step 2: Enable the required APIs in your project.
These APIs are used by ControlMap to connect to and scan the Google Cloud project's resources. Google requires that these APIs be explicitly enabled in the project before any client, including a read-only scanner, can call them.
- bigquery.googleapis.com
- bigquerydatatransfer.googleapis.com
- cloudkms.googleapis.com
- compute.googleapis.com
- container.googleapis.com
- dns.googleapis.com
- iam.googleapis.com
- logging.googleapis.com
- monitoring.googleapis.com
- redis.googleapis.com
- sqladmin.googleapis.com
- cloudresourcemanager.googleapis.com
You can follow these steps to enable the required APIs.
1. Activate Cloud Shell from your Google Cloud Console.
2. Execute the following command in Cloud Shell to enable all the required APIs.
Step 3: Create a Service Account in your project
ControlMap impersonates a service account in your project for short-lived connections to scan the project's resources. The service account that you create must have at least the Security Reviewer and Viewer roles in your project.
Execute the following commands to create a service account with the correct roles in your project. These commands:
1. Create a service account in the project.
2. Grant the service account the Security Reviewer and Viewer roles on the project.
3. Enable impersonation of this service account by the ControlMap scanner account (by granting that account roles/iam.serviceAccountTokenCreator on the new service account only, not on the whole project).
Record the service account email address printed in the result of these commands and provide it in your ControlMap settings.
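The following script is an added example that carries out Steps 2 and 3 above end to end with the gcloud CLI; it is not ControlMap's own command and is not taken from this page. It assumes the service account is named controlmap-scanner, that "Security Viewer" on this page means the predefined role roles/iam.securityReviewer, and that the ControlMap scanner principal (the identity that will impersonate the service account, which this page does not state) is supplied in the CONTROLMAP_SCANNER variable. Setting GCLOUD=echo prints the commands instead of running them, which is a convenient way to review the exact grants before applying them.

```shell
#!/bin/sh
# Added example: enable the APIs ControlMap needs, create a read-only service
# account, bind Viewer + Security Reviewer, and allow the ControlMap scanner
# principal to impersonate it. Not ControlMap's own script.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                      # set GCLOUD=echo to preview instead of apply
SA_NAME="${SA_NAME:-controlmap-scanner}"        # assumed service account name
# Placeholder (assumption): the principal ControlMap uses to impersonate the
# service account. Replace it with the value ControlMap gives you.
CONTROLMAP_SCANNER="${CONTROLMAP_SCANNER:-REPLACE-WITH-CONTROLMAP-SCANNER-ACCOUNT}"

# The API list from Step 2, in the page's order.
REQUIRED_APIS="
bigquery.googleapis.com
bigquerydatatransfer.googleapis.com
cloudkms.googleapis.com
compute.googleapis.com
container.googleapis.com
dns.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
redis.googleapis.com
sqladmin.googleapis.com
cloudresourcemanager.googleapis.com
"

# Step 2: enable every required API in one call.
enable_apis() {
  project="$1"
  # shellcheck disable=SC2086  # word-splitting of REQUIRED_APIS is intended
  "$GCLOUD" services enable $REQUIRED_APIS --project "$project"
}

# The email a project-level service account gets: NAME@PROJECT.iam.gserviceaccount.com
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$1"
}

# Step 3: create the account, bind the two read-only roles on the project,
# then grant Token Creator on this one service account so it can be
# impersonated. The last line prints the email to paste into ControlMap.
create_service_account() {
  project="$1"
  email=$(sa_email "$project")
  "$GCLOUD" iam service-accounts create "$SA_NAME" --project "$project" \
    --display-name "ControlMap read-only scanner"
  for role in roles/viewer roles/iam.securityReviewer; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member "serviceAccount:$email" --role "$role" --condition=None
  done
  # Scoped to the service account resource, not the project: this is the
  # grant that enables impersonation and nothing else.
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$email" --project "$project" \
    --member "serviceAccount:$CONTROLMAP_SCANNER" --role roles/iam.serviceAccountTokenCreator
  echo "$email"
}

# Check: list the roles the service account actually holds on the project.
verify_roles() {
  project="$1"
  email=$(sa_email "$project")
  "$GCLOUD" projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$email" \
    --format="value(bindings.role)"
}

main() {
  [ $# -eq 1 ] || { echo "usage: $0 PROJECT_ID" >&2; return 2; }
  enable_apis "$1"
  create_service_account "$1"
  verify_roles "$1"
}

# Run only when a project ID is given, so the file can also be sourced for its functions.
[ $# -eq 0 ] || main "$@"
```

Run it as `sh controlmap-gcp-setup.sh YOUR_PROJECT_ID` from Cloud Shell (or with `GCLOUD=echo` first to inspect the commands). The output of `verify_roles` should list exactly roles/viewer and roles/iam.securityReviewer; anything broader means a binding was added that the scanner does not need.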