|
| 1 | +--- |
| 2 | +applies_to: |
| 3 | + stack: preview |
| 4 | + serverless: |
| 5 | + security: preview |
| 6 | +--- |
| 7 | + |
| 8 | +# Set up Cloud Asset Discovery for GCP |
| 9 | + |
| 10 | +## Overview [cad-overview-gcp] |
| 11 | + |
| 12 | +This page explains how to set up the Cloud Asset Discovery integration (CAD) to inventory assets in GCP. |
| 13 | + |
| 14 | +::::{admonition} Requirements |
| 15 | +* The user who gives the integration GCP permissions must be a GCP project `admin`. |
| 16 | +* CAD is available to all {{ecloud}} users. On-premise deployments require an [Enterprise subscription](https://www.elastic.co/pricing). |
| 17 | +* CAD is supported only on GCP, not Google Public Sector. [Click here to request support](https://github.com/elastic/kibana/issues/new/choose). |
| 18 | +:::: |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +## Set up CAD for GCP [cad-setup-gcp] |
| 23 | + |
| 24 | +You can set up CAD for GCP either by enrolling a single project, or by enrolling an organization containing multiple projects. Either way, you need to first add the integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. [Agentless deployment](/solutions/security/cloud/asset-disc-gcp.md#cad-aws-agentless) allows you to collect cloud posture data without having to manage the deployment of {{agent}} in your cloud. [Agent-based deployment](/solutions/security/cloud/asset-disc-gcp.md#cad-aws-agent-based) requires you to deploy and manage {{agent}} in the cloud account you want to monitor. |
| 25 | + |
| 26 | + |
| 27 | +## Agentless deployment [cad-gcp-agentless] |
| 28 | + |
| 29 | +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). |
| 30 | +2. Search for `Cloud asset discovery`, then click on the result. |
| 31 | +3. Click **Add Cloud Asset Discovery**. |
| 32 | +4. Select **GCP**, then either **GCP Organization** to onboard your whole organization, or **Single Project** to onboard an individual account. |
| 33 | +5. Give your integration a name that matches the purpose or team of the GCP subscription/organization you want to monitor, for example, `dev-gcp-account`. |
| 34 | +6. Under **Deployment Options**, select **Agentless**. |
| 35 | +7. Next, you’ll need to authenticate to GCP. Expand the **Steps to Generate GCP Account Credentials** section, then follow the instructions that appear to automatically create the necessary credentials using Google Cloud Shell. |
| 36 | +8. Once you’ve provided the necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. |
| 37 | + |
| 38 | +## Agent-based deployment [cad-gcp-agent-based] |
| 39 | + |
| 40 | + |
| 41 | +### Add the Cloud Asset Discovery integration [cad-add-and-name-integration-gcp] |
| 42 | + |
| 43 | +1. Find **Integrations** in the navigation menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md). |
| 44 | +2. Search for `Cloud asset discovery`, then click on the result. |
| 45 | +3. Click **Add Cloud Asset Discovery**. |
| 46 | +4. Under **Configure integration**, select **GCP**, then either **GCP Organization** (recommended) or **Single Project**. |
| 47 | +5. Give your integration a name that matches the purpose or team of the GCP account you want to monitor, for example, `dev-gcp-project`. |
| 48 | + |
| 49 | + |
| 50 | +### Set up cloud account access [cad-set-up-cloud-access-section-gcp] |
| 51 | + |
| 52 | +::::{note} |
| 53 | +To set up CAD for a GCP project, you need admin privileges for the project. |
| 54 | +:::: |
| 55 | + |
| 56 | + |
| 57 | +For most users, the simplest option is to use a Google Cloud Shell script to automatically provision the necessary resources and permissions in your GCP account. This method, as well as two manual options, are described below. |
| 58 | + |
| 59 | + |
| 60 | +## Cloud Shell script setup (recommended) [cad-set-up-cloudshell] |
| 61 | + |
| 62 | +1. Under **Setup Access**, select **Google Cloud Shell**. Enter your GCP Project ID, and for GCP Organization deployments, your GCP Organization ID. |
| 63 | +2. Under **Where to add this integration**: |
| 64 | + |
| 65 | + 1. Select **New Hosts**. |
| 66 | + 2. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. |
| 67 | + 3. Click **Save and continue**, then **Add {{agent}} to your hosts**. The **Add agent** wizard appears and provides {{agent}} binaries, which you can download and deploy to a VM in your GCP account. |
| 68 | + |
| 69 | +3. Click **Save and continue**. |
| 70 | +4. Copy the command that appears, then click **Launch Google Cloud Shell**. It opens in a new window. |
| 71 | +5. Check the box to trust Elastic’s `cloudbeat` repo, then click **Confirm** |
| 72 | +6. In Google Cloud Shell, execute the command you copied. Once it finishes, return to {{kib}} and wait for the confirmation of data received from your new integration. Then you can click **View Assets** to see your data. |
| 73 | + |
| 74 | +::::{note} |
| 75 | +If you encounter any issues running the command, return to {{kib}} and navigate again to Google Cloud Shell. |
| 76 | +:::: |
| 77 | + |
| 78 | + |
| 79 | +::::{note} |
| 80 | +During Cloud Shell setup, CAD adds roles to Google’s default service account, which enables custom role creation and attachment of the service account to a compute instance. After setup, these roles are removed from the service account. If you attempt to delete the deployment but find the deployment manager lacks necessary permissions, consider adding the missing roles to the service account: [Project IAM Admin](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin), [Role Administrator](https://cloud.google.com/iam/docs/understanding-roles#iam.roleAdmin). |
| 81 | +:::: |
| 82 | + |
| 83 | + |
| 84 | + |
| 85 | +## Manual authentication (GCP organization) [cad-set-up-manual-gcp-org] |
| 86 | + |
| 87 | +To authenticate manually to monitor a GCP organization, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to your integration. |
| 88 | + |
| 89 | +Use the following commands, after replacing `<SA_NAME>` with the name of your new service account, `<ORG_ID>` with your GCP organization’s ID, and `<PROJECT_ID>` with the GCP project ID of the project where you want to provision the compute instance that will run CAD. |
| 90 | + |
| 91 | +Create a new service account: |
| 92 | + |
| 93 | +``` |
| 94 | +gcloud iam service-accounts create <SA_NAME> \ |
| 95 | + --description="Elastic agent service account for CAD" \ |
| 96 | + --display-name="Elastic agent service account for CAD" \ |
| 97 | + --project=<PROJECT_ID> |
| 98 | +``` |
| 99 | + |
| 100 | +Assign the necessary roles to the service account: |
| 101 | + |
| 102 | +``` |
| 103 | +gcloud organizations add-iam-policy-binding <ORG_ID> \ |
| 104 | + --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \ |
| 105 | + --role=roles/cloudasset.viewer |
| 106 | +
|
| 107 | +gcloud organizations add-iam-policy-binding <ORG_ID> \ |
| 108 | + --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \ |
| 109 | + --role=roles/browser |
| 110 | +``` |
| 111 | + |
| 112 | +::::{important} |
| 113 | +If running this command results in a warning related to conditions, try running it again with `--condition=None`. |
| 114 | +:::: |
| 115 | + |
| 116 | +::::{note} |
| 117 | +The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. |
| 118 | +:::: |
| 119 | + |
| 120 | + |
| 121 | +Download the credentials JSON (first, replace `<KEY_FILE>` with the location where you want to save it): |
| 122 | + |
| 123 | +``` |
| 124 | +gcloud iam service-accounts keys create <KEY_FILE> \ |
| 125 | + --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com |
| 126 | +``` |
| 127 | + |
| 128 | +Keep the credentials JSON in a secure location; you will need it later. |
| 129 | + |
| 130 | +Provide credentials to the CAD integration: |
| 131 | + |
| 132 | +1. On the CAD setup screen under **Setup Access**, select **Manual**. |
| 133 | +2. Enter your GCP **Organization ID**. Enter the GCP **Project ID** of the project where you want to provision the compute instance that will run CAD. |
| 134 | +3. Under **Credential**, select **Credentials JSON** and enter the value you generated earlier. |
| 135 | +4. Under **Where to add this integration**, select **New Hosts**. |
| 136 | +5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. |
| 137 | +6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. |
| 138 | + |
| 139 | +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. |
| 140 | + |
| 141 | + |
| 142 | +## Manual authentication (GCP project) [cad-set-up-manual-gcp-project] |
| 143 | + |
| 144 | +To authenticate manually to monitor an individual GCP project, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CAD integration. |
| 145 | + |
| 146 | +Use the following commands, after replacing `<SA_NAME>` with the name of your new service account, and `<PROJECT_ID>` with your GCP project ID. |
| 147 | + |
| 148 | +Create a new service account: |
| 149 | + |
| 150 | +``` |
| 151 | +gcloud iam service-accounts create <SA_NAME> \ |
| 152 | + --description="Elastic agent service account for CAD" \ |
| 153 | + --display-name="Elastic agent service account for CAD" \ |
| 154 | + --project=<PROJECT_ID> |
| 155 | +``` |
| 156 | + |
| 157 | +Assign the necessary roles to the service account: |
| 158 | + |
| 159 | +``` |
| 160 | +gcloud projects add-iam-policy-binding <PROJECT_ID> \ |
| 161 | + --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \ |
| 162 | + --role=roles/cloudasset.viewer |
| 163 | +
|
| 164 | +gcloud projects add-iam-policy-binding <PROJECT_ID> \ |
| 165 | + --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \ |
| 166 | + --role=roles/browser |
| 167 | +``` |
| 168 | + |
| 169 | +::::{important} |
| 170 | +If running this command results in a warning related to conditions, try running it again with `--condition=None`. |
| 171 | +:::: |
| 172 | + |
| 173 | +::::{note} |
| 174 | +The `Cloud Asset Viewer` role grants read access to cloud asset metadata. The `Browser` role grants read access to the project hierarchy. |
| 175 | +:::: |
| 176 | + |
| 177 | + |
| 178 | +Download the credentials JSON (first, replace `<KEY_FILE>` with the location where you want to save it): |
| 179 | + |
| 180 | +``` |
| 181 | +gcloud iam service-accounts keys create <KEY_FILE> \ |
| 182 | + --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com |
| 183 | +``` |
| 184 | + |
| 185 | +Keep the credentials JSON in a secure location; you will need it later. |
| 186 | + |
| 187 | +Provide credentials to the CAD integration: |
| 188 | + |
| 189 | +1. On the CAD setup screen under **Setup Access**, select **Manual**. |
| 190 | +2. Enter your GCP **Project ID**. |
| 191 | +3. Under **Credential**, select **Credentials JSON**, and enter the value you generated earlier. |
| 192 | +4. Under **Where to add this integration**, select **New Hosts**. |
| 193 | +5. Name the {{agent}} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`. |
| 194 | +6. Click **Save and continue**, then follow the instructions to install {{agent}} in your chosen GCP project. |
| 195 | + |
| 196 | +Wait for the confirmation that {{kib}} received data from your new integration. Then you can click **View Assets** to see your data. |
0 commit comments