Onboarding Google Cloud Projects using Service Account (SA)
The customer must follow the requirements below and prepare a service account (SA) with the required roles and permissions before onboarding to the PULSE platform:
Log in to the Cloud portal
Create one service account in any existing project (see How to create a service account), then add a key of JSON type and download it for later use.
Assign the built-in 'Viewer' role to the created SA for the organisation or for the specific projects in the PULSE access scope (see How to grant a single role)
or
Important! Note that new functionality may require additional permissions in the future.
a. Create a role definition at organisation level. If the cloud has no organisation, the role has to be created per project. Alternatively, a combination of roles can be used, as long as the result has all of the permissions listed below.
b. Add the following permissions (39) to the created role:
cloudasset.assets.searchAllResources
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudRecentChangeRecommendations.list
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.containerDiagnosisRecommendations.list
recommender.errorReportingRecommendations.list
recommender.gmpProjectManagementRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityRecommendations.list
recommender.runServiceSecurityRecommendations.list
recommender.usageCommitmentRecommendations.list
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.findings.list
securitycenter.sources.list
c. Assign the created role to the organisation (if applicable) or to all of the projects that you wish to onboard.
Ensure the following services and APIs are enabled on the project holding the service account created for onboarding:
Cloud Resource Manager API
Recommender API
Cloud Asset API
Security Command Center API
Important! APIs must be enabled on the project where the service account is created.
The customer must follow the requirements below and prepare a cost export before onboarding to the PULSE platform. To start collecting your Cloud Billing data, you must enable Cloud Billing data export to BigQuery (see this guide); the steps you need to do are:
Log in to the Cloud portal
Select the project to use to create the billing export
Verify that billing is enabled
Enable the BigQuery Data Transfer Service API for the project
Create a BigQuery dataset
Enable Cloud Billing export to the BigQuery dataset [Detailed usage cost]
Grant the service account permissions for the project used for the cost export:
Open IAM and admin
Select Roles. Create a custom role named, for example, 'PULSE Cost Export Viewer' for this project and add this permission: bigquery.tables.getData. Press Create Role.
Go to IAM and grant access to the already created service account by adding the new role 'PULSE Cost Export Viewer'. Press Save.
Ensure the following APIs are enabled on the project used for the cost export:
BigQuery API
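The console steps above (custom role steps a-c, the API enablement on the service account's project, and the 'PULSE Cost Export Viewer' role on the cost export project) can also be scripted with gcloud. The script below is an added example and not part of the PULSE documentation; the service account address, project IDs, organisation ID and role IDs are constructed placeholders that you override through the environment. A plain run only writes the role definitions and reports the permission count; the gcloud calls run only with --apply.

```shell
#!/bin/sh
# Added example (not part of the PULSE documentation): scripts steps a-c, the API
# enablement and the cost export role with gcloud. All IDs are constructed
# placeholders; override them through the environment before running with --apply.
set -eu

SA_EMAIL="${SA_EMAIL:-pulse-reader@example-sa-project.iam.gserviceaccount.com}"
SA_PROJECT="${SA_PROJECT:-example-sa-project}"              # holds the SA; APIs go here
ORG_ID="${ORG_ID:-}"                                         # empty: no organisation
ONBOARD_PROJECTS="${ONBOARD_PROJECTS:-example-sa-project}"  # used when ORG_ID is empty
COST_PROJECT="${COST_PROJECT:-example-cost-project}"        # holds the billing export dataset
OUT="${OUT:-$(mktemp -d)}"                                   # role YAML files land here

# The 39 permissions from step b, one per line.
PULSE_PERMISSIONS="
cloudasset.assets.searchAllResources
recommender.bigqueryCapacityCommitmentsRecommendations.list
recommender.bigqueryPartitionClusterRecommendations.list
recommender.cloudDeprecationGeneralRecommendations.list
recommender.cloudFunctionsPerformanceRecommendations.list
recommender.cloudRecentChangeRecommendations.list
recommender.cloudSecurityGeneralRecommendations.list
recommender.cloudsqlIdleInstanceRecommendations.list
recommender.cloudsqlInstanceOutOfDiskRecommendations.list
recommender.cloudsqlInstancePerformanceRecommendations.list
recommender.cloudsqlInstanceReliabilityRecommendations.list
recommender.cloudsqlOverprovisionedInstanceRecommendations.list
recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
recommender.computeAddressIdleResourceRecommendations.list
recommender.computeDiskIdleResourceRecommendations.list
recommender.computeImageIdleResourceRecommendations.list
recommender.computeInstanceGroupManagerMachineTypeRecommendations.list
recommender.computeInstanceIdleResourceRecommendations.list
recommender.computeInstanceMachineTypeRecommendations.list
recommender.containerDiagnosisRecommendations.list
recommender.errorReportingRecommendations.list
recommender.gmpProjectManagementRecommendations.list
recommender.iamPolicyChangeRiskRecommendations.list
recommender.iamPolicyRecommendations.list
recommender.iamServiceAccountChangeRiskRecommendations.list
recommender.loggingProductSuggestionContainerRecommendations.list
recommender.resourcemanagerProjectChangeRiskRecommendations.list
recommender.resourcemanagerProjectUtilizationRecommendations.list
recommender.resourcemanagerServiceLimitRecommendations.list
recommender.runServiceCostRecommendations.list
recommender.runServiceIdentityRecommendations.list
recommender.runServiceSecurityRecommendations.list
recommender.usageCommitmentRecommendations.list
resourcemanager.hierarchyNodes.listEffectiveTags
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
securitycenter.findings.list
securitycenter.sources.list
"

permission_count() {
    # Number of whitespace-separated entries in $1, to confirm the list is complete.
    set -- $1
    echo "$#"
}

write_role_yaml() {
    # write_role_yaml FILE TITLE PERMISSION...  -> input for `gcloud iam roles create --file`
    file="$1"; title="$2"; shift 2
    {
        printf 'title: %s\ndescription: PULSE onboarding\nstage: GA\nincludedPermissions:\n' "$title"
        for p in "$@"; do printf '  - %s\n' "$p"; done
    } > "$file"
}

apply() {
    # gcloud calls; only reached with --apply, so a plain run is a dry run.
    if [ -n "$ORG_ID" ]; then
        gcloud iam roles create pulse_reader --organization="$ORG_ID" --file="$OUT/pulse_reader.yaml"
        gcloud organizations add-iam-policy-binding "$ORG_ID" \
            --member="serviceAccount:$SA_EMAIL" --role="organizations/$ORG_ID/roles/pulse_reader"
    else
        for proj in $ONBOARD_PROJECTS; do   # no organisation: one role per onboarded project
            gcloud iam roles create pulse_reader --project="$proj" --file="$OUT/pulse_reader.yaml"
            gcloud projects add-iam-policy-binding "$proj" \
                --member="serviceAccount:$SA_EMAIL" --role="projects/$proj/roles/pulse_reader"
        done
    fi
    gcloud services enable cloudresourcemanager.googleapis.com recommender.googleapis.com \
        cloudasset.googleapis.com securitycenter.googleapis.com --project="$SA_PROJECT"
    gcloud iam roles create PULSE_Cost_Export_Viewer --project="$COST_PROJECT" --file="$OUT/cost_viewer.yaml"
    gcloud projects add-iam-policy-binding "$COST_PROJECT" \
        --member="serviceAccount:$SA_EMAIL" --role="projects/$COST_PROJECT/roles/PULSE_Cost_Export_Viewer"
    gcloud services enable bigquery.googleapis.com --project="$COST_PROJECT"
}

write_role_yaml "$OUT/pulse_reader.yaml" "PULSE Reader" $PULSE_PERMISSIONS
write_role_yaml "$OUT/cost_viewer.yaml" "PULSE Cost Export Viewer" bigquery.tables.getData
echo "wrote role definitions to $OUT ($(permission_count "$PULSE_PERMISSIONS") permissions in pulse_reader)"
if [ "${1:-}" = "--apply" ]; then apply; fi
```

The generated YAML is the format `gcloud iam roles create --file` accepts, so it can also be reviewed or committed before anything is applied. The script takes the custom-role path only; if you prefer the built-in 'Viewer' role, skip the role creation and bind roles/viewer instead. Enabling the Cloud Billing export itself remains a console step.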
Log in to the PULSE platform
Open the Cloud Management menu under Administration
Add a Google Organisation using the SA credentials, for example:
  {
    "type": "service_account",
    "project_id": "nice-text-id",
    "private_key_id": "long-key",
    "private_key": "long-text",
    "client_email": "email@nice-text-id.iam.gserviceaccount.com",
    "client_id": "685746216876518",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/.../email%40nice-text-id.iam.gserviceaccount.com"
  }
Save [done]
Log in to the PULSE platform
Open the Cloud Management menu under Administration
Add a Billing Export Configuration
Project Name [project name where the cost export dataset is located]
Cost Export Table ID [projectname.datasetname.tablename], which can be copied from: BigQuery -> SQL Workspace -> Project -> Dataset -> Table -> Details -> Table ID
Save [done]
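Two values are pasted into PULSE in the steps above: the downloaded key JSON and the cost export table ID. The checks below are an added example, not part of the PULSE documentation, for catching the common copy-paste defects before pressing Save: a key file that is not a service account key, a client_email that is not a service account address, stray whitespace inside quoted values (which breaks the token exchange), and a table ID that is not in project.dataset.table form. The sample key the script writes is constructed for the demonstration, and the table ID pattern is a deliberately narrow assumption rather than BigQuery's full naming rules.

```shell
#!/bin/sh
# Added example (not part of the PULSE documentation): local sanity checks on the
# two values entered into PULSE above, the downloaded key JSON and the cost export
# table ID, before pressing Save. The sample key below is constructed, not a real key.
set -eu

check_sa_key() {
    # Rejects FILE if it is not a service_account key, if client_email is not a
    # service account address, or if any quoted value ends in whitespace (which
    # happens when the JSON is hand-edited or copied from a formatted page).
    file="$1"
    grep -q '"type": *"service_account"' "$file" \
        || { echo "$file: not a service account key" >&2; return 1; }
    grep -q '"client_email": *"[^"]*\.iam\.gserviceaccount\.com"' "$file" \
        || { echo "$file: client_email is not a service account" >&2; return 1; }
    if grep -nE '[[:space:]]",?$' "$file"; then
        echo "$file: whitespace inside quoted values (lines above); re-download the key" >&2
        return 1
    fi
}

check_table_id() {
    # Expects project.dataset.table as copied from the table's Details tab. The pattern
    # is an assumption kept deliberately narrow: lowercase project ID, then dataset and
    # table names made of letters, digits and underscores.
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}\.[A-Za-z0-9_]+\.[A-Za-z0-9_]+$'
}

write_sample_key() {
    # write_sample_key FILE SUFFIX: constructed key in the shape shown above.
    # SUFFIX=" " reproduces a trailing space inside the URI values.
    cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "nice-text-id",
  "private_key_id": "CONSTRUCTED",
  "private_key": "CONSTRUCTED",
  "client_email": "email@nice-text-id.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth$2",
  "token_uri": "https://oauth2.googleapis.com/token$2"
}
EOF
}

WORK="${WORK:-$(mktemp -d)}"
SAMPLE_GOOD_KEY="$WORK/good.json"; SAMPLE_BAD_KEY="$WORK/bad.json"
write_sample_key "$SAMPLE_GOOD_KEY" ""
write_sample_key "$SAMPLE_BAD_KEY" " "

check_sa_key "$SAMPLE_GOOD_KEY" && echo "good.json: accepted"
check_sa_key "$SAMPLE_BAD_KEY" || echo "bad.json: rejected as expected"
check_table_id "nice-text-id.billing.gcp_billing_export_v1_CONSTRUCTED" && echo "table id: accepted"
```

Run check_sa_key against the key file you actually downloaded and check_table_id against the ID copied from BigQuery; both return non-zero with a message on stderr when something is off.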