Onboarding Google Cloud Projects using Service Account (SA)

Customer Prerequisites - Creating SA

The customer must meet the requirements below and prepare an SA with the required roles and permissions before onboarding to the PULSE platform:

or

Important! Note that new functionality may require new permissions.


a. Create a Role definition at the organisation level. If the cloud does not have an organisation, the role has to be created per project. Alternatively, a combination of roles can be used, as long as the result has all of the permissions listed below.


b. Add the following permissions (39) to the created role:


cloudasset.assets.searchAllResources

recommender.bigqueryCapacityCommitmentsRecommendations.list

recommender.bigqueryPartitionClusterRecommendations.list

recommender.cloudDeprecationGeneralRecommendations.list

recommender.cloudFunctionsPerformanceRecommendations.list

recommender.cloudRecentChangeRecommendations.list

recommender.cloudSecurityGeneralRecommendations.list

recommender.cloudsqlIdleInstanceRecommendations.list

recommender.cloudsqlInstanceOutOfDiskRecommendations.list

recommender.cloudsqlInstancePerformanceRecommendations.list

recommender.cloudsqlInstanceReliabilityRecommendations.list

recommender.cloudsqlOverprovisionedInstanceRecommendations.list

recommender.cloudsqlUnderProvisionedInstanceRecommendations.list

recommender.computeAddressIdleResourceRecommendations.list

recommender.computeDiskIdleResourceRecommendations.list

recommender.computeImageIdleResourceRecommendations.list

recommender.computeInstanceGroupManagerMachineTypeRecommendations.list

recommender.computeInstanceIdleResourceRecommendations.list

recommender.computeInstanceMachineTypeRecommendations.list

recommender.containerDiagnosisRecommendations.list

recommender.errorReportingRecommendations.list

recommender.gmpProjectManagementRecommendations.list

recommender.iamPolicyChangeRiskRecommendations.list

recommender.iamPolicyRecommendations.list

recommender.iamServiceAccountChangeRiskRecommendations.list

recommender.loggingProductSuggestionContainerRecommendations.list

recommender.resourcemanagerProjectChangeRiskRecommendations.list

recommender.resourcemanagerProjectUtilizationRecommendations.list

recommender.resourcemanagerServiceLimitRecommendations.list

recommender.runServiceCostRecommendations.list

recommender.runServiceIdentityRecommendations.list

recommender.runServiceSecurityRecommendations.list

recommender.usageCommitmentRecommendations.list

resourcemanager.hierarchyNodes.listEffectiveTags

resourcemanager.organizations.get

resourcemanager.projects.get

resourcemanager.projects.list

securitycenter.findings.list

securitycenter.sources.list


c. Assign the created role to the organisation (if applicable) or to all of the projects that you wish to onboard.

Important! APIs must be enabled on the project where the Service Account is created.
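
As an added example (not part of the PULSE documentation), the Python script below checks the "combination of roles" option from step a: it takes role definitions in the JSON form printed by `gcloud iam roles describe --format=json` and reports which of the 39 permissions are missing and which granted permissions fall outside the list. The role names and the two sample roles are constructed for illustration.

```python
import json

# The 39 permissions from step b: 32 "recommender.<name>Recommendations.list" plus 7 others.
_RECOMMENDERS = """
bigqueryCapacityCommitments bigqueryPartitionCluster cloudDeprecationGeneral
cloudFunctionsPerformance cloudRecentChange cloudSecurityGeneral cloudsqlIdleInstance
cloudsqlInstanceOutOfDisk cloudsqlInstancePerformance cloudsqlInstanceReliability
cloudsqlOverprovisionedInstance cloudsqlUnderProvisionedInstance
computeAddressIdleResource computeDiskIdleResource computeImageIdleResource
computeInstanceGroupManagerMachineType computeInstanceIdleResource
computeInstanceMachineType containerDiagnosis errorReporting gmpProjectManagement
iamPolicyChangeRisk iamPolicy iamServiceAccountChangeRisk
loggingProductSuggestionContainer resourcemanagerProjectChangeRisk
resourcemanagerProjectUtilization resourcemanagerServiceLimit runServiceCost
runServiceIdentity runServiceSecurity usageCommitment
""".split()
REQUIRED = {f"recommender.{n}Recommendations.list" for n in _RECOMMENDERS} | {
    "cloudasset.assets.searchAllResources",
    "resourcemanager.hierarchyNodes.listEffectiveTags",
    "resourcemanager.organizations.get", "resourcemanager.projects.get",
    "resourcemanager.projects.list",
    "securitycenter.findings.list", "securitycenter.sources.list",
}
assert len(REQUIRED) == 39  # matches the count stated in step b


def audit_roles(role_docs):
    """Return (missing, excess) for the union of includedPermissions in role_docs."""
    granted = set()
    for doc in role_docs:  # each doc is one role's JSON text
        granted.update(json.loads(doc).get("includedPermissions", []))
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)


# Constructed sample: two hypothetical custom roles meant to cover the list together;
# one required permission was forgotten and one write permission was added by mistake.
_OTHER = sorted(p for p in REQUIRED if not p.startswith("recommender."))
ROLE_A = json.dumps({"name": "organizations/123/roles/pulseRecommender",
                     "includedPermissions": sorted(REQUIRED - set(_OTHER))})
ROLE_B = json.dumps({"name": "organizations/123/roles/pulseInventory",
                     "includedPermissions": [p for p in _OTHER if p != "securitycenter.sources.list"]
                     + ["resourcemanager.projects.setIamPolicy"]})

if __name__ == "__main__":
    missing, excess = audit_roles([ROLE_A, ROLE_B])
    print("missing:", missing)
    print("excess: ", excess)
```

An empty `missing` list means the combination satisfies step a; anything in `excess` is access beyond what the onboarding asks for and is worth removing before the role is assigned.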

Customer Prerequisites - Creating Cost Export

The customer must meet the requirements below and prepare a cost export before onboarding to the PULSE platform. To start collecting your Cloud Billing data, you must enable Cloud Billing data export to BigQuery by following the steps in this guide:

PULSE Configuration - Onboarding SA

{
     "type": "service_account",
     "project_id": "nice-text-id",
     "private_key_id": "long-key",
     "private_key": "long-text",
     "client_email": "email@nice-text-id.iam.gserviceaccount.com",
     "client_id": "685746216876518",
     "auth_uri": "https://accounts.google.com/o/oauth2/auth",
     "token_uri": "https://oauth2.googleapis.com/token",
     "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
     "client_x509_cert_url": "https://www.googleapis.com/.../email%40nice-text-id.iam.gserviceaccount.com"
}

PULSE Configuration - Onboarding Cost Export