Google Cloud Platform

Professional Community Platform

The Google Cloud Platform (GCP) integration provides visibility into your cloud assets by synchronizing your GCP cloud inventories with runZero. runZero also integrates with other cloud providers, such as Microsoft Azure and Amazon AWS. As with other integrations, you will need to add the credentials needed to authenticate to GCP and set up a connector in runZero. runZero will pull in GCP compute instance VMs along with their GCP attributes, which will be viewable from each asset.

The following GCP asset types are supported:

  • Compute Engine instances
  • Load balancers
  • Cloud SQL

Requirements

  • Verify you have a Google Cloud service account with the Compute Network Viewer and Cloud SQL Viewer roles.
    • This service account will need to be granted access to each project that you want the integration to gather data from.
  • Download a key for the GCP service account.
  • Verify you have these GCP APIs enabled on each project:
    • Compute Engine
    • Cloud SQL Admin
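
The role requirement above can be checked before the key is uploaded. The following is an added example, not runZero's own code: it compares each project's IAM policy (as exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`) against the two viewer roles and reports anything missing or in excess. The role IDs are the identifiers for the two roles named above; the service account name, project names and sample policies are constructed, and only direct project-level bindings are examined (roles inherited through groups, folders or the organization are not).

```python
import json

# Role IDs for the roles the page names (Compute Network Viewer, Cloud SQL Viewer).
REQUIRED_ROLES = {"roles/compute.networkViewer", "roles/cloudsql.viewer"}

def roles_for(policy, sa_email):
    """Roles bound directly to the service account in one project's IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(key_file, policies):
    """Return findings for missing or excess roles; policies maps project -> policy."""
    findings = []
    if key_file.get("type") != "service_account":
        findings.append("key file is not a service account key")
    home = key_file.get("project_id")
    if home not in policies:
        findings.append(f"{home}: project named in the key file was not audited")
    for project, policy in sorted(policies.items()):
        granted = roles_for(policy, key_file.get("client_email", ""))
        findings += [f"{project}: missing {r}" for r in sorted(REQUIRED_ROLES - granted)]
        findings += [f"{project}: extra role {r}" for r in sorted(granted - REQUIRED_ROLES)]
    return findings

# Constructed sample data (private key material deliberately omitted).
SA = "runzero-sync@example-prod.iam.gserviceaccount.com"
KEY_FILE = json.loads('{"type": "service_account", "project_id": "example-prod", '
                      '"client_email": "%s"}' % SA)
POLICIES = {
    "example-prod": {"bindings": [
        {"role": "roles/compute.networkViewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/cloudsql.viewer",
         "members": [f"serviceAccount:{SA}", "user:alice@example.com"]},
    ]},
    "example-dev": {"bindings": [
        {"role": "roles/compute.networkViewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SA}"]},
    ]},
}

if __name__ == "__main__":
    for line in audit(KEY_FILE, POLICIES) or ["ok: viewer roles only"]:
        print(line)
```

An extra role matters most when Include all projects is set to Yes, because the same key is then used against every project the service account can reach.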

How to set up the Google Cloud Platform integration

Here are the high-level steps to set up the Google Cloud Platform integration:

Step 1: Create Google Cloud Platform credentials

  1. Go to the Credentials page and click Add Credential.
  2. From the Credentials type dropdown, choose GCP Service Account Key.
  3. Provide a name for the credential, like GCP.
  4. Set the Include all projects toggle to Yes if you want runZero to gather asset data from all GCP projects that the service account has access to. If set to No, the integration will only gather asset data from the project specified in the key file.
  5. Click Choose file to upload the service account key file you downloaded from GCP.
  6. If you want other organizations to be able to use this credential, select the Make this a global credential option. Otherwise, you can configure access on a per-organization basis.
  7. Save the credential. You’re now ready to set up and activate the connection to bring in data from Google Cloud Platform.

Step 2: Choose how to configure the GCP integration

The GCP integration can be configured as either a scan probe or a connector task. Scan probes gather data from integrations during scan tasks. Connector tasks run independently from either the cloud or one of your Explorers, only performing the integration sync.

Step 3: Activate the Google Cloud Platform integration

After you add your GCP credential, you’ll need to set up a connector task or scan probe to sync your data.

Step 3a: Configure the GCP integration as a connector task

  1. Activate a connection to GCP. You can access all available third-party connections from the integrations page, your inventory, or the tasks page.
  2. Choose the credential you added earlier. If you don’t see the credential listed, make sure the credential has access to the organization you are currently in.
  3. Enter a name for the task, like Google Cloud Platform sync.
  4. Schedule the sync. A sync can be set to run on a recurring schedule or run once. The schedule will start on the date and time you have set.
  5. To organize your assets logically, choose the site you’d like to add your assets to. You can choose an existing site or add them to a new site when the sync occurs. Assigning your assets to a site helps organize and group them. You can automatically generate a new site per GCP project by selecting this option from the task configuration.
  6. If you want to exclude assets that have not been scanned by runZero from your integration import, switch the Exclude unknown assets toggle to Yes. By default, the integration will include assets that have not been scanned by runZero.
  7. Activate the connection when you are done. The sync will run on the defined schedule. You can check the Scheduled tasks to see when the next sync will occur.

Step 3b: Configure the GCP integration as a scan probe

  1. Create a new scan task or select a future or recurring scan task from your Tasks page.
  2. Add or update the scan parameters based on any additional requirements.
  3. On the Probes and SNMP tab, choose which additional probes to include, set the GCP toggle to Yes, and change any of the default options if needed.
  4. On the Credentials tab, set the GCP toggle for the credential you wish to use to Yes.
  5. Click Initialize scan to save the scan task and have it run immediately or at the scheduled time.

Step 4: View your Google Cloud Platform assets

After a successful sync, you can go to your inventory to view your GCP assets. These assets will have a Google icon listed in the Source column.

To filter by GCP assets, consider running the following query:

source:gcp

Click into each asset to see its individual attributes. runZero will show you the attributes returned by GCP.

Troubleshooting

If you are having trouble using this integration, the questions and answers below may assist in your troubleshooting.

Why is the Google Cloud Platform integration unable to connect?

  1. Are you getting any data from the GCP integration?
    • Make sure to query the inventory rather than look at the task details to review all the data available from this integration.
    • In some cases, integrations have a configuration set that limits the amount of data that comes into the runZero console.
  2. Some integrations require very specific actions that are easy to overlook. If a step is missed when setting up the integration, it may not work correctly. Please review this documentation and follow the steps exactly.
  3. If the GCP integration is unable to connect, be sure to check the task log for errors. Some common errors include:
    • 500 - server error, unable to connect to the endpoint
    • 404 - hitting an unknown endpoint on the server
    • 403 - not authorized, likely a credential issue