
AQUILA CSPM - GCP Integration


Authentication

To use this CSPM Google Cloud Platform (GCP) integration, you need to set up a Service Account with a Role and a Service Account Key to access data on your GCP project.

1. Service Account

First, you need to create a Service Account. A Service Account (SA) is a special type of Google account that represents a non-human identity (an application or agent rather than a person) that needs to access GCP resources.

The AQUILA Agent uses the SA to access data on Google Cloud Platform using the Google APIs.

2. Required IAM Service Account Roles

For CSPM-GCP Integration

  • Browser: This role grants read access to the project hierarchy.

  • Cloud Asset Viewer: Can view asset metadata across GCP services.

Click here --> GCP - How to Add a Role

3. Enable API Services

  • Cloud Asset API: Provides a metadata inventory and history of GCP resources and IAM policies for security analysis, audit, and compliance.

Click here --> GCP - How to enable Cloud Asset API

4. Service Account Key

Next, now that the Service Account (SA) has access to the Google Cloud Platform (GCP) resources, you need credentials to associate with it: a Service Account Key.

From the list of Service Accounts (SA):

  1. Go to IAM & Admin > Service Accounts in the GCP Console.
  2. Click the service account you created.
  3. Under the "Keys" section, click "Add Key" > "Create new key".
  4. Choose JSON as the key type.
  5. Download and securely store the generated private key (it cannot be retrieved again from GCP if lost).

Please provide the following information to CyTech Support:

  • Project ID - The ID of the Google Cloud project where your resources exist.

  • Credentials File - Save the JSON file with the private key in a secure location on the file system, and make sure that the Log Collector Agent's user can read this file (read-only access is sufficient). Specify the file path in the Log Collector Agent integration UI in the "Credentials File" field. For example: /home/ubuntu/credentials.json.

  • Pub/Sub Topic - Name of the topic the logs are written to.

  • Subscription - Use the short subscription name here, not the full path including the project ID. You can find it as "Subscription ID" in the Google Cloud Console.
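As an added example (not AQUILA or CyTech code), the following Python script checks a downloaded key file before you enter its path in the "Credentials File" field: it verifies that the file is readable only by its owner, that it is a service-account key for the expected Project ID, and that the standard key fields are present. The project ID, service account name and file contents used below are constructed placeholders, not real credentials.

```python
# Added example (not AQUILA/CyTech code): sanity-check a service account key file before giving it to the Log Collector Agent.
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")  # present in every GCP SA key

def check_key_file(path: str, expected_project_id: str) -> list:
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The private key should be readable only by the agent's own user (chmod 600).
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} grants group/other access")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        return problems + ["missing fields: " + ", ".join(missing)]
    if key["type"] != "service_account":
        problems.append(f"type {key['type']!r} is not 'service_account'")
    if key["project_id"] != expected_project_id:
        problems.append(f"project_id {key['project_id']!r} != {expected_project_id!r}")
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {key['client_email']!r} is not a service account")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key block")
    return problems

# Constructed sample key with placeholder values (not a real credential).
SAMPLE_KEY = {
    "type": "service_account", "project_id": "example-project-123",
    "private_key_id": "PLACEHOLDER_KEY_ID", "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "aquila-cspm@example-project-123.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def write_sample(mode: int, **overrides) -> str:
    # Writes SAMPLE_KEY (with overrides) to a temp file with the given permission bits.
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({**SAMPLE_KEY, **overrides}, fh)
    os.chmod(path, mode)
    return path
```

Run `check_key_file("/home/ubuntu/credentials.json", "<your project id>")` against the real file; an empty list means it is ready to be referenced from the agent UI.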


If you need further assistance, kindly contact our support at support@cytechint.com for prompt assistance and guidance.