
Cloud Security Posture Management Manual (Google Cloud Platform)



For Manual authentication (GCP organization)

To authenticate manually to monitor a GCP organization, you’ll need to create a new GCP service account, assign it the necessary roles, generate credentials, then provide those credentials to the CSPM integration.
 

 

Use the following commands, after replacing <SA_NAME> with the name of your new service account, <ORG_ID> with your GCP organization’s ID, and <PROJECT_ID> with the GCP project ID of the project where you want to provision the compute instance that will run CSPM.


Go to Google Cloud Console.

In the top-right corner, click on the Cloud Shell Icon 


Set Your Active Project
 Run this command to select the GCP project where you want to create the service account:
  gcloud config set project <PROJECT_ID>


Set up cloud account access
 

 

Note: To set up CSPM for a GCP project, you need admin privileges for the project. 


 

 

Create a new service account: 

gcloud iam service-accounts create <SA_NAME> \
    --description="Elastic agent service account for CSPM" \
    --display-name="Elastic agent service account for CSPM" \
    --project=<PROJECT_ID>

 

Assign the necessary roles to the service account at Organization Level: 

 

gcloud organizations add-iam-policy-binding <ORG_ID> \
    --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
    --role=roles/cloudasset.viewer

gcloud organizations add-iam-policy-binding <ORG_ID> \
    --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
    --role=roles/browser

 



Note: The Cloud Asset Viewer role grants read access to cloud asset metadata. The Browser role grants read access to the project hierarchy. 

 

Download the credentials JSON (first, replace <KEY_FILE> with the location where you want to save it): 

 

gcloud iam service-accounts keys create <KEY_FILE> \
    --iam-account=<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

 

Provide CyTech the following values: 


  • Organization ID 

  • Project ID (the project where you want to provision the compute instance that will run CSPM) 

  • Credentials JSON values 


 

 

Assign the necessary roles to the service account at the Project Level: 

 

gcloud projects add-iam-policy-binding <PROJECT_ID> \
    --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
    --role=roles/cloudasset.viewer

gcloud projects add-iam-policy-binding <PROJECT_ID> \
    --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
    --role=roles/browser

 

 

 

 

 

 

Provide CyTech the following values: 


  • Project ID (the project where you want to provision the compute instance that will run CSPM) 

  • Credentials JSON values
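
Before handing over the credentials, you can confirm that the service account holds only the two read-only roles granted above. The check below is an added example, not part of the original manual or of any vendor tooling; the helper name audit_sa_roles and the sample role list are assumptions made for illustration.

```shell
#!/bin/sh
# Roles this manual grants to the CSPM service account.
EXPECTED_ROLES="roles/browser roles/cloudasset.viewer"

# audit_sa_roles (hypothetical helper): reads role names on stdin, one per
# line, prints one finding per line, and returns 0 only when the bound roles
# are exactly EXPECTED_ROLES.
audit_sa_roles() {
    actual=$(sed '/^[[:space:]]*$/d' | sort -u)
    status=0
    # Every expected role must be present.
    for role in $EXPECTED_ROLES; do
        if ! printf '%s\n' "$actual" | grep -qxF "$role"; then
            echo "MISSING $role"
            status=1
        fi
    done
    # Any role outside the expected set is more access than CSPM needs.
    for role in $actual; do
        case " $EXPECTED_ROLES " in
            *" $role "*) ;;
            *) echo "EXTRA $role"; status=1 ;;
        esac
    done
    if [ "$status" -eq 0 ]; then echo "OK"; fi
    return "$status"
}

# In Cloud Shell, feed it the roles bound to the account at organization level
# (use "gcloud projects get-iam-policy <PROJECT_ID>" for the project-level setup):
#
#   gcloud organizations get-iam-policy <ORG_ID> \
#       --flatten="bindings[].members" \
#       --filter="bindings.members:serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com" \
#       --format="value(bindings.role)" | audit_sa_roles

# Constructed sample: an account that also holds roles/editor is flagged.
printf 'roles/browser\nroles/cloudasset.viewer\nroles/editor\n' | audit_sa_roles || true
```

An EXTRA line means the account has a binding this manual did not ask for; remove it before sharing the key.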