Google Cloud Platform (GCP)

Connect the VSM workspace to your Google Cloud Platform environment

The Public Cloud Integration needs a service account equipped with certain permissions to be able to scan your GCP projects. The following guide explains the setup process in detail.

Prerequisites

  • User within GCP with administrative privileges on level of an organization/folder/project and billing accounts
  • Active project linked to a billing account

Step by Step Guide

Create Service Account

  1. Follow the official Google documentation to create a service account with the following details:
    Name: LeanIX Scanner
    ID: will be auto-generated
    Description: Used by LeanIX to call the GCP API
546546

Service Account Creation

  1. Generate a JSON key for the newly created service account which will be downloaded automatically
498498

Activate the "Cloud Asset API" and "BigQuery API"

The Cloud Asset and BigQuery APIs need to be activated for the GCP project that contains the previously created scanner service account.

  1. Open the API Library and make sure that the correct project is selected

  2. Click “enable” to activate the API

692692
  1. Open the API Library and make sure that the correct project is selected

  2. Click “enable” to activate the API

629629

Add Permissions

  1. Go to the GCP console IAM page and select the organization/folder or project you plan to add to LeanIX
  2. Click “add” to add a new user to your organization/folder or project
554554
  1. Add the newly created LeanIX scanner service account to your organization/folder or project, select the roles “Cloud Asset Viewer” and “Viewer”, and click save
531531

Cloud Spend Setup

GCP makes detailed billing information available via billing account exports to Big Query. These exports need to be enabled manually for each billing account. LeanIX VSM will query this information and match them to cloud resources and Software Artifacts.

If you need to configure multiple billing accounts, export the data to the same BigQuery dataset to keep the permission handling simple.

Enable Billing Exports

  1. Open https://console.cloud.google.com/billing and select your billing account
  2. Click on “billing export” and “edit settings” for the “Standard usage cost”
810810
  1. Select a destination “Project name” and “Data set name” for your billing export
778778
  1. Open the BigQuery Explorer and select the project that contains your export data

    The dataset creation is linked to the initial billing export. This may take some time.

  2. Open the dataset details and click “SHARING”

955955
  1. Click "ADD PRINCIPAL"
569569
  1. Assign the role “BigQuery Data Viewer” to your previously created service account and click “save”
594594

📘

Multiple Billing Accounts

If you have multiple billing accounts configured for your projects, repeat the previous steps for the other billing accounts. Writing all billing exports to the same BigQuery dataset will make the permission setup simpler (Steps 4-7 need to be performed only once).

Configure LeanIX VSM

  1. Open the “Administration” page for your LeanIX VSM workspace:
503503
  1. Select the “Integrations” configuration on the left panel and scroll down to select the "Public Cloud Integration". There you have to click the "Configure" button:
28702870
  1. Add an additional “gcp” entry to the json configuration that must contain:
  • organizationalId: The id of the organization, folder or project you would like to scan - e.g., “organizations/my-organization-id”, “folders/my-folder-id” or “projects/my-project-id”
  • serviceAccountJson: The previously created and downloaded service account json
  • billing: A list of billing account export targets
    • accountId: ID of the billing account (XXXXXX-XXXXXX-XXXXXX)
    • projectId: ID of the billing export destination project
    • datasetName: Name of the billing export target BigQuery dataset
"gcp": {
        "organizationalId": "organizations/org-id",
        "serviceAccountJson": {
            "type": "service_account",
            "project_id": "project-id",
            "private_key_id": "*********",
            "private_key": "*********",
            "client_email": "[email protected]********.iam.gserviceaccount.com",
            "client_id": "123456789012345677889",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/scanner%40helios-tst01-32942.iam.gserviceaccount.com"
        },
        "billing": [
            {
                "accountId": "XXXXXX-XXXXXX-XXXXXX",
                "projectId": "project-id-a",
                "datasetName": "billing_export_data"
            },
            {
                "accountId": "YYYYYY-YYYYYY-YYYYYY",
                "projectId": "project-id-b",
                "datasetName": "billing_export_data"
            }
        ]
    }

📘

Multiple Billing Accounts

Since the billing part of the configuration is a json list, a multi billing account entry looks as follows:

    "billing": [
        {
            "accountId": "XXXXXX-XXXXXX-XXXXXX",
            "projectId": "project-id-a",
            "datasetName": "billing_export_data"
        },
        {
            "accountId": "YYYYYY-YYYYYY-YYYYYY",
            "projectId": "project-id-b",
            "datasetName": "billing_export_data"
        }
    ]
  1. Click the “Overwrite all configurations” button to save the configuration

  2. Click the “Scan now” button to confirm the configuration to be working


Did this page help you?