Integrate Google Cloud using a service account key

Procedure

Creating a service account

1. Go to your Google Cloud service account, and select + CREATE SERVICE ACCOUNT.

2. Enter the Service account details, and select CREATE AND CONTINUE.

3. Add the roles below:

   • viewer

   • iam.securityReviewer

   • logging.configWriter (to enable event-driven integration)

   • storage.objectViewer conditional to tfstate suffix

     1. To add the tfstate condition that enables Firefly to scan only files with a tfstate suffix, select + ADD IAM CONDITION.

     2. Enter the Title and Condition type > Resource > Name.

     3. Operator > Ends with

     4. Under Value, enter tfstate > SAVE > DONE.

4. At the organization level, create a custom role that allows Firefly to discover the project folder tree. Attach this role to your service account.

   1. Select your organization level.

   2. Select Roles > + CREATE ROLE.

   3. Enter a Title and ID.

   4. Under Role launch stage, select General Availability.

   5. Select + ADD PERMISSIONS and add the permissions below:

      • resourcemanager.folders.get

      • resourcemanager.folders.list

   6. Select ADD > CREATE.

   7. Select IAM > GRANT ACCESS.

   8. Under New principals, enter Firefly's principal.

   9. Under Assign roles, select the role you just created > SAVE.

5. At the project level, select Service Accounts and select the Firefly service account.

6. Select the kebab > Manage keys > ADD KEY > Create new key.

   1. Select JSON > CREATE. Selecting CREATE downloads a service account key file.

   2. In Firefly, paste or upload the account key file into the Service Account Key field.

Enabling APIs

To allow Firefly to scan your projects and present your assets in the Inventory, enable the APIs below:

• Logging API (to enable event-driven integration)

• Admin SDK API

• App Engine Admin API

• BigQuery API

• Cloud Billing API

• Cloud Functions API

• Cloud Scheduler API

• Cloud Dataproc API

• Cloud DNS API

• Cloud Resource Manager API

• Compute Engine API

• IAM API

• Kubernetes Engine API

• Service Management API

• Service Usage API

• Cloud Asset API

• Google Cloud Memorystore for Redis API

• Cloud Storage API

• Groups Settings API

• Cloud Spanner API

• Google Cloud Filestore API

• Recommender API

Discovering multiple projects in this integration

Use the same service account key to simultaneously integrate multiple Google Cloud projects.

Procedure

1. Log in to the Google Cloud console.

2. Select IAM & Admin > Service Accounts.

3. Copy the principal of the Service account you created in "Creating a service account" (associated email address).

4. Select a resource - the desired project you would like to integrate or the organization if you want Firefly to discover all the projects in your organization.

5. Select IAM > GRANT ACCESS.

6. In the New principals field, paste the principal you copied in step 3.

7. In the role field, select the following roles and SAVE:

   • roles/iam.securityReviewer

   • roles/storage.objectViewer (conditional to tfstate suffix)

   • roles/viewer

   • roles/logging.configWriter

• To exclude projects under this service account, enter the rules in the Regex rules field.

• For all integrated projects, verify the Enabling APIs are activated.

Google Cloud Insights

After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To utilize this feature, verify you have enabled the Recommender API.