GCP

Integrating GCP with Escape's ASM enhances visibility and management of deployments across GCP services.

Discovered Resources

The GCP integration automatically discovers and inventories the following resources from your GCP project:

  • API Gateway Schemas: OpenAPI specifications and API schemas registered in GCP API Gateway
  • API Gateway Services: API services and their configurations exposed through GCP API Gateway
  • GCP Hosts: Compute Engine instances, load balancers, and other host resources with public endpoints

These discovered resources are automatically classified as Assets (APIs, DNS records, WebApps) in Escape's ASM, enabling continuous security monitoring and testing.

Supported GCP Services

GCP API Gateway: Managed API gateway for creating, securing, and monitoring APIs.

Compute Engine: Virtual machines and load balancers exposing services.

Generate GCP OAuth Credentials (for a project)

Create your API Credentials in GCP for a project:

  1. Navigate to your API Credentials page
  2. Click Create Service Account and follow the setup instructions
  3. Assign the Viewer role from Basic roles
  4. Click Done to create the account
  5. Open the newly created service account
  6. Go to the Keys tab and click Add Key
  7. Select Create new key, choose JSON format, and click Create
  8. Save the downloaded JSON file and copy its contents
  9. Paste the JSON contents into the designated text area

Important: Enable the following APIs in the GCP console:

Generating GCP OAuth Credentials (for an organization)

Create your API Credentials in GCP for an organization:

  1. Navigate to the GCP IAM Admin Console at the organization level (requires organization owner access)
  2. Ensure you have the following roles:
    • Organization Administrator
    • Organization Role Administrator (add roles using the edit button next to your user)
  3. Go to organization-level roles and click Create Role
  4. Configure the role:
    • Title: Escape Integration Role
    • ID: escape_integration_role
    • Role Launch Stage: General availability
  5. Add the following permissions:

        # API Gateway Permissions
        apigateway.apiconfigs.get
        apigateway.apiconfigs.list
        apigateway.apis.get
        apigateway.apis.list
        apigateway.gateways.get
        apigateway.gateways.list
        apigateway.locations.get
        apigateway.locations.list
        apigateway.operations.get
        apigateway.operations.list

        # Apigee & Registry Permissions
        apigee.apiproducts.get
        apigee.apiproducts.list
        apigee.organizations.get
        apigee.organizations.list
        apigeeregistry.specs.get
        apigeeregistry.specs.list

        # Compute Engine Permissions
        compute.addresses.get
        compute.addresses.list
        compute.backendServices.get
        compute.backendServices.list
        compute.firewallPolicies.get
        compute.firewallPolicies.list
        compute.instances.get
        compute.instances.list
        compute.networks.get
        compute.networks.list

        # DNS & Resource Manager Permissions
        dns.managedZones.get
        dns.managedZones.list
        dns.policies.get
        dns.policies.list
        resourcemanager.folders.get
        resourcemanager.folders.list
        resourcemanager.organizations.get
        resourcemanager.projects.list

Creating and Configuring the Service Account

  1. Create a new GCP Project or use an existing one for the Escape service account
  2. Visit the Service Accounts page and configure:
    • Name: Escape Integration Service Account
    • ID: escape-integration-service-acc (or your preferred naming convention)
  3. Create a service account key:
    • Navigate to the service account details
    • Go to Keys tab and click Add Key
    • Create a new key in JSON format
    • Save the downloaded JSON file
  4. Grant organization-level access:
    • Copy the service account email: escape-integration-service-acc@<yourprojectid>.iam.gserviceaccount.com
    • Go to Organization IAM
    • Click Grant Access
    • Paste the service account email and select the custom role created earlier
  5. Complete the integration by pasting the JSON key into Escape's GCP integration page
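The same organization-level setup (the custom role from the previous section and steps 1 to 4 of the service account procedure above) can be scripted with the gcloud CLI instead of the console. The script below is an added example, not Escape's own tooling and not part of the original page: ORG_ID and PROJECT_ID are assumed placeholders you must set, while the role id, service account id and permission list are the ones given on this page. Before it creates anything it checks that every permission in the role is a get or list verb, which is the read-only, least-privilege property the custom role is meant to have. Pasting the resulting key file into Escape (step 5) remains a manual step.

```shell
#!/bin/sh
# Added example, not Escape's own tooling: scripts the organization-level
# role and service account setup with gcloud. ORG_ID and PROJECT_ID are
# assumed placeholders; everything else comes from the page.

ORG_ID="${ORG_ID:-000000000000}"             # placeholder: your organization id
PROJECT_ID="${PROJECT_ID:-your-project-id}"  # placeholder: project hosting the service account
ROLE_ID="escape_integration_role"
SA_ID="escape-integration-service-acc"
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"

# Permission list from the page, one per line (order does not matter to IAM).
PERMISSIONS="
apigateway.apiconfigs.get
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.list
apigateway.locations.get
apigateway.locations.list
apigateway.operations.get
apigateway.operations.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.organizations.get
apigee.organizations.list
apigeeregistry.specs.get
apigeeregistry.specs.list
compute.addresses.get
compute.addresses.list
compute.backendServices.get
compute.backendServices.list
compute.firewallPolicies.get
compute.firewallPolicies.list
compute.instances.get
compute.instances.list
compute.networks.get
compute.networks.list
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.list
"

# Number of permissions in the list (sanity check against the page: 34).
count_permissions() {
  set -- $PERMISSIONS
  echo "$#"
}

# Least-privilege guard: the role may contain only get/list verbs.
# Names any offending permission on stderr and returns 1 if one is found.
check_read_only() {
  rc=0
  for p in $PERMISSIONS; do
    case "$p" in
      *.get|*.list) ;;
      *) echo "not read-only: $p" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Write the role definition in the YAML format accepted by
# `gcloud iam roles create --file`.
write_role_yaml() {
  out="$1"
  {
    echo "title: Escape Integration Role"
    echo "description: Read-only inventory access for Escape ASM"
    echo "stage: GA"
    echo "includedPermissions:"
    for p in $PERMISSIONS; do
      echo "- $p"
    done
  } > "$out"
}

# Create the role, the service account, the org-level binding and the key.
apply() {
  check_read_only || return 1
  write_role_yaml escape-role.yaml
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file=escape-role.yaml
  gcloud iam service-accounts create "$SA_ID" --project="$PROJECT_ID" \
    --display-name="Escape Integration Service Account"
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:${SA_EMAIL}" \
    --role="organizations/${ORG_ID}/roles/${ROLE_ID}"
  # escape-key.json is the JSON you paste into Escape; handle it as a secret.
  gcloud iam service-accounts keys create escape-key.json \
    --iam-account="$SA_EMAIL" --project="$PROJECT_ID"
}

# Only talk to GCP when invoked with "apply"; otherwise just define the helpers.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run `sh escape-gcp-setup.sh apply` with an authenticated gcloud session that holds the Organization Administrator and Organization Role Administrator roles named above; without the `apply` argument the script only defines the helpers, so `check_read_only` and `write_role_yaml` can be used to review the role definition offline before anything is created.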

Info

You can alternatively use predefined roles like roles/compute.networkViewer and roles/iam.securityReviewer for a simplified setup.

This integration enables comprehensive monitoring of your GCP resources and ensures thorough security and compliance assessment of all endpoints.