Skip to content

GCP

Integrating GCP with Escape's Inventory enhances visibility and management of GKE deployments across GCP services. The integration enriches your inventory with detailed data from GKE Clusters:

Supported GCP Services

GKE: Google-managed Kubernetes platform. Escape uses the Kubernetes API to monitor cluster resources and configurations.

Generating a GCP OAuth Credentials (for a project)

Create your API Credentials in GCP for a project:

  1. Navigate to your API Credentials page
  2. Click Create Service Account and follow the setup instructions
  3. Assign the Viewer role from Basic roles
  4. Click Done to create the account
  5. Open the newly created service account
  6. Go to the Keys tab and click Add Key
  7. Select Create new key, choose JSON format, and click Create
  8. Save the downloaded JSON file and copy its contents
  9. Paste the JSON contents into the designated text area

Important: Enable the following APIs in the GCP console:

Generating a GCP OAuth Credentials (for an organization)

Create your API Credentials in GCP for an organization:

  1. Navigate to the GCP IAM Admin Console at the organization level (requires organization owner access)

  2. Ensure you have the following roles:

    • Organization Administrator
    • Organization Role Administrator (Add roles using the edit button next to your user)

  3. Go to organization-level roles and click Create Role

  4. Configure the role:

    • Title: Escape Integration Role
    • ID: escape_integration_role
    • Role Launch Stage: General availability

  5. Add the following permissions:

        # API Gateway Permissions
    apigateway.apiconfigs.get
    apigateway.apiconfigs.list
    apigateway.apis.get
    apigateway.apis.list
    apigateway.gateways.get
    apigateway.gateways.list
    apigateway.locations.get
    apigateway.locations.list
    apigateway.operations.get
    apigateway.operations.list

    # Apigee & Registry Permissions
    apigee.apiproducts.get
    apigee.apiproducts.list
    apigee.organizations.get
    apigee.organizations.list
    apigeeregistry.specs.get
    apigeeregistry.specs.list

    # Compute Engine Permissions
    compute.addresses.get
    compute.addresses.list
    compute.backendServices.get
    compute.backendServices.list
    compute.firewallPolicies.get
    compute.firewallPolicies.list
    compute.instances.get
    compute.instances.list
    compute.networks.get
    compute.networks.list

    # DNS & Resource Manager Permissions
    dns.managedZones.get
    dns.managedZones.list
    dns.policies.get
    dns.policies.list
    resourcemanager.folders.get
    resourcemanager.folders.list
    resourcemanager.organizations.get
    resourcemanager.projects.list

Creating and Configuring the Service Account

  1. Create a new GCP Project or use an existing one for the Escape service account
  2. Visit the Service Accounts page and configure:
    • Name: Escape Integration Service Account
    • ID: escape-integration-service-acc (or your preferred naming convention)
  3. Create a service account key:
    • Navigate to the service account details
    • Go to Keys tab and click Add Key
    • Create a new key in JSON format
    • Save the downloaded JSON file
  4. Grant organization-level access:
    • Copy the service account email:\ escape-integration-service-acc@<yourprojectid>.iam.gserviceaccount.com
    • Go to Organization IAM
    • Click Grant Access
    • Paste the service account email and select the custom role created earlier
  5. Complete the integration by pasting the JSON key into Escape's GCP integration page

Info

You can alternatively use predefined roles like roles/compute.networkViewer and roles/iam.securityReviewer for a simplified setup.

This integration enables comprehensive monitoring of your GCP resources and ensures thorough security and compliance assessment of all endpoints.