GCP
Integrating GCP with Escape's Inventory enhances visibility and management of GKE deployments across GCP services. The integration enriches your inventory with detailed data from GKE Clusters.
Supported GCP Services¶
GKE: Google-managed Kubernetes platform. Escape uses the Kubernetes API to monitor cluster resources and configurations.
Generate GCP OAuth Credentials (for a project)¶
Create your API Credentials in GCP for a project:
- Navigate to your API Credentials page
- Click Create Service Account and follow the setup instructions
- Assign the Viewer role from Basic roles
- Click Done to create the account
- Open the newly created service account
- Go to the Keys tab and click Add Key
- Select Create new key, choose JSON format, and click Create
- Save the downloaded JSON file and copy its contents
- Paste the JSON contents into the designated text area
Important: Enable the following APIs in the GCP console:
Generating GCP OAuth Credentials (for an organization)¶
Create your API Credentials in GCP for an organization:
-
Navigate to the GCP IAM Admin Console at the organization level (requires organization owner access)
-
Ensure you have the following roles:
Organization Administrator
Organization Role Administrator
(Add roles using the edit button next to your user)
-
Go to organization-level roles and click Create Role
-
Configure the role:
- Title: Escape Integration Role
- ID: escape_integration_role
- Role Launch Stage: General availability
-
Add the following permissions:
# API Gateway Permissions apigateway.apiconfigs.get apigateway.apiconfigs.list apigateway.apis.get apigateway.apis.list apigateway.gateways.get apigateway.gateways.list apigateway.locations.get apigateway.locations.list apigateway.operations.get apigateway.operations.list # Apigee & Registry Permissions apigee.apiproducts.get apigee.apiproducts.list apigee.organizations.get apigee.organizations.list apigeeregistry.specs.get apigeeregistry.specs.list # Compute Engine Permissions compute.addresses.get compute.addresses.list compute.backendServices.get compute.backendServices.list compute.firewallPolicies.get compute.firewallPolicies.list compute.instances.get compute.instances.list compute.networks.get compute.networks.list # DNS & Resource Manager Permissions dns.managedZones.get dns.managedZones.list dns.policies.get dns.policies.list resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get resourcemanager.projects.list
Creating and Configuring the Service Account¶
- Create a new GCP Project or use an existing one for the Escape service account
- Visit the Service Accounts page and configure:
- Name: Escape Integration Service Account
- ID: escape-integration-service-acc (or your preferred naming convention)
- Create a service account key:
- Navigate to the service account details
- Go to Keys tab and click Add Key
- Create a new key in JSON format
- Save the downloaded JSON file
- Grant organization-level access:
- Copy the service account email:
escape-integration-service-acc@<yourprojectid>.iam.gserviceaccount.com
- Go to Organization IAM
- Click Grant Access
- Paste the service account email and select the custom role created earlier
- Copy the service account email:
- Complete the integration by pasting the JSON key into Escape's GCP integration page
Info
You can alternatively use predefined roles like roles/compute.networkViewer
and roles/iam.securityReviewer
for a simplified setup.
This integration enables comprehensive monitoring of your GCP resources and ensures thorough security and compliance assessment of all endpoints.