GCP
Integrating GCP with Escape's Inventory enhances visibility and management of your GKE deployments across GCP services. This integration not only supports general API management but also enriches the inventory with detailed data from GKE Clusters:
Supported GCP Services
- GKE: GKE is Google's managed implementation of the Kubernetes open source container orchestration platform. We use the Kubernetes API to interact with your clusters and gather information about the resources running on them.
Generating GCP OAuth Credentials (for a project)
Follow these steps to create your API Credentials in GCP for a project:
- Go to your API Credentials page to generate a service account.
- Click on Create Service Account and follow instructions to create a service account.
- Add on role of Viewer from Basic roles in the permissions.
- Click on Done to create the service account.
- After creating, open the service account by clicking on it.
- Go to Keys tab and click on Add Key to create a new key.
- Click on Create new key and select JSON and click on Create.
- This will download a JSON file with the key details. Open the file and copy its contents.
- Paste the contents of the JSON file into the text area above.
- Important: enable the following APIs in the GCP console:
Generating GCP OAuth Credentials (for an organization)
Follow these steps to create your API Credentials in GCP for an organization:
- Go to your GCP IAM Admin Console on the organization-level (you need to be an organization owner).
- Ensure your user has the Organization Administrator and Organization Role Administrator roles. (You can add roles via the edit button (pencil icon) next to your user.)
- Click on organization-level roles to create a new custom role.
- Click on Create Role and fill in the following details:
  - Title: Escape Integration Role
  - ID: escape_integration_role
  - Role Launch Stage: General availability
  - Permissions: Add the following permissions by checking the boxes:
apigateway.apiconfigs.get
apigateway.apiconfigs.list
apigateway.apis.get
apigateway.apis.list
apigateway.gateways.get
apigateway.gateways.list
apigateway.locations.get
apigateway.locations.list
apigateway.operations.get
apigateway.operations.list
apigee.apiproducts.get
apigee.apiproducts.list
apigee.organizations.get
apigee.organizations.list
apigeeregistry.specs.get
apigeeregistry.specs.list
appengine.applications.get
appengine.instances.get
appengine.services.get
appengine.versions.list
cloudasset.assets.exportApigatewayApi
cloudasset.assets.exportApigatewayApiConfig
cloudasset.assets.exportApigatewayGateway
cloudasset.assets.exportIamPolicy
cloudasset.assets.exportResource
cloudasset.assets.list
cloudasset.assets.listApigatewayApi
cloudasset.assets.listApigatewayApiConfig
cloudasset.assets.listApigatewayGateway
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
compute.addresses.get
compute.addresses.list
compute.backendBuckets.get
compute.backendBuckets.list
compute.backendServices.get
compute.backendServices.list
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.firewallPolicies.listEffectiveTags
compute.firewallPolicies.listTagBindings
compute.firewalls.get
compute.firewalls.list
compute.firewalls.listEffectiveTags
compute.firewalls.listTagBindings
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.listEffectiveTags
compute.forwardingRules.listTagBindings
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.get
compute.globalNetworkEndpointGroups.list
compute.globalNetworkEndpointGroups.listEffectiveTags
compute.globalNetworkEndpointGroups.listTagBindings
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.listEffectiveTags
compute.healthChecks.listTagBindings
compute.httpHealthChecks.get
compute.httpHealthChecks.list
compute.httpHealthChecks.listEffectiveTags
compute.httpHealthChecks.listTagBindings
compute.httpsHealthChecks.get
compute.httpsHealthChecks.list
compute.httpsHealthChecks.listEffectiveTags
compute.httpsHealthChecks.listTagBindings
compute.instanceGroups.get
compute.instanceGroups.list
compute.instances.get
compute.instances.list
compute.networks.get
compute.networks.list
compute.routes.get
compute.routes.list
compute.subnetworks.get
compute.subnetworks.list
compute.urlMaps.get
compute.urlMaps.list
dns.managedZoneOperations.get
dns.managedZoneOperations.list
dns.managedZones.get
dns.managedZones.list
dns.policies.get
dns.policies.list
dns.resourceRecordSets.get
dns.resourceRecordSets.list
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
run.locations.list
run.services.get
run.services.list
Now we are going to create the Service Account and its keys, and associate the Role with it.
- Create a new GCP Project or use an existing project to hold the new Service Account used by Escape.
- Visit this link and fill in the following details:
  - Name: Escape Integration Service Account
  - ID: escape-integration-service-acc (or follow your own naming convention)
- Add a Service Account Key by navigating to the newly created SA's Details, going to Keys, clicking on Add Key, and creating a new key in JSON format.
- The key file is downloaded to your computer; make sure it was downloaded. You will simply paste this JSON into the Escape UI.
- Copy the email of the service account you just created; it should be escape-integration-service-acc@<yourprojectid>.iam.gserviceaccount.com.
- The last step is to grant access to your Service Account by associating the org-level role with it. Navigate back to this link and view the Organization-level IAM (make sure the Organization is selected in the top-left).
- Click on Grant Access, paste the Service Account email in the principals, and select the custom role previously created (search for Escape).
- You can also use GCP predefined roles such as roles/compute.networkViewer and roles/iam.securityReviewer to simplify the process.
- Save, and you're done! Simply paste the JSON into Escape's GCP integration setup page here.
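The organization-level procedure above (custom role, service account, key, org-level binding) as a gcloud equivalent; this is an added example, not Escape's own tooling. It assumes the organization ID, the project ID, and a permissions.txt file holding the permission list above, one per line.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console steps for the organization setup.
# Assumed values: ORG_ID and PROJECT_ID are placeholders; permissions.txt is the
# permission list from this page, one entry per line.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                # placeholder organization id
PROJECT_ID="${PROJECT_ID:-my-escape-project}"   # placeholder project id
ROLE_ID="escape_integration_role"
SA_ID="escape-integration-service-acc"

# Build the role definition consumed by `gcloud iam roles create --file`.
# Blank and duplicate entries are dropped so the custom role stays minimal.
# $1 = output path, stdin = one permission per line.
write_role_yaml() {
  perms=$(sed '/^[[:space:]]*$/d' | sort -u)
  {
    echo "title: Escape Integration Role"
    echo "description: Read-only access used by Escape's Inventory"
    echo "stage: GA"
    echo "includedPermissions:"
    printf '%s\n' "$perms" | sed 's/^/- /'
  } > "$1"
}

# Email the page tells you to expect for the new service account.
sa_email() {
  echo "${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
}

# The custom role lives at the organization level; the SA lives in the project.
apply() {
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file=role.yaml
  gcloud iam service-accounts create "$SA_ID" --project="$PROJECT_ID" \
    --display-name="Escape Integration Service Account"
  gcloud iam service-accounts keys create escape-key.json \
    --iam-account="$(sa_email)" --project="$PROJECT_ID"
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$(sa_email)" \
    --role="organizations/${ORG_ID}/roles/${ROLE_ID}"
  echo "Paste escape-key.json into Escape, then delete the local copy."
}

# Only touch GCP when explicitly asked: ./setup.sh apply
if [ "${1:-}" = apply ]; then
  write_role_yaml role.yaml < permissions.txt
  apply
fi
```

Running the script with no argument only defines the functions, so the generated role.yaml can be reviewed before anything is created.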
By setting up this integration, you ensure that all endpoints are accounted for in Escape's Inventory, aiding in thorough security and compliance assessments.