GCP

Integrating GCP with Escape's Inventory enhances visibility and management of GKE deployments across GCP services. The integration enriches your inventory with detailed data from GKE Clusters:

Supported GCP Services¶

• GKE: Google-managed Kubernetes platform. Escape uses the Kubernetes API to monitor cluster resources and configurations.

Generating a GCP OAuth Credentials (for a project)¶

Create your API Credentials in GCP for a project:

1. Navigate to your API Credentials page
2. Click Create Service Account and follow the setup instructions
3. Assign the Viewer role from Basic roles
4. Click Done to create the account
5. Open the newly created service account
6. Go to the Keys tab and click Add Key
7. Select Create new key, choose JSON format, and click Create
8. Save the downloaded JSON file and copy its contents
9. Paste the JSON contents into the designated text area

Important: Enable the following APIs in the GCP console: - GKE API - DNS API

Generating a GCP OAuth Credentials (for an organization)¶

Create your API Credentials in GCP for an organization:

1. Navigate to the GCP IAM Admin Console at the organization level (requires organization owner access)

2. Ensure you have the following roles:

   • Organization Administrator
   • Organization Role Administrator (Add roles using the edit button next to your user)

3. Go to organization-level roles and click Create Role

4. Configure the role:

   • Title: Escape Integration Role
   • ID: escape_integration_role
   • Role Launch Stage: General availability

5. Add the following permissions:

   API Gateway Permissions:

   apigateway.apiconfigs.get
   apigateway.apiconfigs.list
   apigateway.apis.get
   apigateway.apis.list
   apigateway.gateways.get
   apigateway.gateways.list
   apigateway.locations.get
   apigateway.locations.list
   apigateway.operations.get
   apigateway.operations.list
   

   Apigee & Registry Permissions:

   apigee.apiproducts.get
   apigee.apiproducts.list
   apigee.organizations.get
   apigee.organizations.list
   apigeeregistry.specs.get
   apigeeregistry.specs.list
   

   Compute Engine Permissions:

   compute.addresses.get
   compute.addresses.list
   compute.backendServices.get
   compute.backendServices.list
   compute.firewallPolicies.get
   compute.firewallPolicies.list
   compute.instances.get
   compute.instances.list
   compute.networks.get
   compute.networks.list
   

   DNS & Resource Manager Permissions:

   dns.managedZones.get
   dns.managedZones.list
   dns.policies.get
   dns.policies.list
   resourcemanager.folders.get
   resourcemanager.folders.list
   resourcemanager.organizations.get
   resourcemanager.projects.list
   

Creating and Configuring the Service Account¶

1. Create a new GCP Project or use an existing one for the Escape service account

2. Visit the Service Accounts page and configure:

   • Name: Escape Integration Service Account
   • ID: escape-integration-service-acc (or your preferred naming convention)

3. Create a service account key:

   • Navigate to the service account details
   • Go to Keys tab and click Add Key
   • Create a new key in JSON format
   • Save the downloaded JSON file

4. Grant organization-level access:

   • Copy the service account email: escape-integration-service-acc@<yourprojectid>.iam.gserviceaccount.com
   • Go to Organization IAM
   • Click Grant Access
   • Paste the service account email and select the custom role created earlier

Note: You can alternatively use predefined roles like roles/compute.networkViewer and roles/iam.securityReviewer for a simplified setup.

1. Complete the integration by pasting the JSON key into Escape's GCP integration page

This integration enables comprehensive monitoring of your GCP resources and ensures thorough security and compliance assessment of all endpoints.