Setting up a GCP account

Create a GCP account and set up API activation and costs for using that account with CloudXper Management Platform.

Step 1. Create an account

Go to the GCP website and create an account.

Step 2. Create a Service Account

Create a Service account for your GCP account credentials.

  • GCP Console > Identity > Service Accounts

Step 2.1. Granting permission

Option 1. Single Account

When creating the service account, grant it the Viewer role.

If you want to grant only the minimum required permissions instead of the Viewer role, create a custom role using the Permission List below and assign that role.

Inventory Permission List

  • bigquery.capacityCommitments.list
  • bigquery.datasets.get
  • bigquery.transfers.get
  • cloudscheduler.jobs.list
  • cloudscheduler.locations.list
  • cloudsql.instances.list
  • compute.addresses.list
  • compute.backendServices.list
  • compute.commitments.list
  • compute.disks.list
  • compute.firewalls.list
  • compute.forwardingRules.list
  • compute.healthChecks.list
  • compute.images.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instanceTemplates.list
  • compute.instances.list
  • compute.interconnects.list
  • compute.networks.list
  • compute.routers.list
  • compute.routes.list
  • compute.snapshots.list
  • compute.subnetworks.list
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.list
  • compute.targetPools.list
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.list
  • compute.targetVpnGateways.list
  • compute.urlMaps.list
  • compute.vpnGateways.list
  • compute.vpnTunnels.list
  • container.clusters.list
  • container.nodes.list
  • dns.managedZones.list
  • dns.resourceRecordSets.list
  • file.backups.list
  • file.instances.list
  • iam.roles.list
  • iam.serviceAccounts.list
  • logging.views.access
  • memcache.instances.list
  • monitoring.timeSeries.list
  • pubsub.snapshots.list
  • pubsub.subscriptions.list
  • pubsub.topics.list
  • recommender.bigqueryCapacityCommitmentsRecommendations.list
  • recommender.computeImageIdleResourceRecommendations.list
  • redis.instances.list
  • resourcemanager.projects.getIamPolicy
  • storage.buckets.list
  • storagetransfer.agentpools.list
  • storagetransfer.jobs.list

Option 2. Add members within the organization

If you manage your account by Organization, you can select Organization on the Project selection screen as shown in the image below.

If it is a Service Account belonging to an Organization, use 'ADD Another Role' and select Editor, Folder Viewer, or Organization Viewer for 'Role'.

Step 2.2. Authentication Settings

In order for the CloudXper application to perform authorized tasks, such as collecting resources from cloud accounts, set up the authentication and authorization required for the service account you created.

Two authentication methods are supported; choose one based on your security and management requirements.

  • [Service account key] Generate and share an authentication key

  • [Workload Identity Pool/Provider] Authentication Federation with AWS STS

  • [Service account impersonation] CloudXper's service account impersonates the service account you created.
    This is a security vulnerability and is not recommended in this guide, so it will be removed.


Service account key

Once a service account has been created, generate a key from that account.

  1. Click the More button in the row of the service account for which you want to generate a key, then select Create a key.

  2. When you create a key in JSON format, the generated key file is downloaded.

  3. Send the generated JSON key file, together with the CloudXper application form, to your CloudXper administrator.

Workload Identity Pool/Provider

You can set Identity Pool/AWS Provider in the Workload Identity Federation menu in IAM & Admin.

  1. Create New Workload Identity Pool
    Create an Identity Pool for the AWS workloads that you want to allow to authenticate to Google Cloud.

  2. AWS Provider Settings
    You can set up AWS as the authentication provider for your workloads.

    CloudXper’s AWS Account ID: 611495371442

  3. AWS Authentication Property Mapping Settings
    The default mapping (attribute.aws_role) is sufficient and no additions/changes are required.

    • Set the AWS credential attribute to map, e.g. attribute.aws_role

    • The mapped attributes are used in Grant Access (step 5).

  4. Add service account role
    Create a service account for the externally authenticated workload to impersonate, and set its permissions.
    In addition to roles used for collection such as Viewer, add the Workload Identity User role to the created service account for short-term token exchange.

  5. AWS authentication role settings to allow service account access
    You can set Grant Access for the service account created in the Identity Pool in the Workload Identity Federation menu in IAM & Admin.

    Map the service account to the AWS principal identified by the aws_role attribute.

    • CloudXper Role: arn:aws:sts::611495371442:assumed-role/CX-PROD-EKS-NODEGROUP-NodeInstanceRole-1HYC11PY1OT07

    • The attribute.aws_role mapping is the one configured in 3. AWS Authentication Property Mapping Settings.

  6. Federation Configuration JSON File Download
    After saving, download the federation configuration file and deliver it to the CloudXper operations manager.

    • The file contains only the AWS principal information and the token exchange settings that the Google SDK needs to process the authentication token exchange; it holds no sensitive information such as credentials.

  7. Check Connected Service Accounts

  8. Audit Log
    You can check the details of requests made to the identity pool in Logs Explorer by clicking Logs View on the Workload Identity Pool details screen.
    (If no audit logs appear, see the activation steps below.)

    • AWS Credentials

    • Principal mapped

    How to activate the Audit Log:
    1) Enable Admin Read for the Security Token Service API under Audit Logs in IAM & Admin.
    2) Users viewing the logs need the roles/viewer or roles/logging.viewer role.
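The attribute mapping of step 3 and the Grant Access binding of step 5, worked through as a small shell helper. This is an added example and not part of the CloudXper guide; PROJECT_NUMBER, POOL_ID and the collector service account address are placeholders for your own values, while the AWS account ID and role name are the CloudXper values listed in step 5.

```shell
#!/bin/sh
# Added example (not part of the CloudXper guide): derive the attribute.aws_role value
# that the pool's default attribute mapping (step 3) produces from an AWS STS caller ARN,
# and build the principalSet member that step 5 binds to the service account.
set -eu

PROJECT_NUMBER="123456789012"   # placeholder: your GCP project number (not the project ID)
POOL_ID="cloudxper-pool"        # placeholder: the Workload Identity Pool ID from step 1
CX_ROLE_ARN="arn:aws:sts::611495371442:assumed-role/CX-PROD-EKS-NODEGROUP-NodeInstanceRole-1HYC11PY1OT07"

# The default attribute.aws_role mapping keeps "assumed-role/<role-name>" and drops the
# per-session suffix, so every session of that role maps to one stable principal.
aws_role_attribute() {
  case "$1" in
    *:assumed-role/*/*) printf '%s\n' "${1%/*}" ;;   # strip the session name
    *)                  printf '%s\n' "$1" ;;        # any other ARN is used as-is
  esac
}

# Member identifier for the Grant Access binding: only identities whose mapped
# attribute.aws_role equals this ARN may impersonate the service account.
principal_set_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s\n' \
    "$PROJECT_NUMBER" "$POOL_ID" "$(aws_role_attribute "$1")"
}

# The CLI equivalent of step 5; printed rather than executed so this runs offline.
grant_command() {
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --role=roles/iam.workloadIdentityUser --member=%s\n' \
    "$1" "$(principal_set_member "$2")"
}

# Constructed session ARN, as STS presents it for one EKS node running under that role.
grant_command "collector-sa@my-project.iam.gserviceaccount.com" "$CX_ROLE_ARN/i-0abc12345"
```

The binding is scoped to the single mapped role rather than to the whole AWS account, which is the least-privilege grant this guide describes.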

Service Account Impersonation

CloudXper's service account gains access by impersonating the service account created above. This has the following advantages over the service account key method.

  • It uses a short-lived (1 hr) authentication token and does not require creating or sharing a service account key, making it safer than the permanent key method.

  • With service account impersonation, access records can be checked and audited in GCP.

  1. Select the service account and click the MANAGE ACCESS menu at the top.
    In the Manage Access window, click the ADD PRINCIPAL button to allow access to the CloudXper service account.


  2. Add the CloudXper service account (Add principals) and add a role that can issue 1hr short-term tokens (Assign Role).

    • CloudXper service account: cloudxper-collector-sa@pjt-cloudxper-master.iam.gserviceaccount.com

    • Assign Role: Service Account Token Creator

  3. Send the email address of the service account you created, together with the CloudXper application form, to the CloudXper administrator.

 

Step 3. Set CSR automation permissions (optional)

To automate CSR in New ITSM, you need to set up the permissions required to change services/resources.

Step 3.1. Create CSR Automation Role

Create a Role to set permissions in the IAM & Admin screen.

Step 3.2. Setting Role Permissions

① ID is the role identifier and may contain only numbers, English letters, _ and . characters.

② For Role launch stage, select General Availability as the lifecycle stage at which the policy applies. For reference, the lifecycle order is Alpha > Beta > General Availability > Disabled.

③ Click the “ADD PERMISSIONS” button to add the required Action permissions.

④ In the Add Permissions pop-up window, search for the permissions you want to add to the filter, check them, and then click the “ADD” button.
For reference, if you know the predefined roles of GCP, you can check and add the permissions of the predefined role in “Filter permissions by role” at the top.


There are 32 permissions required for CSR automation, as follows:

CSR permission list

  • compute.disks.create
  • compute.disks.setLabels
  • compute.disks.delete
  • compute.disks.use
  • compute.disks.useReadOnly
  • compute.firewalls.create
  • compute.firewalls.get
  • compute.firewalls.update
  • compute.globalOperations.get
  • compute.images.useReadOnly
  • compute.instances.attachDisk
  • compute.instances.delete
  • compute.instances.setDeletionProtection
  • compute.instances.get
  • compute.instances.start
  • compute.instances.startWithEncryptionKey
  • compute.instances.stop
  • compute.networks.updatePolicy
  • compute.snapshots.useReadOnly
  • compute.zoneOperations.get
  • iam.roles.create
  • iam.roles.get
  • iam.roles.list
  • iam.roles.update
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy
  • serviceusage.services.use
  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.update
  • storage.objects.delete
  • storage.objects.list
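A check for either permission list on this page (the Inventory list in Step 2.1 and the CSR list above), as an added example that is not part of the CloudXper guide: it compares the permissions a custom role actually grants with the required list and reports what is missing (collection or automation will fail) and what is extra (more than least privilege needs). It assumes the role's permissions were exported with gcloud iam roles describe as noted in the comments; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the CloudXper guide): diff a custom role's granted
# permissions against a required list from this page.
# Input 1: required permissions, one per line (copy a list from this guide).
# Input 2: the role's includedPermissions as printed by
#   gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format='value(includedPermissions)'
# (a single ';'-separated line); both formats are normalised below.
set -eu

# One permission per line, trimmed, de-duplicated, in a fixed sort order for comm.
normalise_permissions() {
  tr ';' '\n' < "$1" | tr -d ' \t\r' | grep -v '^$' | LC_ALL=C sort -u
}

# Required permissions the role does not grant.
missing_permissions() {
  req=$(mktemp) && got=$(mktemp)
  normalise_permissions "$1" > "$req"
  normalise_permissions "$2" > "$got"
  comm -23 "$req" "$got"
  rm -f "$req" "$got"
}

# Permissions the role grants beyond the required list (review and remove them).
extra_permissions() {
  req=$(mktemp) && got=$(mktemp)
  normalise_permissions "$1" > "$req"
  normalise_permissions "$2" > "$got"
  comm -13 "$req" "$got"
  rm -f "$req" "$got"
}

# Constructed sample: four entries from the Inventory list in Step 2.1, and a role
# that omits one of them while carrying a delete permission the collector never needs.
cat > required-permissions.txt <<'EOF'
compute.instances.list
compute.disks.list
storage.buckets.list
resourcemanager.projects.getIamPolicy
EOF
printf '%s\n' 'compute.instances.list;compute.disks.list;storage.buckets.list;compute.instances.delete' \
  > role-permissions.txt

echo "Missing from the role:";     missing_permissions required-permissions.txt role-permissions.txt
echo "Granted but not required:";  extra_permissions   required-permissions.txt role-permissions.txt
```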

 

Step 3.3. Assign Role

Grant a Role to the Service Account used in the CloudXper application.
If you want to create a new Service Account, please refer to Step 2.

⑤ Click the Edit member button on the right side of the Service Account.
A pop-up window on the right will open, allowing you to set the Custom Role you created earlier.

⑥ Add the Custom Role you created earlier in the Role list and save it.

Step 4. Activate GCP API

Go to the API Library and make sure the API for each service you want to collect is enabled.
If an API is not enabled, enable it; otherwise collection cannot proceed normally.

Here is a list of services to be collected. Please search for the service in the search box and activate the API.

For WIF authentication, API requests are made using an impersonated service account, and the project associated with that service account is treated as the quota project, where API enablement and quota are managed.

If your setup uses an impersonated service account in a separate project (the quota project) to collect resources from another project, the relevant API must be enabled in both projects.

Our operations team is checking the impersonated service account used for collection and the API URL that needs to be enabled. However, since only the project ID can be identified from this error message, we would appreciate it if you verify the above information and whether the API is enabled in both projects.

  • Compute Engine API: instance, disk, vpc, firewall, load balancer, etc. 

  • Cloud DNS API: zone, record set

  • Cloud SQL Admin API: sql instance

  • Cloud Storage: buckets

  • Cloud Resource Manager API: iam

  • Kubernetes Engine API: cluster, node pool
    * Resources such as deployments and pods within k8s are collected by the k8s client, and network access must be allowed.

  • Recommender API: recommender


Go to the API Library page.

Activate the API in the service list. (Below is an example of the Cloud Resource Manager API screen)

Enable the Recommender API.

Step 5. Set the cost

To be updated later

 

Step 6. Guide for CUD Inquiry