Google Cloud Platform (GCP)

Where do I find my Google Cloud credentials?

To scan Google Cloud, the following values from a service account in your Google Cloud environment are required:

  • Project ID
  • Client email
  • Private key

To create these within your Google Cloud environment, first define a read-only custom role that contains only the permissions the scan needs:

  1. Log into your Google Cloud console and "Activate" your Cloud Shell.
  2. Create a new file called holm-security-cloud-scan.yaml. You can use: `nano holm-security-cloud-scan.yaml`.
  3. Copy and paste the following YAML into the file in your Cloud Shell, then press Ctrl + X, type Y, and press Enter to save the file. The permissions must be listed under an `includedPermissions` key; the role ID itself is given on the command line in the next step.
    title: Holm Security Audit
    stage: GA
    includedPermissions:
    - cloudasset.assets.listResource
    - cloudkms.cryptoKeys.list
    - cloudkms.keyRings.list
    - cloudsql.instances.list
    - cloudsql.users.list
    - compute.autoscalers.list
    - compute.backendServices.list
    - compute.disks.list
    - compute.firewalls.list
    - compute.healthChecks.list
    - compute.instanceGroups.list
    - compute.instances.getIamPolicy
    - compute.instances.list
    - compute.networks.list
    - compute.projects.get
    - compute.securityPolicies.list
    - compute.subnetworks.list
    - compute.targetHttpProxies.list
    - container.clusters.list
    - dns.managedZones.list
    - iam.serviceAccountKeys.list
    - iam.serviceAccounts.list
    - logging.logMetrics.list
    - logging.sinks.list
    - monitoring.alertPolicies.list
    - resourcemanager.folders.get
    - resourcemanager.folders.getIamPolicy
    - resourcemanager.folders.list
    - resourcemanager.hierarchyNodes.listTagBindings
    - resourcemanager.organizations.get
    - resourcemanager.organizations.getIamPolicy
    - resourcemanager.projects.get
    - resourcemanager.projects.getIamPolicy
    - resourcemanager.projects.list
    - resourcemanager.resourceTagBindings.list
    - resourcemanager.tagKeys.get
    - resourcemanager.tagKeys.getIamPolicy
    - resourcemanager.tagKeys.list
    - resourcemanager.tagValues.get
    - resourcemanager.tagValues.getIamPolicy
    - resourcemanager.tagValues.list
    - storage.buckets.getIamPolicy
    - storage.buckets.list
  4. Run the following command to create the role. Use your Organization ID to create the role at the organization level, so that it can be granted on any project in the organization (this requires the Organization Role Administrator role, or another role that includes `iam.roles.create` on the organization): `gcloud iam roles create HolmSecurityAudit --organization=YOUR_ORGANIZATION_ID --file=holm-security-cloud-scan.yaml`
  5. Confirm the role exists and carries only the permissions listed above: `gcloud iam roles describe HolmSecurityAudit --organization=YOUR_ORGANIZATION_ID`

Now you will need to create a Service Account and grant it the role:

  1. Log into your Google Cloud console, select the project the service account should belong to, and navigate to IAM & Admin > Service Accounts.
  2. Click on Create Service Account.
  3. Enter "HolmSecurity" in the "Service account name", then enter "HolmSecurity API Access" in the description.
  4. Click on Continue.
  5. Select the role: Custom > Holm Security Audit.
  6. Click on Continue.
  7. Click on Create Key.
  8. Leave the default JSON selected.
  9. Click on Create.
  10. The key will be downloaded to your machine.
  11. Open the JSON key file in a text editor and copy the Project ID (the `project_id` field), Client Email (`client_email`) and Private Key (`private_key`, the whole block from `-----BEGIN PRIVATE KEY-----` to `-----END PRIVATE KEY-----`) values and paste them into the Authentication section of the Holm Security Cloud Scan Configuration window.
  12. Click on Submit.
  13. Done!

Two things to keep in mind:

  • The role selected in step 5 is granted on the project that owns the service account, so the scan sees only that project. To scan every project in the organization, also bind the role at the organization level, using the service account email shown on the Service Accounts page: `gcloud organizations add-iam-policy-binding YOUR_ORGANIZATION_ID --member=serviceAccount:SERVICE_ACCOUNT_EMAIL --role=organizations/YOUR_ORGANIZATION_ID/roles/HolmSecurityAudit`
  • The downloaded JSON file is a long-lived credential for the service account. Store it only where the scan configuration needs it, do not commit it to source control or send it by e-mail, and delete superseded keys under the service account's Keys tab when you rotate them.
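The following script is an added example for the two procedures above (the custom-role file and the downloaded key file); it is not part of this page or of Holm Security's tooling. It uses only the Python standard library and runs offline on constructed sample inputs: it parses a role file in the format shown above and flags any permission that is not a read verb (get*/list*), so the role stays least-privilege, and it reads a service-account key file, checks that it really is one, and returns exactly the three values the scan configuration asks for. The sample key material is a placeholder, not a real key.

```python
"""Pre-flight checks for the GCP scan setup: role is read-only, key file is sane.

Editor-added example; constructed inputs, stdlib only.
"""
import json
import re

# Constructed sample of the role file, trimmed to a few permissions, with one
# deliberately non-read-only entry so the check has something to catch.
SAMPLE_ROLE_YAML = """\
title: Holm Security Audit
stage: GA
includedPermissions:
- cloudasset.assets.listResource
- compute.instances.getIamPolicy
- compute.instances.list
- storage.buckets.getIamPolicy
- iam.serviceAccountKeys.create
"""

# Constructed sample key file. Field names match what the console downloads;
# the private key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...\n-----END PRIVATE KEY-----\n",
    "client_email": "holmsecurity@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def parse_role_yaml(text):
    """Minimal parser for the flat role file: scalar keys plus one list."""
    role, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a list: {line!r}")
            current_list.append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            role[key] = value
            current_list = None
        else:
            current_list = role.setdefault(key, [])
    return role


def non_readonly_permissions(role):
    """Permissions whose final verb is not get*/list* (create, delete, setIamPolicy, ...)."""
    offenders = []
    for perm in role.get("includedPermissions", []):
        verb = perm.rsplit(".", 1)[-1]
        if not (verb.startswith("get") or verb.startswith("list")):
            offenders.append(perm)
    return offenders


# Unencrypted PKCS#8 PEM block, which is what the console puts in private_key.
PEM_RE = re.compile(r"^-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?$", re.S)


def extract_scan_credentials(key_json):
    """Return Project ID, Client Email and Private Key from a service-account key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("project_id", "client_email", "private_key"):
        if not key.get(field):
            raise ValueError(f"key file is missing {field}")
    if not PEM_RE.match(key["private_key"]):
        raise ValueError("private_key is not an unencrypted PEM private key block")
    # A service account's email always carries the project it was created in.
    expected_suffix = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not key["client_email"].endswith(expected_suffix):
        raise ValueError(f"client_email does not belong to project {key['project_id']}")
    return {k: key[k] for k in ("project_id", "client_email", "private_key")}


def is_valid_key_file(key_json):
    """True if extract_scan_credentials() accepts the file, False otherwise."""
    try:
        extract_scan_credentials(key_json)
    except (ValueError, KeyError):
        return False
    return True


if __name__ == "__main__":
    role = parse_role_yaml(SAMPLE_ROLE_YAML)
    bad = non_readonly_permissions(role)
    print(f"role {role['title']!r}: {len(role['includedPermissions'])} permissions, "
          f"non-read-only: {bad or 'none'}")
    creds = extract_scan_credentials(SAMPLE_KEY_JSON)
    print("Project ID:  ", creds["project_id"])
    print("Client Email:", creds["client_email"])
    print("Private Key: ", creds["private_key"].splitlines()[0], "...")
```

Run it against your real files by reading them in place of the two sample constants; if `non_readonly_permissions` returns anything, the role grants more than the scan needs and should be trimmed before step 4.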