
Setup GCP credential for scanning

Create Security Audit Role

  1. Log into your Google Cloud console and "Activate" your Cloud Shell.
  2. Create a new file called meghops-security-scanner-role.yaml. You can use: nano meghops-security-scanner-role.yaml.
  3. Copy and paste the following YAML into the file in your Cloud Shell, then press Ctrl + X and type "Y" to save the file.
name: roles/MeghOpsSecScanRole
title: MeghOps Security Scanner Role
includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
stage: GA
  4. Run the following command to create the role at the organization level, substituting your Organization ID: gcloud iam roles create MeghOpsSecScanRole --organization=YOUR_ORGANIZATION_ID --file=meghops-security-scanner-role.yaml

    OR - If you don't have access to the GCP Cloud Shell, create the role manually with the permissions listed above:

    1. Go to the Google Cloud console and select the project you want to use.
    2. From the left navigation menu select IAM & Admin -> Roles.
    3. Click on Create Role.
    4. Enter a Title, Description, and ID, then click on Add Permissions; a dialog opens to select the available permissions.
    5. Select all the permissions listed above, then click on Create to create the role.

Create Service Account

  1. Log into your Google Cloud console and navigate to IAM & Admin > Service Accounts.
  2. Click on "Create Service Account".
  3. Enter a name in "Service account name" and a description.
  4. Click on Continue.
  5. Select the role: Custom > MeghOps Security Scanner Role.
  6. Click on Continue.
  7. Click on "Create Key".
  8. Leave the default JSON selected.
  9. Click on "Create".
  10. The key will be downloaded to your computer.
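As an added example (not part of the MeghOps documentation), the role and service-account steps above as a Cloud Shell script, with a least-privilege check that refuses to create the role if the YAML contains any permission that is not a get/list verb. It assumes the YAML file name from step 2 and an authenticated Cloud Shell; the service account name meghops-scanner, the key file path, and YOUR_ORGANIZATION_ID / YOUR_PROJECT_ID are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not MeghOps' own tooling): check that every permission in the
# role YAML is read-only before creating it, then provision the service account
# and JSON key with gcloud. Assumes the YAML file from step 2 and an
# authenticated Cloud Shell; SA_NAME and the key path are assumed values.
set -eu

ROLE_FILE="meghops-security-scanner-role.yaml"
ROLE_ID="MeghOpsSecScanRole"
SA_NAME="meghops-scanner"   # assumed service account name

# Return 0 if every "- permission" line ends in a get*/list* verb, else print
# the offenders (e.g. setIamPolicy, create, delete) and return 1.
check_readonly_permissions() {
  file="$1"
  bad=$(grep -E '^[[:space:]]*-[[:space:]]+' "$file" \
        | sed -E 's/^[[:space:]]*-[[:space:]]+//; s/[[:space:]]+$//' \
        | grep -Ev '\.(get|list)[A-Za-z]*$' || true)
  if [ -n "$bad" ]; then
    printf 'Non read-only permission(s) in %s:\n%s\n' "$file" "$bad" >&2
    return 1
  fi
  return 0
}

# Create the org-level custom role, the service account, grant the role on the
# project (as the console wizard does), and download a JSON key to paste into
# MeghOps. Delete the local key file once it has been uploaded.
provision_scanner_sa() {
  org_id="$1"; project_id="$2"
  check_readonly_permissions "$ROLE_FILE"
  gcloud iam roles create "$ROLE_ID" --organization="$org_id" --file="$ROLE_FILE"
  gcloud iam service-accounts create "$SA_NAME" --project="$project_id" \
    --display-name="MeghOps Security Scanner"
  sa_email="${SA_NAME}@${project_id}.iam.gserviceaccount.com"
  gcloud projects add-iam-policy-binding "$project_id" \
    --member="serviceAccount:${sa_email}" \
    --role="organizations/${org_id}/roles/${ROLE_ID}"
  gcloud iam service-accounts keys create "./${SA_NAME}-key.json" \
    --iam-account="$sa_email"
}

# Usage: sh setup-scanner.sh --apply YOUR_ORGANIZATION_ID YOUR_PROJECT_ID
if [ "${1:-}" = "--apply" ]; then
  provision_scanner_sa "$2" "$3"
fi
```

Run it once without --apply to load the functions and call check_readonly_permissions on the YAML alone if you only want the audit.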

Now let's add this credential to MeghOps

  1. Go to https://app.meghops.com/auth/login and log in with your account.
  2. Open Settings by clicking the profile avatar in the top right corner, then Settings.
  3. From the settings page go to Cloud accounts, then click on Add credential.
  4. In this dialog select GCP and tick Scan (or tick both Scan and Cost if you want to use the same account for scanning and cost), paste your GCP credential JSON, then click on Submit.
  5. Done!