Skip to content

Pre-requisite for GCP Cloud Account Onboarding

CSPM Pre-requisite for GCP

When the AccuKnox control plane is hosted in a cloud environment, scanning is performed using Cloud account Readonly Access permissions.

image

Note: Make sure the Below API Library is enabled in your GCP Account for onboarding into AccuKnox SaaS:

  1. Compute Engine API
  2. Identity and Access Management (IAM) API
  3. Cloud Resource Manager API
  4. Cloud Functions API
  5. KMS API
  6. Kubernetes API
  7. Cloud SQL Admin API

For GCP there is a requirement for IAM Service Account Access.

Step 1: Log into your Google Cloud console and navigate to IAM & Admin choose “Roles“ and Click “Create Role“

image

Step 2: Name the “Role” and Click “Add Permission”

image

Step 3: Use the Service: storage filter then value as “storage.buckets.getIamPolicy“

image

Step 4: Choose the permission and Click “Add“ then Click Create in the same page.

image

Step 5: In the Navigation Panel, navigate to IAM Admin > Service Accounts.

image

Step 6: Click on "Create Service Account"

image

Step 7: Enter any name that you want on Service Account Name.

Step 8: Click on Continue.

image

Step 9: Select the role: Project > Viewer and click Add another Role.

image

Step 10: Click “Add Another Role” Choose “Custom“ Select the created Custom Role.

image

Step 11: Click on “Continue“ and ”Done”

image

Step 12: Go to the created Service Account, click on that Service Account navigate to the “Keys“ section.

image

Step 13: Click the “Add key“ button and “Create new key “ . Chosen Key type should be JSON format.

image

Step 14: Click the “Create“ button it will automatically download the JSON key.

AI/ML Security Prerequisites for GCP Cloud Accounts

Permissions for Vertex AI (GCP) Access Control:

Ref - Vertex AI Docs

  • Basic roles (apply broadly to cloud resources)

    • Viewer (for general cloud assets)
    • Security Reviewer

  • Predefined roles specific to Vertex AI / Storage

    • Vertex AI Viewer
    • Storage Bucket Viewer
    • Storage Object Viewer

  • Custom role

    • A role containing only the aiplatform.endpoints.predict permission
      • Grants ability to call (invoke) Vertex AI endpoints
      • Does not grant permissions to manage or deploy endpoints

Note

You need to get a JSON private key with the service account to onboard the GCP account into AccuKnox SaaS. This can be done by following the CSPM pre-requisite steps mentioned above.

Screenshots for enabling AI related permissions are shown below:

image image image

SCHEDULE DEMO