CSPM Pre-requisite for GCP
In the SaaS deployment model, AccuKnox CNAPP is hosted in our cloud environment and scans are performed using read-only access to the cloud account.
Note: Make sure the following APIs are enabled in the API Library of your GCP account for onboarding into AccuKnox SaaS:
- Compute Engine API
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud Functions API
- KMS API
- Kubernetes API
- Cloud SQL Admin API
GCP onboarding requires access through an IAM service account.
Step 1: Log into your Google Cloud console, navigate to IAM & Admin, choose "Roles", and click "Create Role".
Step 2: Name the role and click "Add Permission".
Step 3: Use the Service: storage filter, then set the value to "storage.buckets.getIamPolicy".
Step 4: Select the permission and click "Add", then click "Create" on the same page.
Step 5: In the navigation panel, navigate to IAM & Admin > Service Accounts.
Step 6: Click "Create Service Account".
Step 7: Enter a name of your choice in "Service Account Name".
Step 8: Click "Continue".
Step 9: Select the role Project > Viewer and click "Add Another Role".
Step 10: Click "Add Another Role", choose "Custom", and select the custom role you created.
Step 11: Click "Continue" and then "Done".
Step 12: Open the service account you created and navigate to the "Keys" section.
Step 13: Click the "Add key" button and choose "Create new key". The key type should be JSON.
Step 14: Click the "Create" button. The JSON key is downloaded automatically.
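
The following is an added example, not part of the AccuKnox documentation: a Python check that the service account from Steps 1 to 14 holds only the Viewer role and the custom role with storage.buckets.getIamPolicy. It assumes the policy and role were exported with `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json`; the project, account and role names are constructed placeholders.

```python
"""Audit the read-only service account from Steps 1-14 (added example)."""

VIEWER_ROLE = "roles/viewer"                           # Step 9: Project > Viewer
CUSTOM_PERMISSIONS = {"storage.buckets.getIamPolicy"}  # Step 3


def roles_for(policy, sa_email):
    """Roles bound to the service account in a project IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, custom_role, key):
    """Return deviations from the setup the steps describe (empty = clean)."""
    findings = []
    if key.get("type") != "service_account":
        findings.append("key file is not a service account key")
    expected = {VIEWER_ROLE, custom_role["name"]}
    granted = roles_for(policy, key.get("client_email", ""))
    findings += [f"unexpected role: {r}" for r in sorted(granted - expected)]
    findings += [f"missing role: {r}" for r in sorted(expected - granted)]
    perms = set(custom_role.get("includedPermissions", []))
    findings += [f"custom role has extra permission: {p}"
                 for p in sorted(perms - CUSTOM_PERMISSIONS)]
    findings += [f"custom role lacks permission: {p}"
                 for p in sorted(CUSTOM_PERMISSIONS - perms)]
    return findings


# Constructed sample data; every name below is a placeholder.
SA = "cspm-scan@example-project.iam.gserviceaccount.com"
ROLE = "projects/example-project/roles/cspmBucketPolicy"
SAMPLE_KEY = {"type": "service_account", "client_email": SA}
SAMPLE_ROLE = {"name": ROLE,
               "includedPermissions": ["storage.buckets.getIamPolicy"]}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
    {"role": ROLE, "members": [f"serviceAccount:{SA}"]},
    # Drift: an editor grant added after onboarding.
    {"role": "roles/editor",
     "members": ["user:admin@example.com", f"serviceAccount:{SA}"]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_ROLE, SAMPLE_KEY):
        print(finding)
```

Roles inherited from a folder or organization do not appear in the project policy, so this check covers project-level bindings only.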