Skip to main content

Google Cloud

Visualize Google Cloud resources, map Google Cloud users to employees, and monitor visibility and governance of the environment through queries and alerts.

Installation

info

To use this integration, JupiterOne requires the contents of a Google Cloud service account key file with the correct API services enabled. In addition, you must have permission in JupiterOne to install new integrations.

Google Cloud Configuration

Google Cloud has most API services disabled by default. When a Google Cloud service API is disabled, the JupiterOne integration will not ingest the data from that API. The following Google Cloud service APIs must be enabled to ingest all of the supported data into JupiterOne:

Service NameService API
Access Context Manageraccesscontextmanager.googleapis.com
API Gatewayapigateway.googleapis.com
App Engine Adminappengine.googleapis.com
BigQuerybigquery.googleapis.com
Binary Authorizationbinaryauthorization.googleapis.com
Certificate Authority Serviceprivateca.googleapis.com
Cloud Assetcloudasset.googleapis.com
Cloud DNSdns.googleapis.com
Cloud Functionscloudfunctions.googleapis.com
Cloud Key Management Service (KMS)cloudkms.googleapis.com
Cloud Logginglogging.googleapis.com
Cloud Memorystore for Memcachedmemcache.googleapis.com
Cloud Pub/Subpubsub.googleapis.com
Cloud Resource Managercloudresourcemanager.googleapis.com
Cloud Runrun.googleapis.com
Cloud Spannerspanner.googleapis.com
Cloud SQL Adminsqladmin.googleapis.com
Cloud Storagestorage.googleapis.com
Compute Enginecompute.googleapis.com
Google Cloud Memorystore for Redisredis.googleapis.com
Identity and Access Management (IAM)iam.googleapis.com
Kubernetes Enginecontainer.googleapis.com
Service Usageserviceusage.googleapis.com
Stackdriver Monitoringmonitoring.googleapis.com
Secret Managersecretmanager.googleapis.com
Cloud Source Repositoriessourcerepo.googleapis.com

Google Cloud service APIs can be enabled using one of the following methods:

Enabling Google Cloud Service API from Google Cloud Console

  1. Click on the service name link that you want to enable from the table above.
  2. Select your Google Cloud project from the project dropdown menu.
  3. Click Enable.

Enabling Google Cloud Service API from gcloud CLI

Instructions on how to set up thegcloud CLI can be found in the JupiterOne Google Cloud integration developer documentation.

After setting up the gcloud CLI, you can run the following command to enable all services that the JupiterOne integration supports.

note

You can only enable 20 services at a time.

    gcloud services enable \
accesscontextmanager.googleapis.com \
apigateway.googleapis.com \
appengine.googleapis.com \
bigquery.googleapis.com \
binaryauthorization.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
dns.googleapis.com \
cloudfunctions.googleapis.com \
cloudkms.googleapis.com \
logging.googleapis.com \
memcache.googleapis.com \
pubsub.googleapis.com \
cloudresourcemanager.googleapis.com \
run.googleapis.com \
spanner.googleapis.com \
sqladmin.googleapis.com \
storage.googleapis.com \
compute.googleapis.com \
redis.googleapis.com \
iam.googleapis.com \
container.googleapis.com \
serviceusage.googleapis.com \
monitoring.googleapis.com \
secretmanager.googleapis.com \
sourcerepo.googleapis.com \
websecurityscanner.googleapis.com \
orgpolicy.googleapis.com

Creating Google Cloud project service account

We must assign the correct permissions to the newly created service account for the integration to be run. We recommend using the following roles managed by Google Cloud:

Some additional data may be optionally ingested by the JupiterOne Google Cloud integration by configuring a custom role with the following permissions:

appengine.applications.get
binaryauthorization.policy.get
cloudasset.assets.searchAllIamPolicies
compute.projects.get
orgpolicy.policy.get

For BigQuery, the following additional permissions are needed to ingest BigQuery datasets, models, and tables respectively:

bigquery.datasets.get
bigquery.models.getMetadata
bigquery.tables.get

See the Google Cloud custom role documentation for additional information on how custom roles can be configured and assigned.

NOTE: You may also create a service account using the gcloud CLI. There is documentation on how to leverage the CLI in the JupiterOne Google Cloud integration developer documentation.

Generate a service account key

See the Google Cloud service account key documentation for more information on how to create a service account key for the service account that you would like to ingest data using.

NOTE: You may also create a service account key using the gcloud CLI. Read more about the CLI in the Google Cloud integration developer documentation.

JupiterOne + Google Cloud Organization

Given the correct permissions, JupiterOne has the ability to automatically discover each project under a Google Cloud organization and configure integration instances for each of the projects.

Setup
  1. Select one Google Cloud project to configure a service account for JupiterOne.

  2. Create the service account without a role. Copy the email address of the new service account (e.g. my-sa@my-j1-project.iam.gserviceaccount.com).

  3. Generate and copy a new service account key.

  4. Enable all service APIs in the "main" project and each "child" project that you'd like JupiterOne to access. Documentation for enabling service APIs is described in an earlier section of this document.

    NOTE: The "Cloud Asset" and "Identity and Access Management (IAM)" APIs only need to be enabled in the "main" project.

  5. Switch to the organization that you'd like to create individual integration instances for each project

  6. Create a new custom role with the following permissions:

resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.services.list
resourcemanager.organizations.getIamPolicy
cloudasset.assets.searchAllIamPolicies

The integration will also try to ingest organization policy for "storage.publicAccessPrevention" to precisely calculate storage buckets public access, it is therefore recommended that the following permission is also included in the custom role above:

orgpolicy.policy.get

The integration will calculate if a storage bucket is public or not based on the following conditions:

  • Public to internet means one or more bucket-level permissions grant access to allUsers or allAuthenticatedUsers.
  • Not public means the bucket’s policy controls all objects uniformly, and no permissions have been granted to allUsers or allAuthenticatedUsers.
  • Subject to object ACLs means fine-grained, object-level access control lists (ACLs) are enabled. Objects may be public if they grant access to allUsers or allAuthenticatedUsers.
  1. Navigate to the Cloud Resource Manager for that organization and add a new member to the organization. The new member email address is the email address of the service account that was created earlier. Select the new organization role that was created above, as well as the Google Cloud managed role "Security Reviewer" (roles/iam.securityReviewer) or an alternative JupiterOne custom role that you've created.

  2. Navigate to the JupiterOne Google Cloud integration configuration page to begin configuring the "main" integration instance.

Use the generated service account key as the value for the "Service Account Key File" field.

note

The "Polling Interval" that is selected for the "main" integration instances will be the same polling interval that is used for each of the child integration instances.

  1. Select the "Configure Organization Projects" checkbox.
  2. Enter the numerical value of the Google Cloud organization into the "Organization ID" text field (e.g. "1234567890").
  3. Click CREATE CONFIGURATION.

Depending on how many projects exist under a Google Cloud organization, the auto-configuration process may take a few minutes to complete. When the process has been completed, you will see your new integration instances on the JupiterOne Google Cloud integration list page.

Configuration in JupiterOne

To install the Google Cloud integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select Google Cloud. Click New Instance to begin configuring your integration.

Creating a configuration requires the following:

  • Account Name by which you want to identify this Google Cloud account in JupiterOne. Ingested entities will have this value stored in tag.AccountName when Add AccountName Tag is enabled.
  • Description that will assist your team to identify the integration instance.
  • Polling Interval that you feel is sufficient for your monitoring needs. You can leave this as DISABLED and manually execute the integration.
  • Service Account Key File contents of the Google Cloud service account.
  • Add any tags you want to use to simplify data management and queries.

Optionally, you can enter a project ID to target for data ingestion. The default is the project ID specified in the service account key file.

Select Configure Organization Projects if you want J1 to auto-configure all projects in your organization. J1 applies the configuration to all other projects that do not have optional j1-integration: SKIP tag applied to the project in your infrastructure-as-code. Do not use the optional project ID if you want to use this feature.

Optionally, enter a numerical folder ID if you want to specify that J1 is to only ingest projects in a specific folder and any of its subfolders. If you have enabled Configure Organization Projects, J1 only auto-configures projects in this specified folder.

Click Create after all values are provided to finalize the integration.

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.