Google Cloud Provider (GCP)

Overview

This document provides a step-by-step guide on how to set up Google Cloud Platform (GCP) credentials for the RegScale integration. These credentials are necessary for authenticating and authorizing RegScale to access GCP services.

Prerequisites

Access to a Google Cloud Platform account.
Basic knowledge of GCP services and IAM (Identity and Access Management).

Steps to Create GCP Credentials

1. Create a GCP Project

If you haven't already, create a new GCP project:

Navigate to the GCP Console.
Click on the project drop-down near the top of the page and select "New Project".
Follow the prompts to create your new project.

2. Enable Necessary APIs

You need to enable the APIs that your application will use. This can be done either through the GCP Console or via the command line. For instance, if you're using the Security Command Center API, follow these steps:

Through the GCP Console:

Open the API Library in the GCP Console.
Look for and enable the necessary APIs (for example, the Security Command Center API and the Cloud Asset API).

Through the Command Line:

Use the following commands to enable the APIs:
- For the Security Command Center API: gcloud services enable securitycenter.googleapis.com --project {PROJECT_ID}
- For the Cloud Asset API: gcloud services enable cloudasset.googleapis.com --project {PROJECT_ID}

Remember to replace {PROJECT_ID} with your actual GCP Project ID in the commands above.

3. Create a Service Account

In the GCP Console, go to the "IAM & Admin" section, and select "Service accounts".
Click "Create Service Account", enter a name and description, and click "Create".
Assign the necessary roles to the service account (e.g., roles/securitycenter.admin for Security Command Center access, roles/).
Click "Done" to create the service account.

4. Generate a Key File

Find the newly created service account in the list and click on it.
Go to the "Keys" section and click "Add Key" > "Create new key".
Choose "JSON" as the key type and click "Create".
A JSON key file will be downloaded to your computer. Securely store this file, as it provides access to your GCP services.

Configuring the Integration with GCP Credentials

Once you have your service account key file:

Setting an Environment Variable (Optional):

You can set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON key file. This method is recommended for authenticating with GCP services.
```
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/your/keyfile.json"
export gcpProjectId="Your GCP Project ID"
```
Please replace "/path/to/your/keyfile.json" with the actual path to your key file and 'Your GCP Project ID' with your actual GCP Project ID. Use the number format of the Id (e.g. 000000000000) and surround it with quotes.
Directly in the Application (Recommended):

Alternatively, you can add gcpCredentials and gcpProjectId to your init.yaml file. For example, you can specify the path to your credentials file as shown below:
```
gcpCredentials: '/path/to/credentials.json'
gcpProjectId: 'Your GCP Project ID'
gcpOrganizationId: 'Your GCP Project ID'
gcpScanType: 'project | organization'
```
Again, ensure you replace "/path/to/credentials.json" with the actual path to your key file and 'Your GCP Project ID' with your actual GCP Project ID. Use the number format of the Ids (e.g. 000000000000) and surround it with quotes.

Important Notes

Security: Treat the service account key file as sensitive data. It should not be committed to source control or left in insecure places.
Roles and Permissions: Assign only the necessary roles to the service account to follow the principle of least privilege.
Documentation: Refer to the GCP IAM Documentation for more details on managing service accounts and roles.

Usage

You can use the regscale gcp sync_assets and regscale gcp sync_findings commands to synchronize your GCP assets and findings with RegScale. Here is how you can use these commands:

Sync Assets:

regscale gcp sync_assets ---regscale_ssp_id [RegScale Plan ID]

Sync Findings:

regscale gcp sync_findings ---regscale_ssp_id [RegScale Plan ID]

Replace [RegScale Plan ID] with the actual ID number from RegScale of the System Security Plan. These commands are required to run the integration.