How do you apply permissions to users groups and service accounts in Google Cloud Platform?

The following procedure provides steps to create a Service Account within Google Cloud Platform (GCP) to use in a Lacework integration.

Do not start with this topic.

For instructions on creating the entire integration, see the topics in GCP Terraform or GCP Console.

Recommendations

When integrating at the Organization level, Lacework recommends creating a Project specifically to contain Lacework resources.

When integrating at the Project level, you can provision all required resources for Lacework within the Project that is being integrated.

Prerequisites

The account that will be used to create and configure the integration resources must have certain privileges. Those privileges are mentioned in the following articles:

  • Organizational Level Integrations: Roles
  • Project Level Integrations: Roles

Additionally, the Project where the resources will reside must have billing enabled.

Steps

  • Create a Service Account
  • (Compliance Only) Create the Lacework Compliance Custom Role
  • Grant the Required Roles to the Service Account

Create a Service Account

Follow these steps to manually create a Service Account:

  1. Log in to the GCP Console.

  2. Navigate to IAM & Admin page, then click Service Accounts > + Create Service Account.

  3. In the Service account details step, enter values in the fields, then click Create and Continue.

  4. Skip the optional sections and click Done.

  5. On the Service Accounts page, find the newly created service account, click the kebab menu under Actions, and then click Manage keys.

  6. Click Add Key > Create new key.

  7. Select the JSON key type, then click Create. A JSON key file downloads to your system.

    Note: after you download the key file, you cannot download it again.

  8. In the Details tab, find the email address of the new service account and copy it to your clipboard.

  9. Click the menu icon located at the top right of the page to exit the Service Accounts page.

(Compliance Only) Create the Lacework Compliance Custom Role

Info: this step is required only when creating a Lacework Compliance integration.

  1. Select IAM & Admin > Roles from the cloud console navigation menu.

  2. Click the down arrow in the top menu bar for the project.

    The Select from dialog appears.

  3. From the Select from drop-down, select an Organization that contains the GCP resources that you want the integration to monitor, or select No Organization if selecting a Project that does not reside within an Organization.

  4. In the Select from dialog, click the All tab to display the list of all entities. Select the Organization or Project where the Custom Role will be created, then click Open.

  5. Click Create Role on the top toolbar.

  6. In the Create Role page, enter a title, description, and identifier in the fields. From the Role launch stage drop-down, select General Availability.
    Lacework suggests a name along the lines of Lacework Compliance Role.

  7. Add the required permissions by clicking + Add Permissions.

  8. Click Create.

Grant the Required Roles to the Service Account

Grant the required Roles to the Service Account created in the previous section:

  1. Select IAM & Admin > IAM from the cloud console navigation menu.

  2. Click the down arrow in the top menu bar for the project.

    The Select from dialog appears.

  3. From the Select from drop-down, select an Organization that contains the GCP resources that you want the integration to monitor, or select No Organization if selecting a Project that does not reside within an Organization.

  4. In the Select from dialog, click the All tab to display the list of all entities. Select the Organization or Project where the IAM Roles will be granted, then click Open.

  5. Click Add.

    Note: you must have permission to add members to the Organization or Project IAM Policy for the Add button to be active.

  6. Add a member and roles to a Project or Organization. In the New members field, paste the email address of the Service Account copied in an earlier step.

  7. From the Select a role drop-down, select the appropriate roles depending on the integration type.

  8. (Compliance Only) Add the Custom Role created in the Create the Lacework Compliance Custom Role section.

  9. Click Save.

Service Account Roles

These are the specific Roles required by the Service Account being used for the integrations, depending on the integration level and type.

Role Name | Role ID | Integration Type | Integration Level
Organization Viewer | roles/resourcemanager.organizationViewer | Audit Log, Compliance | Organization level only.
Browser | roles/browser | Audit Log, Compliance | Project or Organization level, depending on the integration.
Cloud Asset Viewer | roles/cloudasset.viewer | Compliance | Project or Organization level, depending on the integration.
Security Reviewer | roles/iam.securityReviewer | Compliance | Project or Organization level, depending on the integration.
Lacework Compliance Custom Role | Role created in Create the Lacework Compliance Custom Role | Compliance | Project or Organization level, depending on the integration.

Lacework Compliance Role Permissions

In addition to the above GCP roles, Lacework also requires a Custom Role for the Compliance integration. The permissions required are outlined in the following table:

Role Name | Permission | Usage
Lacework Compliance Role | bigquery.datasets.get | Read access to retrieve dataset metadata, such as encryption keys and access permissions.
 | compute.projects.get | Read access to project metadata, such as the resources contained within.
 | pubsub.topics.get | Read access to Pub/Sub topic metadata.
 | storage.buckets.get | Read access to bucket metadata, excluding IAM policies. Can also list or read Pub/Sub notification configurations on a bucket.
 | compute.sslPolicies.get | Read access to SSL Policy resources.
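The two tables above define the least-privilege set for the Service Account created and granted in the sections above. The following is an added example, not Lacework's or Google's code: it encodes those role IDs and permissions, produces a custom-role body in the shape `gcloud iam roles create ROLE_ID --file=role.json` accepts, and checks the JSON output of `gcloud projects get-iam-policy --format=json` (assumed to carry `bindings` with `role` and `members`) for roles that are missing or over-granted. The project name, account address and policy are constructed sample values.

```python
"""Added example, not Lacework's or Google's code: encode the roles and permissions
this page lists and check a project's IAM policy against them."""
import json

# Role IDs per integration type and level, from the "Service Account Roles" table.
REQUIRED_ROLES = {
    ("audit_log", "organization"): {"roles/resourcemanager.organizationViewer", "roles/browser"},
    ("audit_log", "project"): {"roles/browser"},
    ("compliance", "organization"): {"roles/resourcemanager.organizationViewer", "roles/browser",
                                     "roles/cloudasset.viewer", "roles/iam.securityReviewer"},
    ("compliance", "project"): {"roles/browser", "roles/cloudasset.viewer",
                                "roles/iam.securityReviewer"},
}
# Permissions from the "Lacework Compliance Role Permissions" table.
COMPLIANCE_PERMISSIONS = ["bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get",
                          "storage.buckets.get", "compute.sslPolicies.get"]


def custom_role_definition():
    """Role body in the shape `gcloud iam roles create ROLE_ID --file=role.json` accepts."""
    return {"title": "Lacework Compliance Role", "stage": "GA",
            "includedPermissions": COMPLIANCE_PERMISSIONS}


def roles_held(policy, sa_email):
    """Roles bound to the service account in `gcloud ... get-iam-policy --format=json` output."""
    member = "serviceAccount:" + sa_email
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_bindings(policy, sa_email, integration, level, custom_role_id=None):
    """Return (missing, extra): required roles not granted, and granted roles beyond the
    least-privilege set (an over-grant such as roles/editor), each sorted."""
    required = set(REQUIRED_ROLES[(integration, level)])
    if integration == "compliance":
        if not custom_role_id:
            raise ValueError("compliance integrations need the custom role's full id")
        required.add(custom_role_id)  # e.g. projects/PROJECT/roles/laceworkCompliance
    held = roles_held(policy, sa_email)
    return sorted(required - held), sorted(held - required)


# Constructed sample policy (hypothetical project and account): the SA lacks Security
# Reviewer and the custom role, and has been over-granted roles/editor.
SA = "lacework@my-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/browser", "members": ["serviceAccount:%s"]},
  {"role": "roles/cloudasset.viewer", "members": ["serviceAccount:%s"]},
  {"role": "roles/editor", "members": ["user:alice@example.com", "serviceAccount:%s"]}]}""" % (SA, SA, SA))
```

Running `check_bindings(SAMPLE_POLICY, SA, "compliance", "project", custom_role_id="projects/my-proj/roles/laceworkCompliance")` reports Security Reviewer and the custom role as missing and roles/editor as an extra grant to remove.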

Next Steps

  • Enable the Required GCP APIs

How do I give permissions to a service account in GCP?

Add the Service Account as a member to the Project:

  1. Open the IAM page in the GCP console for the XPN project.
  2. Click Add.
  3. Select the Service Account as the New Member.
  4. Select the Role with the desired permissions.
  5. Click Save.

How do you grant permissions to a service account?

Granting access to a service account:

  1. Open the link provided by your service provider. ...
  2. Review the roles your provider wants the service account to have.
  3. To choose a project, click Select Project. ...
  4. If you don't want to grant the service account access, click Remove to delete it from the list.
  5. Click Grant.

How do I check my GCP service account permissions?

Using the GCP Console:

  1. Navigate to the Cloud Identity and Access Management (IAM) dashboard at https://console.cloud.google.com/iam-admin/iam.
  2. In the navigation panel, select IAM.
  3. Choose the PERMISSIONS tab, then select View by MEMBERS to list all the member accounts available for the selected GCP project.

Which basic permissions allow you to change access permissions on resources in GCP?

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.