Connect GCP account
To allow Prevasio CSPM to access your GCP services programmatically, enable API access for the selected GCP project with the steps below.
Make sure the following APIs for your project are enabled by clicking each API in the list below. In the page that displays information about the API, click
- Cloud Spanner API
- Kubernetes Engine API
- BigQuery API
- Cloud Key Management Service (KMS) API
- Cloud Pub/Sub API
- Compute Engine API
- Cloud Logging API
- Cloud Storage API
- Cloud DNS API
- Cloud Monitoring API
- Dataflow API
- Dataproc API
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud SQL Admin API
- Cloud Deployment Manager V2 API
- Cloud Functions API
- Artifact Registry API
If you have the Google Cloud (gcloud) CLI installed, start a new terminal session. Alternatively, click the
Run the following command in the terminal window to display the project IDs for your Google Cloud projects (if the Cloud Shell authorization request pops up, click the
gcloud projects list
Using the applicable project ID from the previous step, set the default project to the one in which you want to enable the API:
gcloud config set project YOUR_PROJECT_ID
Execute the following command to enable the APIs for your project:
curl -s -L https://prevasio-cspm-resources.s3.amazonaws.com/enable-gcp-api/enable-api | bash
Alternatively, use the gcloud CLI by executing the contents of the following script:
#!/bin/bash
# Enable each API that Prevasio CSPM needs in the current default project.
services=(spanner container bigquery cloudkms pubsub compute logging storage dns monitoring dataflow iam cloudresourcemanager sqladmin deploymentmanager cloudfunctions)
for service in "${services[@]}"; do
    echo "Enable API for $service"
    gcloud services enable "$service.googleapis.com"
done
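To confirm the result before creating the service account, the following added example (not part of Prevasio's own tooling) compares the project's enabled services against the API list above and prints any that are still missing. The first 16 service names come from the script on this page; `dataproc` and `artifactregistry` are assumed mappings for the Dataproc API and Artifact Registry API entries, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example: report which of the required APIs are NOT enabled.
# Service names: the first 16 are taken from the script on this page;
# dataproc and artifactregistry are assumed mappings for the
# "Dataproc API" and "Artifact Registry API" entries in the list.
REQUIRED_APIS="spanner container bigquery cloudkms pubsub compute logging storage dns monitoring dataflow dataproc iam cloudresourcemanager sqladmin deploymentmanager cloudfunctions artifactregistry"

# missing_apis: reads enabled service names on stdin, one per line
# (e.g. "compute.googleapis.com"), and prints every required service
# that is absent. Returns 0 when nothing is missing, 1 otherwise.
missing_apis() {
  local enabled svc rc=0
  # Normalise line endings and trailing whitespace before matching.
  enabled="$(tr -d '\r' | sed 's/[[:space:]]*$//')"
  for svc in $REQUIRED_APIS; do
    # -x and -F: whole-line, literal match, so "storage-api" never
    # satisfies the requirement for "storage".
    if ! printf '%s\n' "$enabled" | grep -qxF "$svc.googleapis.com"; then
      printf '%s\n' "$svc.googleapis.com"
      rc=1
    fi
  done
  return "$rc"
}

# check_project: queries a live project (needs an authenticated gcloud).
check_project() {
  gcloud services list --enabled --project "$1" \
    --format='value(config.name)' | missing_apis
}

# Usage: ./check-apis.sh YOUR_PROJECT_ID
if [ -n "${1:-}" ]; then
  if check_project "$1"; then
    echo "All required APIs are enabled."
  else
    echo "The APIs listed above are still disabled." >&2
  fi
fi
```

Any service name it prints can be enabled with `gcloud services enable`, as in the script above.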
Go to the IAM & Admin / Service Accounts page, select your project and press
Enter 'Prevasio CSPM' for the service account name. Press
At the next step called 'Grant this service account access to project', select the Project / Viewer role in the 'Select a role' selector. Once the Viewer role is selected, press
Once the new service account 'Prevasio CSPM' has been created, generate a new key for it by following the steps below:
- Click the email address of the service account 'Prevasio CSPM'. It should look similar to:
prevasio-cspm@project-name-123456.iam.gserviceaccount.com
- At the Service account details page, select the KEYS tab and press the ADD KEY / Create new key button. Select JSON as the key type and proceed to download the private key.
- Proceed to the next step to upload the obtained private key.
(Optional) Enable scan for organizations
If you have an organization, and you would like Prevasio CSPM to also scan it for any misconfigurations, please follow the steps below:
- Take note of the email address of the newly added service account for Prevasio CSPM.
For example, it may look like: prevasio-cspm@project-name-123456.iam.gserviceaccount.com
- Go to IAM & Admin / Manage resources and select your organization by ticking the box next to its name.
- Press the ADD PRINCIPAL button at the Permissions tab of your organization.
- Fill the 'New principals' field with the email address of the service account for Prevasio CSPM, and add 3 roles to it:
- Organization Viewer
- Organization Policy Viewer
- Organization Role Viewer
- Press Save to finish adding the service account for Prevasio CSPM as a viewer for your organization.
Once the private key for "Prevasio CSPM" is created and downloaded in JSON format, upload it using the form below.