Google Cloud Platform

Overview

Heeler supports broad visibility into Google Cloud Platform. It can be configured to onboard and stream inventory data from all projects via a GCP Organization, or individual projects can be added for testing purposes. It is recommended to set up both organization collection and event collection for near real-time assessment.

Setup Options

There are several steps that must be completed within the GCP Console.

Permissions Check

To validate that you have the permissions needed to connect a GCP Organization/Project to Heeler, run the following steps:

  1. Log in with the gcloud CLI:

    gcloud auth login

  2. Determine your GCP Organization ID:

    gcloud organizations list

  3. Replace <your org id> below with the value in the ID column (not DIRECTORY_CUSTOMER_ID) from the previous step and validate permissions:

    ACCESS_TOKEN=$(gcloud auth print-access-token)

    curl -X POST \
      -H "Authorization: Bearer ${ACCESS_TOKEN}" \
      -H "Content-Type: application/json" \
      "https://cloudresourcemanager.googleapis.com/v1/organizations/<your org id>:testIamPermissions" \
      -d '{
        "permissions": [
          "resourcemanager.projects.create",
          "resourcemanager.organizations.get",
          "resourcemanager.organizations.setIamPolicy",
          "resourcemanager.organizations.getIamPolicy",
          "serviceusage.services.enable",
          "iam.serviceAccounts.list",
          "iam.serviceAccounts.create",
          "iam.workloadIdentityPoolProviders.create"
        ]
      }'

The response should list all 8 requested permissions. testIamPermissions returns only the permissions the caller actually holds, so any permission absent from the response is one you are missing.

If you do not have all required permissions, you will need to work with a GCP administrator to add the additional permissions.
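The same check as a script, added here as an example and not part of Heeler's own tooling: it calls the testIamPermissions endpoint with the 8 permissions from the curl request above and prints exactly which ones are missing, instead of leaving you to compare the JSON by eye. It assumes the gcloud CLI is installed and logged in (step 1) and takes the numeric organization ID from step 2 as its only argument.

```python
"""Report which of the permissions Heeler needs are missing on a GCP org.

Added example (not Heeler's code). The access token comes from
`gcloud auth print-access-token`, exactly as in the curl command above.
"""
import json
import subprocess
import sys
import urllib.request

# The 8 permissions from the curl request body in the setup steps.
REQUIRED_PERMISSIONS = frozenset({
    "resourcemanager.projects.create",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.setIamPolicy",
    "resourcemanager.organizations.getIamPolicy",
    "serviceusage.services.enable",
    "iam.serviceAccounts.list",
    "iam.serviceAccounts.create",
    "iam.workloadIdentityPoolProviders.create",
})


def missing_permissions(response: dict) -> list[str]:
    """Return required permissions absent from a testIamPermissions response.

    The API echoes back only the permissions the caller holds, so a missing
    "permissions" key or a shorter array means some are not granted.
    """
    granted = set(response.get("permissions", []))
    return sorted(REQUIRED_PERMISSIONS - granted)


def check_org_permissions(org_id: str, access_token: str) -> list[str]:
    """POST to testIamPermissions for org_id; return the missing permissions."""
    url = ("https://cloudresourcemanager.googleapis.com/v1/organizations/"
           f"{org_id}:testIamPermissions")
    body = json.dumps({"permissions": sorted(REQUIRED_PERMISSIONS)}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return missing_permissions(json.load(resp))


if __name__ == "__main__":
    org = sys.argv[1]  # numeric ID column from `gcloud organizations list`
    token = subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()
    missing = check_org_permissions(org, token)
    print("all 8 permissions present" if not missing
          else "missing: " + ", ".join(missing))
```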
