Google Cloud Platform
Last updated
Was this helpful?
Last updated
Was this helpful?
Overview
Heeler supports broad visibility into Google Cloud Platform, and can be configured to onboard and stream inventory data from all accounts via a GCP Organization. The instructions below leverage gcloud CLI commands as well as several steps that must be completed within the GCP Console.
To install the gcloud CLI utility please follow this guide: .
To validate you have the permissions needed to connect your GCP organization to Heeler you can run the following check. Be sure to retrieve your GCP organization ID and replace below:
The response should include all 8 permissions required:
If you do not have all required permissions, you will need to work with a GCP administrator to add the additional permissions.
To add your GCP Organization to Heeler, it is recommended that a dedicated project be added to your company's existing organization. Doing this ensures isolation and adheres to industry standard best practices. The new project, typically named heeler-security will hold a single service account that will have read-only permission to view resources inside the project and inside the organization.
Create a new project, e.g., heeler-security
To simplify the remaining gcloud commands, set the newly created project as default
Enable the APIs that Heeler uses to communicate with GCP
Create a new service account that Heeler will use to pull inventory data, e.g., heeler-collector
Get the organization ID
Grab the email from the newly created service account
Use the organization ID to add the Heeler-required predefined IAM Roles to the newly created service account using the email from the previous step, e.g., heeler-collector@XXXXX.heeler-security.iam.gserviceaccount.com
Create the Workload Identity Pool
Create Workload Identity Provider
Login to the GCP Console in order to finalize the configuration and download the Workload Credentials in the following steps:
Click on Grant Access at the top and on the overlay window select Grant access using Service Account impersonation. Then select the available service account Heeler Security Collector and select account as the attribute with a value of 168777450829. Once you click on save you will be prompted to save
Click on Save and then click on Connected Service Accounts on the top right. Select Download Config and select the provider Heeler AWS Provider.
Click on Add Organization and then select Google Cloud Platform. Enter:
Organization Name (e.g. Acme Corp)
Workload Identity Configuration, which was downloaded in the prior step
Project ID from the first step, e.g., heeler-security
Folder IDs (optional). If entered, a subset of projects within provided folders will be harvested. If left blank then Heeler will collect inventory from all projects/folders that it has access to.
Click Save. If everything is configured properly within GCP you should see a success message and inventory collection will immediately begin in the background. Please note that for the first round of collection it could take some time based on the size of the GCP footprint.
If you are using GKE clusters without publicly accessible endpoints and you have enabled, Heeler needs an additional permission container.clusters.connect. You can create a custom role with this permission, or use the Google-managed roles/container.viewer.
Once the resources are created and configured in GCP, you need to add their information to Heeler. Open the URL or just click on the settings icon at the top right and then click on Connections.
