GCP Projects can be added to Heeler independently if desired. This can be ideal for testing purposes or if there's a third party project that you want added for visibility purposes. Similar to connecting an entire GCP Organization, it is recommended that a dedicated project be added for Workload Identity Federation. Doing this ensures isolation and adheres to industry standard best practices. The new project, typically named heeler-security will hold a single service account that will have read-only permission to view resources inside the individual project(s) that will be onboarded to the Heeler platform.
Create a new project, e.g., heeler-security
gcloud projects create heeler-security
To simplify the remaining gcloud commands, set the newly created project as default
gcloud config set project heeler-security
Enable the APIs that Heeler uses to communicate with GCP
Create a new service account that Heeler will use to pull inventory data, e.g., heeler-collector
gcloud iam service-accounts create heeler-collector \
--description="Service account used to collect inventory across GCP" \
--display-name="Heeler Security Collector"
Get the ID of the project you wish to onboard to Heeler
gcloud projects list
PROJECT_ID NAME PROJECT_NUMBER
acme-project acme-project 592XXXXXXXXX
hooli-project hooli-project 593XXXXXXXXX
pied-piper-testing pied-piper-testing 594XXXXXXXXX
gavin-belson-sandbox gavin-belson-sandbox 595XXXXXXXXX
Grab the email from the newly created service account
Use the project ID to add the Heeler-required predefined IAM Roles to the newly created service account using the email from the previous step, e.g., [email protected]
GKE Cluster Access:
If you are using GKE with GKE DNS endpoints enabled, Heeler needs an additional permission container.clusters.connect. You can create a custom role with this permission, or use the Google-managed roles/container.viewer.
If you are using GKE clusters without publicly accessible endpoints and you use authorized networks instead of DNS endpoints, you need to add the Heeler outbound IPs as authorized networks:
44.221.229.40
52.73.231.96
Create the Workload Identity Pool
Create Workload Identity Provider
Login to the GCP Console in order to finalize the configuration and download the Workload Credentials in the following steps:
Click on Grant Access at the top and on the overlay window select Grant access using Service Account impersonation. Then select the available service account Heeler Security Collector and select account as the attribute with a value of 168777450829. Once you click on save you will be prompted to save
Click on Save and then click on Connected Service Accounts on the top right. Select Download Config and select the provider Heeler AWS Provider.
Heeler Configuration
Once the resources are created and configured in GCP, you need to add their information to Heeler. Open the URL https://app.heeler.com/administration/connections/cloud_accounts or just click on the settings icon at the top right and then click on Connections > Cloud Accounts.
Click on Add Cloud Account and then select Google Cloud Platform. Enter:
Project Name (e.g. Hooli Project)
Workload Identity Configuration, which was downloaded in the prior step
Project ID from the step five, e.g., hooli-project
Click Save. If everything is configured properly within GCP you should see a success message and inventory collection will immediately begin in the background. Please note that for the first round of collection it could take some time based on the size of the GCP project.
gcloud iam workload-identity-pools create heeler-aws-pool \
--description="Workload Identity Pool for Heeler on AWS." \
--display-name="Heeler AWS Pool" \
--location="global"
gcloud iam workload-identity-pools \
providers create-aws heeler-aws-provider \
--account-id=168777450829 \
--description="Workload Identity Provider for Heeler on AWS" \
--display-name="Heeler AWS Provider" \
--attribute-mapping="google.subject=assertion.arn,attribute.account=assertion.account" \
--location="global" \
--workload-identity-pool="heeler-aws-pool"
