Onboard Google Cloud assets using a service account key

更新时间:
复制 MD 格式

Configure a Google Cloud Platform (GCP) service account key in Security Center to automatically sync GCP host assets to Alibaba Cloud's security protection system. This topic describes how to configure a GCP service account key to onboard host assets, helping you achieve centralized security management for multi-cloud assets and reduce security management complexity.

Important

The GCP console operations described in this topic are for reference only. For detailed steps, see the official GCP documentation.

Step 1: Create a service account and obtain a key

  1. Log on to the GCP console. In the upper-left corner of the console, select the target project.

    Note

    You must use a network outside the Chinese mainland to access the GCP console, such as from China (Hong Kong) or Singapore.

  2. Enable the Compute Engine API.

    1. In the left-side navigation pane, choose API & Services > Enabled APIs & Services..

    2. Enable the Compute Engine API as prompted by the console.

      After the API is enabled, the product details page displays the API Enabled status.

  3. Create a service account and grant permissions.

    1. In the left-side navigation pane, choose IAM & Admin > Service Accounts.

    2. On the Service Account page, click Create Service Account.

    3. On the Create Service Account page, enter a service account name and click Create and Continue.

      For example, enter AliSecurityCenter.

    4. In the Permissions (optional) section, select the Compute Viewer role and click Done.

  4. Create a key for the service account.

    1. In the service account list, click the image icon in the Actions column for the target service account,In the expanded action menu, select Manage Keys.

    2. On the Keys tab of the service account, click Add Key > Create New Key.

    3. In the Create Private Key dialog box, keep the default Key Type as JSON and click Create.

    4. Download the private key file and store it securely.

Step 2: Associate the VM instance with the service account

Security Center can only sync GCP VM instances that are associated with a service account. You must associate the VM instances to be onboarded with the service account created for this purpose.

For newly created VM instances

On the Create Instance page in the GCP console, click Security in the left-side navigation pane. In the Service Account section, select the service account created in Step 1: Create a service account and obtain a key and complete the instance creation.

For existing VM instances

  1. On the VM instance details page, click Modify.

  2. In the Identity and API access section, change the service account to the one created in Step 1: Create a service account and obtain a key and click Save.

    Important

    You must stop the VM instance before you can modify its service account.

Step 3: Submit the service account key

  1. Log on to the Security Center console.

    Important

    Due to network restrictions, you can onboard Google Cloud assets only in the Outside Chinese Mainland region.

  2. In the navigation pane on the left, select System Settings > Feature Settings. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Multi-cloud Configuration Management > Multi-cloud Assets tab, click Grant Permission and select GCP from the drop-down list.

    Alternatively, on the Assets > Host page, hover over the Add Multi-cloud Asset section image icon and click Add below GCP to open the Add Assets Outside Cloud panel.

  4. In the Permission Description section, select Host and click Next.

  5. Under Extended Information, click Upload File to upload the private key file obtained in Step 1: Create a service account and obtain a key.

  6. Enter an Account Name and click Next.

    The account name is used to distinguish different accounts under the same cloud provider. We recommend that you set a meaningful name based on its purpose.

    Important

    Do not delete or disable this key. Otherwise, the onboarding of GCP assets will be disrupted.

Step 4: Complete the onboarding policy configuration

  1. In the Add Assets Outside Cloud panel in the Security Center console, configure the region of the GCP assets to be onboarded and the data sync frequency in the Policy Configuration wizard, and then click OK.

    Parameter

    Description

    Select region

    Select the region where the assets to be onboarded reside. Security Center adds the assets in the selected region of the current account to the Outside Chinese Mainland management center.

    Region Management

    After you select this option, if new regions are added under the current GCP account, Security Center by default adds the asset data from the new regions to the Outside Chinese Mainland data management center.

    If you do not select this option, assets from new regions will not be onboarded to Security Center.

    Host Asset Synchronization Frequency

    Select the interval at which Security Center automatically syncs GCP host assets. Select Close to disable synchronization.

    AK Service Status Check

    Select the interval at which Security Center automatically checks the validity of the GCP service account key. Select Close to disable the check.

  2. Click Synchronize Assets to sync all host assets under the GCP service account to Security Center.

Step 5: Verify the onboarding results

In the Security Center console, navigate to the Assets > Host page. In the Add Multi-cloud Asset section, click the image icon. If you can view the GCP asset list, the onboarding is successful. For more information, see Server assets.

What to do next

  1. Install the Security Center client on your GCP assets.

  2. Associate a Security Center edition with your GCP assets. We recommend that you associate a paid edition to obtain security protection and hardening capabilities. The Free edition provides only basic detection and no protection. For more information about the differences between editions, see Purchase Security Center.