Configure a Google Cloud Platform (GCP) service account key in Security Center to automatically sync GCP host assets to Alibaba Cloud's security protection system. This topic describes how to configure a GCP service account key to onboard host assets, helping you achieve centralized security management for multi-cloud assets and reduce security management complexity.
The GCP console operations described in this topic are for reference only. For detailed steps, see the official GCP documentation.
Step 1: Create a service account and obtain a key
Log on to the GCP console. In the upper-left corner of the console, select the target project.
NoteYou must use a network outside the Chinese mainland to access the GCP console, such as from China (Hong Kong) or Singapore.
Enable the Compute Engine API.
In the left-side navigation pane, choose API & Services > Enabled APIs & Services..
Enable the Compute Engine API as prompted by the console.
After the API is enabled, the product details page displays the API Enabled status.
Create a service account and grant permissions.
In the left-side navigation pane, choose IAM & Admin > Service Accounts.
On the Service Account page, click Create Service Account.
On the Create Service Account page, enter a service account name and click Create and Continue.
For example, enter AliSecurityCenter.
In the Permissions (optional) section, select the Compute Viewer role and click Done.
Create a key for the service account.
In the service account list, click the
icon in the Actions column for the target service account,In the expanded action menu, select Manage Keys.On the Keys tab of the service account, click Add Key > Create New Key.
In the Create Private Key dialog box, keep the default Key Type as JSON and click Create.
Download the private key file and store it securely.
Step 2: Associate the VM instance with the service account
Security Center can only sync GCP VM instances that are associated with a service account. You must associate the VM instances to be onboarded with the service account created for this purpose.
For newly created VM instances
On the Create Instance page in the GCP console, click Security in the left-side navigation pane. In the Service Account section, select the service account created in Step 1: Create a service account and obtain a key and complete the instance creation.
For existing VM instances
On the VM instance details page, click Modify.
In the Identity and API access section, change the service account to the one created in Step 1: Create a service account and obtain a key and click Save.
ImportantYou must stop the VM instance before you can modify its service account.
Step 3: Submit the service account key
Log on to the Security Center console.
ImportantDue to network restrictions, you can onboard Google Cloud assets only in the Outside Chinese Mainland region.
In the navigation pane on the left, select . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
On the tab, click Grant Permission and select GCP from the drop-down list.
Alternatively, on the page, hover over the Add Multi-cloud Asset section
icon and click Add below GCP to open the Add Assets Outside Cloud panel.In the Permission Description section, select Host and click Next.
Under Extended Information, click Upload File to upload the private key file obtained in Step 1: Create a service account and obtain a key.
Enter an Account Name and click Next.
The account name is used to distinguish different accounts under the same cloud provider. We recommend that you set a meaningful name based on its purpose.
ImportantDo not delete or disable this key. Otherwise, the onboarding of GCP assets will be disrupted.
Step 4: Complete the onboarding policy configuration
In the Add Assets Outside Cloud panel in the Security Center console, configure the region of the GCP assets to be onboarded and the data sync frequency in the Policy Configuration wizard, and then click OK.
Parameter
Description
Select region
Select the region where the assets to be onboarded reside. Security Center adds the assets in the selected region of the current account to the Outside Chinese Mainland management center.
Region Management
After you select this option, if new regions are added under the current GCP account, Security Center by default adds the asset data from the new regions to the Outside Chinese Mainland data management center.
If you do not select this option, assets from new regions will not be onboarded to Security Center.
Host Asset Synchronization Frequency
Select the interval at which Security Center automatically syncs GCP host assets. Select Close to disable synchronization.
AK Service Status Check
Select the interval at which Security Center automatically checks the validity of the GCP service account key. Select Close to disable the check.
Click Synchronize Assets to sync all host assets under the GCP service account to Security Center.
Step 5: Verify the onboarding results
In the Security Center console, navigate to the page. In the Add Multi-cloud Asset section, click the
icon. If you can view the GCP asset list, the onboarding is successful. For more information, see Server assets.
What to do next
Install the Security Center client on your GCP assets.
Associate a Security Center edition with your GCP assets. We recommend that you associate a paid edition to obtain security protection and hardening capabilities. The Free edition provides only basic detection and no protection. For more information about the differences between editions, see Purchase Security Center.