GCP Integration
Integration guide for Resmo GCP Integration.
Resmo + GCP Integration Fundamentals
Resmo seamlessly integrates with the Google Cloud Platform to ensure the security and compliance of your GCP environment.
What does Resmo offer to Google Cloud Platform users?
Collect all your GCP assets in place.
Ability to query your GCP roles, networks, Cloud functions, and 50+ other resources.
Set up rule notifications based on GCP resource configurations and their changes.
Set up custom or predefined rules for continuous security and compliance auditing.
Check your GCP security and compliance posture using the GCP Best Practices and compliance packs.
How does the integration work?
Resmo has a GCP integration that you can install securely once you sign up for a Resmo account. Our application uses API calls to make the initial polling and receive existing resources.
API polling uses API calls to sync your GCP assets with Resmo.
Exposing Audit Logs over PUB/SUB lets track changes with actor information in real-time.
Available resources
Resmo GCP integration collects AppEngine, API Gateway, Compute, IAM, and much more.
Integration Walkthrough
You have to create a Workload Identity Pool with the AWS provider to let Resmo access your GCP resources. You can learn more about Workload Identity Pool external providers here.
You can follow the instructions to create a Workload Identity Provider with AWS provider.
Setup Your GCP Account
Create a Workload Identity Pool
gcloud iam workload-identity-pools create POOL_ID \ --location="global" \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
Create an AWS Provider with Resmo trust
gcloud iam workload-identity-pools providers create-aws PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --account-id="512995177166" \ --attribute-mapping="google.subject=assertion.arn" \ --attribute-condition='assertion.arn=="arn:aws:sts::512995177166:assumed-role/Resmo-GCP-DataCollectionRole/resmo-gcp-data-collection"'
Create Custom Resmo Data Collect Role
Create a Service Account
gcloud iam service-accounts create SERVICE_ACCOUNT_ID \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
Grant viewer and Custom Resmo Data Collect role to the created service account
gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \ --role="roles/viewer"
Grant workloadIdentityUser role to the created service account
gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \ --role=roles/iam.workloadIdentityUser \ --member="MEMBER_EXPRESSION"
You can learn more about MEMBER_EXPRESSION here.Enable Google Cloud Service API
NOTE You can only enable 20 services at a timegcloud services enable \ accesscontextmanager.googleapis.com \ apigateway.googleapis.com \ appengine.googleapis.com \ bigquery.googleapis.com \ cloudasset.googleapis.com \ dns.googleapis.com \ cloudfunctions.googleapis.com \ cloudkms.googleapis.com \ logging.googleapis.com \ memcache.googleapis.com \ pubsub.googleapis.com \ cloudresourcemanager.googleapis.com \ run.googleapis.com \ spanner.googleapis.com \ sqladmin.googleapis.com \ storage.googleapis.com \ compute.googleapis.com \ redis.googleapis.com \ iam.googleapis.com \ container.googleapis.com \ serviceusage.googleapis.com \ monitoring.googleapis.com \ iamcredentials.googleapis.com \ sts.googleapis.com
Enable Real Time Change Ingestion with PUB/SUB Model
Enable Real Time Change Ingestion with PUB/SUB Model
Note:
Real Time Change Ingestion
is avaliable for enterprise plan only.
Create a PUB/SUB topic
gcloud pubsub topics create TOPIC_NAME
Create a PUB/SUB subscription
gcloud pubsub subscriptions create SUBSCRIPTION_ID \ --topic=FULL_TOPIC_NAME \ --push-endpoint=https://id.resmo.app/integration/gcp/event?ingestKey=<your-ingest-key> \ --expiration-period="never" \ --ack-deadline=60 \ --message-retention-duration=10m \ --min-retry-delay=10s \ --max-retry-delay=30s
Create a Log Router
gcloud logging sinks create SINK_NAME pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME \ --log-filter='protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" protoPayload.serviceName=("pubsub.googleapis.com" OR "compute.googleapis.com" OR "storage.googleapis.com" OR "container.googleapis.com")'
Don't forget to add destination permissions for the created topic. You can learn about it here.
How to install
Sign up or log in to your Resmo account.
Go to the Integrations page and select GCP.
Click the Add Integration button from the bottom right corner of the opening modal.
4. Enter your GCP project ID into the Project ID field.
5. Enter the full name of the Identity Provider into the GCP Target Resource field. (The full resource name of the identity provider without a https: prefix)
List your identity pools
gcloud iam workload-identity-pools list --location="global"
List your identity pool providers
gcloud iam workload-identity-pools providers list --workload-identity-pool="my-workload-identity-pool" --location="global"
Copy your provider name, and paste it to the GCP Target Resource field with the below format.
//iam.googleapis.com/<provider-name>
7. Enter your Service Account Email into the Service Account Email field.
Service Account Email that you attached to your Workload Identity Pool.
8. Hit the Create button, and you are ready to run queries.
How to uninstall
Login to your Resmo account.
Navigate to the Integrations page and click your GCP integration.
Click the Connected Integrations tab and select the account you want to remove.
Click the Delete button to uninstall or Disable to stop polling GCP resources temporarily.
Delete your Workload Identity Pool, Service Account (PUB/SUB, Log Router if you enable real-time change ingestion) GCP resources.
FAQ
Last updated