Important: You can now use Cloud Accounts to add your Google Cloud projects to Trend Vision One. To get the latest cloud security features to protect your environment, get started by going to . For more information, see Google Cloud projects. The content below is kept for your reference. The ability to add Google Cloud projects to Server & Workload Protection is planned to be retired soon.
Below is all the information you need to create a Google Cloud Platform (GCP) service account for use with Server & Workload Protection.
Tip: For information on why you might want to create a GCP service account to use with Server & Workload Protection, see What are the benefits of adding a GCP account?
Prerequisite: Enable the Google APIs
Before you can create a GCP service account for Server & Workload Protection, you'll need to enable a few Google APIs under your existing GCP account.
Follow the procedure below to enable these APIs inside each of your projects:
Procedure
- Log in to Google Cloud Platform using your existing GCP account. This account must have access to all the GCP projects that contain VMs that you want to protect with Server & Workload Protection.
- At the top, select a project that includes VMs that you want to add to Server & Workload Protection. If you have multiple projects, you can select them later. For example: Project01
- Click Google Cloud Platform at the top to make sure you're on the Home screen.
- From the tree view on the left, select .
- Click + ENABLE APIS AND SERVICES.
- In the search box, enter cloud resource manager API and then click the Cloud Resource Manager API box.
- Click ENABLE.
- Repeat steps 5 - 7 of this procedure, entering compute engine API and clicking the Compute Engine API box.
- Repeat steps 1 - 9 of this procedure for any other projects that include VMs that you want to add to Server & Workload Protection.
What to do next
For more information on how to enable or disable APIs in GCP, refer to this page from Google:
Create a GCP service account
Note: A service account is a special type of Google account that is associated with an application or VM, instead of an individual end user. Server & Workload Protection assumes the identity of the service account to call Google APIs, so that users aren't directly involved.
Follow the procedure below to create a service account for Server & Workload Protection:
Procedure
- Before you begin, make sure you've enabled the GCP APIs. See Prerequisite: Enable the Google APIs.
- Log in to Google Cloud Platform using your existing GCP account.
- At the top, select a project. If you have multiple projects, you can select any one. For example: Project01.
- Click Google Cloud Platform at the top to make sure you're on the Home screen.
- From the tree view on the left, select .
- Click + CREATE SERVICE ACCOUNT.
- Enter a service account name, ID and description. For example:
  - Service account name: GCP Server & Workload Protection
  - Service account ID: gcp-deep-security@<your_project_ID>.iam.gserviceaccount.com
  - Service account description: GCP service account for connecting Server & Workload Protection to GCP.
- Click Create.
- In the Select a role drop-down list, select the  role, or click inside the Type to filter area and enter compute viewer to find it.
- Click CONTINUE. You have now assigned the Compute Viewer role.
- Click + CREATE KEY.
- Select JSON and click CREATE. The key is generated and placed in a JSON file.
- Save the key (JSON file) to a safe place.
- Place the JSON file in a location that is accessible for later upload. If you need to move or distribute the file, make sure you do so using secure methods.
- Click DONE. You have now created a GCP service account with necessary roles, as well as a service account key in JSON format. The service account is created under the selected project (Project01), but can be associated with additional projects. For details, see the following section.
Note: It will take 60 seconds - 7 minutes for the IAM permissions to propagate through the system. See this Google article for details.
Add more projects to the GCP service account
If you have multiple projects in GCP, you must associate them with the service account you just created. All your projects (and underlying VMs) will then become visible in the Server & Workload Protection console when you later add the service account to Server & Workload Protection.
Note: If you have many projects, you might find it easier to divide them up across multiple GCP accounts instead of adding them all to just 1, as described below. For details on a multi-GCP account setup, see Create multiple GCP service accounts.
Follow this procedure to associate additional projects with 1 service account:
Procedure
- Before you begin, make sure you have completed the procedures in Prerequisite: Enable the Google APIs and Create a GCP service account.
- Determine the email of the GCP service account you just created, as follows:
  - In Google Cloud Platform, from the drop-down list at the top, select the project under which you created the GCP service account (in our example, Project01).
  - On the left, expand .
  - In the main pane, look under the Email column to find the GCP service account email. For example: gcp-deep-security@project01.iam.gserviceaccount.com. The service account email includes the name of the project under which it was created.
  - Note this address or copy it to the clipboard.
- Still in Google Cloud Platform, go to another project by selecting it from the drop-down list at the top. For example: Project02.
- Click Google Cloud Platform at the top to make sure you're on the Home screen.
- From the tree view on the left, click .
- Click ADD at the top of the main pane.
- In the New members field, paste the Project01 GCP service account email address. For example: gcp-deep-security@project01.iam.gserviceaccount.com
  Tip: You can also start typing the email address to auto-fill the field.
- In the Select a role drop-down list, select the  role, or click inside the Type to filter area and enter compute viewer to find it. You have now added the service account with the Compute Viewer role to Project02.
- Click SAVE.
- Repeat steps 1 to 9 in this procedure for each project that you want to associate with the GCP service account.
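Once several projects have been associated, it helps to confirm that the service account holds the Compute Viewer role in every project and nothing broader. The following is an added example, not part of the original procedure: it audits project IAM policies in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The three policies are constructed samples, project03 and the admin user are hypothetical, and `roles/compute.viewer` is the role ID of the Compute Viewer role.

```python
# Role ID for the Compute Viewer role that the procedure grants.
EXPECTED_ROLE = "roles/compute.viewer"

def audit_service_account(policies, sa_email, expected_role=EXPECTED_ROLE):
    """Check one service account's project-level roles across projects.

    policies maps project ID -> IAM policy dict in the shape printed by
    `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    member = "serviceaccount:" + sa_email.lower()
    report = {}
    for project, policy in policies.items():
        held, conditional = set(), set()
        for binding in policy.get("bindings", []):
            members = [m.lower() for m in binding.get("members", [])]
            if member not in members:
                continue
            held.add(binding["role"])
            if "condition" in binding:  # grant applies only when the condition holds
                conditional.add(binding["role"])
        report[project] = {
            "associated": expected_role in held,          # project is visible to the account
            "extra_roles": sorted(held - {expected_role}),  # anything beyond Compute Viewer
            "conditional_roles": sorted(conditional),
        }
    return report

# Constructed sample policies (not real output) for three hypothetical projects.
SA_EMAIL = "gcp-deep-security@project01.iam.gserviceaccount.com"
SA_MEMBER = "serviceAccount:" + SA_EMAIL
SAMPLE_POLICIES = {
    "project01": {"bindings": [
        {"role": "roles/compute.viewer", "members": [SA_MEMBER]}]},
    "project02": {"bindings": [
        {"role": "roles/compute.viewer", "members": [SA_MEMBER]},
        {"role": "roles/editor", "members": [SA_MEMBER, "user:admin@example.com"]}]},
    "project03": {"bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]}]},
}

if __name__ == "__main__":
    for project, result in audit_service_account(SAMPLE_POLICIES, SA_EMAIL).items():
        print(project, result)
```

The check covers project-level bindings only; roles inherited from a folder or organization, or granted through a group, do not appear in a project's policy.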
What to do next
For more information on how to create a service account, refer to the following page from Google: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
You are now ready to add the GCP account you just created to Server & Workload Protection. Proceed to Add a Google Cloud Platform account.
Create multiple GCP service accounts
Normally, you would create a single GCP service account for Server & Workload Protection and associate all your projects to it. This configuration is straightforward and works well for smaller organizations with fewer projects. If, however, you have a large number of projects, having them all under the same GCP service account might make them difficult to manage. In this scenario, you can divide your projects across multiple GCP service accounts. Here's how you would set this up, assuming your projects were spread across your organization's Finance and Marketing departments:
Procedure
- Create a GCP service account for Server & Workload Protection named Finance GCP Server & Workload Protection.
- Add finance-related projects to Finance GCP Server & Workload Protection.
- Create a GCP service account for Server & Workload Protection named Marketing GCP Server & Workload Protection.
- Add marketing-related projects to Marketing GCP Server & Workload Protection. For detailed instructions, see Create a Google Cloud Platform service account and Add more projects to the service account.
- After creating the GCP service accounts, add them to Server & Workload Protection one by one, following the instructions in Add a Google Cloud Platform account.