UpGuard scans a variety of Google Cloud Platform components using a service account JWT.

UpGuard Core allows you to collect and track the configuration of various components of your Google Cloud Platform set up. This guide assists you in adding GCP nodes into UpGuard Core.

Prerequisites

  • You will need a Google Cloud Platform account.

Preparing a Google Service Account

  1. Log into the Google Cloud Platform console.
  2. Make sure you have selected the correct project you would like to add.

    w500

  3. Navigate to IAM & admin, then Service Accounts.

    w500

  4. Click Create Service Account.

    w300

  5. Give the Service Account a good name, e.g. UpGuard Service Account. For the role, we recommend different read-only permissions based on the types of nodes you want to scan. The table below gives the minimum required permissions required by the UpGuard Connection Managers to be able to scan each node type.
Node Type Role Permissions
Google Compute Engine Compute Engine > Compute Engine Viewer
Google Kubernetes Engine Compute Engine > Compute Engine Viewer and
Kubernetes Engine > Kubernetes Engine Viewer
Google BigQuery BigQuery > BigQuery Data Viewer
  1. Check the box Furnish a new private key and select the Key type as JSON. Click Create to create the Service Account. This should prompt the browser to download a JSON file. Please record the location of this file as this is required when you add the GCE node below and is referred to as the GCP Service Account JWT.

    w500

Adding

  1. Log into your UpGuard Core instance and click Add Node.
  2. From the node select screen locate Cloud App and then select the GCP node type you want to add. Then select Go Agentless.

    Field Description
    Project Name Identifies the Google Cloud project you would like to add.
    GCP Service Account JWT This is the JWT JSON file downloaded when you created the Google Service Account.
  3. Click Scan Node to complete node registration and scan the node for the first time.
Tags: gce gke jwt