Scale Google Cloud Integration
The Attack Surface Management (ASM) Google Cloud Integration leverages Google Cloud’s Service Account Impersonation. By creating a service account and delegating account access, ASM can assume control of the service account and fetch the respective resources. This technique is easy and prevents both applications from having to persist credentials.
This document provides steps on how to create the Google Cloud integration at scale to allow ASM access to all projects in your organization.
Scaling information for Google Cloud integration configurations
Follow either Method A or Method B as outlined in the ASM Google Cloud Integration documentation and incorporate the following steps, as directed:
- Additional steps to scale using Method A: Creating a Service Account through Google Cloud Console
- Alternative steps to scale using Method B: Creating a Service Account through gcloud CLI
Additional steps to scale for Method A: Creating a Service Account through Google Cloud Console
Follow steps 1 through 12 as outlined in Creating a Service Account through Google Cloud Console. Then:
- Browse to the IAM settings for your organization and click GRANT ACCESS.
- In the Grant Access interface, in the New principal field, enter the email belonging to the service account that was created for the ASM Google Cloud Integration.
- In the Select a role field, search for and select the role that was created in step two of Creating a Service Account through Google Cloud Console.
If the role does not populate, ensure that the role was created at the organizational level.
- Click Save.
- Return to and complete step 13 of Creating a Service Account through Google Cloud Console.
Alternative steps to scale using Method B: Creating a Service Account through gcloud CLI
Google Cloud only allows service accounts to be created at the project level, not the organizational level. Roles, however, are created at the organizational level and then assigned to the service account to provide organization-wide access. Therefore, the steps outlined here look similar to the steps outlined in Method B: Creating a Service Account through gcloud CLI.
PROJECT_ID
andORGANIZATION_ID
are variables. Therefore, where relevant in the following commands:
- Replace
PROJECT_ID
with the ID of your Google Cloud Project.- Replace
ORGANIZATION_ID
with the Organization ID belonging to your organization.
To see a list of all the projects in your organization and their respective Project IDs, run the following command:
gcloud projects list
To access your Organization ID, run the following command:
gcloud organizations list
-
Make sure you're authenticated with Google Cloud through the gcloud CLI by running the following command:
gcloud auth list
The following output should be returned:
Credentialed Accounts ACTIVE ACCOUNT * [email protected] To set the active account, run: $ gcloud config set account 'ACCOUNT'
-
Set the project for which you would like the integration to fetch resources by running the following command:
gcloud config set project <var>PROJECT_ID</var>
-
Create a custom role within Google Cloud that follows the principle of least privileges.
Save the contents of the following YAML configuration:
title: masm-integration-role description: integration role for the mandiant asm gcp integration stage: GA includedPermissions: - cloudasset.assets.listResource - dns.managedZones.list - dns.resourceRecordSets.list - resourcemanager.projects.get - apigateway.apiconfigs.get
Using the gcloud CLI, run the following command:
gcloud iam roles create masm_integration_role --organization <var>ORGANIZATION_ID</var> --file=role.yaml
-
Create a service account.
Using the gcloud CLI, run the following command:
gcloud iam service-accounts create masm-integration-svc-account --description="Service Account for MASM GCP Integration" --display-name="MASM GCP Integration Service Account"
-
Bind the role created in step 3 to the newly created service account.
Using the gcloud CLI, run the following command:
gcloud organizations add-iam-policy-binding org_id --member="serviceAccount:masm-integration-svc-account@PROJECT_ID.iam.gserviceaccount.com" --role="organizations/<var>ORGANIZATION_ID</var>/roles/masm_integration_role"
-
Allow ASM to impersonate your service account.
Using the gcloud CLI, run the following command:
gcloud iam service-accounts add-iam-policy-binding masm-integration-svc-account@<var>PROJECT_ID</var>.iam.gserviceaccount.com --member="serviceAccount:gcp-inbound-integration@asm-mcp-prod-01-f8ec.iam.gserviceaccount.com" --role="roles/iam.serviceAccountTokenCreator"
-
Enable the
Cloud Asset API
andCloud Resource Manager API
services.Using the gcloud CLI, run the following commands:
gcloud services enable cloudresourcemanager.googleapis.com gcloud services enable cloudasset.googleapis.com
Updated 2 months ago