
Create a GCP Service Account and Grant Access

The following procedure provides steps to create a Service Account within Google Cloud Platform (GCP) to use in a Lacework integration.

Do not start with this topic.

For instructions on creating the entire integration, see the topics in GCP Terraform or GCP Console.

Recommendations

When integrating at the Organization level, Lacework recommends creating a Project specifically to contain Lacework resources.

When integrating at the Project level, you can provision all required resources for Lacework within the Project that is being integrated.

Prerequisites

The account that will be used to create and configure the integration resources must have certain privileges. Those privileges are mentioned in the following articles:

Additionally, the Project where the resources will reside must have billing enabled.

Steps

Create a Service Account

note

For more information, see Creating and managing Service Accounts.

Follow these steps to manually create a Service Account:

  1. Log in to the GCP Console.

  2. Navigate to IAM & Admin page, then click Service Accounts > + Create Service Account.


  3. In the Service account details step, enter values in the fields, then click Create and Continue.

  4. Skip the optional sections and click Done.

  5. On the Service Accounts page, find the newly created service account, click the kebab menu under Actions, and then click Manage keys.


  6. Click Add Key > Create new key.

  7. Select the JSON key type, then click Create. A JSON key file downloads to your system.


    note

    After you download the key file, you cannot download it again.

  8. In the Details tab, find the email address of the new service account and copy it to your clipboard.

  9. Click the menu icon located at the top right of the page to exit the Service Accounts page.

(Compliance Only) Create the Lacework Compliance Custom Role

info

This step is required only when creating a Lacework Compliance integration.

  1. Select IAM & Admin > Roles from the cloud console navigation menu.

  2. Click the down arrow in the top menu bar for the project.


    The Select from dialog appears.

  3. From the Select from drop-down, select an Organization that contains the GCP resources that you want the integration to monitor, or select No Organization if selecting a Project that does not reside within an Organization.


  4. In the Select from dialog, click the All tab to display the list of all entities. Select the Organization or Project in which the Custom Role is to be created, then click Open.

  5. Click Create Role on the top toolbar.


  6. In the Create Role page, enter a title, description, and identifier in the fields. From the Role launch stage drop-down, select General Availability. Lacework suggests a name similar to the example shown.

  7. Add the required permissions by clicking + Add Permissions.


  8. Click Create.

Grant the Required Roles to the Service Account

Grant the required Roles to the Service Account created in the previous section:

  1. Select IAM & Admin > IAM from the cloud console navigation menu.

  2. Click the down arrow in the top menu bar for the project.


    The Select from dialog appears.

  3. From the Select from drop-down, select an Organization that contains the GCP resources that you want the integration to monitor, or select No Organization if selecting a Project that does not reside within an Organization.


  4. In the Select from dialog, click the All tab to display the list of all entities. Select the Organization or Project where the IAM Roles will be granted, then click Open.


  5. Click Add.

    note

    You must have permission to add members to the Organization or Project IAM Policy for the Add button to be active.


  6. Add a member and roles to a Project or Organization. In the New members field, paste the email address of the Service Account copied in an earlier step.


  7. From the Select a role drop-down, select the appropriate roles depending on the integration type.

  8. (Compliance Only): Add the Custom Role created from the Create the Lacework Compliance Custom Role section.


  9. Click Save.

Service Account Roles

These are the specific Roles required by the Service Account being used for the integrations, depending on the integration level and type.

Role Name: Organization Viewer
  Role ID: roles/resourcemanager.organizationViewer
  Integration Type: Audit Log, Compliance
  Integration Level: Organization level only.

Role Name: Browser
  Role ID: roles/browser
  Integration Type: Audit Log, Compliance
  Integration Level: Project or Organization level depending on the integration.

Role Name: Cloud Asset Viewer
  Role ID: roles/cloudasset.viewer
  Integration Type: Compliance
  Integration Level: Project or Organization level depending on the integration.

Role Name: Security Reviewer
  Role ID: roles/iam.securityReviewer
  Integration Type: Compliance
  Integration Level: Project or Organization level depending on the integration.

Role Name: Lacework Compliance Custom Role
  Role ID: Role created in Create the Lacework Compliance Custom Role
  Integration Type: Compliance
  Integration Level: Project or Organization level depending on the integration.

Lacework Compliance Role Permissions

In addition to the above GCP roles, Lacework also requires a Custom Role for the Compliance integration. The permissions required are outlined in the following table:

Role Name: Lacework Compliance Role

Permissions and usage:

  bigquery.datasets.get: Read access to retrieve dataset metadata, such as encryption keys and access permissions.

  compute.projects.get: Read access to project metadata, such as the resources contained within.

  pubsub.topics.get: Read access to Pub/Sub topics metadata.

  storage.buckets.get: Read access to bucket metadata, excluding IAM policies. Can also list or read Pub/Sub notification configurations on a bucket.

  compute.sslPolicies.get: Read access to SSL Policy resources.
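The console procedure above (create the Service Account, create the Compliance Custom Role with the five permissions listed, grant the roles from the Service Account Roles table) can also be scripted with the gcloud CLI. The script below is an added example and is not Lacework's own tooling; the project ID, organization ID, service account name and custom role ID are placeholders, and by default it only prints the gcloud commands it would run (set DRY_RUN=0 to execute them). The role IDs and permission names are the ones given on this page.

```shell
#!/bin/sh
# Added example: gcloud equivalent of the console steps on this page.
# Placeholder values below are assumptions, not values from the page.
set -eu

: "${PROJECT_ID:=my-lacework-project}"   # placeholder: project that holds the Lacework resources
: "${ORG_ID:=}"                          # placeholder: set for an Organization-level integration, empty for Project level
: "${SA_NAME:=lacework-integration}"     # placeholder service account name
: "${ROLE_ID:=lacework_compliance}"      # placeholder custom role ID
: "${DRY_RUN:=1}"                        # 1 = print commands only, 0 = run them

# Permissions of the Lacework Compliance custom role (from the permissions table above).
COMPLIANCE_PERMISSIONS="bigquery.datasets.get,compute.projects.get,pubsub.topics.get,storage.buckets.get,compute.sslPolicies.get"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Email address GCP assigns to a service account in a project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$SA_NAME" "$PROJECT_ID"; }

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="Lacework integration"
}

# Creates the JSON key. It cannot be downloaded again and is a long-lived
# credential, so restrict the file to its owner as soon as it is written.
create_key() {
  keyfile="$1"
  run gcloud iam service-accounts keys create "$keyfile" --iam-account="$(sa_email)" --project="$PROJECT_ID"
  [ "$DRY_RUN" = 1 ] || chmod 600 "$keyfile"
}

# The custom role lives in the Organization when ORG_ID is set, otherwise in the Project.
create_compliance_role() {
  if [ -n "$ORG_ID" ]; then scope="--organization=$ORG_ID"; else scope="--project=$PROJECT_ID"; fi
  run gcloud iam roles create "$ROLE_ID" "$scope" --title="Lacework Compliance Role" \
    --description="Read-only metadata access for the Lacework Compliance integration" \
    --stage=GA --permissions="$COMPLIANCE_PERMISSIONS"
}

# Roles from the Service Account Roles table. Organization Viewer applies at
# Organization level only; the Compliance roles are added for "compliance".
required_roles() {
  integration="$1"   # audit-log or compliance
  roles="roles/browser"
  if [ -n "$ORG_ID" ]; then roles="$roles roles/resourcemanager.organizationViewer"; fi
  if [ "$integration" = compliance ]; then
    roles="$roles roles/cloudasset.viewer roles/iam.securityReviewer"
    if [ -n "$ORG_ID" ]; then
      roles="$roles organizations/$ORG_ID/roles/$ROLE_ID"
    else
      roles="$roles projects/$PROJECT_ID/roles/$ROLE_ID"
    fi
  fi
  printf '%s\n' "$roles"
}

# Bind each required role to the service account at the chosen level.
grant_roles() {
  for role in $(required_roles "$1"); do
    if [ -n "$ORG_ID" ]; then
      run gcloud organizations add-iam-policy-binding "$ORG_ID" --member="serviceAccount:$(sa_email)" --role="$role"
    else
      run gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="serviceAccount:$(sa_email)" --role="$role"
    fi
  done
}

main() {
  create_service_account
  create_compliance_role
  create_key lacework-sa-key.json
  grant_roles compliance
}

main
```

Running the script unchanged prints the plan for a Project-level Compliance integration; exporting ORG_ID switches both the custom role and the bindings to the Organization and adds Organization Viewer, which matches the table above. Granting exactly the listed roles and nothing broader keeps the service account read-only, which is worth re-checking whenever the bindings are edited in the console later.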

Next Steps