Skip to main content

Enable the Required GCP APIs

When you manually create a GCP compliance or audit log integration, it is important to enable the required APIs in the correct way for the integration to work as expected.

API List

Use this table as a reference when enabling the APIs in the How to Enable the APIs section below.

info

Lacework recommends that all the APIs listed below are enabled on the project that hosts the service account.

If they are not enabled, Lacework is not able to assess other projects that have these APIs enabled (or if they are enabled in the future).

API NameAPI URLIntegration Type
Cloud Resource Manager APIcloudresourcemanager.googleapis.comAudit Log
Compliance
Identity and Access Management (IAM) APIiam.googleapis.comAudit Log
Compliance
Service Usage APIserviceusage.googleapis.comAudit Log
Compliance
BigQuery APIbigquery.googleapis.comCompliance
Cloud Asset APIcloudasset.googleapis.comCompliance
Cloud DNS APIdns.googleapis.comCompliance
Cloud Key Management Service (KMS) APIcloudkms.googleapis.comCompliance
Cloud Logging APIlogging.googleapis.comCompliance
Cloud Pub/Sub APIpubsub.googleapis.comAudit Log
Compliance
Cloud SQL Admin APIsqladmin.googleapis.comCompliance
Cloud Storagestorage-component.googleapis.comCompliance
Compute Engine APIcompute.googleapis.comCompliance
Essential Contact APIessentialcontacts.googleapis.comCompliance
Kubernetes Engine APIcontainer.googleapis.comCompliance

How to Enable the APIs

For the project that hosts the service account for the integration, enable each of the APIs listed in the API List by choosing one of the methods below.

Enable using the GCP Console

  1. Log in to the GCP Console and click gcp_api_home.png.

  2. Select APIs & Services > Library.

  3. In the Search for APIs & Services field, enter the API URL listed in the table above such as iam.googleapis.com.

    gcp_api_lib.png

  4. Click on the result that matches the API name listed above, such as Identity and Access Management (IAM) API.

    gcp_iam_api.png

  5. Click Enable.

    gcp_edit_iam_api.png

  6. If you are prompted to enable billing, click Enable Billing.

  7. Repeat these steps for each GCP project that hosts a service account that you are using for your Lacework integration.

Enable using the gcloud CLI

Ensure that the gcloud config is set to use a service account with the permissions required to enable APIs.

For further information about enabling APIs, see the Google Cloud documentation.

  1. Set the project that you wish to enable the APIs on:

    gcloud config set project target_project
  2. Enable the required APIs for your integration type:

    Audit Log
    gcloud services enable \
    pubsub.googleapis.com \
    cloudresourcemanager.googleapis.com \
    iam.googleapis.com \
    serviceusage.googleapis.com
    Compliance
    gcloud services enable \
    cloudresourcemanager.googleapis.com \
    iam.googleapis.com \
    serviceusage.googleapis.com \
    bigquery.googleapis.com \
    cloudasset.googleapis.com \
    dns.googleapis.com \
    cloudkms.googleapis.com \
    logging.googleapis.com \
    pubsub.googleapis.com \
    sqladmin.googleapis.com \
    storage-component.googleapis.com \
    compute.googleapis.com \
    essentialcontacts.googleapis.com \
    container.googleapis.com
  3. Verify the APIs were successfully enabled:

    gcloud services list