Enable the Required GCP APIs
When you manually create a GCP compliance or audit log integration, it is important to enable the required APIs in the correct way for the integration to work as expected.
API List
Use this table as a reference when enabling the APIs in the How to Enable the APIs section below.
Info: Lacework recommends that all the APIs listed below are enabled on the project that hosts the service account.
If they are not enabled on that project, Lacework cannot assess other projects, even when those projects have the APIs enabled now or enable them in the future.
API Name | API URL | Integration Type |
---|---|---|
Cloud Resource Manager API | cloudresourcemanager.googleapis.com | Audit Log, Compliance |
Identity and Access Management (IAM) API | iam.googleapis.com | Audit Log, Compliance |
Service Usage API | serviceusage.googleapis.com | Audit Log, Compliance |
BigQuery API | bigquery.googleapis.com | Compliance |
Cloud Asset API | cloudasset.googleapis.com | Compliance |
Cloud DNS API | dns.googleapis.com | Compliance |
Cloud Key Management Service (KMS) API | cloudkms.googleapis.com | Compliance |
Cloud Logging API | logging.googleapis.com | Compliance |
Cloud Pub/Sub API | pubsub.googleapis.com | Audit Log, Compliance |
Cloud SQL Admin API | sqladmin.googleapis.com | Compliance |
Cloud Storage | storage-component.googleapis.com | Compliance |
Compute Engine API | compute.googleapis.com | Compliance |
Essential Contacts API | essentialcontacts.googleapis.com | Compliance |
Kubernetes Engine API | container.googleapis.com | Compliance |
How to Enable the APIs
For the project that hosts the service account for the integration, enable each of the APIs listed in the API List by choosing one of the methods below.
Enable using the GCP Console
Log in to the GCP Console and click .
Select APIs & Services > Library.
In the Search for APIs & Services field, enter the API URL listed in the table above, such as iam.googleapis.com.
Click on the result that matches the API name listed above, such as Identity and Access Management (IAM) API.
Click Enable.
If you are prompted to enable billing, click Enable Billing.
Repeat these steps for each GCP project that hosts a service account that you are using for your Lacework integration.
Enable using the gcloud CLI
Ensure that the gcloud config is set to use a service account with the permissions required to enable APIs.
For further information about enabling APIs, see the Google Cloud documentation.
Set the project that you wish to enable the APIs on:
gcloud config set project target_project
Enable the required APIs for your integration type:
Audit Log
gcloud services enable \
  pubsub.googleapis.com \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  serviceusage.googleapis.com
Compliance
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  serviceusage.googleapis.com \
  bigquery.googleapis.com \
  cloudasset.googleapis.com \
  dns.googleapis.com \
  cloudkms.googleapis.com \
  logging.googleapis.com \
  pubsub.googleapis.com \
  sqladmin.googleapis.com \
  storage-component.googleapis.com \
  compute.googleapis.com \
  essentialcontacts.googleapis.com \
  container.googleapis.com
Verify the APIs were successfully enabled:
gcloud services list
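The verification command above prints every enabled service and leaves the comparison to the reader. The following script is an added example, not part of the Lacework documentation: it reads that output and prints only the required APIs that are still missing. The function names and the type labels `audit-log` and `compliance` are this example's own; the API sets are copied from the commands on this page.

```shell
#!/bin/sh
# Added example (not Lacework's code): list required APIs that are not enabled.
# The API sets are copied from the gcloud commands on this page.

# Print the required API URLs, one per line, for an integration type.
# The type names "audit-log" and "compliance" are this example's own labels.
required_apis() {
  case "$1" in
    audit-log)
      printf '%s\n' pubsub.googleapis.com cloudresourcemanager.googleapis.com \
        iam.googleapis.com serviceusage.googleapis.com ;;
    compliance)
      printf '%s\n' cloudresourcemanager.googleapis.com iam.googleapis.com \
        serviceusage.googleapis.com bigquery.googleapis.com \
        cloudasset.googleapis.com dns.googleapis.com cloudkms.googleapis.com \
        logging.googleapis.com pubsub.googleapis.com sqladmin.googleapis.com \
        storage-component.googleapis.com compute.googleapis.com \
        essentialcontacts.googleapis.com container.googleapis.com ;;
    *)
      echo "unknown integration type: $1" >&2
      return 2 ;;
  esac
}

# Read `gcloud services list` output on stdin and print every required API
# that is absent. Exit status: 0 = all enabled, 1 = some missing, 2 = bad type.
missing_apis() {
  ma_required=$(required_apis "$1") || return 2
  # The service name is the first column in both the default table output
  # and --format="value(config.name)" output.
  ma_enabled=$(awk '{print $1}')
  ma_rc=0
  for ma_api in $ma_required; do
    # -F: dots are literal; -x: whole-line match, so storage.googleapis.com
    # cannot satisfy the check for storage-component.googleapis.com.
    if ! printf '%s\n' "$ma_enabled" | grep -Fxq -- "$ma_api"; then
      printf '%s\n' "$ma_api"
      ma_rc=1
    fi
  done
  return "$ma_rc"
}

# Usage against the currently configured project:
#   gcloud services list --enabled | missing_apis compliance
```

The non-zero exit status when an API is missing lets the check gate a deployment script or CI job before the integration is created.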