You can create a Google Cloud Platform (GCP) service account for use with Workload Security.
For information on why you might want to create a GCP service account to use with Workload Security, see What are the benefits of adding a GCP account?
Prerequisite: Enable the Google APIs
Before you can create a GCP service account for Workload Security, you need to enable several Google APIs under your existing GCP account.
To enable these APIs inside each of your projects:
Procedure
1. Log in to GCP using your existing GCP account. This account must have access to all the GCP projects that contain VMs that you want to protect with Workload Security.
2. At the top, select a project that includes VMs that you want to add to Workload Security. If you have multiple projects, you can select them later. For example: Project01.
3. Click Google Cloud Platform at the top to make sure you are on the Home screen.
4. From the tree on the left, select .
5. Click + ENABLE APIS AND SERVICES.
6. In the search box, enter cloud resource manager API, and then click the Cloud Resource Manager API box.
7. Click ENABLE.
8. Repeat steps 5 - 7 of this procedure, entering compute engine API and clicking the Compute Engine API box.
9. Repeat steps 1 - 9 of this procedure for any other projects that include VMs that you want to add to Workload Security.
For more information on how to enable or disable APIs in GCP, see Getting Started with Google Cloud APIs.
Create a GCP service account
A service account is a special type of Google account that is associated with an
application or VM, instead of an individual end user. Workload Security assumes
the identity of the service account to call Google APIs, so that users are not
directly involved.
Follow this procedure to create a service account for Workload Security:
Procedure
1. Before you begin, make sure you have enabled the GCP APIs (see Prerequisite: Enable the Google APIs).
2. Log in to GCP using your existing GCP account.
3. At the top, select a project. If you have multiple projects, you can select any one. For example, Project01.
4. Click Google Cloud Platform at the top to make sure you are on the Home screen.
5. From the tree on the left, select .
6. Click + CREATE SERVICE ACCOUNT.
7. Enter a service account name, ID and description. For example:
   - Service account name: GCP Workload Security
   - Service account ID: gcp-deep-security@<your_project_ID>.iam.gserviceaccount.com
   - Service account description: GCP service account for connecting Workload Security to GCP
8. Click Create.
9. In the Select a role list, select the Compute Viewer role, or click inside the Type to filter area and enter compute viewer to find it.
10. Click CONTINUE. You have now assigned the Compute Viewer role.
11. Click + CREATE KEY.
12. Select JSON and click CREATE. The key is generated and placed in a JSON file.
13. Save the key (JSON file) to a safe place.
14. Place the JSON file in a location that is accessible for later upload. If you need to move or distribute the file, make sure you do so using secure methods.
15. Click DONE. You have now created a GCP service account with the necessary roles, as well as a service account key in JSON format. The service account is created under the selected project (Project01), but can be associated with additional projects.
It takes anywhere between 60 seconds and 7 minutes for the IAM permissions to propagate through the system. See IAM overview in Google documentation.
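Before uploading the downloaded key, it is worth confirming that the file is the one you meant to create: that it is a service account key, that it belongs to the expected project, and that its client_email is the account ID at that project (the pattern the steps above describe). The following check is an added example, not part of the Workload Security documentation; SAMPLE_KEY is a constructed stand-in with placeholder values, and the account ID gcp-deep-security and project ID project01 come from the example above.

```python
"""Sanity-check a downloaded service account key before uploading it to Workload Security.

Added example, not part of the Workload Security documentation. SAMPLE_KEY is a
constructed stand-in with placeholder values in the field layout of a GCP JSON key;
no network access is needed.
"""
import json

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def expected_email(account_id, project_id):
    """The email GCP assigns a service account: the account ID at the creating project."""
    return f"{account_id}@{project_id}.iam.gserviceaccount.com"

def check_key(key_json, account_id, project_id):
    """Return a list of problems with the key file text; an empty list means it passes."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = [f"missing field: {field}" for field in REQUIRED if field not in key]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != project_id:
        problems.append(f"project_id is {key['project_id']!r}, expected {project_id!r}")
    want = expected_email(account_id, project_id)
    if key["client_email"] != want:
        problems.append(f"client_email is {key['client_email']!r}, expected {want!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded private key")
    return problems

# Constructed sample: the shape of the downloaded key, with placeholder secrets.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "project01",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gcp-deep-security@project01.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, "gcp-deep-security", "project01") or "key looks usable")
```

Run it against the real file with check_key(open(path).read(), account_id, project_id); a non-empty list means the key was created under a different project or account than intended.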
Add more projects to the GCP service account
If you have multiple projects in GCP, you must associate them with the service
account you just created. All your projects (and underlying VMs) will then
become visible in the Workload Security console when you later add the service
account to Workload Security.
If you have many projects, you might find it easier to divide them up across
multiple GCP accounts instead of adding them all to just one. For details on a
multi-GCP account setup, see Create multiple GCP
service accounts.
Follow this procedure to associate additional projects with one service
account:
Procedure
1. Before you begin, make sure you have completed the procedures in Prerequisite: Enable the Google APIs and Create a GCP service account.
2. Determine the email of the GCP service account you just created, as follows:
   - In GCP, from the list at the top, select the project under which you created the GCP service account (for example, Project01).
   - On the left, expand .
   - In the main pane, look under the Email column to find the GCP service account email. For example: gcp-deep-security@project01.iam.gserviceaccount.com. The service account email includes the name of the project under which it was created.
   - Note this address or copy it to the clipboard.
3. Still in GCP, go to another project by selecting it from the list at the top. For example: Project02.
4. Click Google Cloud Platform at the top to make sure you are on the Home screen.
5. From the tree view on the left, click .
6. Click ADD at the top of the main pane.
7. In the New members field, paste the Project01 GCP service account email address. For example: gcp-deep-security@project01.iam.gserviceaccount.com. You can also start typing the email address to auto-fill the field.
8. In the Select a role list, select the Compute Viewer role, or click inside the Type to filter area and enter compute viewer to find it. You have now added the service account with the Compute Viewer role to Project02.
9. Click SAVE.
10. Repeat steps 1 to 9 in this procedure for each project that you want to associate with the GCP service account.
For more information on how to create a service account, see Create a VM that uses a user-managed service account in Google documentation.
You are now ready to add the GCP account you just created to Workload Security. Proceed to Add a Google Cloud Platform account.
Create multiple GCP service accounts
Typically, you would create a single GCP service account for Workload Security and associate all
your projects to it. This configuration is straightforward and works well for
smaller organizations with fewer projects. If, however, you have a large number
of projects, having them all under the same GCP service account might make them
difficult to manage. In this scenario, you can divide your projects across
multiple GCP service accounts. The following example procedure demonstrates how
to set this up, assuming your projects were spread across your organization's
Finance and Marketing departments:
Procedure
1. Create a Finance GCP Workload Security GCP service account for Workload Security.
2. Add finance-related projects to Finance GCP Workload Security.
3. Create a Marketing GCP Workload Security GCP service account for Workload Security.
4. Add marketing-related projects to Marketing GCP Workload Security. For details, see Create a Google Cloud Platform service account and Add more projects to the service account.
5. After creating the GCP service accounts, add them to Workload Security one by one, following the instructions from Add a Google Cloud Platform account.
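Once the bindings in Add more projects to the GCP service account have been made, and especially when projects are split across several service accounts as above, it is useful to verify that each account holds exactly the Compute Viewer role in every project it is meant to cover, and nothing more. The following audit is an added example, not part of the Workload Security documentation: it reads IAM policies in the JSON shape printed by gcloud projects get-iam-policy PROJECT --format=json, and the account IDs (finance-workload-security, marketing-workload-security) and policies are constructed for illustration.

```python
"""Audit Compute Viewer bindings of Workload Security service accounts across projects.

Added example, not part of the Workload Security documentation. Each policy has the
shape printed by `gcloud projects get-iam-policy PROJECT --format=json`; the account
IDs and policies below are constructed for illustration.
"""
COMPUTE_VIEWER = "roles/compute.viewer"

def sa_email(account_id, project_id):
    """Service account email; it embeds the project the account was created in."""
    return f"{account_id}@{project_id}.iam.gserviceaccount.com"

def roles_for_member(policy, member):
    """Set of roles bound to one member in a project's IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def audit(expected, policies):
    """expected: {sa_email: projects it should cover}; policies: {project: IAM policy}.
    Returns {sa_email: {project: status}}, status being "ok" (exactly Compute Viewer),
    "missing", "extra:<roles>" (bound beyond Compute Viewer) or "no-policy"."""
    report = {}
    for email, projects in expected.items():
        member = f"serviceAccount:{email}"
        report[email] = {}
        for project in sorted(projects):
            policy = policies.get(project)
            if policy is None:
                report[email][project] = "no-policy"
                continue
            roles = roles_for_member(policy, member)
            if roles == {COMPUTE_VIEWER}:
                report[email][project] = "ok"
            elif COMPUTE_VIEWER not in roles:
                report[email][project] = "missing"
            else:
                report[email][project] = "extra:" + ",".join(sorted(roles - {COMPUTE_VIEWER}))
    return report

# Constructed data: the Finance account (created in project01) should cover project01 and
# project02; the Marketing account (created in project03) should cover project03 and project04.
FINANCE = sa_email("finance-workload-security", "project01")
MARKETING = sa_email("marketing-workload-security", "project03")
EXPECTED = {FINANCE: {"project01", "project02"}, MARKETING: {"project03", "project04"}}
POLICIES = {
    "project01": {"bindings": [{"role": COMPUTE_VIEWER, "members": [f"serviceAccount:{FINANCE}"]}]},
    "project02": {"bindings": [{"role": COMPUTE_VIEWER, "members": [f"serviceAccount:{FINANCE}"]},
                               {"role": "roles/owner", "members": [f"serviceAccount:{FINANCE}"]}]},
    "project03": {"bindings": [{"role": COMPUTE_VIEWER, "members": [f"serviceAccount:{MARKETING}"]}]},
    "project04": {"bindings": [{"role": COMPUTE_VIEWER, "members": ["user:admin@example.com"]}]},
}
```

In the constructed data, project02 is flagged because the Finance account also holds roles/owner there, and project04 is flagged because the Marketing account was never bound, so its VMs would not appear in the Workload Security console.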