
GCP Cloud Asset Inventory


Overview

GCP Cloud Asset Inventory is the functionality inside the GCP portal that provides visibility across your cloud resources.



Getting Started

Prerequisites

The following prerequisites must be met to utilize the SHI One GCP Cloud Asset Inventory Integration:

  • An active project in Google Cloud Platform
  • The individual performing the steps below must have the necessary permissions to enable the Cloud Asset API and grant necessary permissions to a service account for the target organization, project, or folder


GCP Cloud Asset Inventory

Overview

A metadata inventory service that allows you to view, monitor, and analyze all your Google Cloud and Anthos assets across projects and services.

Enable Cloud Asset Inventory API

Before you can start working with Cloud Asset Inventory, you must enable the Cloud Asset Inventory API in your primary project.

Click the following link to enable the Cloud Asset Inventory API:

Pricing

GCP Cloud Asset Inventory is available at no additional cost.




SHI One Integration

Overview

Once SHI One GCP Cloud Asset Inventory is enabled, findings from GCP Cloud Asset Inventory will be visible from within the SHI One Asset Inventory.

The following section describes the necessary configuration to integrate your GCP Cloud Asset Inventory into SHI One and details the permissions necessary to ensure the proper functionality of the GCP Cloud Asset Inventory Integration.

To utilize the GCP Cloud Asset Inventory Integration to its fullest capabilities, a service account must be deployed with the permissions required to access the API for the target resource.

Enable SHI One Integration

Prerequisites

  • The individual performing the steps below must be an Admin in SHI One
  • The individual performing the following steps must have the required permissions to delegate permissions for the target organization, project, or folder

Step-by-Step Process

  1. Log in to the GCP portal with an account that has the required permissions
    • Note: This link takes you directly to GCP's service account creation walkthrough. You can also create a service account by navigating to IAM & Admin -> Service Accounts from the GCP portal navigation
  2. Select the project that has the Cloud Asset Inventory API enabled
  3. Provide a name, ID, and description for the service account
  4. Click Create and Continue
  5. Select the Cloud Asset Viewer role
  6. Click Continue
  7. (Optional) Grant users access to the service account
  8. Click Done
  9. For the newly created service account, click the actions button and select Manage Keys
  10. Click Add Key and select Create new key
  11. For key type, select JSON, then click Create
  12. Save the file to your computer, for upload to SHI One

At this point the created service account will have permissions scoped to the project in which it was created. To enable access to other projects or the parent organization, you must grant the Cloud Asset Viewer permission for the service account on the target resource.

  1. From the GCP portal, select the organization, project, or folder from the switcher box in the menu bar that you would like to grant the service account access to
  2. Click IAM & Admin in the left navigation
  3. From the permissions tab, click Grant Access
  4. Enter the email for your service account in the New principals input field
  5. Assign the Cloud Asset Viewer role
  6. Click Save

Repeat the process above for any organizations, projects, or folders you would like to grant access to.
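To confirm that a grant made with the steps above gives the service account Cloud Asset Viewer and nothing broader, the following added example (not part of the original guide or of SHI One) audits an exported IAM policy. The sample policy, the service account email, and the function name are constructed for illustration; `roles/cloudasset.viewer` is the role ID of Cloud Asset Viewer.

```python
import json

REQUIRED_ROLE = "roles/cloudasset.viewer"  # role ID behind "Cloud Asset Viewer"

# Constructed policy in the JSON shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:asset-reader@my-sample-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com",
                 "serviceAccount:asset-reader@my-sample-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]}
  ]
}
""")


def audit_service_account(policy, sa_email):
    """Report which roles the policy binds directly to the service account."""
    member = f"serviceAccount:{sa_email}"
    roles = set()
    conditional = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles.add(binding["role"])
            # A conditional binding only applies when its condition holds.
            if "condition" in binding:
                conditional.add(binding["role"])
    return {
        "has_viewer": REQUIRED_ROLE in roles,
        "extra_roles": sorted(roles - {REQUIRED_ROLE}),
        "conditional_roles": sorted(conditional),
    }
```

An exported policy lists only the bindings set directly on that resource, so roles inherited from a parent folder or organization have to be audited on the parent's policy.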

Enable the Integration in SHI One

If you have granted access at the organization level, the below process only needs to be done once per organization. For projects and folders, this process needs to be completed for each project or folder.

  1. Log in to SHI One and navigate to Settings -> Integrations
  2. Click the icon in the top right corner of the GCP Cloud Asset Inventory integration and click Add New
  3. Upload the Service Account Key file saved in the prior steps
  4. Enter the scope of permissions for the integration
    • Note: The format must be: organizations/{organization_id}, projects/{project_id}, or folders/{folder_id}
  5. Click Save

Note that it takes GCP up to 48 hours to start sending data to SHI One.
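A check that can be run before the upload, as an added example that is not part of the original guide or of SHI One: it validates the key file contents and the scope string against the format given in step 4. The ID patterns are assumptions based on GCP's ID formats, and the sample key and function names are constructed.

```python
import json
import re

# Scope prefixes come from the guide. The ID patterns are assumptions based on
# GCP's formats: numeric organization/folder IDs, 6-30 character project IDs
# (a numeric project number is also accepted here).
SCOPE_PATTERNS = {
    "organizations": re.compile(r"\d+"),
    "folders": re.compile(r"\d+"),
    "projects": re.compile(r"[a-z][a-z0-9-]{4,28}[a-z0-9]|\d+"),
}
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key; every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-sample-project",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "asset-reader@my-sample-project.iam.gserviceaccount.com",
})


def check_scope(scope):
    """Return a list of problems with the scope string (empty means OK)."""
    kind, sep, ident = scope.partition("/")
    if not sep or kind not in SCOPE_PATTERNS:
        return [f"scope must be organizations/, projects/ or folders/ plus an ID: {scope!r}"]
    if not SCOPE_PATTERNS[kind].fullmatch(ident):
        return [f"{ident!r} is not a valid ID for {kind}/"]
    return []


def check_key(key_text):
    """Return a list of problems with a service account key file's contents."""
    try:
        key = json.loads(key_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS if not key.get(name)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    email = key.get("client_email")
    if isinstance(email, str) and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a user-managed service account address")
    return problems
```

Pass the contents of the downloaded key file to `check_key` and the scope you intend to enter to `check_scope`; an empty list from both means the inputs match the expected shape.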



Troubleshooting

My integration has an hourglass icon next to it

The hourglass icon appears when GCP has not yet sent data to SHI One. It can take up to 48 hours after activating an integration for GCP to start sending data to SHI One.

If it has been more than 48 hours since activating an integration and the hourglass icon is still there, you can submit a support request. Perform the following steps:

  1. In SHI One, navigate to Support Center -> New Request -> Service Request -> General Service Request
  2. For Contract, select GCP
  3. For Issue Type, select GCP - Account Management
  4. For Issue Sub-Type, select Other General Account Questions
  5. Fill out the required fields.
  6. Click Submit

The Support Team will be in touch; you can check the status of your support request at Support Center -> Requests.

My integration has a red exclamation mark next to it

The red exclamation mark appears when there is an error with an integration. Integrations in error are displayed with a message below explaining the nature of the error.

Because there are many error causes and possibilities, there is no way to list all potential methods of rectifying an error. Often the fastest method is to deactivate the affected integration and then perform this document's process again. If that doesn't solve the problem, submit a support request in SHI One; make sure to include the details of the integration in error and include screenshots if possible.