GCP Cloud Asset Inventory

overview gcp cloud asset inventory is the functionality inside the gcp portal that provides visibility across your cloud resources getting started prerequisites the following prerequisites must be met to utilize the shi one gcp cloud asset inventory integration an active project in google cloud platform the individual performing the steps below must have the necessary gcp permissions to enable the cloud asset api and grant necessary permissions to a service account for the target organization, project, or folder gcp cloud asset inventory overview a metadata inventory service that allows you to view, monitor, and analyze all your google cloud and anthos assets across projects and services enable cloud asset inventory api before you can start working with cloud asset inventory, you must enable the cloud asset inventory api in your primary project click the following link to enable the cloud asset inventory api https //console cloud google com/flows/enableapi?apiid=cloudasset googleapis com https //console cloud google com/flows/enableapi?apiid=cloudasset googleapis com\&redirect=https //console cloud google com pricing gcp cloud asset inventory is available at no additional cost references overview https //cloud google com/security/products/asset inventory https //cloud google com/security/products/asset inventory documentation https //cloud google com/asset inventory/docs/overview https //cloud google com/asset inventory/docs/overview pricing https //cloud google com/asset inventory/pricing https //cloud google com/asset inventory/pricing quickstart guide https //cloud google com/asset inventory/docs/export asset metadata https //cloud google com/asset inventory/docs/export asset metadata shi one integration overview once shi one gcp cloud asset inventory is enabled, findings from gcp cloud asset inventory will be visible from within the shi one asset inventory the following section describes the necessary configuration to integrate your gcp cloud asset inventory into shi one and details the permissions necessary to ensure the proper functionality of the gcp cloud asset inventory integration to utilize the gcp cloud asset inventory integration to its fullest capabilities, a service account must be deployed with the permissions required to access the api for the target resource enable shi one integration prerequisites the individual performing the following steps must be an admin in shi one the individual performing the following steps must have the required gcp permissions to delegate permissions for the target organization, project, or folder step by step process log in to the gcp portal with an account that has the required permissions navigate to https //console cloud google com/projectselector/iam admin/serviceaccounts/create?walkthrough id=iam create service account#step index=1 https //console cloud google com/projectselector/iam admin/serviceaccounts/create?walkthrough id=iam create service account#step index=1 note this link takes you directly to gcp's service account creation walkthrough; you can also create a service account by navigating to iam & admin > service accounts from the gcp portal navigation select the project that has the cloud asset inventory api enabled provide a name, id, and description for the service account click create and continue select the cloud asset viewer role click continue (optional) grant users access to the service account click done for the newly created service account, click the actions button and select manage keys click add key and select create new key for key type, select json , then click create save the file to your computer for later upload to shi one at this point the created service account will have permissions scoped to the project in which it was created to enable access to other projects or the parent organization, you must grant the cloud asset viewer permission for the service account on the target resource from the gcp portal, select the organization, project, or folder from the switcher box in the menu bar that you would like to grant the service account access to click iam & admin in the left navigation from the permissions tab, click grant access enter the email for your service account in the new principals input field assign the cloud asset viewer role click save repeat the process above for any organizations, projects, or folders you would like to grant access to enable the integration in shi one if you have granted access at the organization level, the below process only needs to be done once per organization for projects and folders, this process needs to be completed for each project or folder log in to shi one and navigate to settings > integrations click the three dots in the top right corner of the gcp cloud asset inventory tile click add new upload the service account key file saved in the prior steps enter the scope of permissions for the integration note the format must be organizations/{organization id}, projects/{project id}, or folders/{folder id} click save note that it takes gcp up to 48 hours to start sending data to shi one troubleshooting my integration has an hourglass icon next to it the hourglass icon appears when gcp has not yet sent data to shi one it can take up to 48 hours after activating an integration for gcp to start sending data to shi one if it has been more than 48 hours since activating an integration and the hourglass icon is still there, you can submit a support request using the following steps in shi one, navigate to support center > new request > service request > general service request for contract, select gcp for issue type, select gcp account management for issue sub type, select other general account questions fill out the required fields click submit the support team will be in touch; you can check the status of your support request at support center > requests my integration has a red exclamation mark next to it the red exclamation mark appears when there is an error with an integration integrations in error are displayed with a message below explaining the nature of the error because there are many error causes and possibilities, there is no way to list all potential methods of rectifying an error often the fastest method is to deactivate the affected integration and then perform this document's process again if that doesn't solve the problem, submit a support request in shi one; make sure to include the details of the integration in error and include screenshots if possible