Documentation
Integrations

Google Cloud API Inventory Scanning

Created:
September 21, 2023
Updated:
September 18, 2024

Integrating with Google Cloud inventory scanning enables the scanning of API resources in Google Cloud to populate into the FireTail platform.

The Google Cloud API Inventory Scanning integration enables FireTail to automatically discover and monitor API resources within your Google Cloud environment. By connecting FireTail with Google Cloud through IAM roles and services, FireTail scans your environment pulling API data using service accounts and workload identity federation. Discovered APIs are then populated into your selected FireTail application. The integration can be set up manually via the Google Cloud Console or through a script executed in Google Shell. To set up the integration:

Manual deployment

1. Navigate to Integrations in the FireTail platform. Select the Create integration tab.

2. Click Google Cloud API Inventory Scanning.

3. In the My Integration field, enter a name for the integration. The integration is Enabled by default. Toggle off to make inactive.

4. Log in to the Google Cloud console.

5. Create a project if you do not have one already created. Learn How to create a project.

6. Copy the Project number, paste this value into the Google Project Number field in the FireTail platform.

Note: The Project number is a numerical value and should not be confused with the Project ID.

7. Create a Service account:

  • Open IAM & Admin. This can be found by using the search bar, or from the menu.
  • Select Service Accounts from the left menu. Click Create Service Account.
  • Under Service account details, enter a name for the service account. Click Create and Continue.
  • Under Grant this service account access to project, the following roles must be included, this adds the necessary permissions to the Service account:
    • APIGateway Viewer
    • Apigee API Reader
    • Compute Network Viewer
    • Workload Identity User
  • Click Done.
  • Copy the Service account email and paste it into the Google Service account field in the FireTail platform. The Service account email can be found in the Service account details. Click the Service account to view.
  • Return to Google Cloud console when done.

8. Create a Workload identity pool:

  • Select Workload Identity Federation from the left menu. Click Create Pool.
  • Under Create an identity pool, enter firetail-pool into the name field. The Pool ID field is automatically populated.
  • Return to Google Cloud console and click Continue.
  • Under Add a provider to pool, select AWS from the dropdown menu.
  • Return to the FireTail platform, copy the ORG UUIDfrom the script. Paste this value into the Provider Name in Google cloud, the Provider ID automatically populates with the same value.
  • In the FireTail platform copy the AWS account ID from the script. The account ID is 247286868737. Paste this ID into Google Cloud console in the AWS account ID field.
  • Click Continue.
  • Under Configure provider attributes, click Edit Mapping. The provider attributes should be mapped as follows:
    • google.subject - assertion.arn
    • attribute.aws_role - assertion.account
  • Click Save.

9. Open the Workload Identity Federation page for the pool you have created. Click the Activate Cloud Shell Icon. The Cloud shell terminal opens.

10. Run the following script in the terminal:


gcloud iam service-accounts add-iam-policy-binding ${SERVICE_ACCOUNT_EMAIL} \
--role roles/iam.workloadIdentityUser \
--member "principalSet://iam.googleapis.com/projects/${CURRENT_PROJECT_NUMBER}
/locations/global/workloadIdentityPools/${POOL_NAME}/*"

Note: in the below script, replace the ${SERVICE_ACCOUNT_EMAIL} with the service account email you have created (this can be found in the service account details), replace ${CURRENT_PROJECT_NUMBER} with the project number and replace ${POOL_NAME} with firetail-pool

11. Go to the Security Token Service API and click Enable (if its not already enabled).

12. Go to the IAM Service Account Credentials API and click Enable (if its not already enabled).

13. Return to the Google Cloud API Inventory Scanning integration form in the FireTail platform to complete the integration.

14. Select an application from the dropdown, or click Create to create a new application. When you complete the integration this adds the discovered APIs under the application that you choose. Learn more about applications here.

15. Enter a Scan Frequency. This is how often the scan is done in seconds.

16. Click Submit.

The discovered APIs can be viewed by navigating to Applications in the FireTail platform and selecting the required application to view the discovered APIs.

Deploy using Google Shell

1. Navigate to Integrations in the FireTail platform.

2. Click Google Cloud API Inventory Scanning.

3. In the My Integration field, enter a name for the integration. The integration is Enabled by default. Toggle off to make inactive.

4. Log in to the Google Cloud console.

5. If you do not have a project created, create a project. Learn How to create a project.

6. Copy the Project number, paste this value into the Google Project Number field in the FireTail platform.

Note: The project number is a numerical value and should not be confused with the Project ID.

7. Open the Cloud Shell Editor and copy the script in the FireTail platform and run in the Cloud Shell terminal.

8. Click Authorize. The script creates the service account and workload identity pool with the necessary permissions.

9. The service account email and Pool ID should be copied and pasted it into the Google Service account and Workload Identity Pool ID fields respectively in the FireTail platform. This information can be found in the generated return of the script. Alternatively locate the information in the Google Cloud console. Search for service account and open the newly created one, copy the email address. For the Pool ID, open the Workload Identity Federation and copy the Pool ID.

10. Return to the Google Cloud API Inventory Scanning integration form in the FireTail platform to complete the integration.

11. In the FireTail platform, select an application from the dropdown, or click Create to create a new application. This is the application that will be associated with the integration. When you complete the integration this adds the discovered APIs under the FireTail application that you choose. Learn more about applications here.

12. Enter a Scan Frequency. This is how often the scan is done in seconds. The minimum is 900 seconds (15 minutes).

14. Click Submit.

The discovered APIs can be viewed by navigating to Applications in the FireTail platform and selecting the application to view the discovered APIs.

Getting Started
Organizations
Dashboard
APIs
Applications
Integrations
Actions
Specifications
Posture Management
Alerting
Code Libraries
Reporting
Python Documentation
FAQs
Related Docs
AppSync Lambda logging
View doc
Discover APIs in a GitLab repository
View doc
AWS WAFv2 IP Set
View doc
Set up a Splunk integration
View doc
Recently Updated
Glossary
View doc
Dashboard overview
View doc
API Risk Dashboard
View doc
API Risk Scoring
View doc
Set up AWS API Gateway Logging with AWS Lambda
View doc