Documentation
Integrations

Google Cloud API Inventory Scanning

Created:
September 21, 2023
Updated:
April 12, 2024

Integrating with Google Cloud inventory scanning enables the scanning of API resources in Google Cloud to populate into the FireTail platform.

To set up the integration you can deploy by running a script in Google Shell or you can manually deploy.

Manual deployment

1. Navigate to Integrations in the FireTail platform. Select the Create integration tab.

2. Click Google Cloud API Inventory Scanning.

3. In the My Integration field, enter a name for the integration.

4. Log in to the Google Cloud console.

5. Create a project if you do not have one already created. Learn How to create a project.

6. Copy the Project number, paste this value into the Google Project Number field in the FireTail platform.

Note: The Project number is a numerical value and should not be confused with the Project ID.

7. Create a Service account:

  • Open IAM & Admin. This can be found by using the search bar, or from the menu.
  • Select Service Accounts from the left menu. Click Create Service Account.
  • Under Service account details, enter a name for the service account. Click Create and Continue.
  • Under Grant this service account access to project, the following roles must be included, this adds the necessary permissions to the Service account:
    • APIGateway Viewer
    • Apigee API Reader
    • Compute Network Viewer
    • Workload Identity User
  • Click Done.
  • Copy the Service account email and paste it into the Google Service account field in the FireTail platform. The Service account email can be found in the Service account details. Click the Service account to view.
  • Return to Google Cloud console when done.

8. Create a Workload identity pool:

  • Select Workload Identity Federation from the left menu. Click Create Pool.
  • Under Create an identity pool, enter firetail-pool into the name field. The Pool ID field is automatically populated.
  • Return to Google Cloud console and click Continue.
  • Under Add a provider to pool, select AWS from the dropdown menu.
  • Return to the FireTail platform, copy the ORG UUIDfrom the script. Paste this value into the Provider Name in Google cloud, the Provider ID automatically populates with the same value.
  • In the FireTail platform copy the AWS account ID from the script. The account ID is 247286868737. Paste this ID into Google Cloud console in the AWS account ID field.
  • Click Continue.
  • Under Configure provider attributes, click Edit Mapping. The provider attributes should be mapped as follows:
    • google.subject - assertion.arn
    • attribute.aws_role - assertion.account
  • Click Save.

9. Open the Workload Identity Federation page for the pool you have created. Click the Activate Cloud Shell Icon. The Cloud shell terminal opens.

10. Run the following script in the terminal:


gcloud iam service-accounts add-iam-policy-binding ${SERVICE_ACCOUNT_EMAIL} \
--role roles/iam.workloadIdentityUser \
--member "principalSet://iam.googleapis.com/projects/${CURRENT_PROJECT_NUMBER}
/locations/global/workloadIdentityPools/${POOL_NAME}/*"

Note: in the below script, replace the ${SERVICE_ACCOUNT_EMAIL} with the service account email you have created (this can be found in the service account details), replace ${CURRENT_PROJECT_NUMBER} with the project number and replace ${POOL_NAME} with firetail-pool

11. Go to the Security Token Service API and click Enable (if its not already enabled).

12. Go to the IAM Service Account Credentials API and click Enable (if its not already enabled).

13. Return to the Google Cloud API Inventory Scanning integration form in the FireTail platform to complete the integration.

14. The integration is Enabled by default. To make the integration inactive, clear the check box.

15. Select an application from the dropdown, or click Create to create a new application. When you complete the integration this adds the discovered APIs under the application that you choose. Learn more about applications here.

16. Enter a Scan Frequency. This is how often the scan is done in seconds.

17. Click Submit.

The discovered APIs can be viewed by navigating to Applications in the FireTail platform and selecting the required application to view the discovered APIs.

Deploy using Google Shell

1. Navigate to Integrations in the FireTail platform. Select the Create integration tab.

2. Click Google Cloud API Inventory Scanning.

3. In the My Integration field, enter a name for the integration.

4. Log in to the Google Cloud console.

5. If you do not have a project created, create a project. Learn How to create a project.

6. Copy the Project number, paste this value into the Google Project Number field in the FireTail platform.

Note: The project number is a numerical value and should not be confused with the Project ID.

7. Open the Cloud Shell Editor and copy the script in the FireTail platform and run in the Cloud Shell terminal.

8. Click Authorize. The script creates the service account and workload identity pool with the necessary permissions.

9. The service account email and Pool ID should be copied and pasted it into the Google Service account and Workload Identity Pool ID fields respectively in the FireTail platform. This information can be found in the generated return of the script. Alternatively locate the information in the Google Cloud console. Search for service account and open the newly created one, copy the email address. For the Pool ID, open the Workload Identity Federation and copy the Pool ID.

10. Return to the Google Cloud API Inventory Scanning integration form in the FireTail platform to complete the integration.

11. The integration is Enabled by default. To make the integration inactive, clear the check box.

12. In the FireTail platform, select an application from the dropdown, or click Create to create a new application. This is the application that will be associated with the integration. When you complete the integration this adds the discovered APIs under the FireTail application that you choose. Learn more about applications here.

13. Enter a Scan Frequency. This is how often the scan is done in seconds. The minimum is 900 seconds (15 minutes).

14. Click Submit.

The discovered APIs can be viewed by navigating to Applications in the FireTail platform and selecting the application to view the discovered APIs.

Categories
Getting started
Organizations
Applications
APIs
Posture management
Specifications
Integrations
Alerts
Python documentation
FAQs
Related Docs
Set up a Splunk integration
View doc
Set up a Microsoft Teams integration
View doc
Google Cloud API Gateway Logging
View doc
Discover APIs in a GitHub repository (GitHub App)
View doc
Recently Updated
Set up an AWS API inventory integration
View doc
Dynamic variables
View doc
Set up a Splunk integration
View doc
Manage subscriptions and billing
View doc
Dashboard overview
View doc