Google Cloud Configuration Integration - Manual Configuration

To create a Lacework Google Cloud configuration integration manually using the Google Cloud Console and the Lacework Console, follow the procedures below.

Prerequisites

Google Cloud Project

When integrating at the Organization level, Lacework recommends that you create a project specifically for Lacework resources.

When integrating at the Project level, all required resources for Lacework may be provisioned within the project being integrated.

The project being used must have billing enabled.

Create a Google Cloud Service Account and Grant Access

Follow the procedure provided in Create a Google Cloud Service Account and Grant Access.

Enable the Required Google Cloud APIs

When manually creating a Google Cloud configuration integration, you must enable APIs for the projects you want to integrate. Follow the procedure provided in Enable the Required Google Cloud APIs.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Google Cloud Platform and select Manual configuration.
  5. Click Next.
  6. Select Configuration and follow the steps in Create a Google Cloud Configuration Integration.

Create a Google Cloud Configuration Integration

  1. Create a Google Cloud service account and grant access.
  2. Enable the required Google Cloud APIs.
  3. For Name, enter a unique name that displays in the Lacework Console.
  4. Follow the steps to either upload GCP credentials or enter information manually.

When creating the Google Cloud integration, you can either upload Google Cloud credentials or enter all information manually. Finish creating the integration in the Lacework Console by following the steps described in one of the following sections.

Upload GCP Credentials

To upload Google Cloud credentials, follow these steps:

  1. For Upload GCP Credential, click Choose File and navigate to the JSON key file downloaded when you created the Google Cloud service account.
    This populates the credential fields.

  2. For Integration Level, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.

  3. For Org/Project ID, paste in the appropriate ID value for your integration type:

    • If integrating at the project level, copy and paste the value of the project_id property from the JSON file.

    • If integrating at the organization level, log in to the Google Cloud console. Click the down arrow in the top menu bar. From the Select from drop-down, select an organization that contains the Google Cloud project(s) that you want the integration to monitor. Select IAM & admin > Settings and copy and paste the number from the Organization ID field.

      [Screenshot: gcp_select_org.png, selecting an organization in the Google Cloud console]

  4. Click Save to finish the Google Cloud integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

For the “Integration Pending” status, hover over the status text and click the refresh icon to fetch the status result again. This does not retest the integration.

Enter Information Manually

Entering information manually requires a system with the jq utility installed. The jq utility is a flexible command-line JSON processor. For more information, see https://stedolan.github.io/jq/.

To manually enter Google Cloud credentials, follow these steps:

  1. Verify that the jq (command-line JSON processor) utility is available from your command-line shell. Leave this command-line window open.

    jq
  2. If the jq utility is found, skip to the next step. If the jq utility is not installed or not listed in your PATH, install it and verify that the path to the utility is listed in your PATH environment variable. The jq utility is required for some steps in the following procedure.

  3. Locate the JSON key file downloaded when you created the Google Cloud service account.

  4. Open the file in an editor and leave it open.

  5. Copy the value of the client_id property from the JSON file and paste the value into the Client ID field of the Lacework Console.

  6. Copy the value of the private_key_id property from the JSON file and paste the value into the Private Key ID field of the Lacework Console.

  7. Copy the value of the client_email property from the JSON file and paste the value into the Client Email field of the Lacework Console.

  8. Exit the editor.

  9. You cannot copy the private key directly from the editor: the private_key value is stored in the JSON file as a single line with escaped newline characters (\n), so the pasted text would not be a valid key. You must copy a raw version of the key using the jq utility as described in the following steps.

  10. To view the raw text of the private key, enter the following command, where YourFileName.json is the name of the file downloaded when you created the Google Cloud Service Account.

    jq -r '.private_key' YourFileName.json
  11. Copy all text displayed in the output including the Begin and End lines.

    -----BEGIN PRIVATE KEY-----
    YourKeyInfo
    -----END PRIVATE KEY-----
  12. Paste the text into the Private Key field of the Lacework Console.

  13. For Integration Level, select Organization or Project. Select Organization if integrating at the organization level. Select Project if integrating at the project level.

  14. For Org/Project ID, paste in the appropriate ID value for your integration type:

    • If integrating at the project level, copy and paste the value of the project_id property from the JSON file.

    • If integrating at the organization level, log in to the Google Cloud console. Click the down arrow in the top menu bar. From the Select from drop-down, select an organization that contains the Google Cloud project(s) that you want the integration to monitor. Select IAM & admin > Settings and copy and paste the number from the Organization ID field.

      [Screenshot: gcp_select_org.png, selecting an organization in the Google Cloud console]

  15. Click Save to finish the Google Cloud integration and save your onboarding progress. The integration appears in the list of cloud accounts under Cloud accounts.

For the “Integration Pending” status, hover over the status text and click the refresh icon to fetch the status result again. This does not retest the integration.
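The following script is an added example, not part of the Lacework documentation or tooling. It does in Python what the jq step above does by hand: it reads a constructed sample service account key file (dummy values, not a real key), pulls out the five properties the manual procedure copies into the console, and checks that the private key has real line breaks with the BEGIN/END framing rather than literal backslash-n sequences, which is exactly the failure the editor copy-paste produces.

```python
import json
import re

# Constructed sample of a Google Cloud service account key file as downloaded
# from the console. The private_key value is one JSON string whose line breaks
# are stored as the two characters backslash and n; that is why copying it
# straight out of a text editor does not yield a usable key. The key body is a
# dummy placeholder, not real key material.
SAMPLE_KEY_JSON = (
    '{"type": "service_account", "project_id": "example-project-123456", '
    '"private_key_id": "0123456789abcdef0123456789abcdef01234567", '
    '"private_key": "-----BEGIN PRIVATE KEY-----\\nDUMMYKEYLINE1\\n'
    'DUMMYKEYLINE2\\n-----END PRIVATE KEY-----\\n", '
    '"client_email": "lacework-sa@example-project-123456.iam.gserviceaccount.com", '
    '"client_id": "123456789012345678901"}'
)

# Lacework Console field -> property in the key file (from the manual procedure).
FIELDS = {
    "Client ID": "client_id",
    "Private Key ID": "private_key_id",
    "Client Email": "client_email",
    "Private Key": "private_key",
    "Org/Project ID": "project_id",
}

# BEGIN and END markers each on their own line, at least one body line between.
PEM_RE = re.compile(
    r"\A-----BEGIN PRIVATE KEY-----\n(?:.+\n)+-----END PRIVATE KEY-----\n?\Z"
)


def extract_fields(key_json_text):
    """Return console field values from the raw text of a key file.
    Equivalent to `jq -r '.<property>'` per property: json.loads decodes the
    \\n escapes, so the private key comes back with real newlines."""
    data = json.loads(key_json_text)
    missing = [prop for prop in FIELDS.values() if prop not in data]
    if missing:
        raise ValueError("key file is missing properties: " + ", ".join(missing))
    return {label: data[prop] for label, prop in FIELDS.items()}


def private_key_is_well_formed(private_key):
    """True when the key is PEM-framed with decoded newlines; False for text
    pasted from an editor, which still carries literal backslash-n pairs."""
    return "\\n" not in private_key and PEM_RE.match(private_key) is not None


if __name__ == "__main__":
    fields = extract_fields(SAMPLE_KEY_JSON)
    for label, value in fields.items():
        shown = value.splitlines()[0] + " ..." if label == "Private Key" else value
        print(f"{label}: {shown}")
    print("private key well-formed:", private_key_is_well_formed(fields["Private Key"]))
```

Point the script at your own downloaded key file by replacing SAMPLE_KEY_JSON with the file's contents; a False result from private_key_is_well_formed means the newlines were not decoded and the key must be re-extracted with jq.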

Validate your Google Cloud Configuration Integration

Use the commands included in this section to verify if your Google Cloud Configuration Integration is set up properly.

  1. Verify whether the project associated with the service account has the cloudasset service (cloudasset.googleapis.com) enabled; the --project flag takes the project ID:

    gcloud --project <project_id> services list
  2. Verify which project the service account belongs to:

    gcloud iam service-accounts describe <service_account>.iam.gserviceaccount.com

    The response will include the projectId, which you can utilize to enable the cloudasset service by executing the following command:

    gcloud --project <service_account_project_id> services enable cloudasset.googleapis.com

We recommend verifying all services that should be enabled on the project associated with the service account, in addition to CAI (Cloud Asset Inventory). For the list of available services, see Service Account Roles.

Info: Google Apps Script Projects are hidden by default. Contact Lacework Support if you want to enable visibility of these projects.