
Enable the Required Google Cloud APIs

When you manually create a Google Cloud Configuration or Audit Log integration, it is important to enable the required APIs in the correct way for the integration to work as expected.

API List

Use this table as a reference when enabling the APIs in the How to Enable the APIs section below.

Note: Lacework recommends that all the APIs listed below are enabled on the project that hosts the service account.

If they are not enabled on that project, Lacework cannot assess other projects that have these APIs enabled, or that enable them in the future.

| API Name | API URL | Integration Type |
|---|---|---|
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com | Audit Log, Configuration |
| Identity and Access Management (IAM) API | iam.googleapis.com | Audit Log, Configuration |
| Service Usage API | serviceusage.googleapis.com | Audit Log, Configuration |
| BigQuery API | bigquery.googleapis.com | Configuration |
| Cloud Asset API | cloudasset.googleapis.com | Configuration |
| Cloud DNS API | dns.googleapis.com | Configuration |
| Cloud Key Management Service (KMS) API | cloudkms.googleapis.com | Configuration |
| Cloud Logging API | logging.googleapis.com | Configuration |
| Cloud Pub/Sub API | pubsub.googleapis.com | Audit Log, Configuration |
| Cloud SQL Admin API | sqladmin.googleapis.com | Configuration |
| Cloud Storage | storage-component.googleapis.com | Configuration |
| Compute Engine API | compute.googleapis.com | Configuration |
| Essential Contact API | essentialcontacts.googleapis.com | Configuration |
| Kubernetes Engine API | container.googleapis.com | Configuration |

How to Enable the APIs

For the project that hosts the service account for the integration, enable each of the APIs listed in the API List by choosing one of the methods below.

Enable using the Google Cloud Console

  1. Log in to the Google Cloud Console and click the icon (image: gcp_api_home.png).

  2. Select APIs & Services > Library.

  3. In the Search for APIs & Services field, enter the API URL listed in the table above such as iam.googleapis.com.

  4. Click on the result that matches the API name listed above, such as Identity and Access Management (IAM) API.

  5. Click Enable.

  6. If you are prompted to enable billing, click Enable Billing.

  7. Repeat these steps for each project that hosts a service account that you are using for your Lacework integration.

Enable using the gcloud CLI

Ensure that the gcloud config is set to use a service account with the permissions required to enable APIs.

For further information about enabling APIs, see the Google Cloud documentation.

  1. Set the project that you wish to enable the APIs on:

    gcloud config set project target_project

  2. Enable the required APIs for your integration type:

    Configuration Integration:

    gcloud services enable \
      cloudresourcemanager.googleapis.com \
      iam.googleapis.com \
      serviceusage.googleapis.com \
      bigquery.googleapis.com \
      cloudasset.googleapis.com \
      dns.googleapis.com \
      cloudkms.googleapis.com \
      logging.googleapis.com \
      pubsub.googleapis.com \
      sqladmin.googleapis.com \
      storage-component.googleapis.com \
      compute.googleapis.com \
      essentialcontacts.googleapis.com \
      container.googleapis.com

    Pub/Sub-Based Audit Log Integration:

    gcloud services enable \
      pubsub.googleapis.com \
      cloudresourcemanager.googleapis.com \
      iam.googleapis.com \
      serviceusage.googleapis.com

    Storage-Based Audit Log Integration:

    gcloud services enable \
      pubsub.googleapis.com \
      cloudresourcemanager.googleapis.com \
      iam.googleapis.com \
      serviceusage.googleapis.com

  3. Verify the APIs were successfully enabled:

    gcloud services list
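
The verification step can be turned into a check that prints only the required APIs still missing from the project. The script below is an added example, not part of the Lacework documentation; the function names and the integration type labels `configuration` and `audit-log` are assumptions made for this example, and the sample list of enabled services is constructed.

```sh
#!/bin/sh
# Added example (not Lacework's code): list required APIs that are missing
# from a project's enabled services.

# Required APIs per integration type, copied from the gcloud commands on this page.
# The type names "configuration" and "audit-log" are labels chosen for this example.
required_apis() {
  case "$1" in
    configuration)
      printf '%s\n' \
        cloudresourcemanager.googleapis.com iam.googleapis.com \
        serviceusage.googleapis.com bigquery.googleapis.com \
        cloudasset.googleapis.com dns.googleapis.com \
        cloudkms.googleapis.com logging.googleapis.com \
        pubsub.googleapis.com sqladmin.googleapis.com \
        storage-component.googleapis.com compute.googleapis.com \
        essentialcontacts.googleapis.com container.googleapis.com ;;
    audit-log)
      # Same list for the Pub/Sub-based and storage-based audit log integrations.
      printf '%s\n' \
        pubsub.googleapis.com cloudresourcemanager.googleapis.com \
        iam.googleapis.com serviceusage.googleapis.com ;;
    *)
      echo "unknown integration type: $1" >&2
      return 2 ;;
  esac
}

# missing_apis TYPE
# Reads enabled service names on stdin, one per line, and prints each
# required API that is absent. Prints nothing when all are enabled.
missing_apis() {
  required=$(required_apis "$1") || return 2
  enabled=$(cat)
  for api in $required; do
    # -x whole line, -F fixed string: "iam.googleapis.com" must not match
    # "iamcredentials.googleapis.com", and "." must not act as a wildcard.
    printf '%s\n' "$enabled" | grep -qxF -- "$api" || printf '%s\n' "$api"
  done
}

# Constructed sample of enabled services for an offline run. Against a real project:
#   gcloud services list --enabled --format='value(config.name)' | missing_apis audit-log
SAMPLE_ENABLED='iamcredentials.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com'

printf '%s\n' "$SAMPLE_ENABLED" | missing_apis audit-log
```

Run it after `gcloud config set project` for each project that hosts a Lacework service account; empty output means every API required for that integration type is enabled.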