GCP Integration
Introduction:
Sprinto has built-in integration with Google Cloud Platform (GCP) accounts. To comply with regulations, Sprinto must retrieve information from the GCP account. You can review the fetched information and act on it to meet the security compliance requirements. This reduces the manual work otherwise needed each time Sprinto requires details from the GCP account to align the organization with those requirements.
Note: Sprinto only has "Read-only" access and makes no configuration changes to GCP resources.
Upon successful integration, Sprinto will retrieve the necessary information from the following GCP resources:
Cloud Resource Manager API
Compute Engine API
Cloud Pub/Sub API
Cloud Logging API
Identity and Access Management (IAM) API
Service Usage API
Cloud Spanner API
BigQuery API
Cloud Bigtable API
Firebase Management API
Cloud Datastore API
Cloud Filestore API
Cloud SQL Admin API
Cloud Storage
Container Registry API
Google Cloud APIs
Kubernetes Engine API
Service Management API
Stackdriver API
Note: Sprinto uses "Read-Only" permission from the GCP platform to fetch only the necessary information from GCP resources, regardless of the integration method used.
You can integrate Sprinto with a GCP account in the following ways:
Integrate via Cloud Shell (Recommended):
The main advantage of this method is that it removes several manual steps on the GCP platform: you do not have to create the service account yourself and then integrate it with Sprinto.
In this process, you create and download a JSON file by running a bash script in Google Cloud Shell. You then upload this JSON file to Sprinto. The process creates a service account on the GCP platform and integrates that service account with Sprinto.
Integrate via service account:
This integration requires you to create a service account on the GCP platform. Once the service account is created, download the JSON key for the service account. Upload it on Sprinto, which will integrate the service account with Sprinto.
Prerequisites:
Log in to Sprinto as an administrator.
Ensure you have the “Owner” access privilege in your GCP account.
Be logged in to the GCP account with Owner access.
Procedure:
Step 1: Navigate to Security Hub > Settings, then click on Available Integrations.

Step 2: On the integration page, click on Connect next to GCP.
Note: If necessary, use the search bar to find GCP on the integration page.

Step 3: On the setup GCP integration page, enter the ID of the project you want to integrate with Sprinto.
Note: You can add multiple project IDs at the same time. Press Enter after each project ID.

Step 4: Choose one of the following integration methods:
Google Cloud Shell
Select the Use Google Cloud Shell option, then click on Continue.
On the Integrate GCP page, copy the bash code and run it in the Google Cloud Shell terminal.
Note: If required, refer to the run script below. This script creates a service account with “Read-only” access on your GCP account.
    sa="sprinto-service-account"
    currentproject=$(gcloud info --format='value(config.project)')

    ## Add project IDs of projects (other than the current one) that you want to have access to
    projects=("$currentproject" "12345" "ABCD" "XYZ")
    # De-duplicate the project list
    uniq_projects=($(echo "${projects[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' '))

    echo "Integrating Sprinto"
    echo "Service Account: $sa"
    echo ""

    # Create service account
    gcloud iam service-accounts create "$sa" \
        --description="Sprinto uses this to monitor production GCP resources" \
        --display-name="Sprinto"

    ## Adding roles to service account for multiple projects
    for project in "${uniq_projects[@]}"; do
        # Adding Security Reviewer role to the service account
        gcloud projects add-iam-policy-binding "$project" \
            --member="serviceAccount:$sa@$currentproject.iam.gserviceaccount.com" \
            --role="roles/iam.securityReviewer"

        # Adding Compute Viewer role to the service account
        gcloud projects add-iam-policy-binding "$project" \
            --member="serviceAccount:$sa@$currentproject.iam.gserviceaccount.com" \
            --role="roles/compute.viewer"

        # Enabling services (no --project flag, so this applies to the active gcloud project)
        gcloud services enable compute.googleapis.com cloudresourcemanager.googleapis.com \
            pubsub.googleapis.com logging.googleapis.com iam.googleapis.com \
            serviceusage.googleapis.com spanner.googleapis.com bigquery.googleapis.com \
            bigtable.googleapis.com firebase.googleapis.com datastore.googleapis.com \
            file.googleapis.com sqladmin.googleapis.com storage-component.googleapis.com \
            servicemanagement.googleapis.com cloudapis.googleapis.com container.googleapis.com \
            stackdriver.googleapis.com containerregistry.googleapis.com
    done

    # Create keys for service account
    gcloud iam service-accounts keys create ~/sa-private-key.json \
        --iam-account="$sa@$currentproject.iam.gserviceaccount.com"

    # Download the private key
    cloudshell download ~/sa-private-key.json

    echo ""
    echo "Successfully integrated project ($currentproject), please upload the key file in the dashboard"
After the script runs successfully, you will be prompted to download a JSON key. Please download and save it on your computer.
On the GCP integration page, click on Upload Key to upload the JSON key you’ve downloaded in the previous step, then click on Connect.
Google service accounts
Select the Set up service account manually option, then click on Continue.
On the GCP integration page, carefully follow the on-screen instructions to create the service account on the GCP platform. If required, refer to Google documentation on creating a service account.
Note: To integrate Sprinto on GCP, complete the on-screen instructions from the Sprinto app:
Create a service account on GCP
Create access keys
Enable APIs
Please note that these steps are required to create the integration for Sprinto.
On the GCP integration page, click on Upload Key to upload the JSON key file you’ve downloaded from the previous step, then click on Connect.
Results:
On successfully integrating Sprinto on GCP, you can find the created service account on the GCP > IAM page.
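To confirm that the service account holds only the two viewer roles granted by the Cloud Shell script above, its role bindings can be checked after integration. The script below is an added example, not part of Sprinto's script: check_roles, audit_project and the sample role list are names and data constructed for illustration.

```bash
# Added example: audit the roles bound to the Sprinto service account.
SA_NAME="sprinto-service-account"   # name used by the Cloud Shell script above
EXPECTED_ROLES="roles/iam.securityReviewer roles/compute.viewer"

# Read one role per line on stdin. Print a finding for every role outside
# EXPECTED_ROLES and for every expected role that is absent.
# Returns 0 when the bindings match exactly, 1 otherwise.
check_roles() {
  found=$(tr '\n' ' ')
  rc=0
  for role in $found; do
    case " $EXPECTED_ROLES " in
      *" $role "*) ;;
      *) echo "UNEXPECTED $role"; rc=1 ;;
    esac
  done
  for want in $EXPECTED_ROLES; do
    case " $found " in
      *" $want "*) ;;
      *) echo "MISSING $want"; rc=1 ;;
    esac
  done
  return $rc
}

# Query one project's IAM policy for the service account and check it.
# HOME_PROJECT is the project the service account was created in.
audit_project() {   # usage: audit_project PROJECT_ID HOME_PROJECT
  email="$SA_NAME@$2.iam.gserviceaccount.com"
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$email" \
    --format="value(bindings.role)" | check_roles
}

# Constructed sample: the role list as gcloud would print it if
# roles/editor had later been granted to the account.
sample_roles() {
  printf '%s\n' roles/compute.viewer roles/editor roles/iam.securityReviewer
}
sample_roles | check_roles || echo "bindings differ from the integration script"
```

In Cloud Shell, run audit_project PROJECT_ID HOME_PROJECT once for each integrated project. Roles inherited from a folder or organization do not appear in a project's policy and need a separate check.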