Links

GCP Integration

Integration guide for Resmo GCP Integration.
Resmo seamlessly integrates with the Google Cloud Platform to ensure the security and compliance of your GCP environment.

Resmo + GCP Integration Fundamentals

What does Resmo offer Google Cloud Platform users?

  • Collect all your GCP assets in place.
  • Ability to query your GCP roles, networks, Cloud functions, and 50+ other resources.
  • Set up rule notifications based on GCP resource configurations and their changes.
  • Set up custom or predefined rules for continuous security and compliance auditing.
  • Check your GCP security and compliance posture using the GCP Best Practices and compliance packs.

How does the integration work?

Resmo has a GCP integration that you can install securely once you sign up for a Resmo account. Our application uses API calls to make the initial polling and receive existing resources.
  • API polling uses API calls to sync your GCP assets with Resmo.
  • Exposing Audit Logs over PUB/SUB lets track changes with actor information in real-time.

Available resources

Resmo GCP integration collects AppEngine, API Gateway, Compute, IAM, and much more.
Available GCP Resources
AppEngine Application
AppEngine Service
AppEngine Version
Cloud Storage Bucket
Compute Disk
Compute Health Check
Compute Project
Compute Snapshot
Compute SSL Policy
GCP Function
IAM Policy
IAM Role
IAM Service Account
IAM Service Account Key
KMS Crypto Key
KMS Keyring
Logging Metric
Logging Sink
PUB/SUB Subscription
PUB/SUB Topic
These are only some of the resource types for GCP.

Integration Walkthrough

You have to create a Workload Identity Pool with the AWS provider to let Resmo access your GCP resources. You can learn more about Workload Identity Pool external providers here.
You can follow the instructions to create a Workload Identity Provider with AWS provider.

Setup Your GCP Account

  1. 1.
    Create a Workload Identity Pool gcloud iam workload-identity-pools create POOL_ID \ --location="global" \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
  2. 2.
    Create an AWS Provider with Resmo trust gcloud iam workload-identity-pools providers create-aws PROVIDER_ID \ --location="global" \ --workload-identity-pool="POOL_ID" \ --account-id="512995177166" \ --attribute-mapping="google.subject=assertion.arn" \ --attribute-condition='assertion.arn=="arn:aws:sts::512995177166:assumed-role/Resmo-GCP-DataCollectionRole/resmo-gcp-data-collection"'
  3. 3.
    Create Custom Resmo Data Collect Role
    gcloud iam roles create ResmoDataCollect \
    --project PROJECT_ID \
    --title "Resmo Data Collect" \
    --stage GA \
    --permissions storage.buckets.getIamPolicy
  4. 4.
    Create a Service Account gcloud iam service-accounts create SERVICE_ACCOUNT_ID \ --description="DESCRIPTION" \ --display-name="DISPLAY_NAME"
  5. 5.
    Grant viewer and Custom Resmo Data Collect role to the created service account gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \ --role="roles/viewer"
    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
    --role=CUSTOM_ROLE_NAME
  6. 6.
    Grant workloadIdentityUser role to the created service account gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \ --role=roles/iam.workloadIdentityUser \ --member="MEMBER_EXPRESSION" You can learn more about MEMBER_EXPRESSION here.
  7. 7.
    Enable Google Cloud Service API NOTE You can only enable 20 services at a time gcloud services enable \ accesscontextmanager.googleapis.com \ apigateway.googleapis.com \ appengine.googleapis.com \ bigquery.googleapis.com \ cloudasset.googleapis.com \ dns.googleapis.com \ cloudfunctions.googleapis.com \ cloudkms.googleapis.com \ logging.googleapis.com \ memcache.googleapis.com \ pubsub.googleapis.com \ cloudresourcemanager.googleapis.com \ run.googleapis.com \ spanner.googleapis.com \ sqladmin.googleapis.com \ storage.googleapis.com \ compute.googleapis.com \ redis.googleapis.com \ iam.googleapis.com \ container.googleapis.com \ serviceusage.googleapis.com \ monitoring.googleapis.com

Enable Real Time Change Ingestion with PUB/SUB Model

Note: Real Time Change Ingestion is avaliable for enterprise plan only.
  1. 1.
    Create a PUB/SUB topic gcloud pubsub topics create TOPIC_NAME
  2. 2.
    Create a PUB/SUB subscription gcloud pubsub subscriptions create SUBSCRIPTION_ID \ --topic=FULL_TOPIC_NAME \ --push-endpoint=https://id.resmo.app/integration/gcp/event?ingestKey=<your-ingest-key> \ --expiration-period="never" \ --ack-deadline=60 \ --message-retention-duration=10m \ --min-retry-delay=10s \ --max-retry-delay=30s
  3. 3.
    Create a Log Router gcloud logging sinks create SINK_NAME pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME \ --log-filter='[email protected]="type.googleapis.com/google.cloud.audit.AuditLog" protoPayload.serviceName=("pubsub.googleapis.com" OR "compute.googleapis.com" OR "storage.googleapis.com" OR "container.googleapis.com")'
Don't forget to add destination permissions for the created topic. You can learn about it here.

How to install

  1. 1.
    Sign up or log in to your Resmo account.
  2. 2.
    Go to the Integrations page, click on Add Integration, and select GCP.
  3. 3.
    Name the integration and write a description (optional.)
4. Enter your GCP project ID into the Project ID field.
5. Enter your full name of the Identity Provider into the GCP Target Resource field.
  1. 1.
    List your identity pools gcloud iam workload-identity-pools list --location="global"
  2. 2.
    List your identity pool providers
    gcloud iam workload-identity-pools providers list --workload-identity-pool="my-workload-identity-pool" --location="global"
6. Copy your provider name, and paste it to the GCP Target Resource field with the below format. //iam.googleapis.com/<provider-name>
7. Enter your Service Account Email into the Service Account Email field.
8. Hit the create button, and you are ready to run queries.

How to uninstall

  1. 1.
    Login to your Resmo account.
  2. 2.
    Navigate to the Integrations page and click your GCP integration.
  3. 3.
    Click the Delete button to uninstall or Disable to stop polling GCP resources temporarily.
  4. 4.
    Delete your Workload Identity Pool, Service Account (PUB/SUB, Log Router if you enable real-time change ingestion) GCP resources.

FAQ

If you see Not Ready state for your integration after setup;
  1. 1.
    Check your attribute-condition of identity provider attribute-conditionmust be matched with the following condition assertion.arn=="arn:aws:sts::512995177166:assumed-role/Resmo-GCP-DataCollectionRole/resmo-gcp-data-collection"
  2. 2.
    Check your service account has roles/iam.workloadIdentityUserrole for the related identity provider.
  3. 3.
    Check your service account has the correct identity. To impersonate a service account, grant your external identity the Workload Identity User role (roles/iam.workloadIdentityUser) on a service account with the roles required by your workload. You can learn more about identities here.
If you see Ready state for your integration but cannot see some resources;
  1. 1.
    Check your Google Cloud Service API for the related resource. You have to enable Google Cloud Service API for the related resource to let Resmo collect them.
You will see Not Ready state for your integration after a while. To fix the problem you need to visit the setup steps and recreate the necessary resources for your account. After updating your integration you will see your integration became ready to poll resources.
Changing Project ID is not allowed for GCP integration. If you want Resmo to poll resources from another project you need to create a new integration or delete the current one.
Changing Service Account Email or Identity Provider is allowed for the GCP integration. Make sure your new Service Account Email and Identity Provider have correct permissions.