DATE:
AUTHOR:
The folks at Scrut
New Feature

GCP Integration using service account impersonation


Scrut lets you integrate GCP using service account impersonation, and you can integrate one or more GCP projects this way. Once the integration is done, Scrut automatically scans the integrated project(s) for misconfigurations every 24 hours.

The scan results (the Test Findings) are displayed in the Tests section under Cloud in the Scrut platform.

Recommended: This method of integration is recommended over the earlier mechanism, which required uploading a service account JSON key file. With impersonation, no long-lived private key ever leaves your project; Scrut only receives short-lived access tokens, so there is no key to leak or rotate.

Integrating GCP account

  1. From the left navigation menu, click "Settings".

  2. Click "Integrations".

  3. Scroll to the "Cloud Provider" section and find GCP.

  4. Click "Integrate".

  5. Click "ADD NEW".

  6. Select "Integrate GCP service account impersonation" and click "Proceed".

  7. Enter the Service Account Email ID and Project ID obtained from your GCP project (see below) and click "Submit".

To get the Service Account Email ID and Project ID:

  1. Log in to your GCP console and switch to the project you wish to integrate with Scrut. Note down the project ID from the project dashboard.

  2. In the left navigation menu, click "IAM & Admin" and then "Service Accounts".

  3. Click the "Create Service Account" button.

  4. Grant the service account the roles Viewer, Security Reviewer, and Stackdriver Accounts Viewer. These are read-only roles; scanning needs no write permissions, so do not add Editor or Owner.

  5. Once the service account is created, note down its email address.

  6. Activate Cloud Shell and make sure the project you chose in step 1 is selected; if not, switch to it by running:

gcloud config set project [PROJECT_ID]

  7. Enable the IAM and Service Account Credentials APIs by running the following command in Cloud Shell:

gcloud services enable iam.googleapis.com iamcredentials.googleapis.com

  8. To allow Scrut to impersonate your service account (from step 5), run the following command in Cloud Shell after replacing the <your-service-account-email> placeholder with the service account email noted in step 5:

gcloud iam service-accounts add-iam-policy-binding <your-service-account-email> \
  --member serviceAccount:scrut-cp-sa@scrut-cloudscanner.iam.gserviceaccount.com \
  --role roles/iam.serviceAccountTokenCreator

This grants Scrut's service account, scrut-cp-sa@scrut-cloudscanner.iam.gserviceaccount.com, the Service Account Token Creator role on your service account, which is what lets it request short-lived access tokens as that account. Grant the role on the service account resource as shown, not at the project level, where it would allow impersonation of every service account in the project.

  9. Confirm that the binding is in place:

gcloud iam service-accounts get-iam-policy <your-service-account-email>

The output should list scrut-cp-sa@scrut-cloudscanner.iam.gserviceaccount.com under roles/iam.serviceAccountTokenCreator, and no other unexpected members under that role.

  10. Share your project ID and service account email with Scrut.

Also, please make sure that

Kindly refer to the Google documentation about service account impersonation here:

  1. Service accounts overview

  2. Create short-lived credentials for a service account
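The verification step above is easy to eyeball once but tedious to repeat across several projects. The following Python script is an added example, not Scrut's or Google's code: it audits the JSON output of `gcloud iam service-accounts get-iam-policy <your-service-account-email> --format=json` and reports whether the Scrut service account holds exactly the Token Creator role and whether any other principal can act as the service account. The SAMPLE_POLICY is constructed for the example, not captured from a real project; the Scrut member string is the one from the binding command, and the set of roles treated as impersonation-capable is this example's own choice.

```python
"""Audit the IAM policy of the service account that Scrut will impersonate.

Usage:
  gcloud iam service-accounts get-iam-policy <your-service-account-email> \
      --format=json | python audit_sa_policy.py
Without stdin input the constructed SAMPLE_POLICY below is audited instead.
"""
import json
import sys

# Scrut's scanner identity, taken from the add-iam-policy-binding step.
SCRUT_MEMBER = "serviceAccount:scrut-cp-sa@scrut-cloudscanner.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Roles that, granted on a service account, let a principal act as it or mint
# credentials for it. Broad roles are included so they get reviewed too.
# (Example's own selection; extend to match your organisation's policy.)
IMPERSONATION_ROLES = {
    TOKEN_CREATOR,
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.workloadIdentityUser",
    "roles/owner",
    "roles/editor",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the Scrut binding is present, but a contractor was also
# given Token Creator and a group can export keys. Both should be flagged.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": TOKEN_CREATOR,
         "members": [SCRUT_MEMBER, "user:contractor@example.com"]},
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})


def audit_policy(policy_json, expected_member=SCRUT_MEMBER):
    """Return (ok, findings) for a service-account IAM policy document.

    ok is True only when expected_member holds exactly TOKEN_CREATOR and no
    other principal holds an impersonation-capable or public binding.
    """
    policy = json.loads(policy_json)
    findings = []
    expected_roles = set()

    for binding in policy.get("bindings", []):
        role = binding["role"]
        # IAM Conditions can widen or narrow a grant in ways a plain role
        # check cannot see, so conditional bindings are surfaced for review.
        if "condition" in binding:
            findings.append(f"conditional binding on {role}: review {binding['condition']!r}")
        for member in binding.get("members", []):
            if member == expected_member:
                expected_roles.add(role)
            elif member in PUBLIC_MEMBERS:
                findings.append(f"public principal {member} holds {role}")
            elif role in IMPERSONATION_ROLES:
                findings.append(f"unexpected principal {member} can act as the service account via {role}")

    if TOKEN_CREATOR not in expected_roles:
        findings.append(f"{expected_member} lacks {TOKEN_CREATOR}; impersonation will fail")
    extra = expected_roles - {TOKEN_CREATOR}
    if extra:
        findings.append(f"{expected_member} holds more than Token Creator: {sorted(extra)}")

    return (not findings, findings)


if __name__ == "__main__":
    data = SAMPLE_POLICY if sys.stdin.isatty() else sys.stdin.read()
    ok, findings = audit_policy(data)
    for finding in findings:
        print("FINDING:", finding)
    print("OK: only Scrut can impersonate this account" if ok else f"{len(findings)} finding(s)")
    sys.exit(0 if ok else 1)
```

The script audits only the service account's own policy; Token Creator granted at project or folder level is inherited and will not appear here, so check those policies separately (for example with `gcloud projects get-iam-policy`).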

If you have any questions or issues, please reach out to your assigned Customer Success Manager. They'll be happy to assist you!
