Skip to main content

Google Cloud Asset Inventory

Google's Cloud Asset Inventory service lets you gain visibility into resources and policies in your Google Cloud environment. You can bring compute instance data from Google Cloud into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.

This document details the information you must provide for the connector to authenticate with Google Cloud and how to obtain that information from Google Cloud. See create a data integration for step-by-step instructions on setting up the integration.

Required connection settings

When setting up a data integration, select Google Cloud Asset Inventory from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Google Cloud with Brinqa:

  • Scope: The relative name of the root asset in your Google Cloud environment. Only the following formats are supported:

    • An organization number, e.g.: "organizations/123".
    • A project ID, e.g.: "projects/my-project-id".
    • A project number, e.g.: "projects/12345".
    note

    Providing an organization number enables collecting assets from all associated projects, including any new projects added after you have set up the integration. But the credentials you provide must have organization level permissions. Follow the rest of this document for instructions.

  • Credentials: The full content of the JSON file that contains your service account key.

Enable the Cloud Asset API

The Google Cloud Asset Inventory connector requires that you enable the Cloud Asset API on the specified scope.

Create a custom role for Brinqa

Google Cloud uses service accounts to authenticate and authorize API calls, but you can only create service accounts within a project. For the Google Cloud Asset Inventory connector to collect assets from multiple projects, you must grant the service account organization level permissions through a custom Identity and Access Management (IAM) role.

To create a custom role with organization level permissions, follow these steps:

  1. Log in to the Google Cloud Console.

  2. Select the organization where you want the connector to collect assets.

  3. In the Navigation menu, select IAM & Admin > Roles.

  4. Click Create Role.

  5. Enter a name and description for your role.

  6. Click Add Permissions and add the following read-only permissions required by the connector:

    • cloudasset.assets.exportResource

    • cloudasset.assets.searchAllResources

    • compute.instances.get

    • compute.instances.list

    • compute.projects.get

    • compute.regions.get

    • compute.regions.list

    • securitycenter.assets.list

    • securitycenter.findings.list

  7. Click Create.

Create a service account and grant organization level permissions

Since the service account must have organization level permissions for the Google Cloud Asset Inventory connector to collect assets from all the projects within the organization, Brinqa recommends that you create a service account specifically for the connector.

To create a service account and grant the appropriate permissions, follow these steps:

  1. Log in to the Google Cloud Console.

  2. Select the project where you want to create the service account.

  3. In the Navigation menu, select IAM & Admin > Service Accounts.

  4. Click Create Service Account.

  5. Enter a name and description for the service account.

  6. Skip the optional steps and click Done.

  7. View the service account details and save the email address for later use.

  8. Select the organization where you have created the custom role.

  9. In the Navigation menu, select IAM & Admin.

  10. Click Grant Access.

  11. Click New principals and paste in the email taken from the service account details page.

  12. Click Select a role and select the custom role created previously.

    gcp grant access

  13. Click Save.

Obtain your service account key

If you have completed the previous steps successfully, your service account should have the minimum permissions that the Google Cloud Asset Inventory connector needs to collect assets from all the projects within your organization.

To obtain the service account key, follow these steps:

  1. Log in to the Google Cloud Console.

  2. Select your project where the service account resides.

  3. In the Navigation menu, select IAM & Admin > Service Accounts.

  4. Select the service account and click the Keys tab.

  5. Click Add Key > Create new key.

  6. Keep JSON as key type and click Create.

    The generated private key file is saved to your computer automatically.

Additional settings

The Google Cloud Asset Inventory connector contains an additional option for specific configuration:

  • Page size: The maximum number of records to get per API request. The default setting is 100.

Types of data to retrieve

The Google Cloud Asset Inventory connector can retrieve the following types of data from the Google Cloud Asset API:

Connector ObjectRequiredMaps to Data Model
Compute InstanceYesHost
info

The Google Cloud Asset Inventory connector does not currently support operation options for the types of data it retrieves.

For detailed steps on how to view the data retrieved from Google Cloud in the Brinqa Platform, see How to view your data.

APIs

The Google Cloud Asset Inventory connector uses the Google Cloud Asset API. Specifically, it uses the following endpoint:

  • GET https://cloudasset.googleapis.com/v1/{scope=*/*}:searchAllResources

Changelog

The Google Cloud Asset Inventory connector has undergone the following changes:

3.0.0