Google Cloud Platform


Set up Google Cloud Platform for automated tests with TrustCloud!

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud read-only access to metadata about the configuration settings of your GCP account, so that TrustOps can validate your configuration and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to GCP metadata

  1. Go to Google Cloud Platform (https://console.cloud.google.com/) and select the project in which to create your service account.
  2. In the console, navigate to IAM and click on ‘Service accounts’.
  3. Click on “Create Service Account”.
  4. Enter a service account name to display in the console and click on the “Create” button.
  5. Grant access to the following roles:
    1. Viewer
    2. Security Reviewer
  6. After adding the roles, click on the “Continue” button.
  7. Click on the “Create Key” button.
  8. Select JSON as the key type and click on the “Create” button.
  9. Save the private key.
  10. Click on the “Done” button to finish creating the service account.
  11. Go to the IAM roles for the service account user. Confirm that the Viewer and Security Reviewer roles are enabled, and add the Organization Policy Viewer role. For each project in your GCP account, the service account should be assigned the Viewer role.
  12. Optional: To run IAM tests, add a custom user with the User Management Admin role to your Google Workspace domain. 💡 This account is used to delegate access to read specific metadata only; you explicitly grant this access below in step 5. Account delegation is required because accessing users goes through the Google Admin API, which is only available via account delegation. If you do not want to run IAM tests, skip this step.
  13. Navigate to your Google Workspace admin console. From the console, navigate to Security, click on ‘API Controls’, then click on ‘Domain-wide Delegation’ (or go directly to https://admin.google.com/u/4/ac/owl/domainwidedelegation).
  14. Click on the “Add New” button.
  15. Set Client ID to the client ID of your service account.
  16. Under Scopes, add the following:
    1. https://www.googleapis.com/auth/admin.directory.user.readonly
    2. https://www.googleapis.com/auth/cloud-platform.read-only
    3. https://www.googleapis.com/auth/compute.readonly
    4. https://www.googleapis.com/auth/devstorage.read_only
    5. https://www.googleapis.com/auth/cloud-billing.readonly
    6. https://www.googleapis.com/auth/admin.directory.orgunit.readonly
    7. https://www.googleapis.com/auth/admin.directory.group.readonly
    8. https://www.googleapis.com/auth/sqlservice.admin
    9. https://www.googleapis.com/auth/datastore
    10. https://www.googleapis.com/auth/devstorage.full_control
      💡 These scopes, combined with the service account permissions, only allow TrustCloud to audit your GCP configuration settings in order to determine adherence to the specified controls. They only allow TrustCloud to access your GCP metadata; they do not give TrustCloud the ability to read any GCP data. (See this document for a full list of Google scopes.)
  17. Click on the “Authorize” button.
  18. Enable the required APIs for each project separately. Click on the following links to navigate to the respective API pages:
    1. Cloud Billing API
    2. Cloud Resource Manager API
    3. SQL Admin API
    4. Service Usage API
    5. Admin SDK API
  19. Enter your private key, the email address for your account delegate, and the names of all GCP projects you want to test.
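As an added helper (not part of TrustCloud's documentation), the Python below reads the JSON key saved in step 9 to extract the numeric client ID that step 15 asks for, builds the comma-separated scope string the Domain-wide Delegation form takes in step 16, and lists which of the ten scopes are not read-only by name (sqlservice.admin, datastore and devstorage.full_control); what a token minted with those scopes can actually do is still bounded by the IAM roles held by the identity it acts as. The key file contents and the service account email are constructed placeholders.

```python
import json

# Constructed stand-in for the key downloaded in step 9 (field names are Google's, values placeholders).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "trustcloud-audit@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

SCOPES = [  # the ten scopes from step 16, in the page's order
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/cloud-platform.read-only",
    "https://www.googleapis.com/auth/compute.readonly",
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/cloud-billing.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/sqlservice.admin",
    "https://www.googleapis.com/auth/datastore",
    "https://www.googleapis.com/auth/devstorage.full_control",
]

READ_ONLY_SUFFIXES = (".readonly", ".read-only", ".read_only")  # Google's three spellings

def load_key(raw):
    """Parse a service-account key file and reject anything that is not one."""
    key = json.loads(raw)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            raise ValueError(f"key file is missing {field}")
    return key

def client_id(key):
    """The numeric ID that step 15 asks for (not the client_email)."""
    if not key["client_id"].isdigit():
        raise ValueError("client_id should be numeric")
    return key["client_id"]

def delegation_scope_string(scopes):
    """The Domain-wide Delegation form takes one comma-separated list."""
    return ",".join(scopes)

def non_read_only_scopes(scopes):
    """Scopes whose name does not mark them read-only; review these before authorizing."""
    return [s for s in scopes if not s.endswith(READ_ONLY_SUFFIXES)]
```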
