Set Up Your GCP Account for Prisma Cloud

Create a Prisma Cloud Viewer custom role on the GCP console.
Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies.
Log in to the GCP console, select your organization, and select
IAM & Admin
Roles
Create Role
.
Enter a
Title
and
Description
.
Verify that
ID
is set to CustomRole and select
General Availability
in the
Role launch stage
drop-down.
Click
+ ADD PERMISSIONS
, select
storage.buckets.get
to retrieve your list of storage buckets, and
storage.buckets.getIampolicy
to retrieve the IAM policy for the specified bucket.
Click
Add
.

Click
Create
.
Create a GCP service account.
You need a service account, which is an authorized identity, to enable authentication between Prisma Cloud and GCP. Because you can create a service account under a GCP project only and not directly under the GCP Organization, you must select a project when you create the service account.
Select your project and select

Service accounts

+ CREATE SERVICE ACCOUNT

.



Enter

Service account name

,

Service account ID

,

Service account description

and click

Create

.


Grant the service account permissions to access your GCP project.
The service account must have three roles to analyze and monitor your resources and data on GCP:
Viewer—Primitive role on GCP.
Prisma Cloud Viewer— Custom role that you created in Step 1.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required for auto-remediation.
Select

Project

Viewer

and click

+ ADD ANOTHER ROLE

.

The Project Viewer role is a primitive role allowing Prisma Cloud read-only access to the resources or data in your selected project or projects.

Select

Custom

Prisma Cloud Viewer

(or another custom name) and click

+ ADD ANOTHER ROLE

.

This custom role allows Prisma Cloud to read storage bucket metadata and IAM policies associated with the selected project.

Select

Compute Engine

Compute Security Admin

and click

Continue

.

(Optional role, only required for enabling auto-remediation) The Compute Security Admin is a predefined role that allows full control to remediate any incidents or policy violations on compute engine resources.


Create a security key for the service account.
The service account security key is used for service-to-service authentication within GCP. The private key file is required to authenticate API calls between your GCP projects and Prisma Cloud.
Click
+ CREATE KEY
.

See Create a key, if you are modifying an existing service account.
Select
Key type
as
JSON
.
Create
the key and download the JSON private key file for the service account.

Enable GCP APIs for your GCP project.
Prisma Cloud can ingest data from several GCP APIs. While you must enable Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, for all the other APIs, you can opt to enable only the ones you are using and want Prisma cloud to monitor across your cloud accounts.
Go to the GCP Console API Library and select your GCP project.

Select

Enable APIs and Services

.



Enable the APIs.

You can either enable all the necessary APIs using the Google Command Line Interface as follows:

gcloud services enable compute.googleapis.com sql-component.googleapis.com storage-component.googleapis.com iam.googleapis.com container.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com bigquery-json.googleapis.com dns.googleapis.com

or search for each API is in the list and enable them from the Google cloud console.



API	Description	Service Name
BigQuery API	Allows you to create, manage, share, and query data.	bigquery-json.googleapis.com
Cloud Resource Manager API	Creates, reads, and updates metadata for Google Cloud Platform resource containers.	cloudresourcemanager.googleapis.com
Cloud Key Management Service (KMS) API	Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys.	cloudkms.googleapis.com
Cloud SQL Admin API	API for Cloud SQL database instance management.	sqladmin.googleapis.com
Compute Engine API	Creates and runs virtual machines on the Google Cloud Platform.	compute.googleapis.com
Google Cloud DNS API	Google Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records.	dns.googleapis.com
Google Cloud Storage	Google Cloud Storage is a RESTful service for storing and accessing your data on Google’s infrastructure.	storage-component.googleapis.com
Identity and Access Management (IAM) API	Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.	iam.googleapis.com
Kubernetes Engine API	Builds and manages container-based applications, powered by the open source Kubernetes technology.	container.googleapis.com
Stackdriver Monitoring API	Manages your Stackdriver Monitoring data and configurations.	monitoring.googleapis.com
Stackdriver Logging API	Writes log entries and manages your Logging configuration.	logging.googleapis.com

Verify you have enabled all the APIs listed above.

You can use the GCP APIs and Services Dashboard (screenshot below) to verify or use the command

gcloud services list

on the Google Command Line Interface.


Associate additional GCP projects with the service account and create a custom role within each project.
Because the service account and custom roles are associated with a GCP project, if you plan to add more than one GCP project to Prisma Cloud but not the GCP organization, you must associate each project with the service account and then connect your service account to Prisma Cloud.
This step is not required if you want to add just one project, you can continue to Add Your GCP Project to Prisma Cloud. If you want to ensure that all current and future projects and cloud resources within your organization are automatically monitored by Prisma Cloud, you can configure Prisma Cloud to
Automatically onboard projects that are accessible by this service account.
when you Add Your GCP Organization to Prisma Cloud.
Copy the service account member address.
To copy the service account member address, first select the project that you used to set up the service account, then find the service account member address from
IAM & admin
IAM
.

Select the project you want to add (from the Project drop-down), and click
Add
.
Add the service account member address you copied as
New members
, and
Select a role
.
Select
Project
Viewer
, and click
+ ADD ANOTHER ROLE
.
Select
Compute Engine
Compute Security Admin
.

Save
your changes.
Create a Prisma Cloud Viewer custom role on the GCP console for this project.
If you do not want to add all your GCP projects within the GCP Organizational level grouping, you need to create the custom Prisma Cloud Viewer role for each project.
Add the custom role to the service account.
Select

IAM & Admin

IAM

, and select the service account.

Edit the permissions to

+ ADD ANOTHER ROLE

Select

Custom

Prisma Cloud Viewer

, and click

Save

.


Repeat the steps above for any additional projects you want to onboard to Prisma Cloud.
(Optional)
Enable Flow Logs for GCP Projects or Enable Flow Logs for GCP Organization.
When you enable flow logs, the service ingests flow log data for the last seven days. Then if flow logs become unavailable for any reason such as if you manually disabled flow logs, modified API permissions, or an internal error occurred, when access is restored, logs from the preceding seven days only are ingested.
Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.