How do I collect from the Google Cloud Platform?
To collect from a Google Cloud Platform project, you need to create a service account with read-only access to the project and a key file for it, so that Nanitor can authenticate to your cloud environment.
Go to the Google Cloud Platform console at https://console.cloud.google.com/. Go to IAM & Admin -> Service Accounts. Click Create service account. Choose an appropriate name for your service account. Click Create.
Grant the new service account the roles Security Reviewer and Browser. Both roles are read-only (list resources and IAM policies, and browse the project hierarchy), which is all the collector needs; do not grant Editor or Owner. Click Done.
Click the name of the new service account. Go to Keys.
Click Add Key -> Create new key. Select type JSON.
You will receive a prompt to download the key file, named something like account-id-xxxxxxxxx.json. Save it and store it securely: Google does not keep a copy of the private key, so it cannot be recovered if lost (delete the key in the console and create a new one instead). On the collector host, restrict the file so that only the user running the collector can read it (for example chmod 600).
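Before handing the key file to the collector it is worth checking that it is actually a service-account key for the right project and that it is not world-readable. The following script is an added example, not part of the Nanitor documentation or tooling; the sample key it embeds is constructed (the private key is a placeholder, not real key material) and the project ID and account name in it are assumptions.

```python
"""Sanity-check a downloaded GCP service-account key before giving it to a collector."""
import json
import os
import stat
import tempfile

# Constructed sample in the shape Google emits. The private_key is a placeholder,
# and the project ID / account name are invented for this example.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "nanitor-collector@example-project-123.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
}

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")


def validate_key(data, expected_project=None):
    """Return a list of problems with the parsed key JSON; an empty list means it looks usable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    # A user OAuth credential (type "authorized_user") is not a service-account key.
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    pk = data.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----") and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    project = data.get("project_id", "")
    email = data.get("client_email", "")
    # The account must live in the project you intend to collect from.
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project_id")
    if expected_project and project != expected_project:
        problems.append(f"project_id {project!r} != expected {expected_project!r}")
    return problems


def check_file_mode(path):
    """Return problems with the key file's permissions: group/other must have no access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} is accessible by group/other; chmod 600 it")
    return problems


def check_key_file(path, expected_project=None):
    """Combined check: JSON content plus file permissions."""
    with open(path) as fh:
        data = json.load(fh)
    return validate_key(data, expected_project) + check_file_mode(path)


def sample_key_file(mode=0o600, data=SAMPLE_KEY):
    """Write the constructed sample key to a temp file with the given mode and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "key.json")
    with open(path, "w") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = sample_key_file()
    print(check_key_file(path, "example-project-123"))  # [] when the key is fine
    loose = sample_key_file(mode=0o644)
    print(check_key_file(loose, "example-project-123"))  # reports the permission problem
```

Run it against the real file with `check_key_file("/path/to/key.json", "<your project id>")`; anything it reports should be fixed before the credential is added to the collector.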
To allow the benchmark to run all checks, ensure that the following APIs are enabled for your project:
- Cloud Resource Manager API
- Cloud Billing API
- Cloud Key Management Service (KMS) API
- Cloud DNS API
- Compute Engine API
To enable APIs, go to APIs & Services -> API Library, search for the aforementioned APIs, and enable them.
Some APIs require billing to be configured before they can be enabled. Configure billing via the console at https://console.cloud.google.com/billing/.
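The console steps above (service account, roles, key, APIs) can also be done from the command line with gcloud, and a pre-flight that lists which of the required APIs are still disabled saves a failed benchmark run. The script below is an added example and not part of Nanitor's own tooling: it maps the five APIs named above to their gcloud service names, grants the two read-only roles, and builds the `gcloud services enable` command for whatever is missing. The project ID and service account address are assumptions, and the `SAMPLE_ENABLED_OUTPUT` is constructed to stand in for real gcloud output.

```python
"""Pre-flight for the GCP collector: find required APIs that are still disabled and
build the gcloud commands that grant the read-only roles and enable those APIs."""
import subprocess

# The APIs the page lists, keyed by console name, with the service names gcloud uses.
REQUIRED_APIS = {
    "Cloud Resource Manager API": "cloudresourcemanager.googleapis.com",
    "Cloud Billing API": "cloudbilling.googleapis.com",
    "Cloud Key Management Service (KMS) API": "cloudkms.googleapis.com",
    "Cloud DNS API": "dns.googleapis.com",
    "Compute Engine API": "compute.googleapis.com",
}
# Security Reviewer and Browser, the two read-only roles the page grants.
ROLES = ("roles/iam.securityReviewer", "roles/browser")


def parse_enabled(output):
    """Parse the output of `gcloud services list --enabled --format=value(config.name)`."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def missing_apis(enabled):
    """Required service names that are not in the enabled set, in page order."""
    return [name for name in REQUIRED_APIS.values() if name not in enabled]


def list_enabled_cmd(project):
    return ["gcloud", "services", "list", "--enabled",
            f"--project={project}", "--format=value(config.name)"]


def enable_cmd(project, apis):
    # Fails if billing is not configured for the project; set that up first.
    return ["gcloud", "services", "enable", f"--project={project}", *apis]


def grant_cmds(project, sa_email):
    """One add-iam-policy-binding per role, scoped to the project."""
    return [["gcloud", "projects", "add-iam-policy-binding", project,
             f"--member=serviceAccount:{sa_email}", f"--role={role}"] for role in ROLES]


def plan(project, sa_email, enabled_output):
    """Return the argv lists to run: role grants, then one enable command if anything is missing."""
    cmds = grant_cmds(project, sa_email)
    missing = missing_apis(parse_enabled(enabled_output))
    if missing:
        cmds.append(enable_cmd(project, missing))
    return cmds


def run(cmds, apply=False):
    """Print each command; execute it only when apply=True (requires an authenticated gcloud)."""
    for cmd in cmds:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)


# Constructed sample: what `gcloud services list --enabled` might print for a project
# where only Compute Engine and Cloud DNS (plus an unrelated API) are enabled.
SAMPLE_ENABLED_OUTPUT = "compute.googleapis.com\nlogging.googleapis.com\ndns.googleapis.com\n"

if __name__ == "__main__":
    project = "example-project-123"  # assumption
    sa = f"nanitor-collector@{project}.iam.gserviceaccount.com"  # assumption
    # For a real project, feed in the output of list_enabled_cmd(project) instead of the sample.
    run(plan(project, sa, SAMPLE_ENABLED_OUTPUT), apply=False)
```

With `apply=False` the script only prints the commands, which is a useful review step before changing IAM policy; a real run would capture `subprocess.run(list_enabled_cmd(project), capture_output=True, text=True).stdout` and pass that to `plan`.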
Create a credential for the Google Cloud Platform on the collector host. Add a credential of type 'google', passing the ID of the Google Cloud project you wish to collect from (the project ID, not its display name or number) and the path to the service account key file:
/usr/lib/nanitor-collector/bin/nanitor-collector-ctl credential_add --title nangoogle-cred --access_method google --google_project_name <PROJECT ID> --google_credential_file /PATH/TO/CREDENTIAL/<CREDENTIAL FILE>.json
After a credential has been created successfully, you will see a prompt message:
Credential successfully added
Then register the cloud, referencing the credential by the title you gave it:
/usr/lib/nanitor-collector/bin/nanitor-collector-ctl cloud_add --title google-cloud-platform --cloud_type google --credential_title nangoogle-cred
On success you will see:
Cloud successfully added