How to connect Google Cloud Platform to ContraForce

ContraForce can ingest logs and security event information from Google Cloud Platform (GCP) resources. This article gives an overview of the steps needed to connect GCP to ContraForce.

Overview

The core of connecting GCP resources to ContraForce is a dedicated service account. This, along with a few tweaks within GCP, allows the API to perform all of the necessary functions. Throughout this document, ContraForce will provide step-by-step instructions based on our experience connecting GCP to ContraForce. Additionally, we will link to various Google technical documents that provide further details around this process.

If you have any questions, don't hesitate to reach out! Please feel free to contact us at support@contraforce.com.

Creating the Service Account

Below is an overview of how to create a Service Account within GCP. For further details, Google's documentation around Service Accounts can be found here.

  1. Using an administrator account, log into your GCP environment. 
  2. Navigate to IAM & Admin, click Service Accounts then Create Service Account in the top header. 
  3. Enter a name for the Service Account, then Create and Continue. 
  4. Grant the newly created account the required roles. The roles for ContraForce are Monitoring Viewer and Logs Viewer. 
  5. Click Done once all roles are assigned. 

Generating an API key for the Service Account

The next step is generating an API key for the newly created service account. For further details around managing keys in GCP, Google's documentation can be found here.

  1. From within the GCP console, navigate to Service Accounts. 
  2. Select the relevant project that you wish to generate the API key for. 
  3. Select the newly created service account, then click the Keys tab. 
  4. Click Add Key, then Create New Key. 
  5. Select JSON as the key type and then click Create. 
    1. A JSON file will be downloaded after clicking Create. Make sure to keep this file. The JSON key file cannot be downloaded again. If a mistake is made, go back to step 1 to generate a new key. 
  6. After the JSON file has been saved, send the file to ContraForce. This will be needed to establish the connection to ContraForce. 

Other Requirements 

In addition to the new service account, please provide all of the IDs of the projects that need to be monitored by ContraForce. Additionally, the Cloud Monitoring API and the Cloud Logging API need to be enabled for each project. Google's documentation around enabling APIs for specific projects can be found here.
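
Before sending the key file, the setup above can be checked offline. The following is an added example, not ContraForce or Google code: it reads a service account key file and the IAM policy of each monitored project and reports any project where the account is missing Monitoring Viewer or Logs Viewer, or holds a role beyond those two. The role IDs are the IDs of the two roles named above; the project names, account e-mail and policies are constructed sample data.

```python
import json

# Role IDs for the two roles the article names (Monitoring Viewer, Logs Viewer).
REQUIRED_ROLES = {"roles/monitoring.viewer", "roles/logging.viewer"}


def roles_for(policy: dict, sa_email: str) -> set:
    """Return every role the policy binds to the given service account."""
    member = f"serviceAccount:{sa_email}"
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(key: dict, policies: dict) -> list:
    """Check a key file and per-project IAM policies; return a list of findings."""
    findings = []
    if key.get("type") != "service_account":
        findings.append("key file is not a service account key")
    email = key.get("client_email", "")
    for project_id, policy in policies.items():
        granted = roles_for(policy, email)
        for role in sorted(REQUIRED_ROLES - granted):
            findings.append(f"{project_id}: missing {role}")
        for role in sorted(granted - REQUIRED_ROLES):
            findings.append(f"{project_id}: unexpected extra role {role}")
    return findings


# Constructed sample data (not real): a trimmed key file and two project policies
# in the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_KEY = json.loads("""{
  "type": "service_account",
  "project_id": "example-prod",
  "client_email": "contraforce-reader@example-prod.iam.gserviceaccount.com"
}""")
SA = "serviceAccount:" + SAMPLE_KEY["client_email"]
SAMPLE_POLICIES = {
    "example-prod": {"bindings": [
        {"role": "roles/monitoring.viewer", "members": [SA]},
        {"role": "roles/logging.viewer", "members": [SA, "user:admin@example.com"]},
    ]},
    "example-dev": {"bindings": [
        {"role": "roles/logging.viewer", "members": [SA]},
        {"role": "roles/editor", "members": [SA]},
    ]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_KEY, SAMPLE_POLICIES):
        print(finding)
```

A project-level policy lists only roles granted on that project, so roles inherited from a folder or the organization do not appear in this check.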