
Onboard a GCP folder

Onboard a Google Cloud Platform (GCP) folder to take advantage of Illumio Cloud security features and minimize an attacker's lateral movement.

By participating in the BETA program for GCP features you agree that your company’s use of the BETA version of GCP features will be governed by Illumio’s Beta Terms and Conditions.

  1. Review the prerequisites. See Prerequisites for onboarding GCP.

  2. Onboard your folder. Onboarding a folder with the wizard automatically provides the required permissions. See Permissions for onboarding GCP.

Onboard a folder with Illumio Cloud

Note

Enabling APIs is optional, but Illumio Cloud functionality is affected if you don't enable APIs. See Permissions for onboarding GCP for a list of supported services and enable their corresponding service APIs.

  1. If this is the first time logging in to Illumio Cloud, click + GCP on the Onboarding page to onboard your first account.

    If you've already onboarded other accounts, choose Onboarding. The Onboarding page appears. Click +Add GCP.

    The Add GCP Cloud Folder wizard starts and displays the first step: Connect to GCP.

  2. Provide the following information about your GCP account:

    • Name: Specify a name for the account; this name appears in Illumio Cloud. Make the name descriptive so that you can easily identify it.

    • Folder ID: Paste this ID that you copied from GCP.

    • Organization ID: Paste this ID that you copied from GCP.

    • Onboarding toggle options:

      • Project Onboarding:

        • Onboard all Projects in this Folder (choose Yes)

          This onboards all member projects along with the folder.

        • Onboard all Projects in this Folder (choose No)

          This does not onboard any projects in the folder. Go to the Onboarding page to onboard projects individually.

      • Read/Write Access (disabled at time of writing):

        • Illumio has Read and Write access to ensure compliance (choose Yes)

          This grants the Illumio Cross Account Role permission to view your GCP folder resources and to apply policy to them. To view the permissions you are granting Illumio Cloud to your GCP folders, click Download Permissions.

        • Illumio has Read and Write access to ensure compliance (choose No)

          This grants the Illumio Cross Account Role read-only access.

  3. Click Next.

Next, set up access.

  1. Select a service account that you want to use or create a new one. Make sure to download the credentials, as they are needed for the Cloud Shell script to return the GCP credentials back to Illumio Cloud.

  2. Enter the ServiceAccountToken in the appropriate field.

  3. Provide a Project ID for the GCP service account. Even if you are not onboarding projects with the folder, Illumio requires a project ID to assign to the GCP service account.

    The Folder Deployment command field populates with a command to run the gcp_onboarding_prod.sh script in GCP. Illumio securely hosts the script so that it can run during the onboarding process. The command automatically appends the IDs, role, service account name, and secret from the first step of the wizard.

    In summary, the command does the following:

    • Creates a GCP service account

    • Enables APIs (script asks if you want to)

    • Creates an IAM role with the appropriate permissions based on Read/ReadWrite mode

    • Binds the IAM role to the service account

    • Binds pre-defined IAM roles:

    • Grants impersonation permission to the Illumio service account

    • Sends the service account email to the Illumio endpoint

    • Sends the Project ID, Folder ID, and GCP service account email to Illumio Cloud.

  4. To the left of the command field, click the copy icon. The icon refreshes with a check mark on a green field indicating you successfully copied the command.

  5. In a new browser window, open your GCP console and paste the copied command in the Cloud Shell prompt window to run it.

    The command provides Illumio the information and permissions necessary to onboard your folder.

  6. Leave your GCP console and return to Illumio Cloud. The Set up Access step in the onboarding wizard should still be displayed.

  7. Select the check box indicating that the “deployment” script has finished running in GCP, and click Next.

  8. The final step of the wizard appears. This step displays a summary of the GCP folder information you just specified for onboarding.

  9. Click Save and Confirm.
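The deployment command above leaves two kinds of grants behind: role bindings on the folder for the new service account, and an impersonation grant on that service account for Illumio's own identity. As an added post-onboarding check (example code, not Illumio's script or part of this page), the following Python reads the JSON that `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json` and `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json` produce and confirms the grants match the Read/ReadWrite choice made in the wizard; every email, id and custom role name in the embedded sample is a constructed placeholder.

```python
# Added example: audit what the folder-onboarding command granted, using the
# JSON output of two real gcloud commands (assumed to be exported beforehand):
#   gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
import json

# Real GCP roles that let a principal act as, or mint tokens for, a service account.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser"}

def roles_bound_to(policy, member):
    """Set of roles granted to `member` in an IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def impersonators_of(sa_policy):
    """Principals that can act as the service account via an impersonation role."""
    return {m for b in sa_policy.get("bindings", [])
            if b["role"] in IMPERSONATION_ROLES for m in b.get("members", [])}

def audit(folder_policy, sa_policy, onboard_sa, illumio_sa, read_only, write_roles):
    """Return findings; an empty list means the grants match the wizard's choice.
    `write_roles` lists predefined roles that must not appear in read-only mode;
    the custom role's own permissions are reviewed separately (Download Permissions)."""
    findings = []
    bound = roles_bound_to(folder_policy, onboard_sa)
    if not bound:
        findings.append(f"{onboard_sa} has no folder binding; did the script run?")
    extra_write = bound & set(write_roles)
    if read_only and extra_write:
        findings.append(f"read-only chosen but write roles bound: {sorted(extra_write)}")
    who = impersonators_of(sa_policy)
    if illumio_sa not in who:
        findings.append(f"{illumio_sa} cannot impersonate {onboard_sa}")
    for m in sorted(who - {illumio_sa}):
        findings.append(f"unexpected impersonator of {onboard_sa}: {m}")
    return findings

# Constructed sample policies; all emails, ids and the custom role are placeholders.
ONBOARD_SA = "serviceAccount:illumio-onboard@my-project.iam.gserviceaccount.com"
ILLUMIO_SA = "serviceAccount:illumio-cloud@illumio-placeholder.iam.gserviceaccount.com"
FOLDER_POLICY = json.loads("""{"bindings": [
  {"role": "folders/000000000000/roles/illumioReadOnly", "members": ["%s"]},
  {"role": "roles/viewer", "members": ["%s"]}]}""" % (ONBOARD_SA, ONBOARD_SA))
SA_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["%s", "user:contractor@example.com"]}]}""" % ILLUMIO_SA)

if __name__ == "__main__":
    for f in audit(FOLDER_POLICY, SA_POLICY, ONBOARD_SA, ILLUMIO_SA,
                   read_only=True, write_roles=["roles/editor", "roles/owner"]):
        print("FINDING:", f)
```

Run it against the real exports for the folder and service account created by the script; any "unexpected impersonator" line is a principal other than Illumio that can act as the onboarding identity and should be reviewed.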

Set up and enable flow logs after onboarding your GCP folder

When finished, the Onboarding page opens and displays a new row for that folder.

For the next steps after onboarding a folder, set up and enable flow logs. See Set up flow logs in your CSP environment. Once you set up and enable flow logs, see After onboarding your accounts.