
Onboard a GCP organization

Onboard a Google Cloud Platform (GCP) organization to take advantage of Illumio Cloud security features and minimize an attacker's lateral movement.

By participating in the BETA program for GCP features you agree that your company’s use of the BETA version of GCP features will be governed by Illumio’s Beta Terms and Conditions.

  1. Review the prerequisites. See Prerequisites for onboarding GCP.

  2. Onboard your organization. Onboarding an organization with the wizard automatically provides the required permissions. See Permissions for onboarding GCP.

Onboard an organization with Illumio Cloud

Note

Enabling APIs is optional, but Illumio Cloud functionality is affected if you don't enable APIs. See Permissions for onboarding GCP for a list of supported services and enable their corresponding service APIs.

  1. If this is the first time logging in to Illumio Cloud, click + GCP on the Onboarding page to onboard your first account.

    If you've already onboarded other accounts, choose Onboarding. The Onboarding page appears. Click +Add GCP.

    The Add GCP Cloud Organization wizard starts and displays the first step: Connect to GCP.

  2. Provide the following information about your GCP account:

    • Name: Specify a name for the account; this name appears in Illumio Cloud. Make the name descriptive so that you can easily identify it.

    • Organization ID: Paste this ID that you copied from GCP.

    • Onboarding toggle options:

      • Project Onboarding:

        • Onboard all Projects in this Organization (choose Yes)

          This onboards all member projects along with the organization.

        • Onboard all Projects in this Organization (choose No)

          This does not onboard any projects in the organization. Go to the Onboarding page to onboard projects individually.

      • Read/Write Access:

        • Illumio has Read and Write access to ensure compliance (choose Yes)

          Choose this option to grant the Illumio Cross Account Role permission to view your GCP organization resources and to apply policy to them. To view the permissions you are granting Illumio Cloud to your GCP organizations, click Download Permissions.

        • Illumio has Read and Write access to ensure compliance (choose No)

          This grants the Illumio Cross Account Role read-only access.

  3. Click Next.

Next, set up access.

  1. Select a service account that you want to use or create a new one. Make sure to download the credentials, as they are needed for the Cloud Shell script to return the GCP credentials back to Illumio Cloud.

  2. Enter the ServiceAccountToken in the appropriate field.

  3. Provide a Project ID for the GCP service account. Even if you are not onboarding projects with the organization, Illumio requires a project ID to assign to the GCP service account.

    The Organization Deployment command field populates with a command to run the gcp_onboarding_prod.sh script in GCP. Illumio securely hosts the script so that it can run during the onboarding process. The command automatically appends the IDs, role, service account name, and secret from the first step of the wizard.

    In summary, the command does the following:

    • Creates a GCP service account

    • Enables APIs

    • Creates an IAM role with the appropriate permissions based on Read/ReadWrite mode

    • Binds the IAM role to the service account

    • Binds pre-defined IAM roles

    • Grants impersonation permission to the Illumio service account

    • Sends the service account email to the Illumio endpoint

    • Sends the Project ID, Organization ID, and GCP service account email to Illumio Cloud
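    The following script is an added example written for this page; it is not Illumio's gcp_onboarding_prod.sh and does not reproduce its contents. It shows, one function per step, the gcloud operations that an organization onboarding of the shape summarized above consists of, and how the Read/Write toggle changes the custom role's permission set. Every organization ID, project ID, service account name, endpoint URL and permission in it is a constructed placeholder (the real permission list comes from the wizard's Download Permissions link); with DRY_RUN=1 (the default) it prints the commands instead of executing them, so you can review exactly what would be granted before running anything.

```shell
#!/bin/sh
# Added example, not Illumio's gcp_onboarding_prod.sh: the gcloud steps that an
# organization onboarding of the shape summarized above consists of, one function
# per step. Every ID, name, URL and permission below is a constructed placeholder;
# the real permission list comes from the wizard's "Download Permissions" link.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of executing it

# Print (dry run) or execute one command.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Permissions for the custom role, chosen by the wizard's Read/Write toggle.
# Read mode only lists resources; readwrite adds the firewall mutations that
# applying policy needs. (Placeholder set, not Illumio's real list.)
role_permissions() {
  case "$1" in
    read)      printf '%s' 'compute.instances.list,compute.networks.list,compute.firewalls.list' ;;
    readwrite) printf '%s' 'compute.instances.list,compute.networks.list,compute.firewalls.list,compute.firewalls.create,compute.firewalls.update,compute.firewalls.delete' ;;
    *)         echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# $1 organization id, $2 project id, $3 service account name, $4 read|readwrite
onboard_org() {
  org_id="$1"; project_id="$2"; sa_name="$3"; mode="$4"
  sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"
  role_id="illumioOnboarding_${mode}"
  # Constructed placeholders for the Illumio side of the exchange.
  illumio_sa='illumio-cloud@illumio-example-project.iam.gserviceaccount.com'
  illumio_endpoint='https://illumio.example.invalid/onboard'

  # 1. Create the service account in the project chosen in the wizard.
  run gcloud iam service-accounts create "$sa_name" --project="$project_id" \
      --display-name="$sa_name"

  # 2. Enable the service APIs the integration reads through.
  run gcloud services enable compute.googleapis.com cloudresourcemanager.googleapis.com \
      --project="$project_id"

  # 3. Create an organization-level custom role scoped to the chosen mode.
  run gcloud iam roles create "$role_id" --organization="$org_id" \
      --title="illumio-onboarding-${mode}" --stage=GA \
      --permissions="$(role_permissions "$mode")"

  # 4. Bind the custom role to the service account at the organization.
  run gcloud organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:${sa_email}" \
      --role="organizations/${org_id}/roles/${role_id}"

  # 5. Bind a predefined role as well (placeholder choice: roles/viewer).
  run gcloud organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:${sa_email}" --role=roles/viewer

  # 6. Let the Illumio service account impersonate this one. The binding is on
  #    the service account resource itself, not at project or organization scope,
  #    so the impersonation grant is as narrow as it can be.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
      --project="$project_id" --member="serviceAccount:${illumio_sa}" \
      --role=roles/iam.serviceAccountTokenCreator

  # 7. Report the identifiers back to the onboarding endpoint.
  run curl -sS -X POST "$illumio_endpoint" -H 'Content-Type: application/json' \
      -d "{\"organization_id\":\"${org_id}\",\"project_id\":\"${project_id}\",\"service_account\":\"${sa_email}\"}"
}

# Usage: DRY_RUN=1 sh onboard_example.sh ORG_ID PROJECT_ID SA_NAME read|readwrite
if [ "$#" -ge 4 ]; then
  onboard_org "$@"
fi
```

    Run it with DRY_RUN=1 first and read the printed bindings: the difference between the two modes should be exactly the mutation permissions in the custom role, and the only grant to the Illumio-side identity should be Token Creator on the new service account. If the printed commands match what Download Permissions describes, rerun with DRY_RUN=0 in Cloud Shell.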

  4. To the left of the command field, click the copy icon. The icon refreshes with a check mark on a green field indicating you successfully copied the command.

  5. In a new browser window, open your GCP console and paste the copied command in the Cloud Shell prompt window to run it.

    The command provides Illumio the information and permissions necessary to onboard your organization.

  6. Leave your GCP console and return to Illumio Cloud. The Set up Access step in the onboarding wizard should still be displayed.

  7. Select the check box indicating that the “deployment” script has finished running in GCP, and click Next.

  8. The final step of the wizard appears. This step displays a summary of the GCP organization information you just specified for onboarding.

  9. Click Save and Confirm.