Prerequisites for onboarding GCP
Review these prerequisites before you begin onboarding your GCP organizations or projects.
Before you begin onboarding GCP
Once you review these prerequisites, return to Onboarding GCP for next steps.
Log into a GCP account. The onboarding wizard flow assumes that you are already logged into a GCP account.
The default installation assumes that you have enabled the APIs for all the services in your GCP projects, irrespective of whether you onboard them separately or as part of an organization.
The default installation assumes that you have Read/ReadWrite permissions for the following: See Permissions for onboarding GCP.
Assigning the following IAM roles:
roles/iam.securityReviewer (This read only role can be truncated.)
roles/compute.viewer (The full read only role is required.)
roles/browser (This read only role is required for organization and folder onboarding only. It reads organization projects and folders.)
roles/cloudasset.viewer (The full read only role is required.)
Assigning custom roles:
IllumioPubSubFlowLogAccess (The full role is required.)
illumio_write_role (The full role is required.)
illumio_api_enable_role (The full role is required.)
Creating a GCP service account and assigning it impersonation permissions
Know your organization ID, project ID, and Role Name.
If you are restricting public access to flow logs, you need to make certain ports and IP addresses available to Illumio Segmentation for the Cloud. See GCP Flow Log Access IP Addresses.
If you are restricting public access to flow logs, make certain ports and IP addresses available to Illumio Segmentation for the Cloud.