Configure GCP for Keyless Authentication

To integrate Tenable Attack Surface Management with GCP Workload Identity Federation, you must create a workload identity pool in GCP. Then, you must add a provider to the pool, grant access to the provider, and download the credential configuration file. Use this configuration file when integrating Tenable Attack Surface Management with GCP Workload Identity Federation. For more information about pools and how they manage external identities, see the Google Cloud documentation.

To configure GCP for keyless authentication:

To create a service account:

  1. Log into Google Cloud Platform.

  2. In the left navigation bar, select IAM & Admin.

    The IAM page appears.

  3. In the left navigation bar, select Service Accounts.

    1. In the Service account name box, provide a name for the service account. For example: TenableCloudConnector.

    2. In the Service account ID box, provide the service account ID. For example: tenablecloudconnector.

    3. Click Create and continue to continue to the next section to grant access to the service account.

  4. In the Grant this service account access to project, select the Roles as Viewer.

  5. Click Done.

To create a Workload Identity Pool:

  1. In the left navigation pane, select Workload Identity Federation.

    The Workload Identity Pools page appears.

  2. Click Create Pool.

    The New workload provider and pool page appears.

  3. In the Create an Identity pool section, do the following:

    1. In the Name box, type a name for the pool.

    2. (Optional) In the Description box, provide a description for the pool.

    3. Click Continue.

  4. In the Add a provider to pool section, do the following:

    1. From the Select a provider drop-down box, select AWS from the list.

    2. In the Provider details box, provide the Tenable's AWS account name. For example:TenableCloudConnectorAWS

    3. In the AWS account ID box, provide the Tenable's AWS account ID: 939095807864.

    4. Click Continue.

  5. In the Configure provider attributes section, add new mapping:

    1. In the google subject box, type the identity as attribute.aws_role.

    2. In the AWS box, type assertion.arn.extract('assumed-role/{role}/')

      For more information, see Mapping and Mapping Conditions in Google Cloud Platform documentation.

  6. Click Save.

    GCP creates the pool and opens the newly created pool page.

  7. Click Grant Access.

    The Grant access to service account panel appears.

  8. Select the Grant access using Service Account Impersonation option.

    The relevant sections appear.

  9. In the Service account drop-down box, select the service account that you created in Step 1.

  10. In the Select principals drop-down box, select aws_role and provide the value as tenable-data-gcp-connector.

  11. Click Save.

    The Configure your application dialog box appears.

  12. In the Provider drop-down box, select the workload identity pool provider, then click Download Config.

    GCP downloads the configuration file. Use this file in the Upload File section when you integrate GCP Workload Identity Federation with Tenable Attack Surface Management.

  1. Create a GCP service account.

    Copy 
    gcloud iam service-accounts create <YOUR_SA> --description="Tenable Cloud Connector export assests to ASM" --display-name="<YOUR_SA>"

    Where:

    • YOUR_SA is the service account name. For example: TenableCloudConnector.

  2. Assign read-only role to your service account.

    Copy 
    gcloud iam service-accounts add-iam-policy-binding <YOUR_SA_ID> --member=<YOUR_SA> --role=roles/Viewer

    Where:

    • Your_SA_ID is the service account ID.

    • Your_SA is the service account name.

  3. Create the Workload Identity Pool.

    Copy 
    gcloud iam workload-identity-pools create <Workload_Identity> --location="global" --display-name="<YOUR_SA>" --description="Tenable Cloud connectors"

    Where:

    • Workload_Identity is the workload identity pool name. For example: tenable-cloud-connectors.

    • YOUR_SA is the service account name. For example: Tenable Cloud Connectors.

  4. Create Provider.

    Copy 
    gcloud iam workload-identity-pools providers create-aws TenableAWS --location="global" --workload-identity-pool="<YOUR_POOL_ID>" --account-id="939095807864" --attribute-mapping="attribute.aws_role=assertion.arn.extract('assumed-role/{role}/')"

    Where:

    • TenableAWS is the name of the Provider.

    • Your_Pool_ID is the ID of the pool you created.

  5. Add service account impersonation.

    Copy 
    gcloud iam service-accounts add-iam-policy-binding <SERVICE_ACCOUNT_EMAIL> --role=roles/iam.workloadIdentityUser --member="principal://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/attribute.aws_role/tenable-data-gcp-connector"

    Where:

    • Service_Account_Email is the email ID of the service account.

    • PROJECT_NUMBER is the project where the Workload Identity Pool is created.

    • Your_Pool_ID is the ID of the pool you created.

    • Provider_ID is the ID of the Provider.

  6. Download the configuration file.

    Copy 
    gcloud iam workload-identity-pools create-cred-config  projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID> --service-account=<SERVICE_ACCOUNT_EMAIL> --service-account-token-lifetime-seconds=3600 --enable-imdsv2 --aws --output-file=config.json

    Where:

    • Service_Account_Email is the email ID of the service account.

    • PROJECT_NUMBER is the project where the Workload Identity Pool is created.

    • Your_Pool_ID is the ID of the pool you created.

    • Provider_ID is the ID of the Provider.

What to do next

Integrate with GCP Using Keyless Authentication