Create a GCP Service Account

Create a service account for Tenable Cloud Security in Google cloud and then provide read-only access for this service account to your Google cloud project. This provides Tenable Cloud Security with authorized access to the resources in the Google cloud project.

To create a GCP service account:

1. Log in to the Google Cloud console.

2. Select your GCP project from the drop-down box in the top panel.

3. Enable the Cloud Resource Manager API service.

   1. Search for Cloud Resource Manager API in the search box.

   2. Click Enable.

      

4. On the left navigation bar of the the Google Cloud dashboard, click IAM & Admin > Service Accounts.

   The Service accounts page appears.

5. Click + Create Service Account to create the service account.

   The Create service account page appears.

6. In the Service account details section, provide the following information:

   • Service account name: Name of the service account you are creating.

   • Service account ID: The Service account ID box populates automatically with the name of the service account. The email address of the service account uses this ID. Change the ID, if required.

   • Service account description: A description for the service account.

   

7. Click Create and Continue.

   Google Cloud displays a confirmation message that the service account creation is complete.

8. In the Grant this service account access to project (optional) section, provide the service account with access to the GCP project by adding the following role:

   • Viewer: Click Basic > Viewer in the Role drop-down box.

     

     This role provides access to Tenable Cloud Security to view most Google Cloud resources. For more information about basic roles, see Basic roles in Google documentation. You can see the list of included permissions for the Viewer role from the Roles page.

     

9. Click Continue.

   Google Cloud displays a confirmation message that the policy update is complete.

10. (Optional) In the Grant users access to this service account (optional) section, add users or groups that need access to this service account.

11. Click Done.

    The Service accounts page appears with the list of service accounts.

    

12. Click the service account that you created.

    The Service account details page for the service account appears.

13. Click the Keys tab.

    The Keys page appears.

    

14. Click Add Key > Create new key.

    The Create private key page appears.

    

15. In the Key type section, select JSON and click Create.

    A confirmation message appears that the private key JSON file is saved to your computer.

16. Click Close to close the confirmation message.

    The new private key and its details appear.

    

What to do next:

Activate the GCP Service Account.

Activate the GCP Service Account

After creating the service account for Tenable Cloud Security, you must authorize this service account to access the Google Cloud resources using the Google Cloud CLI. Use the gcloud auth activate-service-account command to import the credentials from the JSON file with the private authorization key for the service account and activate it for use.

Before you begin:

• Install the gcloud CLI.

  For more information, see Install the gcloud CLI.

To activate the GCP service account:

1. From the gcloud CLI, run the following command:

   gcloud auth activate-service-account --key-file=<KEY_FILE>

   Where:

   • KEY_FILE is the path to the JSON key file for the service account. For more information, see Create a GCP Service Account.

   Copy

   $ gcloud auth activate-service-account --key-file="C:\tenablecs-0cf0be2a244e.json"
   Activated service account credentials for: []

2. Verify that you can list the GCP project with the service account credentials:

   gcloud projects list --sort-by=projectId

   Copy

   $ gcloud projects list --sort-by=projectId
   PROJECT_ID  NAME                  PROJECT_NUMBER
   tenablecs   CS-GoogleProject      XXXXXXXXXXXX