Configure Google Cloud Platform (GCP)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you can use Tenable Vulnerability Management GCP connectors, you must configure GCP to support your connectors.

Note: Before configuring connectors, you must enable the Compute Engine API in each GCP project you want scanned. See the Google API documentation for more information.

To configure GCP to support Tenable Vulnerability Management connectors:

  1. Log into Google Cloud Platform.
  2. In the left navigation bar, select IAM & Admin.

    The IAM page appears.

  3. In the Select a project drop-down box in the upper-left, select the applicable GCP project.
  4. In the left navigation bar, select Service accounts.

    The Service accounts page for your GCP project appears.

  5. Click + CREATE SERVICE ACCOUNT.

    The Create service account page appears.

  6. In the Service account name box, type a display name for your service account.
  7. In the Service account ID box, type a unique service account ID.
  8. In the Service account description box, describe what the service account will do.
  9. Click CREATE.

    The Grant this service account access to project page appears.

  10. In the Select a role drop-down box, add the Logging > Logs Viewer role.

    Note: The service account must have the Logging > Logs Viewer role for discovery sync (the incremental syncs that follow the initial full sync).

  11. Click + ADD ANOTHER ROLE.
  12. Add the Compute Engine > Compute Viewer role.
  13. Click Continue.

    The Grant users access to this service account page appears.

  14. In the Create key (optional) section, click + CREATE KEY.

    The Create key (optional) pane appears.

  15. Under Key type, select JSON to create a key in JSON format.
  16. Click CREATE.

    Your browser downloads the key in JSON format. Treat this file as a credential: Google keeps no copy of the private key, and anyone holding the file can read the inventory of every project the service account has access to.

(Optional) To configure a GCP service account that can access multiple projects:

You may have multiple GCP projects that you add and remove regularly. Instead of adding each project as a separate connector, you can grant a single top-level service account access to multiple projects. The GCP connector automatically discovers every project the service account can access and pulls assets from those projects.

Note: The Cloud Resource Manager API must be enabled in the project that hosts the top-level service account so that the connector can enumerate the projects the account has access to.

Caution: The GCP connector pulls assets from every project in which the top-level service account has been granted these roles. Grant access only in projects from which you want the GCP connector to pull data.

  1. Log into Google Cloud Platform.
  2. In the left navigation bar, select IAM & Admin.

    The IAM page appears.

  3. In the drop-down menu in the upper-left corner, select the additional GCP project.
  4. In the IAM menu bar, click + ADD.

    The Add members to project pane appears.

  5. In the New Members box, type the email address of the top-level service account you created in the first procedure (it has the form service-account-id@project-id.iam.gserviceaccount.com and is shown on that project's Service accounts page).
  6. In the Select a role drop-down box, select the Logging > Logs Viewer role.
  7. Click + ADD ANOTHER ROLE.
  8. In the Select a role drop-down box, select the Compute Engine > Compute Viewer role.
  9. Click Save. Repeat these steps in each additional project you want the connector to pull assets from.
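The two console procedures above, the single-project setup and the multi-project grant, as one gcloud script. This is an added example, not Tenable's or Google's code; the project IDs (tenable-connector-home, example-prod, example-dev), the service account ID tenable-vm-connector and the key path are placeholder assumptions. It binds only the two roles the connector needs, enables the Compute Engine API in every scanned project and the Cloud Resource Manager API in the service account's project, and defaults to printing the plan (DRY_RUN=1) so the IAM changes can be reviewed before DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not Tenable's or Google's code: automates the two console
# procedures above with the gcloud CLI. All project IDs, the service account
# ID and the key path are placeholders (assumptions); replace them.
# DRY_RUN defaults to 1 so the script prints the plan; set DRY_RUN=0 to apply.
set -eu

HOME_PROJECT="${HOME_PROJECT:-tenable-connector-home}"      # hosts the service account
SCAN_PROJECTS="${SCAN_PROJECTS:-tenable-connector-home example-prod example-dev}"
SA_ID="${SA_ID:-tenable-vm-connector}"
SA_EMAIL="${SA_ID}@${HOME_PROJECT}.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-./tenable-connector-key.json}"
DRY_RUN="${DRY_RUN:-1}"

# Exactly the two roles the connector needs (Logs Viewer for discovery sync,
# Compute Viewer for instance inventory); nothing broader such as Viewer or Editor.
CONNECTOR_ROLES="roles/logging.viewer roles/compute.viewer"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_ID" \
    --project "$HOME_PROJECT" \
    --display-name "Tenable VM connector" \
    --description "Read-only discovery for Tenable Vulnerability Management"
}

# Per project: enable the Compute Engine API the connector scans through and bind
# the two viewer roles. --condition=None keeps gcloud from prompting when the
# project's IAM policy already contains conditional bindings.
grant_project_access() {
  project="$1"
  run gcloud services enable compute.googleapis.com --project "$project"
  for role in $CONNECTOR_ROLES; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member "serviceAccount:${SA_EMAIL}" \
      --role "$role" \
      --condition=None
  done
}

# The JSON key is a long-lived credential and Google keeps no copy of the private
# half: restrict the file mode, upload it to Tenable, and rotate it on a schedule.
create_key() {
  run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$SA_EMAIL"
  run chmod 600 "$KEY_FILE"
}

main() {
  create_service_account
  # Needed so the connector can enumerate the projects the account can reach.
  run gcloud services enable cloudresourcemanager.googleapis.com --project "$HOME_PROJECT"
  for p in $SCAN_PROJECTS; do
    grant_project_access "$p"
  done
  create_key
}

main
```

Run it once as-is to review the printed gcloud commands, then with DRY_RUN=0 and an authenticated gcloud session to apply them; adding a project to the connector later is a matter of appending it to SCAN_PROJECTS and re-running, since add-iam-policy-binding is idempotent.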

What to do next: