Configure Google Cloud Platform (GCP)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Moderate Product Offering.

Required User Role: Administrator

Before you can use Tenable Vulnerability Management GCP connectors, you must configure GCP to support your connectors.

Note: Before configuring, you must enable the compute engine API for each project you want scanned from within Google Cloud Platform. See the Google API documentation for more information.

To configure GCP to support Tenable Vulnerability Management connectors:

  1. Log into Google Cloud Platform.
  2. In the left navigation bar, select IAM & admin.

    3. The IAM & admin page appears.

  3. In the Select a project drop-down box in the upper-left, select the applicable GCP project.
  4. In the left navigation bar, select Service accounts.

    5. The Service accounts page for your GCP project appears.


  5. Click + CREATE SERVICE ACCOUNT.

    6. The Create service account page appears.

  6. In the Service account name box, type a display name for your service account.
  7. In the Service account ID box, type a unique service account ID.
  8. In the Service account description box, describe what the service account will do.
  9. Click the CREATE button.

    10. The Grant this service account access to project page appears.

  10. In the drop-down box on the Service account permissions (optional) page, add the Logging -> Logs Viewer role.

    11. Note: The service accounts must have the Logging -> Log Viewer role for discovery sync (incremental syncs after initial full sync).

  11. Click + ADD ANOTHER ROLE on the Service account permissions (optional) page.
  12. Add the Compute Engine -> Compute Viewer role.

  13. Click the Continue button.

    14. The Grant users access to this service account page appears.

  14. In the Create key (optional) section, click +CREATE KEY.

    15. The create key (optional) pane appears.

  15. Under Key type, select JSON to create a key in JSON format.
  16. Click the CREATE button.
  17. Your browser downloads the key in JSON format.

(Optional) To configure a GCP service account that can access multiple projects:

You may have dozens of GCP accounts that are added and removed regularly. Instead of adding each GCP account as a different connector, you can configure the top-level service account to access multiple projects. The GCP connector automatically discovers all linked projects and pulls assets from those projects.

Note: The top-level service account must have the Cloud Resource Manager API enabled in order to access multiple projects.

Caution: The GCP connector pulls assets from any project that is configured with access to the top-level service account. Only add projects that you want the GCP connector to pull data from.
  1. Log into Google Cloud Platform.
  2. In the left navigation bar, select IAM & admin.

    3. The IAM & admin page appears.

  3. In the drop-down menu in the upper-left corner, select the second GCP project.
  4. In the IAM menu bar, click + ADD.

    The Add members to project pane appears.

  5. In the New Members box, type the name of the top-level service account that you created in step 6 of the first section.
  6. In the Select a role drop-down box, select the Logging > Logs Viewer role.
  7. Click the + ADD ANOTHER ROLE button.
  8. In the Select a role drop-down box, select the Compute Engine > Compute Viewer role.
  9. (Optional) Click the + ADD ANOTHER ROLE button to add additional roles.

  10. To add additional projects, repeat steps 3 through 9.

What to do next: