Create a GCP Connector with Workload Identity Federation Authentication (Discovery Only)

The following is not supported in Tenable FedRAMP Moderate environments. For more information, see the Tenable FedRAMP Product Offering.

Required User Role: Administrator

Create a GCP connector to discover GCP assets and import them to Tenable Vulnerability Management. Assets discovered through the connectors do not count against the license unless Tenable Vulnerability Management scans them for vulnerabilities.

Before you begin:

To create a GCP connector with Workload Identity Federation authentication:

  1. In the left navigation, click Settings.

    The Settings page appears.

  2. Click the Cloud Connectors tile.

    The Cloud Connectors page appears and displays the configured connectors table.

  3. In the upper-right corner of the page, click the Create Cloud Connector button.

    The cloud connector selection plane appears.

  4. In the Cloud Connectors section, click GCP Workload Identity Federation.

    The Connector Setup window appears.

  5. In the Connector Name box, type a name to identify the connector and click Next.
  6. In the Apply Choices section, do the following:
    1. Click Add File and browse to your local system to add a credential configuration file.
      Note: To download the GCP credential configuration file, follow the steps in Create a GCP Workload Identity Pool and Download the Configuration File.
    2. Make sure the Auto Account Discovery option is selected.
    3. In the Network drop-down box, select an existing network to add the connector to. When the connector discovers an asset, the associated network appears in the asset's details. Click Create New to add a new network.
    4. (Optional) Use the Schedule Import toggle to enable or disable scheduled imports. By default, Tenable Vulnerability Management requests new and updated asset records every 1 day.

      If enabled:

      1. In the text box, type the frequency that Tenable Vulnerability Management sends data requests to the GCP server.
      2. In the drop-down box, select Minutes, Hours, or Days.

        Note: When you schedule a connector configuration to sync every 30 minutes, a discovery job is placed in a queue every 30 minutes. The results of the discovery job become available in the Tenable Vulnerability Management interface and logs depending on the workload for the connector services. So, the results of the discovery job can take more than 30 minutes depending on the queue.

  7. Do one of the following:
    • To save the connector, click Save.
    • To save the connector and import your assets from GCP, click Save & Import.

    Tenable Vulnerability Management imports your assets from GCP. There may be a short delay before your assets appear.
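
A pre-upload check for the credential configuration file from step 6, as an added example (not Tenable's or Google's code): it confirms the file is a Workload Identity Federation configuration rather than a service account key, that its endpoints are Google's, and that it carries no long-lived secret. The field names come from Google's external_account credential configuration format; the accepted hosts, the function names and the sample values are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Field names follow Google's external_account credential configuration format.
AUDIENCE_RE = re.compile(r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
                         r"workloadIdentityPools/[^/]+/providers/[^/]+$")
SECRET_KEYS = {"private_key", "private_key_id", "client_secret", "refresh_token"}
# Assumption: the default public Google endpoints are the only ones accepted.
EXPECTED_HOSTS = {"token_url": "sts.googleapis.com",
                  "service_account_impersonation_url": "iamcredentials.googleapis.com"}
# Constructed sample: placeholder project number, pool and provider; other fields omitted.
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "token_url": "https://sts.googleapis.com/v1/token",
})

def find_secret_keys(node, path=""):
    """Yield the path of every long-lived secret field, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in SECRET_KEYS:
                yield here
            yield from find_secret_keys(value, here)
    elif isinstance(node, list):
        for value in node:
            yield from find_secret_keys(value, path + "[]")

def check_wif_config(text):
    """Return a list of findings; an empty list means every check passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level JSON value is not an object"]
    findings = []
    if cfg.get("type") != "external_account":
        findings.append(f"type is {cfg.get('type')!r}, expected 'external_account'")
    if not AUDIENCE_RE.match(str(cfg.get("audience", ""))):
        findings.append("audience is not a workload identity pool provider")
    for field, host in EXPECTED_HOSTS.items():
        url = urlparse(str(cfg.get(field, "")))
        if field in cfg and (url.scheme != "https" or url.hostname != host):
            findings.append(f"{field} does not point to https://{host}")
    return findings + [f"long-lived secret field: {p}" for p in find_secret_keys(cfg)]
```

Call check_wif_config() on the file's contents before clicking Add File; any finding means the file is not the federation configuration the connector setup expects.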