topic Re: GCP Agentless Scanning Setup in Prisma Cloud Discussions

GCP Agentless Scanning Setup

SKodi — Wed, 28 Dec 2022 00:21:07 GMT

Hi,

Has anyone tried onboarding GCP account for agentless scanning? During the setup it is asking for GCP Service account and API token details but we can only generate json keys for service accounts. Any idea how to get this setup done?

Thanks.

Re: GCP Agentless Scanning Setup

USheikh — Wed, 28 Dec 2022 00:35:48 GMT

Hi SKodi,

You can onboard gcp account for agentless scanning using the following docs:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/configure/configure-agentless-scanning#_configure_agentless_scanning__individual-account

Please search for "Onboard GCP Accounts for Agentless Scanning".

You can create a service account key using the following GCP documentation:

https://cloud.google.com/iam/docs/creating-managing-service-account-keys

Hope it helped!

Re: GCP Agentless Scanning Setup

SKodi — Wed, 28 Dec 2022 03:01:59 GMT

Hi Umer - Thanks for your reply. I followed the same documentation but during the setup page on Prisma it looks for the service account and API Token but the service account keys are in json format which is where we got stuck.

Re: GCP Agentless Scanning Setup

USheikh — Wed, 28 Dec 2022 03:33:05 GMT

Hi SKodi,

The content of the service account JSON file will be entered the service account field in Prisma Cloud Compute Console.

API token field should be left empty.

Please save the settings, and try to perform the agentless scan.

Regards,

Re: GCP Agentless Scanning Setup

SKodi — Wed, 28 Dec 2022 04:07:56 GMT

Thanks again, this time we made some progress. JSON worked and downloaded the permissions template as well. When I tried to initiate the scan it threw the following error:

failed to create account clients for permissions check. target:"<credential_name>" hub:"" region: us-central1. failed to initialize the target account client for credential <credential_name>: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/<project_id>', forbidden

Do I need to apply the downloaded template? And how they are used?

Re: GCP Agentless Scanning Setup

USheikh — Wed, 28 Dec 2022 05:08:54 GMT

Hi SKodi,

Based on the error, it looks like the account does not have sufficient permissions.

Can you verify using the downloaded the permission template if the account has the permission?

To understand more about the downloaded template files and how they are used, refer to https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/configure/permissions

Re: GCP Agentless Scanning Setup

SKodi — Wed, 28 Dec 2022 15:33:23 GMT

Hi Umer,

compute.zones.list is mentioned in the included permissions on the downloaded permission template.

Re: GCP Agentless Scanning Setup

musiddiqui — Wed, 28 Dec 2022 19:42:31 GMT

Hi SKodi,

I hope you are doing well. As the scope of this issue is going beyond the chat messages, can you please open a support ticket and one of the TAC Engineers will be able to assist you?

Regards,

Re: GCP Agentless Scanning Setup

kfirdaus — Tue, 10 Jan 2023 16:02:39 GMT

Hi SKodi,

It appears to be related to missing permissions for Google managed service accounts. Can you please check IAM policies for your project and verify if the permissions are listed?

Re: GCP Agentless Scanning Setup

musiddiqui — Wed, 11 Jan 2023 18:45:10 GMT

Hi SKodi,

I hope you are doing well. To answer your question about the template, Prisma Cloud validates the specified credentials and the download raises an error if the credentials are incorrect. To understand more about the downloaded template files and how they are used, refer to the permission templates.

Please let me know if you have any other questions.

Re: GCP Agentless Scanning Setup

JJean-Claude — Tue, 31 Jan 2023 20:50:21 GMT

Hello SKodi,

A suggestion would be to create a role in GCP that includes the permissions listed in the attached screenshot. Make sure that the role is created in the GCP Project you are looking to scan. The document titled 'Permissions by feature' has the complete list that the screenshot is based from.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-12/prisma-cloud-compute-edition-admin/configure/permissions

Scroll down to the GCP section, then look for the Agentless scanning section. Then, associate the role to a service account. Then create a new JSON file for the specific project. Before going back to the console to on-board the account, double check that the contents of the JSON file reference the project you want scanned.

This suggestion is based on the 'Same Account' setting in the onboarding process in the console.