You can onboard gcp account for agentless scanning using the following docs:
Please search for "Onboard GCP Accounts for Agentless Scanning".
You can create a service account key using the following GCP documentation:
Hope it helped!
The content of the service account JSON file will be entered the service account field in Prisma Cloud Compute Console.
API token field should be left empty.
Please save the settings, and try to perform the agentless scan.
Thanks again, this time we made some progress. JSON worked and downloaded the permissions template as well. When I tried to initiate the scan it threw the following error:
failed to create account clients for permissions check. target:"<credential_name>" hub:"" region: us-central1. failed to initialize the target account client for credential <credential_name>: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/<project_id>', forbidden
Do I need to apply the downloaded template? And how they are used?
Based on the error, it looks like the account does not have sufficient permissions.
Can you verify using the downloaded the permission template if the account has the permission?
To understand more about the downloaded template files and how they are used, refer to https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/confi...
I hope you are doing well. As the scope of this issue is going beyond the chat messages, can you please open a support ticket and one of the TAC Engineers will be able to assist you?
I hope you are doing well. To answer your question about the template, Prisma Cloud validates the specified credentials and the download raises an error if the credentials are incorrect. To understand more about the downloaded template files and how they are used, refer to the permission templates.
Please let me know if you have any other questions.
A suggestion would be to create a role in GCP that includes the permissions listed in the attached screenshot. Make sure that the role is created in the GCP Project you are looking to scan. The document titled 'Permissions by feature' has the complete list that the screenshot is based from.
Scroll down to the GCP section, then look for the Agentless scanning section. Then, associate the role to a service account. Then create a new JSON file for the specific project. Before going back to the console to on-board the account, double check that the contents of the JSON file reference the project you want scanned.
This suggestion is based on the 'Same Account' setting in the onboarding process in the console.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!