GCP Agentless Scanning Setup

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GCP Agentless Scanning Setup

L1 Bithead

Hi,

Has anyone tried onboarding GCP account for agentless scanning? During the setup it is asking for GCP Service account and API token details but we can only generate json keys for service accounts. Any idea how to get this setup done?

Thanks.

10 REPLIES 10

L3 Networker

Hi SKodi,

 

You can onboard gcp account for agentless scanning using the following docs:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/confi...

 

Please search for "Onboard GCP Accounts for Agentless Scanning".

 

You can create a service account key using the following GCP documentation:

https://cloud.google.com/iam/docs/creating-managing-service-account-keys

 

Hope it helped!

 

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

Hi Umer - Thanks for your reply. I followed the same documentation but during the setup page on Prisma it looks for the service account and API Token but the service account keys are in json format which is where we got stuck.

Hi SKodi,

 

The content of the service account JSON file will be entered the service account field in Prisma Cloud Compute Console.

 

API token field should be left empty. 

 

Please save the settings, and try to perform the agentless scan. 

 

Regards,

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

Thanks again, this time we made some progress. JSON worked and downloaded the permissions template as well. When I tried to initiate the scan it threw the following error:

failed to create account clients for permissions check. target:"<credential_name>" hub:"" region: us-central1. failed to initialize the target account client for credential <credential_name>: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/<project_id>', forbidden

Do I need to apply the downloaded template? And how they are used?

Hi SKodi,

 

Based on the error, it looks like the account does not have sufficient permissions.

 

Can you verify using the downloaded the permission template if the account has the permission?

 

To understand more about the downloaded template files and how they are used, refer to https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/confi...

Umer Sheikh | Technical Support Engineer - Prisma Cloud Compute | PCCSE, AWS - Associate Architect

Hi Umer,

compute.zones.list is mentioned in the included permissions on the downloaded permission template.

L2 Linker

Hi SKodi,

 

I hope you are doing well. As the scope of this issue is going beyond the chat messages, can you please open a support ticket and one of the TAC Engineers will be able to assist you?

 

Regards,

Muhammad Wahaaj Siddiqui | Sr. Technical Support Engineer - Prisma Cloud Compute | PCCSE, CKA, CKS, AWS SysOps, AWS DevOps Professional

Hi SKodi,

It appears to be related to missing permissions for Google managed service accounts. Can you please check IAM policies for your project and verify if the permissions are listed?

Kishwar Firdaus | Customer Success Engineer - PrismaCloud

Hi SKodi,

 

I hope you are doing well. To answer your question about the template, Prisma Cloud validates the specified credentials and the download raises an error if the credentials are incorrect. To understand more about the downloaded template files and how they are used, refer to the permission templates. 

 

Please let me know if you have any other questions.

Muhammad Wahaaj Siddiqui | Sr. Technical Support Engineer - Prisma Cloud Compute | PCCSE, CKA, CKS, AWS SysOps, AWS DevOps Professional

L1 Bithead

Hello SKodi,

 

A suggestion would be to create a role in GCP that includes the permissions listed in the attached screenshot. Make sure that the role is created in the GCP Project you are looking to scan. The document titled 'Permissions by feature' has the complete list that the screenshot is based from.

 


https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-12/prisma-cloud-compute-edition-admin/confi...

 

 

Scroll down to the GCP section, then look for the Agentless scanning section. Then, associate the role to a service account. Then create a new JSON file for the specific project. Before going back to the console to on-board the account, double check that the contents of the JSON file reference the project you want scanned.

 

This suggestion is based on the 'Same Account' setting in the onboarding process in the console. 

  • 2623 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!