12-27-2022 04:21 PM
Has anyone tried onboarding GCP account for agentless scanning? During the setup it is asking for GCP Service account and API token details but we can only generate json keys for service accounts. Any idea how to get this setup done?
12-27-2022 04:35 PM
You can onboard gcp account for agentless scanning using the following docs:
Please search for "Onboard GCP Accounts for Agentless Scanning".
You can create a service account key using the following GCP documentation:
Hope it helped!
12-27-2022 07:01 PM
Hi Umer - Thanks for your reply. I followed the same documentation but during the setup page on Prisma it looks for the service account and API Token but the service account keys are in json format which is where we got stuck.
12-27-2022 07:28 PM - edited 12-27-2022 07:33 PM
The content of the service account JSON file will be entered the service account field in Prisma Cloud Compute Console.
API token field should be left empty.
Please save the settings, and try to perform the agentless scan.
12-27-2022 08:07 PM
Thanks again, this time we made some progress. JSON worked and downloaded the permissions template as well. When I tried to initiate the scan it threw the following error:
failed to create account clients for permissions check. target:"<credential_name>" hub:"" region: us-central1. failed to initialize the target account client for credential <credential_name>: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/<project_id>', forbidden
Do I need to apply the downloaded template? And how they are used?
12-27-2022 09:08 PM
Based on the error, it looks like the account does not have sufficient permissions.
Can you verify using the downloaded the permission template if the account has the permission?
To understand more about the downloaded template files and how they are used, refer to https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-06/prisma-cloud-compute-edition-admin/confi...
12-28-2022 07:33 AM
compute.zones.list is mentioned in the included permissions on the downloaded permission template.
12-28-2022 11:42 AM
I hope you are doing well. As the scope of this issue is going beyond the chat messages, can you please open a support ticket and one of the TAC Engineers will be able to assist you?
01-10-2023 08:02 AM
It appears to be related to missing permissions for Google managed service accounts. Can you please check IAM policies for your project and verify if the permissions are listed?
01-11-2023 10:45 AM
I hope you are doing well. To answer your question about the template, Prisma Cloud validates the specified credentials and the download raises an error if the credentials are incorrect. To understand more about the downloaded template files and how they are used, refer to the permission templates.
Please let me know if you have any other questions.
01-31-2023 12:50 PM
A suggestion would be to create a role in GCP that includes the permissions listed in the attached screenshot. Make sure that the role is created in the GCP Project you are looking to scan. The document titled 'Permissions by feature' has the complete list that the screenshot is based from.
Scroll down to the GCP section, then look for the Agentless scanning section. Then, associate the role to a service account. Then create a new JSON file for the specific project. Before going back to the console to on-board the account, double check that the contents of the JSON file reference the project you want scanned.
This suggestion is based on the 'Same Account' setting in the onboarding process in the console.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!