How to onboard your GCP projects with the VMware Aria Automation for Secure Clouds API

Before you begin

Before you can onboard a GCP project with the API, you need:

  • Your GCP project ID.
  • Your GCP service account email.
  • Your GCP service account key.
  • A shell terminal with curl installed or an API development tool capable of making REST API calls, such as Postman.
  • An API access token for the VMware Aria Automation for Secure Clouds platform.

Connect service account

To connect VMware Aria Automation for Secure Clouds with your GCP project, you must run a script that enables several APIs and provisions a service account to monitor your project.

  1. Open Google Cloud Shell or any shell with Google Cloud SDK.

  2. Run one of the following commands in your shell environment based on your onboarding scenario. Replace the Project ID and Organization ID placeholder values as necessary.

    Single project onboarding

    curl https://api.securestate.vmware.com/download/onboarding/gcp/gcp_single_project_onboarding.sh --output gcp_single_project_onboarding.sh && /bin/bash gcp_single_project_onboarding.sh <project_id>
    

    Organization onboarding

    curl https://gcp.events.securestate.vmware.com/scripts/gcp-onboarding/vss_sa_onboarding.sh -o vss_sa_onboarding.sh && curl https://gcp.events.securestate.vmware.com/scripts/gcp-onboarding/vss_sa_deploy_template.jinja -o vss_sa_deploy_template.jinja && sh vss_sa_onboarding.sh --project-id <project_id> --organization-id <organization_id>
    
  3. The script outputs a service account key file named vmw-secure-state-sa-key.json for use in the next steps. If you ran the script in a cloud shell, enter this command to download the file.

    cloudshell download vmw-secure-state-sa-key.json
    

Discover GCP projects

Once you have the key file, use this command to invoke the GCP Discovery API and upload your service account.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/gcp-discovery-task \
-H 'Authorization: Bearer {access_token}' \
-d '{
        "serviceAccountKey": "{base64_encoded_service_account}"
}'

A successful response should list all GCP Projects associated with the service account.

Response Body

{
     "projects": [
         {
             "creationTime": {timestamp},
             "tags": {
                 {GCP project tag 1}
                 {GCP project tag 2}
                 {GCP project tag 3}
                 ...
              },
             "lifecycleState": "{status}",
             "name": "{Cloud account name}",
             "projectId": "{GCP project ID}",
             "projectNumber": "{GCP project number}"
          }
     ]
}

If you don't see certain GCP projects, make sure the service account permissions have been configured to access them and submit another request until you verify all projects you want to monitor are part of the response.

Upload credentials

The GCP service account acts as a credential for monitoring GCP projects by VMware Aria Automation for Secure Clouds. Use this command to upload the service account and get a credential ID.

curl -X POST \
https://api.securestate.vmware.com/v1/providers/gcp/cloud-credentials/ \
-H 'Authorization: Bearer {access_token}' \
-d '{
        "credentialType": "collection",
        "provider": "gcp",
        "properties": [
            {
                "name": "ServiceAccountEmail",
                "type": "string",
                "stringV": "{GCP service account email}"
            },
            {
                "name": "ServiceAccountKey",
                "type": "string",
                "stringV": "{Base 64 encoded service account key}"
            }
        ]
}'

A successful response confirms the information you entered and returns the credentialId. Copy the value in this field for use in the next step.

Response Body

Use this command to add your GCP project to the service and link it with the previously uploaded credentials. The value of cspProjectId can be either default, or another CSP Project ID you would like to add the GCP project to.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/bulk-update \
-H 'Authorization: Bearer {access_token}' \
-d '{
        "provider": "gcp",
        "cloudAccountUpdates": [
            {
                "action": "post",
                "cloudAccountName": "{GCP project name 1}",
                "cspProjectId": "{CSP project ID}",
                "properties": [
                    {
                        "name": "projectId",
                        "type": "string",
                        "stringV": "{GCP project ID 1}"
                    }
                ]
            },
            {
                "action": "post",
                "cloudAccountName": "{GCP project name 2}",
                "cspProjectId": "{CSP project ID}",
                "properties": [
                    {
                        "name": "projectId",
                        "type": "string",
                        "stringV": "{GCP project ID 2}"
                    }
                ]
            },
            ...
        ],
        "relationshipUpdates": [
            {
                "action": "post",
                "cloudAccountId": "{GCP project ID 1}",
                "credentialId": "{Credential ID}"
            },
            {
                "action": "post",
                "cloudAccountId": "{GCP project ID 2}",
                "credentialId": "{Credential ID}"
            },
            ...
        ]
}'

You can use the bulk update API to onboard a single GCP project or several at once, as the request example shows. Add as many entries as necessary to the cloudAccountUpdates and relationshipUpdates arrays; GCP also lets you share a single credential across multiple projects, so several relationshipUpdates entries may reference the same credentialId.

A successful response confirms the information you entered, along with general status updates and timestamps. 
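The following added Python example (not VMware's code) ties the three requests above together: it validates and base64-encodes the key file the onboarding script produced, builds the credential upload body, and turns a discovery response into the bulk-update body that links every project to one credential. The sample key file is constructed, and skipping projects whose lifecycleState is not ACTIVE assumes the discovery task returns the GCP Resource Manager state verbatim.

```python
import base64
import json

# Constructed stand-in for the key file the onboarding script writes
# (vmw-secure-state-sa-key.json). A real file also carries the private key,
# so treat it as a secret and delete it once the credential is uploaded.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "vmw-secure-state-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

def encode_service_account_key(key_json):
    """Return (client_email, base64 of the whole key file).

    The API wants the entire JSON file base64-encoded, not just the private
    key. Checking 'type' catches the common mistake of uploading a user
    credential (authorized_user) instead of a service account key.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: %r" % key.get("type"))
    if not key.get("client_email") or not key.get("private_key"):
        raise ValueError("key file is missing client_email or private_key")
    return key["client_email"], base64.b64encode(key_json.encode()).decode("ascii")

def credential_body(email, key_b64):
    """Body for POST /v1/providers/gcp/cloud-credentials/."""
    return {"credentialType": "collection", "provider": "gcp", "properties": [
        {"name": "ServiceAccountEmail", "type": "string", "stringV": email},
        {"name": "ServiceAccountKey", "type": "string", "stringV": key_b64}]}

def bulk_update_body(discovery, credential_id, csp_project_id="default"):
    """Body for POST /v1/cloud-accounts/bulk-update built from the discovery
    response: one cloud account per project, all linked to one credential.
    Projects whose GCP lifecycleState is not ACTIVE (e.g. DELETE_REQUESTED)
    are skipped (assumption: the state is passed through unchanged)."""
    accounts, links = [], []
    for p in discovery["projects"]:
        if p.get("lifecycleState") != "ACTIVE":
            continue
        accounts.append({"action": "post", "cloudAccountName": p["name"],
                         "cspProjectId": csp_project_id, "properties": [
                             {"name": "projectId", "type": "string", "stringV": p["projectId"]}]})
        links.append({"action": "post", "cloudAccountId": p["projectId"],
                      "credentialId": credential_id})
    return {"provider": "gcp", "cloudAccountUpdates": accounts, "relationshipUpdates": links}
```

Pass the returned dictionaries through json.dumps as the -d body of the corresponding curl commands above, with the same Authorization header.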

Event stream setup

Run this script to set up an event stream for the cloud accounts you've added.

curl https://gcp.events.securestate.vmware.com/scripts/gcp-eventstream/setup-securestate-events.sh -o setup-securestate-events.sh && curl https://gcp.events.securestate.vmware.com/scripts/gcp-eventstream/gcp-event-bridge.jinja -o gcp-event-bridge.jinja && sh setup-securestate-events.sh --endpoint=https://gcp.events.securestate.vmware.com --project-ids=<gcp-project-id1,gcp-project-id2,gcp-project-id3>

Note: The script assigns three roles to the specified projects for the event stream setup. The default cloud services service account for each monitored project is assigned the “Logs Configuration Writer” and “Security Admin” roles to create a Cloud Logging Sink and publish to a Pub/Sub topic. The Pub/Sub service account (identified as @gcp-sa-pubsub.iam.gserviceaccount.com) is also assigned the “Service Account Token Creator” role for authentication.

The script creates a Cloud Logging Sink and Pub/Sub per project selected to send change configurations to VMware Aria Automation for Secure Clouds. You can verify whether the event stream is successfully connected by using the Cloud Accounts Query API to check that your GCP projects have an event stream connected status.

To verify the event stream is active, follow these steps:

  1. From the VMware Aria Automation for Secure Clouds dashboard, navigate to Settings > Cloud accounts.
  2. Locate your cloud account in the list, filtering as necessary.
  3. If the Status field displays a green checkmark, then the event stream is active for your account.
  4. You can click on the Account Name to see additional details regarding event stream status and cloud account metadata.

While the event stream is active, you should see real-time updates in the service for any changes in your cloud account that trigger or resolve a violation.
