Add a Google Cloud Platform account to VMware Tanzu Platform hub

As a Tanzu Platform hub organization owner or administrator, you can run the Google Cloud Platform account workflow that helps you download a service account key from Google Cloud Platform and then upload it to Tanzu Platform hub, and start event monitoring.

Before you begin

  • Verify that you can log in to your Google Cloud Platform console as a user with the following organization-level permissions so that you can add roles and IAM member bindings in your GCP console.

  • Verify that you have access to the GCP project for which you are creating this account.

  • Locate and save the GCP project ID so that you can use it as you configure this account connection.
  • If you are associating account with a Tanzu Platform hub project, verify that you created the project. For instructions, see Add projects.

Add a single GCP account

Use this workflow to add a single account. This process is useful if you do not have many GCP accounts that you want to manage. If you are new to Tanzu Platform hub, it is useful way to explore how Tanzu Platform hub can help you manage your resources.

  1. In Tanzu Platform hub, select Setup & Configuration > Cloud Accounts.

  2. Click New Account and click Google Cloud Platform.

    The Account Information section requires a name and GCP project ID.

    1. In the Account Information section, enter a useful account name and your GCP project ID.
    2. If you work with projects, select the Tanzu Platform hub project that you are associating with the GCP project.
    3. You can use Environment to add descriptive metadata to subscriptions that are used by some features in Tanzu Platform hub. For example, if you add and select environments such as prod, dev, and test, you can then apply governance policies to a particular environment. You can then search based on environment and even apply a policy to the resources in your production environment but not development or testing.
    4. Enter the owner name and email address.
    5. Click Next.

  3. Connect the account using a GCP service account key.

    The steps provided in the UI are repeated in this procedure for your convenience.

    The Service Account Connection section provides guidance about the required user roles an then provides steps for creating and then downloading the service key.

    1. Verify that you have the permissions described at the beginning of this article.
    2. Open Google Cloud Shell or any Shell with Google Cloud Command Line Interface.
    3. Run the provided script. The script creates a service account key in the selected directory. The key filename is vmw-secure-state-sa-key.json.
    4. To download the service account key, run the provided script.
    5. To upload the downloaded GCP service account key in Tanzu Platform hub, click Browse.
    6. Click Next.

  4. In the Account Onboarding section, enable event monitoring.

    To configure Event Stream, which provides updates about security findings for this cloud account, you must configure GCP so that you can run a connection script. See the prerequisites at the beginning of this procedure.

    The connection script sets up a Google Cloud Logging and Pub/Sub-based Event Stream using the following roles and permissions.

    • The Google-managed service account for this project, {project-number}@cloudservices.gservicesaccount.com, is granted the following roles and permissions.

      GCP Role Permissions
      Logs Configuration
    • Create a Cloud Logging Sink
    • Publish to a Pub/Sub topic
      		•
      Security Admin
    • Create a Cloud Logging Sink
    • Publish to a Pub/Sub topic
      		•

    • The Pub/Sub service account {project-number}@gcp-sa-pubsub-iam- gserviceaccount.com is granted the Service Account Token Creator role. For information provided by Google about the roles, see Google-managed service accounts, Logs configuration writer role, Security admin role, and Configure Pub/Sub with the token creator role.

      The Account Onboarding section provides the setup script to create the roles and permissions that connect the Event Stream.

      1. Verify that you have the event monitoring permissions described at the beginning of this article.
      2. Open Google Cloud Shell or any Shell with Google Cloud Command Line Interface.
      3. Run the provided command to run the setup script.
  5. On the Accounts page, verify that the data source account exists, the status is OK, and the Event Monitoring State is Connected.

Add multiple GCP accounts

If you have multiple Google Cloud Platform accounts to add, you can add them using the GCP Organization (Multiple GCP projects) options rather than adding them one at a time.

You can onboard projects in groups of 100 accounts.

When using the following procedure, you can refer to the images and details in the single account procedure in the previous section.

You must use the scripts on the pages in this procedure. They are customized each time you onboard the resources. Do not reuse a script from previous onboarding actions.

  1. In Tanzu Platform hub, select Setup & Configuration > Cloud Accounts.

  2. Click Google Cloud Platform, select GCP Organization (Multiple GCP projects), and then click Continue.

    To add multiple accounts, start by adding the project root account and then configure the collected member accounts.

  3. To add the project root account, click Start in the Add GCP projects step.

    1. On the General information page, enter the GCP project ID for the accounts that you are adding.

      The root project ID is required here so that Tanzu Platform hub can collect the member accounts that you want to manage.

    2. Complete the form and click Next.

      If you have not added an account before, see the step in the previous single account section for this step and the others that follow for additional details.

    3. On the Service Account Connection page, follow the on-screen instructions for adding the read-only collection IAM role for the root product account and click Next.

      When you click Next, Tanzu Platform hub uses the collection role to discover the member accounts so that you can select the ones you want to manage.

    4. On the Select GCP Projects page, review the discovered projects and select the ones that you want to add.

    5. When the list includes the accounts that you want to add, up to 100, click Next.

    6. On the Edit Properties page, select the projects where you want to update one or more of the properties and click Next.

      The properties include GCP project name, owner and owner email, Tanzu Platform hub projects, and any tags.

    7. On the Onboard GCP Projects page, click Onboard GCP Projects.

    8. When the onboarding process is finished, click Close.
  4. On the Account Setup page, click Start on the Configure event monitoring step.
    1. Select the member accounts that you want to collect real-time event data from and click Continue.
    2. Follow the on-screen instructions to run the provided command that runs the setup script.
    3. Click Finish.
  5. Close the Account Setup page.
  6. On the Accounts page, verify that the projects are included in the list as individual entries.

What to do next

  • The collection might take up to thirty minutes before you see data. To monitor the process, select Infrastructure > Search and click the Inventory tab. See Reviewing your discovered inventory.
  • If you need to make changes to a GCP account, select Setup & Configuration > Cloud Accounts, expand the details for the target account, and edit the individual account properties.

Parent topic:Setting up data connections in VMware Tanzu Platform hub

check-circle-line exclamation-circle-line close-line
Scroll to top icon