
Set up GCP for automated tests with TrustCloud

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your GCP account, so that TrustOps can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to GCP metadata

  1. Go to Google Cloud Platform https://console.cloud.google.com/ and select the project in which to create the service account.
  2. In the console, navigate to IAM & Admin and then Service accounts.
  3. Select Create service account.
  4. Enter a service account name to display in the console and select Create.
  5. Grant the service account the following roles (both are read-only roles):
    • Viewer (roles/viewer)
    • Security Reviewer (roles/iam.securityReviewer)
  6. When you are done adding roles, click Continue.
  7. Create a private key for the service account.
  8. Select JSON as the key type and select Create.
  9. Save the downloaded JSON key file. It is a long-lived credential for the service account: store it in a secrets manager and never commit it to source control.
  10. Click Done to finish creating the service account.
  11. Open the IAM page and locate the service account. Confirm that the Viewer and Security Reviewer roles are granted, then add the Organization Policy Viewer role (roles/orgpolicy.policyViewer). The service account must be granted Viewer in every GCP project you want TrustCloud to test.
  12. Optional: To run IAM tests, add a dedicated user to your Google Workspace domain that has the User Management Admin role. 💡 This account is used only to delegate read access to specific user metadata; you grant that access explicitly, and only for the scopes listed, in the domain-wide delegation steps below. The delegation is required because listing users goes through the Google Admin SDK API, which is only reachable through domain-wide delegation. If you do not want to run IAM tests, skip this step and steps 13 to 17.
  13. Navigate to your Google Workspace admin console. From the console, navigate to Security → API Controls → Manage Domain-wide Delegation. (Or open this link: https://admin.google.com/u/4/ac/owl/domainwidedelegation).
  14. Click Add New.
  15. Set Client ID to the client ID of your service account (the numeric client_id field in the downloaded JSON key file, also shown as the Unique ID on the service account's details page).
  16. Under Scopes, add the following:

    💡 These scopes, combined with the service account's roles, only allow TrustCloud to audit your GCP configuration settings in order to determine adherence to the specified controls. They grant access to GCP and Workspace metadata only; they do not give TrustCloud the ability to read any data stored in your GCP resources. (See this document for a full list of Google scopes.)

  17. Click Authorize.
  18. Enable the following APIs in every project you want tested. APIs are enabled per project, so repeat this for each one (the service name you would pass to gcloud services enable is given in parentheses):
    1. Cloud Billing API (cloudbilling.googleapis.com)
    2. Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
    3. SQL Admin API (sqladmin.googleapis.com)
    4. Service Usage API (serviceusage.googleapis.com)
    5. Admin SDK API (admin.googleapis.com)
  19. In TrustCloud, enter the JSON private key, the email address of the delegated Workspace user (if you set one up in step 12), and the project IDs of all GCP projects you want to test.
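Once the steps above are complete, the script below (an added example for this article, not TrustCloud's own code) checks the result offline from data you export yourself: the downloaded JSON key, the output of `gcloud projects get-iam-policy PROJECT --format=json` for each project, and the output of `gcloud services list --enabled --format=json` for each project. It extracts the client ID you need for domain-wide delegation from the key file, reports any project where the service account is missing Viewer or holds a role beyond the three read-only roles granted above, and lists required APIs that are not yet enabled. The project IDs, e-mail addresses, key material and policy documents in the block are constructed placeholders, not real credentials.

```python
"""Post-setup least-privilege checks for a compliance-reader service account."""
import json

# Roles the article grants. Viewer is required in every tested project; the
# other two are read-only roles that are acceptable wherever they appear.
REQUIRED_ROLES = {"roles/viewer"}
ALLOWED_ROLES = REQUIRED_ROLES | {"roles/iam.securityReviewer", "roles/orgpolicy.policyViewer"}

# Service names behind the five APIs the article asks you to enable per project.
REQUIRED_APIS = {
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "sqladmin.googleapis.com",
    "serviceusage.googleapis.com",
    "admin.googleapis.com",
}


def key_identity(key_json):
    """Validate a downloaded key file and return its identity fields.

    client_email is the member to look for in IAM bindings; client_id is the
    number to enter as Client ID under Manage Domain-wide Delegation.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: type=%r" % key.get("type"))
    for field in ("client_email", "client_id", "private_key"):
        if not key.get(field):
            raise ValueError("key file is missing %r" % field)
    return {"client_email": key["client_email"], "client_id": key["client_id"]}


def audit_roles(policy_json, sa_email):
    """Compare the roles bound to the service account in one project's
    get-iam-policy JSON with the allowed set.

    Returns {"missing": [...], "excess": [...]}; an empty "excess" list means
    the account holds nothing beyond the read-only roles the article grants.
    """
    member = "serviceAccount:" + sa_email
    policy = json.loads(policy_json)
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return {"missing": sorted(REQUIRED_ROLES - held), "excess": sorted(held - ALLOWED_ROLES)}


def missing_apis(services_json):
    """Return the required APIs absent from one project's
    `gcloud services list --enabled --format=json` output."""
    enabled = set()
    for svc in json.loads(services_json):
        # Each entry carries config.name; fall back to the last path segment of name.
        name = svc.get("config", {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        enabled.add(name)
    return sorted(REQUIRED_APIS - enabled)


def run_checks(key_json, policies, services):
    """policies and services map project_id -> exported JSON text. Returns one report."""
    ident = key_identity(key_json)
    report = {"client_id": ident["client_id"], "projects": {}}
    for project, policy_json in policies.items():
        report["projects"][project] = {
            "roles": audit_roles(policy_json, ident["client_email"]),
            "missing_apis": missing_apis(services.get(project, "[]")),
        }
    return report


# ---- constructed sample data (placeholder values, not real credentials) ----
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-prod",
    "client_email": "trustcloud-reader@example-prod.iam.gserviceaccount.com",
    "client_id": "112233445566778899001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})
SA = "serviceAccount:trustcloud-reader@example-prod.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    # Correctly scoped: Viewer, Security Reviewer and Organization Policy Viewer only.
    "example-prod": json.dumps({"bindings": [
        {"role": "roles/viewer", "members": [SA, "user:alice@example.com"]},
        {"role": "roles/iam.securityReviewer", "members": [SA]},
        {"role": "roles/orgpolicy.policyViewer", "members": [SA]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ]}),
    # Over-privileged: someone granted Editor instead of Viewer.
    "example-staging": json.dumps({"bindings": [
        {"role": "roles/editor", "members": [SA]},
    ]}),
}
SAMPLE_SERVICES = {
    "example-prod": json.dumps([{"config": {"name": n}, "state": "ENABLED"} for n in sorted(REQUIRED_APIS)]),
    "example-staging": json.dumps([{"config": {"name": "cloudresourcemanager.googleapis.com"}, "state": "ENABLED"}]),
}

if __name__ == "__main__":
    print(json.dumps(run_checks(SAMPLE_KEY, SAMPLE_POLICIES, SAMPLE_SERVICES), indent=2))
```

In the sample data, example-prod passes cleanly, while example-staging is reported with Viewer missing, Editor as an excess role, and four of the five APIs not enabled. Run the same functions over your real exports before handing the key to TrustCloud, and re-run them whenever project IAM changes, since a later Editor or Owner grant silently turns a metadata reader into an account that can modify resources.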
