Docy Child

Google Cloud Platform

Estimated reading: 3 minutes 571 views

Set up GCP for automated tests with TrustCloud


Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your GCP account, so that TrustOps can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to GCP metadata

  1. Go to Google Cloud Platform and select a project to create your service account cloud
  2. In the console, navigate to IAM & admin and then Service cloud service account
  3. Select Create a service account.create service account
  4. Enter a service account name to display in the console and select Create.service account details
  5. Grant access to the following roles:
    • Viewer
    • Security Reviewer
  6. When you are done adding roles, click Continue.
  7. Create a private key.
    private key
  8. Select JSON, select Create.json private key
  9. Save the private key.
    save private key
  10. Click Done to finish creating the service account.
  11. Go to your IAM roles for the service account user. Confirm that Viewer and Security Reviewer roles are enabled. Add the Organization Policy Viewer role. For each project in your GCP account, the service account should be assigned the role of Viewer.
  12. Optional: To run IAM tests, you need to add a custom user to your Google Workspace Domain that has a User Management Admin role. 💡 This account will only be used to delegate access to read specific metadata only. You will explicitly grant this access below in step 5. This account delegation is required because accessing users requires the Google Admin API, which is only available via account delegation. If you do not want to run IAM tests, you can skip this step.
  13. Navigate to your Google Workspace admin console. From the console, navigate to Security → API Controls → Manage Domain-wide Delegation. (Or click on this link: api control
  14. Click Add New.
  15. Set Client ID, to the client ID of your service account**.**new client id
  16. Under Scopes, add the following:

    💡 These scopes, combined with the service account permissions only allow TrustCloud to audit your GCP configuration settings in order to determine adherence to specified controls. They only allow TrustCloud to access your GCP metadata. They do not provide TrustCloud the ability to read any GCP data. (See this document for a full list of Google scopes).

  17. Click Authorize.authorize
  18. Enable the required APIs for each project separately. Click on the links beneath to navigate to the respective URLs –
    1. Cloud Billing API
    2. Cloud Resource Manager API
    3. SQL Admin API
    4. Service Usage API
    5. Admin SDK API
  19. Enter your private key, the email address for your account delegate, and the names of all GCP projects you want to test.

Join the conversation

Twitter Facebook LinkedIn

❤️  Joyfully crafted by a 100% distributed team.