Google Cloud Platform (GCP) asset inventory discovery is not discovering all projects

sch
Tera Contributor

Hi All

We have GCP cloud discovery up and running in our PROD instance, and there are quite a number of classes which are not discovered as part of this cloud discovery.

The product team has suggested that we implement GCP asset inventory discovery, which populates a generic class with the resource type mentioned and covers these unsupported classes.

We are in the process of setting up GCP asset inventory discovery in our non-prod instance.

As per the ServiceNow product documentation (https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/service-mapping/refere...), the below permissions have been given to the service account.

Prerequisites

1. GCP authorization to use the API https://cloudasset.googleapis.com/v1/projects/<account_id>:exportAssets, and one or more of the following Google IAM permissions on the specified resource parent:

cloudasset.assets.exportResource

cloudasset.assets.exportIamPolicy

2. A storage bucket for storing the collected data. This bucket is used as an input parameter in the pattern.

If a bucket must be created for this purpose, the same GCP user must have both Create and Edit access for it.

The Retention Policy for the storage bucket must not be active. Otherwise, the pattern does not delete the auto-generated inventory data file.

 

The below bucket permissions have also been given to the service account, based on inputs from the HI support team:

Bucket permission name: Description

storage.buckets.create: Create new buckets in a project.
storage.buckets.createTagBinding: Create a new tag binding to a bucket.
storage.buckets.delete: Delete buckets.
storage.buckets.deleteTagBinding: Delete the tag binding on a bucket.
storage.buckets.get: Read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket.
storage.buckets.getIamPolicy: Read bucket IAM policies.
storage.buckets.getObjectInsights: Read object metadata in inventory reports.
storage.buckets.list: List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing.
storage.buckets.listEffectiveTags: List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project.
storage.buckets.listTagBindings: List tags directly attached to a bucket.
storage.buckets.setIamPolicy: Update bucket IAM policies.
storage.buckets.update: Update bucket metadata, excluding IAM policies, and add or remove a Pub/Sub notification configuration on a bucket.

 

 

We had a successful discovery run, but noticed that it had pulled only the resources related to our service account. We have around 900+ service accounts, and resource inventory discovery is supposed to run for all of these and discover the resources under them. As per this KB article ("Google Cloud Platform (GCP) Resource Inventory' pattern should not be triggered via Cloud Discovery ..."), we can only run resource inventory discovery as a standalone serverless discovery; it cannot be included as part of cloud discovery.

 

It might be too challenging to create one schedule per service account, as the service account (project in GCP) count will be increasing daily based on operations in the cloud space.

We wanted to understand if there is a possible way to achieve this.

 

There is a similar post on the same topic:

https://www.servicenow.com/community/itom-forum/has-anyone-used-the-google-cloud-platform-gcp-asset-...

 

Can someone help us here with how to achieve this, please?


Thank you

Sirisha Chagantipati

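The post describes the Cloud Asset Inventory export that the pattern drives: a POST to https://cloudasset.googleapis.com/v1/{parent}:exportAssets, authorised by cloudasset.assets.exportResource / cloudasset.assets.exportIamPolicy on the parent, writing a file into a bucket. The following is an added example, not code from the post, from ServiceNow or from Google: it enumerates the projects at run time and fans one export request out per project, so a growing project count does not need one schedule per project. The project lister and the HTTP POST are injected; the `FakeGcp` class is constructed stand-in data so the module runs offline, and the operation names it returns are made up. Parent values of the form `folders/ID` and `organizations/ID` are accepted by the Cloud Asset API itself; whether the ServiceNow pattern accepts them is not something the post establishes, so the example only asserts the API shape. The bucket name, run ID and project IDs are assumptions.

```python
"""Fan out Cloud Asset Inventory exports over every project, one request each.

Added example; not code from the post, from ServiceNow, or from Google.
Models the REST call the post cites:
    POST https://cloudasset.googleapis.com/v1/{parent}:exportAssets
where {parent} is projects/ID, folders/ID or organizations/ID. Each project's
export goes to its own object under a per-run prefix in the shared bucket.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

CLOUDASSET_V1 = "https://cloudasset.googleapis.com/v1"
_PARENT_RE = re.compile(r"^(projects|folders|organizations)/[A-Za-z0-9-]+$")


class ExportError(Exception):
    """Raised by the poster when the API rejects a request (e.g. HTTP 403)."""


def export_url(parent: str) -> str:
    """Build the exportAssets URL for a project, folder or organization parent."""
    if not _PARENT_RE.match(parent):
        raise ValueError(f"unsupported parent: {parent!r}")
    return f"{CLOUDASSET_V1}/{parent}:exportAssets"


def export_body(bucket: str, object_name: str, content_type: str = "RESOURCE",
                asset_types: Iterable[str] = ()) -> dict:
    """Request body: content type plus a Cloud Storage destination.

    RESOURCE needs cloudasset.assets.exportResource on the parent; IAM_POLICY
    needs cloudasset.assets.exportIamPolicy. Writing the output object needs
    object write access on the bucket only.
    """
    body = {
        "contentType": content_type,
        "outputConfig": {"gcsDestination": {"uri": f"gs://{bucket}/{object_name}"}},
    }
    if asset_types:
        body["assetTypes"] = list(asset_types)  # optional filter, e.g. compute.googleapis.com/Instance
    return body


def plan_exports(project_ids: Iterable[str], bucket: str, run_id: str,
                 content_type: str = "RESOURCE") -> List[Tuple[str, dict]]:
    """One request per distinct project, each writing run_id/<project>.json so
    parallel exports never overwrite each other's file."""
    return [
        (export_url(f"projects/{pid}"), export_body(bucket, f"{run_id}/{pid}.json", content_type))
        for pid in sorted(set(project_ids))
    ]


def run_exports(list_projects: Callable[[], Iterable[str]],
                post: Callable[[str, dict], dict],
                bucket: str, run_id: str) -> Dict[str, Dict[str, str]]:
    """Enumerate projects now (new projects are picked up without a new
    schedule), start one export per project, and keep going when one fails.

    Returns {"started": {project: operation_name}, "failed": {project: reason}}.
    exportAssets returns a long-running operation; poll it before reading the file.
    """
    result: Dict[str, Dict[str, str]] = {"started": {}, "failed": {}}
    for url, body in plan_exports(list_projects(), bucket, run_id):
        pid = url.split("/projects/", 1)[1].split(":", 1)[0]
        try:
            result["started"][pid] = post(url, body)["name"]
        except ExportError as exc:
            # e.g. the service account lacks cloudasset.assets.exportResource on this project
            result["failed"][pid] = str(exc)
    return result


class FakeGcp:
    """Constructed stand-in for Resource Manager + Cloud Asset API (offline only)."""

    def __init__(self, projects: Iterable[str], forbidden: Iterable[str] = ()):
        self.projects = list(projects)
        self.forbidden = set(forbidden)          # projects where the SA has no export permission
        self.requests: List[Tuple[str, dict]] = []

    def list_projects(self) -> List[str]:
        return self.projects

    def post(self, url: str, body: dict) -> dict:
        self.requests.append((url, body))
        parent = url[len(CLOUDASSET_V1) + 1:].split(":", 1)[0]   # "projects/<id>"
        if parent.split("/", 1)[1] in self.forbidden:
            raise ExportError("403 PERMISSION_DENIED: cloudasset.assets.exportResource")
        return {"name": f"{parent}/operations/ExportAssets/{body['contentType']}/fake-op"}  # made-up op name


if __name__ == "__main__":
    gcp = FakeGcp(["prj-a", "prj-b", "prj-c"], forbidden={"prj-b"})
    print(run_exports(gcp.list_projects, gcp.post, "asset-export-bucket", "run-001"))
```

A fresh `run_id` per run keeps each run's files under their own prefix, which matters because, as the post notes, the pattern deletes the generated file after ingestion and an active retention policy on the bucket would block that delete.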