Google Cloud Platform (GCP) asset inventory discovery is not discovering all projects
09-14-2023 06:02 AM
Hi All,
We have GCP cloud discovery up and running in our PROD instance, and there are quite a number of classes that are not discovered as part of this cloud discovery.
The product team has suggested that we implement GCP asset inventory discovery, which will populate a generic class with the resource type mentioned, covering these unsupported classes.
We are in the process of setting up GCP asset inventory discovery in our non-prod instance.
As per the ServiceNow product documentation, https://docs.servicenow.com/bundle/utah-it-operations-management/page/product/service-mapping/refere..., the permissions below have been given to the service account.
Prerequisites
1. GCP authorization to use the API https://cloudasset.googleapis.com/v1/projects/<account_id>:exportAssets, and one or more of the following Google IAM permissions on the specified resource parent:
cloudasset.assets.exportResource
cloudasset.assets.exportIamPolicy
2. A storage bucket for storing the collected data. This bucket is used as an input parameter in the pattern.
If a bucket must be created for this purpose, the same GCP user must have both Create and Edit access for it.
The Retention Policy for the storage bucket must not be active. Otherwise, the pattern does not delete the auto-generated inventory data file.
The bucket permissions below were also given to the service account, based on inputs from the HI support team:

| Bucket permission name | Description |
| --- | --- |
| storage.buckets.create | Create new buckets in a project. |
| storage.buckets.createTagBinding | Create a new tag binding to a bucket. |
| storage.buckets.delete | Delete buckets. |
| storage.buckets.deleteTagBinding | Delete the tag binding on a bucket. |
| storage.buckets.get | Read bucket metadata, excluding IAM policies, and list or read the Pub/Sub notification configurations on a bucket. |
| storage.buckets.getIamPolicy | Read bucket IAM policies. |
| storage.buckets.getObjectInsights | Read object metadata in inventory reports. |
| storage.buckets.list | List buckets in a project. Also read bucket metadata, excluding IAM policies, when listing. |
| storage.buckets.listEffectiveTags | List all tags associated with a bucket, including tags inherited from higher in the resource hierarchy, such as from the bucket's project. |
| storage.buckets.listTagBindings | List tags directly attached to a bucket. |
| storage.buckets.setIamPolicy | Update bucket IAM policies. |
| storage.buckets.update | Update bucket metadata, excluding IAM policies, and add or remove a Pub/Sub notification configuration on a bucket. |
We had a successful discovery run but noticed that it had pulled only the resources related to our own service account. We have around 900+ service accounts, and resource inventory discovery is supposed to run for all of these and discover the resources under them. As per this KB article, Google Cloud Platform (GCP) Resource Inventory' pattern should not be triggered via Cloud Discovery ..., we can only run resource inventory discovery as a standalone serverless discovery; it cannot be included as part of cloud discovery.
It might be too challenging to create one schedule per service account, as the service account (project in GCP) count will be increasing daily based on operations in the cloud space.
We wanted to understand if there is a possible way to achieve this.
There is a similar post on the same topic.
Can someone help us here with how to achieve this, please?
Thank you
Sirisha Chagantipati
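An added check for the symptom described in the post (only one project's resources discovered), not part of the post or of ServiceNow's pattern: it lists every project visible to the discovery service account and reports which ones lack the two cloudasset permissions from the prerequisites, so the missing grant can be spotted before a discovery schedule runs. It assumes google-api-python-client with Application Default Credentials for the service account; the project list and grants in the sample are constructed.

```python
from typing import Callable, Dict, Iterable, List

# Permissions the asset inventory pattern needs on each project (from the docs quoted above).
REQUIRED = ["cloudasset.assets.exportResource", "cloudasset.assets.exportIamPolicy"]


def audit_projects(projects: Iterable[Dict[str, str]],
                   test_permissions: Callable[[str, List[str]], List[str]]) -> Dict[str, List[str]]:
    """Return {project_id: [missing permissions]} for every ACTIVE project.
    test_permissions(project_id, perms) must return the subset of perms the account
    holds on that project, which is exactly what projects.testIamPermissions answers.
    """
    report: Dict[str, List[str]] = {}
    for p in projects:
        if p.get("lifecycleState") != "ACTIVE":
            continue  # projects pending deletion cannot be exported anyway
        granted = set(test_permissions(p["projectId"], REQUIRED))
        report[p["projectId"]] = [perm for perm in REQUIRED if perm not in granted]
    return report


def audit_live() -> Dict[str, List[str]]:
    """Run the audit against the real Cloud Resource Manager v1 API (needs ADC credentials)."""
    from googleapiclient.discovery import build  # google-api-python-client, assumed installed
    crm = build("cloudresourcemanager", "v1")
    projects: List[Dict[str, str]] = []
    request = crm.projects().list()
    while request is not None:  # follow nextPageToken until every visible project is listed
        page = request.execute()
        projects.extend(page.get("projects", []))
        request = crm.projects().list_next(request, page)

    def test(project_id: str, perms: List[str]) -> List[str]:
        resp = crm.projects().testIamPermissions(
            resource=project_id, body={"permissions": perms}).execute()
        return resp.get("permissions", [])
    return audit_projects(projects, test)


# Constructed sample: the account holds both permissions on proj-a, only one on proj-b.
SAMPLE_PROJECTS = [
    {"projectId": "proj-a", "lifecycleState": "ACTIVE"},
    {"projectId": "proj-b", "lifecycleState": "ACTIVE"},
    {"projectId": "proj-old", "lifecycleState": "DELETE_REQUESTED"},
]
SAMPLE_GRANTS = {"proj-a": list(REQUIRED), "proj-b": ["cloudasset.assets.exportIamPolicy"]}


def sample_report() -> Dict[str, List[str]]:
    """Offline run over the constructed sample; only audit_live() touches the real API."""
    return audit_projects(SAMPLE_PROJECTS,
                          lambda pid, perms: [q for q in perms if q in SAMPLE_GRANTS.get(pid, [])])
```

Any project listed with a non-empty list is one the pattern cannot export from with the current grants; a project missing from the list entirely is not even visible to the service account.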