
Configuring GCP Organization Onboarding Prerequisites using Scripts

You can configure the prerequisites for onboarding your GCP Organization onto ZCSPM by using scripts. The scripts are useful when your GCP Organization has a large number of projects, or when you want to onboard a selected set of projects from your Organization, supplied either as a list or as a .csv file.

Prerequisite Roles and Permissions

| Action | Required Roles and Permission | Billing Account |
|---|---|---|
| Create Service Account & Key | Project Owner/Editor | |
| Assign roles to Service Account | Organization Administrator | |
| Enable Cloud APIs on the GCP project | Project Owner/Editor, Organization Viewer | All projects must be linked with the billing account |

To configure prerequisites for onboarding your GCP Organization onto ZCSPM:

    1. Open the GCP Cloud Shell. To set the project, use the following command:
       gcloud config set project <Project_ID>

    2. Check if you are authenticated to the GCP cloud by using the following command:
       gcloud auth list

    3. Download the script by using the following command:
       wget -O - https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/gcp-onboarding/download-gcp-onboarding-scripts.sh | bash

    4. Update the scripts' permissions by using the following command:
       chmod +x zcspm-gcp-onboarding/*.sh

    5. Change the directory by using the following command:
       cd zcspm-gcp-onboarding

    6. Run the following command to create a new service account:
       ./create-service-account.sh -p <project_id> -s <service_account_name>

       This command will generate a summary which will contain the Service Account email address and the key file path.

    7. Copy the key file path and download the key by using the following command:
       cloudshell download <service_account_key_file_path>

       Store the downloaded key in a secure location.

  • Promote the Service Account to Organization level by running the following command:

    ./promote-service-account.sh -s <service_account_email> -o <gcp_organization_id>
    
  • To enable APIs on all the projects on your GCP organization, run the following command:

    ./enable-gcp-api.sh -s <service_account_project_id> -o <gcp_organization_id> -a
    

    OR

    To enable APIs on a selected list of projects on your GCP organization, run the following command:

    ./enable-gcp-api.sh -s <service_account_project_id> -p "<project_id1>,<project_id2>,<project_id3>"

    You can list up to 10 projects.

    OR

    To enable APIs on an allowed list of projects contained in a .csv file, run the following command:

    ./enable-gcp-api.sh -s <service_account_project_id> -c <file_name>.csv
    

    You can create a .csv file containing the allowed list of projects by running the following command:

    gcloud alpha asset list --organization=<gcp_organization_id> \
      --content-type=resource --asset-types=cloudresourcemanager.googleapis.com/Project \
      --filter=resource.data.lifecycleState=ACTIVE \
      --format="csv(resource.data.projectId,resource.data.name)" > <file_name>.csv
    

    The script also enables the required Cloud APIs on the project in which the service account is created.
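
The .csv file determines which projects enable-gcp-api.sh acts on, so it is worth reviewing before it is passed to -c. The following is an added example, not part of the ZCSPM scripts: check_project_csv and sample_csv are hypothetical names, the sample rows are constructed, and the project_id header name is an assumption about the gcloud CSV output.

```shell
#!/bin/sh
# Added example, not part of the ZCSPM onboarding scripts.
# check_project_csv reads the allow-list CSV on stdin, prints each accepted
# project ID on stdout, reports rejected rows on stderr, and returns non-zero
# if any row was rejected.
check_project_csv() {
  awk -F, '
    { sub(/\r$/, "") }            # tolerate CRLF line endings
    /^[ \t]*$/ { next }           # ignore blank lines
    # Assumption: the gcloud csv() output starts with a header row whose
    # first column is named project_id (or projectId). Anything else on
    # line 1 is validated like data, so an unexpected header is reported.
    NR == 1 && ($1 == "project_id" || $1 == "projectId") { next }
    {
      id = $1
      # GCP project ID: 6-30 characters, lowercase letters, digits and
      # hyphens, starting with a letter and not ending with a hyphen.
      if (length(id) < 6 || length(id) > 30 ||
          id !~ /^[a-z][a-z0-9-]*[a-z0-9]$/) {
        printf "line %d: malformed project ID \"%s\"\n", NR, id > "/dev/stderr"
        bad++
      } else if (seen[id]++) {
        printf "line %d: duplicate project ID \"%s\"\n", NR, id > "/dev/stderr"
        bad++
      } else {
        print id
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample input: a header, two valid rows, a duplicate row, and a
# row whose ID has a leading space and uppercase letters.
sample_csv() {
  cat <<'EOF'
project_id,name
prod-payments-1234,Payments
dev-sandbox-42,Sandbox
prod-payments-1234,Payments
 Dev-Sandbox-42,Typo
EOF
}

# Usage: sh check-projects.sh <file_name>.csv   (no argument: run the sample)
{ if [ "$#" -gt 0 ]; then cat "$1"; else sample_csv; fi; } | check_project_csv ||
  echo "allow-list rejected: fix the rows above before using -c" >&2
```

The IDs printed on stdout are the projects that would be passed on; compare that list with the projects you intend to onboard before running enable-gcp-api.sh.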
