ZCSPM
Configuring GCP Organization Onboarding Prerequisites using Scripts
You can configure prerequisites for onboarding your GCP Organization on ZCSPM. Using the scripts is useful when you have a large set of projects on your GCP Organization or want to onboard a selected set of projects from your Organization, either as a list or as a .csv file.
Prerequisite Roles and Permissions
| Action | Required Roles and Permissions | Billing Account |
| --- | --- | --- |
| Create Service Account & Key | Project Owner/Editor | |
| Assign roles to Service Account | Organization Administrator | |
| Enable Cloud APIs on the GCP project | Project Owner/Editor, Organization Viewer | All projects must be linked with the billing account |
To configure prerequisites for onboarding your GCP Organization onto ZCSPM:
- 1. Set your project and download the scripts
- Open the GCP cloud shell. To set the project, use the following command:
gcloud config set project <Project_ID>
- Check if you are authenticated to the GCP cloud by using the following command:
gcloud auth list
- Download the script by using the following command:
wget -O - https://raw.githubusercontent.com/Cloudneeti/docs_cloudneeti/master/scripts/gcp-onboarding/download-gcp-onboarding-scripts.sh | bash
- Update the scripts' permissions by using the following command:
chmod +x zcspm-gcp-onboarding/*.sh
- Change the directory by using the following command:
cd zcspm-gcp-onboarding
- 2. Create a Service Account
- Run the following command to create a new service account:
./create-service-account.sh -p <project_id> -s <service_account_name>
This command will generate a summary which will contain the Service Account email address and the key file path.
- Copy the key file path and download the key by using the following command:
cloudshell download <service_account_key_file_path>
Store the downloaded key in a secure location.
- 3. Promote the Service Account to Organization level and assign roles
Promote the Service Account to Organization level by running the following command:
./promote-service-account.sh -s <service_account_email> -o <gcp_organization_id>
- 4. Enable APIs on projects in your GCP Organization
To enable APIs on all the projects on your GCP organization, run the following command:
./enable-gcp-api.sh -s <service_account_project_id> -o <gcp_organization_id> -a
OR
To enable APIs on a selected list of projects on your GCP organization, run the following command:
./enable-gcp-api.sh -s <service_account_project_id> -p "<project_id1>,<project_id2>,<project_id3>"
You can list up to 10 projects.
OR
To enable APIs on an allowed list of projects in a .csv file, run the following command:
./enable-gcp-api.sh -s <service_account_project_id> -c <file_name>.csv
You can create a .csv file containing the allowed list of projects by running the following command:
gcloud alpha asset list --organization=<gcp_organization_id> --content-type=resource --asset-types=cloudresourcemanager.googleapis.com/Project --filter=resource.data.lifecycleState=ACTIVE --format="csv(resource.data.projectId,resource.data.name)" > <file_name>.csv
The script also enables the required Cloud APIs on the project in which the service account is created.
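The download in step 1 pipes a remote script straight into bash. As an added example (not part of the original page or of the Cloudneeti scripts), the helper below runs a saved copy of a script only if its SHA-256 matches a digest you recorded after reviewing it. The function names `file_sha256` and `run_if_pinned` and the digest placeholder are assumptions; the page publishes no checksum.

```shell
#!/usr/bin/env bash
# Added example: run a downloaded script only if its SHA-256 matches a digest
# recorded after manual review. run_if_pinned is a hypothetical helper and is
# not part of the ZCSPM onboarding scripts.

# Print the lowercase hex SHA-256 of a file.
file_sha256() {
  sha256sum < "$1" | awk '{print $1}'
}

# run_if_pinned <script_path> <expected_sha256> [args...]
# Returns 2 on bad input, 3 on digest mismatch, otherwise the script's status.
run_if_pinned() {
  if [ "$#" -lt 2 ]; then
    echo "usage: run_if_pinned <script> <sha256> [args...]" >&2
    return 2
  fi
  local script="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  shift 2
  # Reject anything that is not 64 hex digits, e.g. an unfilled placeholder.
  case "$expected" in
    *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  if [ "${#expected}" -ne 64 ] || [ ! -f "$script" ]; then
    echo "bad digest length or missing file: $script" >&2
    return 2
  fi
  actual="$(file_sha256 "$script")"
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $script: got $actual" >&2
    return 3
  fi
  bash "$script" "$@"
}

# Usage in Cloud Shell (URL is the one from step 1; the digest is a placeholder):
#   wget -O download-gcp-onboarding-scripts.sh <script_url_from_step_1>
#   less download-gcp-onboarding-scripts.sh        # review what it will do
#   sha256sum download-gcp-onboarding-scripts.sh   # record the reviewed digest
#   run_if_pinned download-gcp-onboarding-scripts.sh <sha256_recorded_after_review>
```

A mismatch on a later run means the upstream script changed since it was reviewed, so review it again before updating the pinned digest.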