Onboarding a Google Cloud Platform Project Account

You can onboard a GCP project account to onboard a single project or multiple projects, whether or not they belong to an organization. To onboard multiple projects, provide the ZCSPM service account with access to each of those projects.

You need to be a GCP Admin and a ZCSPM Admin to onboard a GCP project account.

To onboard a GCP project account:

    1. In the GCP Cloud Console, go to IAM & Admin > Service Accounts.
    2. Click CREATE SERVICE ACCOUNT.
    3. Enter the Service account name and Service account description, then click CREATE.

    4. On the Service accounts permission screen, click CONTINUE.
    5. On the Grant user access page, click DONE to create the service account.
    6. Select the created service account, then click ADD KEY under Keys.
    7. Select JSON as the key type, then click CREATE. A JSON file will be created and downloaded. Keep the JSON file in a secure location. You will need it to finish onboarding your GCP project account in the ZCSPM Admin Portal.

    Zscaler recommends that you associate the multiple projects you intend to onboard with a single service account.

    To associate a different GCP project with a single service account:

    1. Search for the created service account and copy the Email.
    2. In the left-pane menu, go to IAM & Admin > IAM.
    3. Click ADD.
    4. In the New members section, paste the service account email you copied earlier.
    5. From the Role drop-down menu, select Viewer.
    6. Click ADD ANOTHER ROLE.
    7. From the Role drop-down menu, select Cloud Asset Viewer.
    8. Click SAVE.
  • ZCSPM requires access to APIs across all your projects in the organization to collect configuration data for your GCP services.

    • You need to provide ZCSPM with the Viewer role for GCP APIs to onboard your GCP project and collect configuration metadata. List of GCP APIs required by ZCSPM:


    To enable the APIs on a GCP project:

    1. In the GCP Cloud Console, click the Active Cloud Shell icon.
    2. Enable the APIs by running the following command:
    gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com sqladmin.googleapis.com storage.googleapis.com iam.googleapis.com logging.googleapis.com monitoring.googleapis.com bigquery.googleapis.com dns.googleapis.com cloudasset.googleapis.com cloudkms.googleapis.com serviceusage.googleapis.com
    3. In the left-pane menu, click APIs & Services and verify API access status.
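
The role grants and the API enablement described above can be scripted with gcloud when several projects share one service account. This is an added example, not Zscaler's own script: the function names, the DRY_RUN switch, and the assumption that the service account email ends in .iam.gserviceaccount.com are illustrative; roles/viewer and roles/cloudasset.viewer are the role IDs for Viewer and Cloud Asset Viewer.

```bash
#!/usr/bin/env bash
# Added example: apply the per-project prerequisites from the steps above
# (Viewer + Cloud Asset Viewer for the service account, then the API list).
# DRY_RUN defaults to 1, so commands are printed for review, not executed.

ZCSPM_ROLES="roles/viewer roles/cloudasset.viewer"
ZCSPM_APIS="cloudresourcemanager.googleapis.com compute.googleapis.com \
sqladmin.googleapis.com storage.googleapis.com iam.googleapis.com \
logging.googleapis.com monitoring.googleapis.com bigquery.googleapis.com \
dns.googleapis.com cloudasset.googleapis.com cloudkms.googleapis.com \
serviceusage.googleapis.com"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Usage: zcspm_prepare_projects SERVICE_ACCOUNT_EMAIL PROJECT_ID [PROJECT_ID...]
zcspm_prepare_projects() {
  sa_email=$1
  [ "$#" -gt 0 ] && shift
  # Refuse anything that is not a service account address, so a user or
  # group email is never granted the roles by mistake (assumed email format).
  case $sa_email in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "not a service account email: $sa_email" >&2; return 2 ;;
  esac
  [ "$#" -gt 0 ] || { echo "no project IDs given" >&2; return 2; }

  for project in "$@"; do
    for role in $ZCSPM_ROLES; do
      run gcloud projects add-iam-policy-binding "$project" \
        --member="serviceAccount:$sa_email" --role="$role"
    done
    # Word splitting of the API list is intended here.
    run gcloud services enable $ZCSPM_APIS --project="$project"
  done
}

# Run only when arguments are supplied on the command line.
if [ "$#" -gt 0 ]; then
  zcspm_prepare_projects "$@"
fi
```

Review the printed commands first, then rerun with DRY_RUN=0 from Cloud Shell to apply them.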
    1. Go to Configurations > Cloud Accounts.
    2. Click Add Cloud Account.

    3. From the License drop-down menu, select your license.
    4. Select GCP, then click Continue.
    5. From the Onboarding type drop-down menu, select Project.
    6. Upload a service account:
      • Select New, then click Upload Credentials to upload the service account credentials JSON file.
      • Select Existing. From the Service Account Name drop-down menu, select your service account.

    7. Click Next.
    8. Select all the projects you want to onboard with the organization, then click Next.
    9. Click Save.