This article will guide you through the process of connecting your Google Cloud Platform (GCP) project to the Orca Security Platform.
Orca's SaaS deployment mode means that you do not have to run any code from Orca within your cloud accounts. Your payload will be scanned inside Orca's GCP cloud backend in the same availability zone where your assets reside.
- Before you begin
- Step 1: Enable API
- Step 2: Create Orca Security Role
- Step 3: Create a service account
- Step 4: Add KMS permissions
- Verify account connection
Before you begin
Access your Orca Security account and navigate to Settings from the lower-left corner of the main menu. You will land on the Connect Account page by default. From here, select the Google Cloud tab.
Step 1: Enable API
- Copy the Orca provided Cloud Shell script by clicking the copy icon.
- Log in to your GCP account by clicking the HERE link.
- From the projects dropdown menu in the upper-left of the GCP console, choose the GCP project you want to onboard.
- Launch the Cloud Shell terminal using the Activate Cloud Shell icon from the top-right menu of the GCP console.
Paste the Cloud Shell script into the CloudShell terminal and run it to enable the Compute Engine API.
Google Cloud may request your authorization to make an API call. Click Authorize to proceed. Allow about 60 seconds for the operation to finish successfully.
Before proceeding to Step 2 of the onboarding process, you need to locate the GCP Project ID and provide it to Orca.
One way to find the GCP Project ID is to click the projects dropdown menu in the upper-left of the GCP console.
This will bring up a modal with your recently accessed projects and corresponding ID values.
Copy the Project ID and paste it into the Project ID field in Orca.
Step 2: Create Orca Security Role
Launch the Cloud Shell terminal using the Activate Cloud Shell icon from the top-right menu of the GCP console.
Step 3: Create a service account
- You can now create a service account by clicking the HERE link. This link will open the GCP Create service account page in a new browser tab.
- Give your GCP service account a Service account name, Service account ID, and Service account description.
- Click Create.
- Next, grant your service account the following access permissions:
- Orca-side-scanner-role (created on the previous step)
- Compute Admin
- Service Account User
- Click Continue.
- Click Done.
The GCP console will display a list of all service accounts for the project you selected. Choose the newly created service account and navigate to the KEYS tab. Click ADD KEY, select Create new key, and click Create (note: ensure that JSON is selected as the key type).
A JSON file will be downloaded to the default download directory on your device.
Return to the Orca UI and drop the downloaded file into the JSON KEY drop file area. You can also click the drop file area to browse for the JSON file on your device.
You are now ready to proceed to the final step of the GCP account onboarding process.
Step 4: Add KMS permissions
- Copy the Orca service account email by clicking the copy icon.
- Open the GCP IAM page using the IAM PAGE link.
From the GCP IAM page, click ADD, paste the Orca service account email into the New Member field, expand the Select a Role dropdown field and search for the Cloud KMS CryptoKey Encrypter/Decrypter role.
Select the role when it appears in the filtered list and then click Save.
Return to the Orca UI and click the Connect Account button. Please allow several seconds for the connection to be established. After a successful connection, Orca will redirect you to the Accounts page, where you can check the status of the newly onboarded account.
Verify account connection
Scanning will begin immediately after the connection between Orca and your cloud account is established. The initial scan time will vary and may take anywhere from a few minutes to a few hours. We recommend that you wait at least 24 hours after onboarding a new account to get the complete picture of your security posture. Subsequent scans take significantly less time.
You can return to the Accounts page from the Settings menu to verify the status of your existing accounts.