This article will guide you through the process of connecting multiple Google Cloud Platform (GCP) projects to the Orca Security Platform.
Orca's SaaS deployment mode means that you do not have to run any code from Orca within your cloud accounts. Your workloads are scanned inside Orca's own cloud backend, in the same region where your assets reside.
- Before you begin
- Step 1: Create a custom role
- Step 2: Create a service account
- Step 3: Connect projects or folders
- Verify account connection
Before you begin
- Access your Orca Security account and navigate to Settings from the lower-left corner of the main menu.
- You will land on the Connect Account page by default.
- From here, select the Google Cloud tab.
- Change the Policy mode from DEFAULT to MULTIPLE.
Step 1: Create a custom role
First, create a custom GCP role at the organization level and add to it the permissions Orca needs to perform SideScanning across your GCP organization. You will bind this role to the organization or folder you choose in Step 3 of the onboarding process.
- Copy the recommended role TITLE by clicking the copy icon.
- Click the HERE link to open the GCP console.
- Select your organization from the projects dropdown menu in the upper-left of the GCP console.
- Paste the recommended role title (orca-side-scanner-role) into the Title field.
- Modify the Description, ID, and Role launch stage fields as necessary.
- Click the Add Permissions button to open the “Add permissions” dialog window.
- One by one, copy each of the role permissions listed in the Orca UI and paste them into the GCP permissions Filter field. Separate each permission with an OR operator.
Your GCP permissions dialog window should look similar to ours when all permissions have been added.
- Select the checkbox next to the Permission column to highlight all permissions you entered in the previous step.
- Click Add. The “Add permissions” dialog window will close and you will return to the “Edit Role” page.
- Finally, double check that all permissions have been added, and then click Create.
Step 2: Create a service account
Create a new GCP service account for Orca by clicking the HERE link.
The GCP console will prompt you to select the project for which you want to create a service account. You can select from the recent projects list or use the Select Project link to browse all projects in your organization.
- Give the Orca service account a Service account name (suggested name: Orca security service), Service account ID, and Service account description.
- Click Create.
- Click Done.
The GCP console will display a list of all service accounts for the project you selected. Choose the newly created service account and navigate to the KEYS tab. Click ADD KEY, select Create new key, make sure JSON is selected as the key type, and click Create.
A JSON file will be downloaded to the default download directory on your device. This file is a long-lived credential for the service account and, once Step 3 is complete, it carries the roles you bind there across every project under your organization or folder. Treat it like a password: do not commit it to source control or share it, and delete the local copy after you have uploaded it to Orca.
Return to the Orca UI and drop the downloaded file into the JSON KEY drop file area. You can also click the drop file area to browse for the JSON file on your device.
Step 3: Connect projects or folders
- Copy the service account email, which is now populated from the uploaded JSON key, by clicking the copy icon.
- Open the GCP resources page using the MANAGE RESOURCES link.
You can onboard all projects under your organization or all projects under a project folder. IAM bindings in the GCP resource hierarchy are inherited downward, so a role granted to the service account on the organization or on a folder applies to every project beneath it; this is why you select an organization or a folder here rather than individual projects. For information about how to onboard a single GCP project, please see GCP Account (Project) Onboarding.
- Select the organization or project folder you want to onboard. In this example, we have selected the checkbox next to the organization name in order to onboard all projects under our organization.
- Click the Add Member button on the right side of the page.
- Paste the service account email into the New Member field.
- Next, assign the following roles to the service account:
- orca-side-scanner-role (created in Step 1)
- Storage Object Viewer
- Security Reviewer
- Click Save.
Now, assign the Cloud KMS CryptoKey Encrypter/Decrypter role to Orca's own service account (not the one you created in Step 2), so that Orca can read disk snapshots encrypted with customer-managed Cloud KMS keys.
- From the Orca UI, copy the Orca service account email by clicking the copy icon (this is the service account in Orca's project 788120191304, not the account from Step 2).
- Return to the GCP console and, with your organization or project folder still selected, click the Add Member button once again.
- Paste the Orca service account email into the New Member field.
- Expand the Role dropdown field and select the Cloud KMS CryptoKey Encrypter/Decrypter role.
- Click Save.
Return to the Orca UI and click the Connect Accounts button. You can also use the Check Accounts Count button to return the number of GCP projects that will be onboarded.
Please allow several minutes for the connection to be established. After a successful connection, Orca will redirect you to the Accounts page, where you can check the status of the newly onboarded GCP projects.
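The same onboarding can be scripted with the gcloud CLI, which is useful when you want the role, service account and bindings to be reviewable and repeatable rather than clicked through the console. The following is an added example, not Orca's own tooling: every organization ID, project ID, role ID and email in it is a placeholder, and the permission list for the custom role is deliberately not reproduced here; pass in the list exactly as shown in the Orca UI. With `DRY_RUN=1` (the default) each gcloud command is printed instead of executed, so you can check it before running with `DRY_RUN=0`. The last function lists the roles actually bound to a member on the organization, which is a quick check to run before clicking Connect Accounts.

```shell
#!/bin/sh
# Added example (not Orca's own tooling): Steps 1-3 of this guide as gcloud
# commands. Every ID, project and email below is a placeholder; the
# permission list is NOT reproduced here and must be copied from the Orca UI.
# DRY_RUN=1 (default) prints each command instead of running it.

DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: custom role at the organization level. Custom role IDs may only
# contain letters, digits, '.' and '_', so the suggested title
# orca-side-scanner-role gets the ID orca_side_scanner_role.
create_scanner_role() {
  org_id="$1"; role_id="$2"; permissions="$3"   # permissions: comma-separated
  run gcloud iam roles create "$role_id" \
    --organization="$org_id" \
    --title="orca-side-scanner-role" \
    --description="Permissions used by Orca SideScanning" \
    --permissions="$permissions" \
    --stage=GA
}

# Step 2: service account in a project of your choice, plus a JSON key.
# The key is a long-lived credential: upload it to Orca, then delete it locally.
create_orca_service_account() {
  project_id="$1"; sa_id="$2"; key_file="$3"
  run gcloud iam service-accounts create "$sa_id" \
    --project="$project_id" \
    --display-name="Orca security service"
  run gcloud iam service-accounts keys create "$key_file" \
    --iam-account="${sa_id}@${project_id}.iam.gserviceaccount.com"
}

# Step 3: bind roles on the organization or a folder so that every child
# project inherits them. scope is "organization" or "folder"; orca_sa_email
# is Orca's own service account email exactly as shown in the Orca UI.
bind_roles() {
  scope="$1"; scope_id="$2"; org_id="$3"; role_id="$4"; sa_email="$5"; orca_sa_email="$6"
  case "$scope" in
    organization) cmd="gcloud organizations add-iam-policy-binding" ;;
    folder)       cmd="gcloud resource-manager folders add-iam-policy-binding" ;;
    *) echo "scope must be organization or folder" >&2; return 1 ;;
  esac
  for role in \
    "organizations/${org_id}/roles/${role_id}" \
    roles/storage.objectViewer \
    roles/iam.securityReviewer
  do
    run $cmd "$scope_id" --member="serviceAccount:${sa_email}" --role="$role"
  done
  run $cmd "$scope_id" --member="serviceAccount:${orca_sa_email}" \
    --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
}

# Check: list the roles actually bound to a member on the organization.
# Compare the output with the roles from Step 3 before clicking Connect Accounts.
list_org_roles_for() {
  org_id="$1"; sa_email="$2"
  run gcloud organizations get-iam-policy "$org_id" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa_email}" \
    --format="value(bindings.role)"
}

# Example invocation (dry run; set DRY_RUN=0 to execute):
#   create_scanner_role 123456789012 orca_side_scanner_role "$PERMISSIONS_FROM_ORCA_UI"
#   create_orca_service_account my-project orca-security-service orca-key.json
#   bind_roles organization 123456789012 123456789012 orca_side_scanner_role \
#     orca-security-service@my-project.iam.gserviceaccount.com "$ORCA_SA_FROM_ORCA_UI"
#   list_org_roles_for 123456789012 orca-security-service@my-project.iam.gserviceaccount.com
```

Binding on a folder instead of the organization only changes the `bind_roles` scope argument; the custom role itself still lives at the organization level, which is why its full resource name `organizations/ORG_ID/roles/ROLE_ID` is used in the binding.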
Verify account connection
Scanning will begin immediately after the connection between Orca and your cloud accounts is established. The initial scan time will vary and may take anywhere from a few minutes to a few hours. We recommend that you wait at least 24 hours after onboarding a new account to get the complete picture of your security posture. Subsequent scans take significantly less time.
You can return to the Accounts page from the Settings menu to verify the status of your existing accounts.