>

Accessing Cloud SCC using an SDK

This guide walks you through creating a service account and setting it up for use with Cloud Security Command Center (Cloud SCC) client libraries.

Before you begin

To complete this guide, you'll need the following:

  • The Cloud Identity and Access Management (Cloud IAM) role Service Account Admin. For more information about Cloud SCC Cloud IAM roles, see Access control.
  • To complete this guide, you'll need an existing directory path in which a service account private key can be stored. This path is in the context of your Cloud Shell environment, such as /home/myuser/mykeys/.

Accessing Cloud SCC

To access Cloud SCC programmatically, you'll use Cloud Shell to get the client library and authenticate a service account.

Setting up environment variables

  1. Go to the Google Cloud Platform Console.
    Go to the Google Cloud Platform Console
  2. Click Activate Cloud Shell.
  3. Run the following commands to set environment variables:

    1. Set your organization name:

      export ORG_ID=[YOUR_ORGANIZATION_ID]
      
    2. Set the project ID:

      export PROJECT_ID=[CLOUD_SCC_ENABLED_PROJECT_ID]
      
    3. Set the custom ID you want to use for a new service account, like scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must be all lowercase alphanumeric characters that can be separated by hyphens:

      export SERVICE_ACCOUNT=[CUSTOM_ID]
      
    4. Set the path in which the service account key should be stored, like export KEY_LOCATION=/home/$USER/mykeys/$SERVICE_ACCOUNT.json:

      export KEY_LOCATION=[FULL_PATH]
      # This is used by client libraries to find the key
      export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION
      

Setting up a service account

To access Cloud SCC programmatically, you'll need a private key from a service account to be used by the client. The service account must have the organization level role securitycenter.admin.

  1. Create a service account that's associated with your project ID:

    gcloud iam service-accounts create $SERVICE_ACCOUNT  --display-name \
     "Service Account for [USER]"  --project $PROJECT_ID
    
  2. Create a key to associate with the service account. The key will be used for the life of the service and persistently stored at the [KEY_LOCATION] you specify.

    gcloud iam service-accounts keys create $KEY_LOCATION  --iam-account \
     $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
    
  3. Grant the service account the securitycenter.admin role for the organization.

    gcloud beta organizations add-iam-policy-binding $ORG_ID \
      --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --role='roles/securitycenter.admin'
    

Installing client libraries for Cloud SCC

Python

Installing the Python library

To include the Cloud SCC Python library as a dependency in your project, follow the process below:

  1. Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.

    virtualenv onboarding_example
    source onboarding_example/bin/activate
    
  2. Install pip to manage the Python library installation.
  3. Run the following commands to install the Python library:

    pip install google-cloud-securitycenter
    

Java

To include the Cloud SCC Java library as a dependency in your project, select an artifact from the Maven repository.

Go

To download the library, run:

go get -u cloud.google.com/go/securitycenter/apiv1

Node.js

npm install --save @google-cloud/security-center

What's next

Using the SDK

Review the guides for all the features that Cloud SCC supports:

SDK References

See the complete SDK references:

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Security Command Center
Need help? Visit our support page.