Create a service account and set it up for use with Security Command Center client libraries.
Before you begin
To complete this guide, you need the following:
- The Service Account Admin IAM role. For more information about Security Command Center IAM roles, see Access control.
- An existing directory path in which a service account private key can be stored. This path is in the context of your Cloud Shell environment, like /home/myuser/mykeys/.
Accessing Security Command Center
To access Security Command Center programmatically, use Cloud Shell to get the client library and authenticate a service account.
Setting up environment variables
- Go to the Google Cloud console.
- Click Activate Cloud Shell.
- Set environment variables by running the following commands.
Set your organization ID:
export ORG_ID=[YOUR_ORGANIZATION_ID]
Set the project ID:
export PROJECT_ID=[CLOUD_SCC_ENABLED_PROJECT_ID]
Set the custom ID you want to use for a new service account, like scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must consist only of lowercase alphanumeric characters and hyphens:
export SERVICE_ACCOUNT=[CUSTOM_ID]
Set the path in which the service account key should be stored, like export KEY_LOCATION=/home/$USER/mykeys/$SERVICE_ACCOUNT.json:
export KEY_LOCATION=[FULL_PATH]
# This is used by client libraries to find the key
export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION
Setting up a service account
To access Security Command Center programmatically, you need a private key from a service account to be used by the client. The service account must have the organization-level role securitycenter.admin.
- Create a service account that's associated with your project ID:
gcloud iam service-accounts create $SERVICE_ACCOUNT --display-name \
  "Service Account for [USER]" --project $PROJECT_ID
- Create a key to associate with the service account. The key is used for the life of the service and persistently stored at the [KEY_LOCATION] you specify.
gcloud iam service-accounts keys create $KEY_LOCATION --iam-account \
  $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
- Grant the service account the securitycenter.admin role for the organization.
gcloud organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
  --role='roles/securitycenter.admin'
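As an added preflight check (not part of the original guide and not a gcloud feature), the following POSIX shell functions verify the SERVICE_ACCOUNT and KEY_LOCATION values against the rules this page states before the gcloud commands above are run; the function names and the chmod step are this example's own conventions.

```shell
# Added preflight check: verifies SERVICE_ACCOUNT and KEY_LOCATION before any gcloud call.
export LC_ALL=C   # make [a-z] byte ranges unambiguous regardless of the shell locale

# validate_sa_name NAME: the service account ID rules stated on this page:
# 6-30 characters, begins with a letter, only lowercase letters, digits and hyphens.
validate_sa_name() {
  name=$1
  len=${#name}
  [ "$len" -ge 6 ] && [ "$len" -le 30 ] || return 1
  case $name in
    [a-z]*) ;;                  # must begin with a letter
    *) return 1 ;;
  esac
  case $name in
    *[!a-z0-9-]*) return 1 ;;   # any other character is rejected
  esac
  return 0
}

# validate_key_location PATH: the key must be an absolute path (GOOGLE_APPLICATION_CREDENTIALS
# is resolved from any working directory), land in an existing writable directory, and
# not overwrite a key file that already exists there.
validate_key_location() {
  path=$1
  case $path in
    /*) ;;
    *) return 1 ;;
  esac
  dir=$(dirname "$path")
  [ -d "$dir" ] && [ -w "$dir" ] || return 1
  [ ! -e "$path" ] || return 1
  return 0
}

# preflight: run both checks against the exported variables; a non-zero status means stop.
preflight() {
  validate_sa_name "${SERVICE_ACCOUNT:-}" || { echo "invalid SERVICE_ACCOUNT" >&2; return 1; }
  validate_key_location "${KEY_LOCATION:-}" || { echo "invalid KEY_LOCATION" >&2; return 1; }
  return 0
}

# Usage (hypothetical wiring of this check into the steps above):
#   preflight && gcloud iam service-accounts keys create "$KEY_LOCATION" \
#     --iam-account "$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com"
#   chmod 600 "$KEY_LOCATION"   # the private key should be readable only by its owner
```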
Installing client libraries for Security Command Center
Python
To include the Security Command Center Python library as a dependency in your project, follow the process below:
Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.
virtualenv onboarding_example
source onboarding_example/bin/activate
Install pip to manage the Python library installation.
Run the following command to install the Python library:
pip install google-cloud-securitycenter
Java
To include the Security Command Center Java library as a dependency in your project, select an artifact from the Maven repository.
Go
To download the Go library, run:
go get cloud.google.com/go/securitycenter/apiv1
Node.js
To install the Node.js library, run:
npm install --save @google-cloud/security-center
What's next
Using the SDK
Review the guides for all the features that Security Command Center supports:
- Listing assets
- Listing security findings
- Creating, modifying, and querying security marks
- Creating and updating security findings
- Creating, updating, and listing finding sources
- Configuring organization settings
SDK References
See the complete SDK references: