This guide walks you through creating a service account and setting it up for use with Cloud Security Command Center (Cloud SCC) client libraries.
Before you begin
To complete this guide, you'll need the following:
- The Cloud Identity and Access Management (Cloud IAM) role Service Account Admin. For more information about Cloud SCC Cloud IAM roles, see Access control.
- To complete this guide, you'll need an existing directory path in which a
service account private key can be stored. This path is in the context of your
Cloud Shell environment, such as
/home/myuser/mykeys/.
Accessing Cloud SCC
To access Cloud SCC programmatically, you'll use Cloud Shell to get the client library and authenticate a service account.
Setting up environment variables
- Go to the Google Cloud Platform Console.
Go to the Google Cloud Platform Console - Click Activate Cloud Shell.
Run the following commands to set environment variables:
Set your organization name:
export ORG_ID=[YOUR_ORGANIZATION_ID]Set the project ID:
export PROJECT_ID=[CLOUD_SCC_ENABLED_PROJECT_ID]Set the custom ID you want to use for a new service account, like
scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must be all lowercase alphanumeric characters that can be separated by hyphens:export SERVICE_ACCOUNT=[CUSTOM_ID]Set the path in which the service account key should be stored, like
export KEY_LOCATION=/home/$USER/mykeys/$SERVICE_ACCOUNT.json:export KEY_LOCATION=[FULL_PATH] # This is used by client libraries to find the key export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION
Setting up a service account
To access Cloud SCC programmatically, you'll need a private key
from a service account to be used by the client. The service account must have
the organization level role securitycenter.admin.
Create a service account that's associated with your project ID:
gcloud iam service-accounts create $SERVICE_ACCOUNT --display-name \ "Service Account for [USER]" --project $PROJECT_IDCreate a key to associate with the service account. The key will be used for the life of the service and persistently stored at the
[KEY_LOCATION]you specify.gcloud iam service-accounts keys create $KEY_LOCATION --iam-account \ $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.comGrant the service account the
securitycenter.adminrole for the organization.gcloud beta organizations add-iam-policy-binding $ORG_ID \ --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \ --role='roles/securitycenter.admin'
Installing client libraries for Cloud SCC
Python
Installing the Python library
To include the Cloud SCC Python library as a dependency in your project, follow the process below:
-
Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.
virtualenv onboarding_example source onboarding_example/bin/activate
- Install pip to manage the Python library installation.
-
Run the following commands to install the Python library:
pip install google-cloud-securitycenter
Java
To include the Cloud SCC Java library as a dependency in your project, select an artifact from the Maven repository.
Go
To download the library, run:
go get -u cloud.google.com/go/securitycenter/apiv1
Node.js
npm install --save @google-cloud/security-center
What's next
Using the SDK
Review the guides for all the features that Cloud SCC supports:
- Listing assets
- Listing security findings
- Creating, modifying, and querying security marks
- Creating and updating security findings
- Creating, updating, and listing finding sources
- Configuring organization settings
SDK References
See the complete SDK references:
Need help? Visit our