This guide walks you through creating a service account and setting it up for use with Cloud Security Command Center (Cloud SCC) client libraries.
Before you begin
To complete this guide, you need the following:
- The Cloud Identity and Access Management (Cloud IAM) role Service Account Admin. For more information about Cloud SCC Cloud IAM roles, see Access control.
- An existing directory path in which a service account private key can be
stored. This path is in the context of your Cloud Shell environment,
Accessing Cloud SCC
To access Cloud SCC programmatically, use Cloud Shell to get the client library and authenticate a service account.
Setting up environment variables
- Go to the Google Cloud Platform Console.
Go to the Google Cloud Platform Console
- Click Activate Cloud Shell.
Set environment variables by running:
Set your organization name:
Set the project ID:
Set the custom ID you want to use for a new service account, like
scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must be all lowercase alphanumeric characters and hyphens:
Set the path in which the service account key should be stored, like
export KEY_LOCATION=[FULL_PATH] # This is used by client libraries to find the key export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION
Setting up a service account
To access Cloud SCC programmatically, you need a private key from a
service account to be used by the client. The service account must have the
organization level role
Create a service account that's associated with your project ID:
gcloud iam service-accounts create $SERVICE_ACCOUNT --display-name \ "Service Account for [USER]" --project $PROJECT_ID
Create a key to associate with the service account. The key is used for the life of the service and persistently stored at the
gcloud iam service-accounts keys create $KEY_LOCATION --iam-account \ $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
Grant the service account the
securitycenter.adminrole for the organization.
gcloud beta organizations add-iam-policy-binding $ORG_ID \ --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \ --role='roles/securitycenter.admin'
Installing client libraries for Cloud SCC
To include the Cloud SCC Python library as a dependency in your project, follow the process below:
Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.
virtualenv onboarding_example source onboarding_example/bin/activate
Install pip to manage the Python library installation.
Run the following commands to install the Python library:
pip install google-cloud-securitycenter
To include the Cloud SCC Java library as a dependency in your project, select an artifact from the Maven repository.
To download the Go library, run:
go get -u cloud.google.com/go/securitycenter/apiv1
To install the Node.js library, run:
npm install --save @google-cloud/security-center
Using the SDK
Review the guides for all the features that Cloud SCC supports:
- Listing assets
- Listing security findings
- Creating, modifying, and querying security marks
- Creating and updating security findings
- Creating, updating, and listing finding sources
- Configuring organization settings
See the complete SDK references: