Accessing Security Command Center using an SDK

Create a service account and set it up for use with Security Command Center client libraries.

Before you begin

To complete this guide, you need the following:

  • The Service Account Admin IAM role, plus permission to modify the IAM policy of the organization or project on which you grant the Security Command Center role in the steps below. For more information about Security Command Center IAM roles, see Access control.
  • An existing directory path in which a service account private key can be stored. This path is in the context of your Cloud Shell environment, like /home/myuser/mykeys/. Your Cloud Shell home directory persists between sessions, so a key written there remains on disk until you delete it.
  • The activation level of Security Command Center: project or organization level. Depending on your activation level, some of the commands that you use to set up the SDK access are different. To check your activation level, see Check the activation level of Security Command Center.

Accessing Security Command Center

To access Security Command Center programmatically, use Cloud Shell to get the client library and authenticate a service account.

Setting up environment variables

  1. Go to the Google Cloud console.
  2. Click Activate Cloud Shell.
  3. Set environment variables by running:

    1. Set your organization name:

      export ORG_ID=ORGANIZATION_ID
      

      Replace ORGANIZATION_ID with the ID of your organization.

    2. Set the project ID:

      export PROJECT_ID=CLOUD_SCC_ENABLED_PROJECT_ID
      

      Replace CLOUD_SCC_ENABLED_PROJECT_ID with the ID of a project in which Security Command Center is active at the project level or for which scans are enabled.

    3. Set the custom ID you want to use for a new service account, like scc-sa. The service account name must be between 6 and 30 characters, must begin with a letter, and must be all lowercase alphanumeric characters and hyphens:

      export SERVICE_ACCOUNT=CUSTOM_ID
      

      Replace CUSTOM_ID with an ID of your choosing.

    4. Set the path in which the service account key should be stored, like export KEY_LOCATION=/home/$USER/mykeys/$SERVICE_ACCOUNT.json:

      export KEY_LOCATION=FULL_PATH
      # This is used by client libraries to find the key
      export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION
      

Setting up a service account

To access Security Command Center programmatically, the client needs credentials for a service account. This guide uses a downloaded private key, which is a long-lived credential: if your client runs on Google Cloud, prefer attaching the service account to the workload instead, so that no key file has to be stored at all.

You also need to grant the securitycenter.admin IAM role to the service account. Depending on the level of access the service account needs, you can grant the role at project, folder, or organization level. securitycenter.admin is the broadest Security Command Center role; for a client that only reads findings or assets, grant one of the narrower roles listed in Access control instead.

  1. Create a service account that's associated with your project ID:

    gcloud iam service-accounts create $SERVICE_ACCOUNT  \
    --display-name "Service Account for USER"  \
    --project $PROJECT_ID
    

    Replace USER with the username of the person or entity that will use the service account.

  2. Create a key to associate with the service account. A user-managed key does not expire by default: it is written to the path you assigned to KEY_LOCATION and stays valid until you delete it from the service account. Anyone who can read that file can act as the service account, so keep it readable only by your own user and never commit it to source control.

    gcloud iam service-accounts keys create $KEY_LOCATION  \
    --iam-account $SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com
    
  3. Grant the service account the securitycenter.admin role for either the organization or the project, depending on the activation level of Security Command Center.

    • For organization-level activations:

      gcloud organizations add-iam-policy-binding $ORG_ID \
      --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --role='roles/securitycenter.admin'
      
    • For project-level activations:

      gcloud projects add-iam-policy-binding $PROJECT_ID \
      --member="serviceAccount:$SERVICE_ACCOUNT@$PROJECT_ID.iam.gserviceaccount.com" \
      --role='roles/securitycenter.admin'
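
The environment-variable and service-account steps above, as one script. This is an added example, not part of the original page: it wraps the same gcloud commands, enforces the service account ID rule the page states, chooses the binding target from the activation level, and creates the key file under a restrictive umask. The ACTIVATION_LEVEL and DRY_RUN variables, the helper function names and the sample values used in comments are assumptions of this example, not anything the page defines.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: runs the environment-variable
# and service-account steps end to end with the checks a practitioner wants.
# Assumptions not in the page: ACTIVATION_LEVEL ("organization" or "project")
# and DRY_RUN, which defaults to 1 and prints each command instead of running it.
set -euo pipefail

# Check the custom ID against the rule the page states: 6 to 30 characters,
# starting with a letter, lowercase letters, digits and hyphens only.
validate_sa_id() {
  local id="$1"
  [ "${#id}" -ge 6 ] && [ "${#id}" -le 30 ] || return 1
  printf '%s' "$id" | grep -Eq '^[a-z][a-z0-9-]*$'
}

# The e-mail address gcloud derives from the ID and the owning project.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# Resource the roles/securitycenter.admin binding goes on: the organization
# for organization-level activations, the project for project-level ones.
# Prints "<resource-type> <id>"; fails on any other level or a missing ID.
binding_args() {
  local level="$1" org="$2" project="$3"
  case "$level" in
    organization) [ -n "$org" ] || return 1; printf 'organizations %s\n' "$org" ;;
    project)      [ -n "$project" ] || return 1; printf 'projects %s\n' "$project" ;;
    *)            return 1 ;;
  esac
}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

setup_scc_sa() {
  local sa="$1" project="$2" org="$3" level="$4" key="$5"
  validate_sa_id "$sa" || { echo "invalid service account ID: $sa" >&2; return 1; }
  local email; email="$(sa_email "$sa" "$project")"
  # Resolve the binding target first so a bad activation level fails before
  # anything is created.
  local target
  target="$(binding_args "$level" "$org" "$project")" \
    || { echo "cannot bind role for activation level '$level'" >&2; return 1; }
  set -- $target   # $1 = organizations|projects, $2 = its ID

  run gcloud iam service-accounts create "$sa" \
    --display-name "Service Account for ${USER:-$(id -un)}" --project "$project"

  # The downloaded key is a long-lived credential: create it under umask 077
  # so it is never group- or world-readable, and pin the mode afterwards.
  run mkdir -p "$(dirname "$key")"
  ( umask 077; run gcloud iam service-accounts keys create "$key" --iam-account "$email" )
  run chmod 600 "$key"

  run gcloud "$1" add-iam-policy-binding "$2" \
    --member="serviceAccount:$email" --role=roles/securitycenter.admin
}

# Stand-alone use: export the variables from the page (ORG_ID, PROJECT_ID,
# SERVICE_ACCOUNT, KEY_LOCATION) plus ACTIVATION_LEVEL, then run this file;
# set DRY_RUN=0 to execute the commands instead of printing them.
if [ -n "${SERVICE_ACCOUNT:-}" ] && [ -n "${KEY_LOCATION:-}" ]; then
  setup_scc_sa "$SERVICE_ACCOUNT" "${PROJECT_ID:-}" "${ORG_ID:-}" \
    "${ACTIVATION_LEVEL:-project}" "$KEY_LOCATION"
fi
```

Run it once with DRY_RUN left at its default to review the exact commands and the binding target it picked, then again with DRY_RUN=0 in Cloud Shell. After the binding step, export GOOGLE_APPLICATION_CREDENTIALS=$KEY_LOCATION as in the environment-variable step so the client libraries find the key.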
      

Installing client libraries for Security Command Center

Python

To include the Security Command Center Python library as a dependency in your project, follow the process below:

  1. Optional: Before you install the Python library, we recommend using Virtualenv to create an isolated Python environment.

    virtualenv onboarding_example
    source onboarding_example/bin/activate
    
  2. Make sure pip is installed; it manages the Python library installation.

  3. Run the following commands to install the Python library:

    pip install google-cloud-securitycenter
    

Java

To include the Security Command Center Java library as a dependency in your project, select an artifact from the Maven repository.

Go

To download the Go library, run:

go get cloud.google.com/go/securitycenter/apiv1

Node.js

To install the Node.js library, run:

npm install --save @google-cloud/security-center

What's next

Using the SDK

Review the guides for all the features that Security Command Center supports:

SDK References

See the complete SDK references: