Google Cloud Platform (GCP)

Follow these steps to set up a Read-Only Access Service Account on Google Cloud Platform (GCP).

Step 1: Log in to Google Cloud Console

Go to the Google Cloud Console.
Sign in with your administrator account.

Step 2: Create a Service Account

Navigate to IAM & Admin → Service Accounts.
Click Create Service Account.
Provide a Name (e.g., nebu-readonly).
Click Create and Continue.

Step 3: Assign the Predefined `Viewer` Role

Under Grant this service account access to the project, click Add Role.
Search for the predefined role:
- roles/viewer
Select the Viewer role and click Continue.

Step 4: Generate and Download a JSON Key

After creating the service account, go to the Keys tab.
Click Add Key → Create New Key.
Choose JSON format and download the file securely.

Step 5: Enable Required APIs

# Enable required APIs (Batch 1 - Core APIs)
gcloud services enable \
  compute.googleapis.com \
  storage-api.googleapis.com \
  storage-component.googleapis.com \
  sqladmin.googleapis.com \
  container.googleapis.com \
  cloudfunctions.googleapis.com \
  run.googleapis.com \
  pubsub.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  iam.googleapis.com \
  cloudkms.googleapis.com \
  dns.googleapis.com \
  redis.googleapis.com \
  secretmanager.googleapis.com \
  cloudresourcemanager.googleapis.com \
  bigquery.googleapis.com \
  serviceusage.googleapis.com \
  file.googleapis.com \
  dataflow.googleapis.com \
  --project=YOUR_PROJECT_ID

# Enable remaining APIs (Batch 2)
gcloud services enable \
  binaryauthorization.googleapis.com \
  --project=YOUR_PROJECT_ID

Step 6: Create Custom Read-Only Storage Role

NEBU needs storage.buckets.getIamPolicy permission, which isn't included in roles/storage.objectViewer. We'll create a minimal custom role:

# Create custom read-only storage role
gcloud iam roles create nebuStorageReadOnly \
  --project=YOUR_PROJECT_ID \
  --title="NEBU Storage Read-Only Scanner" \
  --description="Minimal read-only permissions for storage Compliance & Security" \
  --permissions="storage.buckets.list,storage.buckets.get,storage.buckets.getIamPolicy,storage.objects.list,storage.objects.get"

🛡️ Step 7: Apply Read-Only Permissions

# 1. Core Service Usage (CRITICAL - needed for all APIs)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/serviceusage.serviceUsageConsumer"

# 2. Project-level viewer access (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/viewer"

# 3. Custom read-only storage permissions
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="projects/YOUR_PROJECT_ID/roles/nebuStorageReadOnly"

# 4. IAM security reviewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/iam.securityReviewer"

# 5. Cloud SQL viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudsql.viewer"

# 6. Compute Engine viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/compute.viewer"

# 7. GKE viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/container.viewer"

# 8. Cloud Functions viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudfunctions.viewer"

# 9. Cloud Logging viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/logging.viewer"

# 10. Pub/Sub viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/pubsub.viewer"

# 11. KMS viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/cloudkms.viewer"

# 12. Secret Manager viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/secretmanager.viewer"

# 13. BigQuery metadata viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/bigquery.metadataViewer"

# 14. Cloud Run viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/run.viewer"

# 15. Cloud DNS reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/dns.reader"

# 16. Monitoring viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/monitoring.viewer"

# 17. Binary Authorization reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/binaryauthorization.attestorsViewer"

# 18. Cloud Filestore viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/file.viewer"

# 19. Cloud Dataflow viewer (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/dataflow.viewer"

# 20. Memorystore Redis reader (read-only)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
  --role="roles/redis.viewer"

Final Step: Use the JSON Key in NEBU Initialization

Use the values from the downloaded JSON key file in NEBU’s initialization process.
NEBU will securely use this key to analyze your cloud environment with read-only permissions.

PreviousMulti-Account / Control Tower NextDigitalOcean

Last updated 7 months ago

hashtagStep 1: Log in to Google Cloud Console

hashtagStep 2: Create a Service Account

hashtagStep 3: Assign the Predefined Viewer Role

hashtagStep 4: Generate and Download a JSON Key

hashtagStep 5: Enable Required APIs

hashtagStep 6: Create Custom Read-Only Storage Role

hashtag🛡️ Step 7: Apply Read-Only Permissions

hashtagFinal Step: Use the JSON Key in NEBU Initialization