Online Help

Creating Google Cloud segments

Preview

This topic describes how to create a Google Cloud segment that scans your Google Cloud Platform (GCP) environment to discover resources, so that you can later audit the ones you need.

NOTE: This feature is currently in preview and may change or evolve over time.

Google Cloud minimal permissions

Before creating a Google Cloud segment, prepare a service account with the minimal permissions required for resource discovery and auditing.

We recommend assigning the predefined Viewer role (roles/viewer). This basic role grants read-only access to resource metadata across all services in the project and cannot create, modify, or delete resources. Grant it only on the project(s) you intend to scan, not at the folder or organization level.

You will need a JSON key file for this service account when configuring the segment in AlloyScan. The key is a long-lived credential: store it securely, limit who can read it, and delete it from the service account's Keys tab once it is no longer needed.

Create a service account in Google Cloud
  1. Sign in to the Google Cloud Console.

  2. Go to IAM & Admin > Service Accounts.

  3. Click Create Service Account.

  4. Enter a name (for example, alloyscan-audit).

  5. Assign the Viewer role (roles/viewer).

  6. Complete the creation process.

Create a JSON key
  1. Open the created service account.

  2. Go to the Keys tab.

  3. Click Add Key > Create new key.

  4. Select JSON.

  5. Download the generated key file. You will upload this file when creating the segment.
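As an added example (not part of this documentation or of the AlloyScan product), the following Python script checks the two artifacts produced by the procedures above: it validates the structure of a downloaded service account JSON key before you upload it, and it reads the project IAM policy as printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` to confirm that the account holds roles/viewer and nothing broader. The key contents, the policy, the project name example-project and the account name alloyscan-audit are constructed sample data.

```python
"""Checks for the service account used by an AlloyScan Google Cloud segment.

Added example; not part of the AlloyScan documentation or product.
It inspects two artifacts from the procedures above:
  1. the downloaded service account JSON key file, before it is uploaded;
  2. the project IAM policy, as printed by
     `gcloud projects get-iam-policy PROJECT_ID --format=json`,
     to confirm the account is bound to roles/viewer and nothing broader.
All sample data below is constructed for the example.
"""
import json
import re

# The page recommends the basic Viewer role; anything beyond it is reported.
ALLOWED_ROLES = {"roles/viewer"}

# Fields Google writes into every service account JSON key.
REQUIRED_KEY_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# A PKCS#8 PEM block as found in the "private_key" field.
_PEM_RE = re.compile(
    r"-----BEGIN PRIVATE KEY-----\n[A-Za-z0-9+/=\n]+-----END PRIVATE KEY-----\n?"
)


def validate_key_file(text: str) -> list[str]:
    """Return the problems found in a service account key JSON; empty means OK."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    missing = REQUIRED_KEY_FIELDS - set(key)
    if missing:
        problems.append(f"missing fields: {sorted(missing)}")
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} is not a service account address")
    if not _PEM_RE.fullmatch(key.get("private_key", "")):
        problems.append("private_key is not a PEM-encoded private key")
    return problems


def audit_bindings(policy_text: str, member: str) -> dict:
    """Summarize the roles `member` holds in a project IAM policy.

    `member` uses IAM member syntax, e.g. "serviceAccount:<email>".
    Returns {"allowed": ..., "excess": ..., "missing": ...}: excess is every
    role beyond ALLOWED_ROLES, missing is any allowed role not actually held.
    """
    policy = json.loads(policy_text)
    held = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    return {
        "allowed": sorted(held & ALLOWED_ROLES),
        "excess": sorted(held - ALLOWED_ROLES),
        "missing": sorted(ALLOWED_ROLES - held),
    }


# --- constructed sample data (not real credentials) -----------------------
MEMBER = "serviceAccount:alloyscan-audit@example-project.iam.gserviceaccount.com"

SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIBsample\n-----END PRIVATE KEY-----\n",
    "client_email": "alloyscan-audit@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Shaped like `gcloud projects get-iam-policy` output; the audit account has
# been given Editor in addition to Viewer, which the check should flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": [MEMBER]},
        {"role": "roles/editor", "members": ["user:dev@example.com", MEMBER]},
    ],
    "etag": "BwXsampleEtag",
    "version": 1,
})

if __name__ == "__main__":
    print("key file:", validate_key_file(SAMPLE_KEY) or "OK")
    print("bindings:", audit_bindings(SAMPLE_POLICY, MEMBER))
```

If you prefer the CLI to the console, the equivalent of the two procedures is `gcloud iam service-accounts create alloyscan-audit`, then `gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:EMAIL" --role="roles/viewer"`, then `gcloud iam service-accounts keys create key.json --iam-account=EMAIL`; feed key.json and the `get-iam-policy` output to the two functions above. An "excess" entry such as roles/editor means the account was granted more than the page recommends and the binding should be removed before the key is uploaded.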

Create a Google segment

Follow these steps to set up a new Google segment and provide the credentials needed to scan and audit your cloud resources.

To create a Google segment:

  1. In the left navigation sidebar, choose Network.

  2. In the Network section, click the Segments tile.

  3. Click the + New Segment button.

  4. Select the Google icon and click Next to open the new segment's configuration parameters.

  5. In the Select or install Audit Service section, click the down arrow and choose a previously deployed Audit Service instance.

    TIP: If none of the registered services apply, click Download Alloy Audit Service to download a new Audit Service, and then run the installation package on a computer with internet access. Once the Alloy Audit Service is installed, it appears in the list above, so you can select it and continue with the configuration.

  6. Expand the Google section.

  7. The Name of the new segment is assigned automatically, but you can edit it if necessary.

  8. Under Available resources, select the cloud resources you want to scan.

  9. Expand the Credentials section and upload the JSON key file of the service account that the audit will use to access your Google Cloud environment.

    INFO: For details, refer to Segment audit credentials.

  10. Creating a Scan schedule is optional at this stage. Click Continue without a schedule to skip it, or choose a scan frequency (Daily, Weekly, or Monthly) and specify the details.

  11. The final step, Let's get started! Discover where to find the results, shows where to find the discovered resources.

    After you create the segment, it appears in the Network section and can be scanned either automatically on the schedule you set or on demand.

    The first scan performs discovery only, listing resources by name. To collect detailed information about a resource, you must run an audit. Audited resources are automatically added to the Inventory section.

    IMPORTANT: Scanning lists only resource names and does not count toward your licensed nodes. Auditing collects detailed information and does count. For details and best practices, see Scanning and auditing.

  12. To finalize the process, click Create.