# Google GCP

The Dropzone AI platform integrates with GCP (Google Cloud Platform) APIs for ingesting alerts and enriching investigations with data from GCP such as VM and service account information. This document describes how to set up API credentials and install them into the Dropzone platform.

## Integration Overview

To enable these integrations you will perform the following actions:

* Determine which part of your GCP environment Dropzone should have visibility into
* Grant IAM access to the Dropzone service account
* Enable the Alert and Data sources

## Determine Dropzone Visibility Scope

Dropzone requires some IAM access to query your GCP environment.

You will later be granting the Dropzone service account access to a portion of your GCP environment, at either a folder level or for the whole organization.

For example, in the screenshot below, if you were to grant access via the `production` folder, then Dropzone would have access to the `Project FreezeRay` project and to any other folders or projects you add to `production` in the future. However, Dropzone would not have access to `alligator-apples`. If you grant access via the top-level org, `example.net`, then the access would apply to all folders and projects going forward.

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-6c993071532b8c9f107e8324afe369b1c198f520%2Fgcp-console-03.png?alt=media" alt=""><figcaption><p>Resource Selection</p></figcaption></figure>

When enabling the integration you will be supplying the ID of the top level folder or organization, and Dropzone will recurse through all objects thereunder when making Data Source queries.

When you've chosen your folder or org, record the ID value for use later in the Dropzone UI, where it is called "Parent Resource".

## Identify your service account email address

To obtain the email address of your Dropzone service account, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https\://*mycompany*.dropzone.app
* In the bottom left hand corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search GCP, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-a893fe9af85d768b0c82632d2d1e664a2240a0db%2Fapp_system_integrations_available_gcp.png?alt=media" alt=""><figcaption><p>The GCP Tile</p></figcaption></figure>

* Record the "SERVICE ACCOUNT EMAIL" field for use in the GCP Console interface

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-1807d20eab7dc763831697acec1874bafe0c9cc0%2Fui-gcp-data-source-service-account.png?alt=media" alt="" width="320"><figcaption><p>SERVICE ACCOUNT EMAIL</p></figcaption></figure>

## Grant GCP Access to Dropzone Service Account

* Go to the GCP cloud console at <https://console.cloud.google.com>

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-61bf6ef31d43021ccd2772c284509f1a28b747ae%2Fgcp-console-00.png?alt=media" alt=""><figcaption><p>Project Dropdown</p></figcaption></figure>

* Click the current project dropdown
* Click "All"
* Select the organization or the folder you've chosen for Dropzone visibility

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-6c993071532b8c9f107e8324afe369b1c198f520%2Fgcp-console-03.png?alt=media" alt=""><figcaption><p>Resource Selection</p></figcaption></figure>

* From the left menu, navigate to IAM & Admin > IAM

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-fe76d071ffc869a4b864d64f9864e940d7328bb0%2Fgcp-console-02.png?alt=media" alt=""><figcaption><p>IAM &#x26; Admin Menu</p></figcaption></figure>

* Under "New principals," input the email address you copied earlier from the Dropzone UI "SERVICE ACCOUNT EMAIL"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-dc566cab6e4ba234e6f57d7475dd6a2ca95c65ac%2Fgoogle-gcp-add-principles.png?alt=media" alt=""><figcaption><p>Input the email address from the Dropzone UI Service Account Email</p></figcaption></figure>

* Click "Select a role"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-bcc6bd3e6737c99906279ccf792d4bf957f9ec48%2Fgoogle-gcp-assign-roles.png?alt=media" alt=""><figcaption></figcaption></figure>

* Add the following roles:

| Role Name                                                                                                         | Purpose                                    | Used By                  |
| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | ------------------------ |
| [Security Center Admin Viewer](https://cloud.google.com/iam/docs/understanding-roles#securitycenter.adminViewer)  | View GCP entity details and configurations | Alert Source Integration |
| [Browser](https://cloud.google.com/iam/docs/understanding-roles#browser)                                          | View GCP resources                         | Data Source Integration  |
| [Cloud Asset Viewer](https://cloud.google.com/iam/docs/understanding-roles#cloudasset.viewer)                     | View cloud assets                          | Data Source Integration  |
| [Compute Viewer](https://cloud.google.com/iam/docs/understanding-roles#compute.viewer)                            | View compute resources                     | Data Source Integration  |
| [Folder Viewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderViewer)               | View folders                               | Data Source Integration  |
| [Logs Viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.viewer)                               | View GCP logs                              | Data Source Integration  |
| [Organization Role Viewer](https://cloud.google.com/iam/docs/understanding-roles#iam.roleViewer)\*                | View organization roles                    | Data Source Integration  |
| [Organization Viewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationViewer)\* | View organization resources                | Data Source Integration  |
| [Private Logs Viewer](https://cloud.google.com/iam/docs/understanding-roles#logging.privateLogViewer)             | View private logs                          | Data Source Integration  |
| [Security Reviewer](https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer)                   | Review security configurations             | Data Source Integration  |
| [Storage Object Viewer](https://cloud.google.com/iam/docs/understanding-roles#storage.objectViewer)               | View storage objects                       | Data Source Integration  |
| [Tag Viewer](https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.tagViewer)                     | View tags                                  | Data Source Integration  |

\* These roles should only be included if the top-level parent is an organization.

{% hint style="info" %}
Some of these roles are only necessary for the Data Source integration. If you don't intend to perform that integration, you may ignore them.
{% endhint %}

* Continue adding roles via the "Add another role" button until complete

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-d452bd5a6a4de7daae0d9ec63b87df6b196775b8%2Fgcp-console-05.png?alt=media" alt=""><figcaption><p>Add another role</p></figcaption></figure>

* Click "Save"
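
To confirm that the grant matches the role table, you can diff the saved IAM policy against it. The script below is an added example, not part of the Dropzone product or its documentation. It assumes the policy was exported as JSON (for instance with `gcloud organizations get-iam-policy` or `gcloud resource-manager folders get-iam-policy` and `--format=json`), takes the role IDs from the anchors of the role links in the table, and uses a constructed service account email and sample policy.

```python
import json

# Role IDs derived from the anchors of the role links in the table above.
COMMON = {
    "securitycenter.adminViewer", "browser", "cloudasset.viewer",
    "compute.viewer", "resourcemanager.folderViewer", "logging.viewer",
    "logging.privateLogViewer", "iam.securityReviewer",
    "storage.objectViewer", "resourcemanager.tagViewer",
}
ORG_ONLY = {"iam.roleViewer", "resourcemanager.organizationViewer"}  # starred rows


def audit_bindings(policy, sa_email, parent_type):
    """Diff the roles bound to sa_email against the table for this parent type."""
    member = f"serviceAccount:{sa_email}"
    wanted = COMMON | (ORG_ONLY if parent_type == "organization" else set())
    expected = {f"roles/{r}" for r in wanted}
    granted = {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}


# Constructed sample: a folder-level policy with one table role missing, plus
# an org-only role and a write-capable role granted by mistake.
SA = "dropzone-example@example-project.iam.gserviceaccount.com"  # placeholder
SAMPLE_POLICY = {"bindings": [
    {"role": f"roles/{r}", "members": [f"serviceAccount:{SA}"]}
    for r in sorted(COMMON - {"logging.privateLogViewer"})
] + [
    {"role": "roles/resourcemanager.organizationViewer",
     "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor",
     "members": [f"serviceAccount:{SA}", "user:admin@example.net"]},
    {"role": "roles/owner", "members": ["user:admin@example.net"]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_bindings(SAMPLE_POLICY, SA, "folder"), indent=2))
```

The policy returned for a folder or organization lists only the bindings set directly on that resource, so run the check against the same parent you selected in the console.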

## Enable GCP

The Alert Source integration allows Dropzone AI to pull alerts from GCP for investigation.

You'll need the following information:

| Dropzone Field  | Source                                                        |
| --------------- | ------------------------------------------------------------- |
| Parent Resource | The ID of the org or folder where you granted Dropzone access |

To enable the Alert Source integration, do the following:

* Navigate to your Dropzone AI tenant home page, e.g. https\://*mycompany*.dropzone.app
* In the bottom left hand corner, navigate to Settings > Integrations

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-b3f07f902b1402dadc7abbd8bb62f9c204547390%2Fui-integrations-dropdown.png?alt=media" alt=""><figcaption><p>Integrations Dropdown</p></figcaption></figure>

* Click "Available"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-434641ec6d4e45051842f86164f485d6bd289424%2Fapp_system_integrations_available.png?alt=media" alt=""><figcaption><p>Click Available</p></figcaption></figure>

* In the Search bar, search GCP, then click "Configure"

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-a893fe9af85d768b0c82632d2d1e664a2240a0db%2Fapp_system_integrations_available_gcp.png?alt=media" alt=""><figcaption><p>The GCP Tile</p></figcaption></figure>

* Under the Alert Source heading, input the "Parent Resource" ID
* Select the "Parent Resource Type" that matches the resource you've selected

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-bd859955692a83617b45624130259ac0af9fb0f1%2Fapp_system_integrations_available_gcp_alert_config_1.png?alt=media" alt=""><figcaption><p>The GCP Alert Source configuration (pt 1)</p></figcaption></figure>

* Input your desired poll interval and lookback

<figure><img src="https://435022081-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FmBVcKuiytGCsIDpL70BC%2Fuploads%2Fgit-blob-ce5c731e8ed0029ca3e9ae4779e009d10656ba37%2Fapp_system_integrations_available_gcp_alert_config_2.png?alt=media" alt=""><figcaption><p>The GCP Alert Source configuration (pt 2)</p></figcaption></figure>

* Click "Test & Save" to finish

You should begin ingesting alerts immediately.

If you encounter any errors or have questions, contact your Dropzone AI support representative.
