
GCP Configuration Guide




© 2025 Sonrai Security. All rights reserved.

Overview

Learn how to add accounts to fully enable Sonrai's cloud monitoring capabilities for your GCP organization(s).

Pre-Deployment Prerequisites

Required

Review and implement the required prerequisites before progressing to Account configuration:


Adding Accounts - Onboarding Your GCP Organization

How do I onboard a GCP organization in the Accounts section of the Cloud Permissions Firewall?

In the left-hand navigation menu, click Manage > Accounts.

Click to add a new account, and click Google Cloud. The GCP flow is then displayed, ready for you to begin onboarding.

GCP Organizations

The Cloud Permissions Firewall requires a main Service Account that it can impersonate to monitor your cloud. This Service Account is created in a GCP project of your choosing.

During onboarding, Sonrai will bind roles to that Service Account at the Organization-level. This allows convenient discovery and protection of all Projects in your Organization.

Sonrai Service Account Creation

Log in to your GCP Organization.

In GCP Console, locate the specific Project ID that will be used for Sonrai onboarding, and copy this value.

tip

We recommend creating a new Project specifically for your Sonrai Service Account configuration.

In the Sonrai application, paste the Project ID you copied earlier into the available box and click to continue. CPF will use the value you specified to create a custom script for your Project.

note

The CLI command to download your customized script is unique to your organization, and must be copied from the onboarding wizard.

Note that the download location provided isn't permanent; if you don't continue with the configuration process, you may need to re-generate this script to download the file.

Use one of the following options to run the custom script:

  • Click on the link provided in the Sonrai onboarding wizard to download your script, and run it manually using the GCP CLI.
  • Use the GCP Cloud Shell terminal (inside the Project you created for the Sonrai Service Account), and copy and paste the commands shown by the Sonrai onboarding wizard to automatically download and run the custom script for your organization:

    wget "https://sonrai-crc-cloud-artifacts.s3.amazonaws.com/populated/gcp/<... CUSTOMIZED FOR YOUR ORG ...>" -O sonrai_onboarding.sh

    bash ./sonrai_onboarding.sh

Click to confirm that the script has configured your Service Account correctly, and onboarding is ready to begin.

Click to begin onboarding your GCP Organization.


Supplementary visuals

In your GCP Console, locate the project you created for the Sonrai Collector and confirm the Project ID in the related Dashboard:


Return to the Account Onboarding screen in your Sonrai application, paste in the Project ID, and click to continue.


Sonrai uses the Project ID you submit to customize a script that will create the GCP Service Account for your organization, set up required logging, and allow Sonrai to impersonate the service account. Once generation is complete, you can download the script using either the link or the CLI command provided.


In your GCP Console, use Cloud Shell within the Project you created for the Sonrai Service Account to run the customized script (bash ./sonrai_onboarding.sh) and complete your GCP configuration.


This script will go through the following steps, checking at each step if the related resources already exist:

  • Service account creation
  • Organization detection
  • Project detection
  • Service account tagging
  • Custom role creation
  • IAM role assignments
  • API Enablement
  • Audit PubSub setup
  • Audit Log Sink setup
  • POD PubSub setup
  • POD Log Sink setup
  • Token creation setup
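A post-onboarding review of what was bound at the organization level, as an added example that is not part of this guide or of Sonrai's script: it parses the JSON returned by `gcloud organizations get-iam-policy ORG_ID --format=json`, lists every role bound to the collector service account, and flags basic roles (owner/editor) that a least-privilege monitoring identity should not carry. The organization ID, project ID, service account name and custom role name are placeholders, and the sample policy is constructed (it deliberately includes an over-broad binding so the check fires).

```python
import json

# Constructed sample in the shape of `gcloud organizations get-iam-policy ORG_ID --format=json`.
# Organization ID, project ID, service account and custom role name are placeholders.
SAMPLE_ORG_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:sonrai-collector@my-sonrai-project.iam.gserviceaccount.com"]},
        {"role": "organizations/123456789/roles/sonraiCustomRole",
         "members": ["serviceAccount:sonrai-collector@my-sonrai-project.iam.gserviceaccount.com"]},
        # Over-broad binding, constructed to show the check firing.
        {"role": "roles/owner",
         "members": ["user:admin@example.com",
                     "serviceAccount:sonrai-collector@my-sonrai-project.iam.gserviceaccount.com"]},
    ]
})

SONRAI_SA = "serviceAccount:sonrai-collector@my-sonrai-project.iam.gserviceaccount.com"
BASIC_ROLES = {"roles/owner", "roles/editor"}  # primitive roles: never for a collector


def bindings_for_member(policy_json, member):
    """Return the sorted list of roles bound to `member` in an IAM policy document."""
    policy = json.loads(policy_json)
    return sorted(
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    )


def review_service_account(policy_json, member):
    """Classify the member's roles: custom (org/project-defined) roles vs basic roles to flag."""
    roles = bindings_for_member(policy_json, member)
    return {
        "roles": roles,
        "custom": [r for r in roles if "/roles/" in r],   # organizations/... or projects/... custom roles
        "basic": [r for r in roles if r in BASIC_ROLES],  # should be empty for a least-privilege SA
    }


if __name__ == "__main__":
    report = review_service_account(SAMPLE_ORG_POLICY, SONRAI_SA)
    for role in report["roles"]:
        print(f"bound: {role}")
    if report["basic"]:
        print(f"WARNING: basic roles bound to collector: {report['basic']}")
```

Run it in Cloud Shell against the live policy by piping the gcloud output into `review_service_account` instead of the constructed sample.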

Once the Cloud Shell script finishes, return to your Sonrai application and click to confirm that your GCP organization is properly configured and ready to proceed.


Click to complete the setup process and have Sonrai begin the discovery process for your organization.


Post-Deployment

Discovery can take anywhere from 10 minutes to ~24 hours to complete, depending on the size of your GCP Organization and the number of Projects added. As information is collected and processed by Sonrai, the Services page will begin to populate with entries.

tip

While you wait for cloud ingestion to complete, take a look at how the Cloud Permissions Firewall works.