How to Onboard a GCP Billing Account

This topic explains how to onboard a Google Cloud Platform (GCP) Billing Account into CoreStack.

Pre-onboarding

There are certain prerequisites that need to be set up in your GCP project before it can be onboarded into CoreStack.

GCP Projects can be onboarded as a Billing Account. Onboarding a Billing Account allows you to discover the cost information of all linked GCP Projects. 

Permissions

The following permissions must be configured in your GCP Project before onboarding.

API access:

  • Enable API Access for Cloud Resource Manager API, Cloud Services API, Cloud Billing API, and Security Command Center API in the API & Services – Library screen.

User account permissions:

  • A user account must be created with the following permissions.
    • For Assessment: Project Viewer (Read only)
    • For Assessment + Governance: Project Editor (View and Modify).
    • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
    • Operations Governance: Logging Admin & Pub/Sub Admin. 

Service account permissions:

  • A service account must be created with the following permissions.
    • For Assessment: Project Viewer (Read only)
    • For Assessment + Governance: Project Editor (View and Modify).
    • Security Command Center Access: Either Security Center Admin or Security Center Admin Viewer role is required for security vulnerability and compliance.
    • Operations Governance: Logging Admin & Pub/Sub Admin. 

Billing Account Prerequisites:

  • Project Editor role or BigQuery admin role is required for BigQuery dataset associated with the billing account.
  • Enable Cloud Billing export to BigQuery dataset (Billing Account Administrator role is required to enable Cloud Billing export).
  • Enable BigQuery Data Transfer Service API.
  • Create a BigQuery dataset for storing the daily cost detail data.
  • Create a Bucket for BigQuery data transfer (under the same GCP Project where BigQuery is created).

Retrieving Onboarding Information from GCP Console

Based on the authentication protocol to be used in CoreStack, the following information must be retrieved from the GCP console.

1. OAuth2 Based:

The following values must be generated/copied from your GCP Project and configured in CoreStack.

Client ID & Client Secret:

  1. Login to the GCP console.
  2. Navigate to Credentials screen.
  3. Click Create credentials and select OAuth client ID.
  4. Select Web application in the Application type field.
  5. Specify the following URI in the Authorized redirect URIs by clicking the Add URI button: https://corestack.io/.
  6. Click Create button. The Client ID and Client secret values will be displayed.

Scope: The OAuth 2.0 scope for the GCP project is: https://www.googleapis.com/auth/cloud-platform.

Project ID:

The project ID is a unique identifier for a project and is used only within the console.

  1. Navigate to Projects screen in the GCP console.
  2. The Project ID will be displayed next to your GCP project in the project list.

Redirect URI: The following redirect URI that is configured while creating the client ID and client secret must be used: https://corestack.io/.

Authorization Code:

The authorization code must be generated with user consent and required permissions.

  1. Construct a URL in the following format: https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=<Client ID>&redirect_uri=<Redirect URI>&scope=https://www.googleapis.com/auth/cloud-platform&prompt=consent&access_type=offline
  2. Open an InPrivate or Incognito browser window and access the above URL.
  3. Login using your GCP credentials.
  4. The page will be redirected to the Redirect URI, but the address bar will have the Authorization Code specified after “code=”.

Note: Replace <Client ID> and <Redirect URI> in the URL format with the values retrieved in the earlier steps.
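The following is an added example, not CoreStack's or Google's code, covering steps 1 and 4: it builds the consent URL with every parameter URL-encoded and extracts the value after "code=" from the redirected address, decoding it and rejecting a redirect that landed elsewhere or carries an error. The function names and the sample client ID are hypothetical.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def build_consent_url(client_id, redirect_uri):
    """Return the URL from step 1 with every parameter URL-encoded."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "prompt": "consent",
        "access_type": "offline",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def extract_authorization_code(address_bar_url, redirect_uri):
    """Return the decoded value after "code=" in the redirected URL (step 4)."""
    got, expected = urlsplit(address_bar_url), urlsplit(redirect_uri)
    # Accept the code only if the browser landed on the registered redirect URI.
    if (got.scheme, got.netloc, got.path or "/") != (
        expected.scheme, expected.netloc, expected.path or "/"
    ):
        raise ValueError("redirect did not land on the registered redirect URI")
    query = parse_qs(got.query)  # parse_qs also percent-decodes the values
    if "error" in query:
        raise ValueError("consent was not granted: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values; substitute your own Client ID.
    print(build_consent_url("1234-constructed.apps.googleusercontent.com",
                            "https://corestack.io/"))
    print(extract_authorization_code(
        "https://corestack.io/?code=4%2F0AbC-constructed", "https://corestack.io/"))
```

The authorization code is often percent-encoded in the address bar, so paste the decoded value the second function returns.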

Copy these details and provide them while onboarding your GCP Project into CoreStack using the OAuth2 option.

2. Service Account Based:

A service account must be created in your GCP Project. You need to create a service account key and download it as a JSON file. The Project ID must also be retrieved from your GCP Project.

How to Download the Credentials File (JSON):

  1. Navigate to Credentials screen.
  2. Click Create credentials and select Service account. The Create service account page appears.
  3. Provide the necessary details to create a service account: Name, ID, Description.
  4. Click Create button.
  5. Click Select a role to select the required roles.
  6. Click Continue button.
  7. Click Create key.
  8. Select JSON as Key type.
  9. Click Create button. A JSON key file will be downloaded.
  10. Click Done.

Project ID: Refer to the steps in the Project ID topic of the OAuth2 Based section.

Provide the JSON and Project ID while onboarding the GCP Project in CoreStack using the Service Account option.
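Before handing over the key file, the roles bound to its service account can be compared with the ones listed under "Service account permissions". This is an added example, not CoreStack's code: the function name and sample data are hypothetical, the role IDs are the GCP identifiers for the role names on this page, and placing Logging Admin and Pub/Sub Admin with Assessment + Governance is an assumption.

```python
import json

# Role IDs for the role names listed under "Service account permissions".
# Assumption: Logging Admin and Pub/Sub Admin belong with Assessment + Governance.
REQUIRED = {
    "assessment": {"roles/viewer"},
    "assessment+governance": {"roles/editor", "roles/logging.admin", "roles/pubsub.admin"},
}
SCC_ROLES = {"roles/securitycenter.admin", "roles/securitycenter.adminViewer"}

# Constructed sample inputs: a key file with the private key redacted, and a project
# IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json`.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-billing-project",
    "private_key": "<redacted>",
    "client_email": "corestack-reader@example-billing-project.iam.gserviceaccount.com",
})
_SA = "serviceAccount:corestack-reader@example-billing-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": [_SA, "user:admin@example.com"]},
    {"role": "roles/securitycenter.adminViewer", "members": [_SA]},
    {"role": "roles/editor", "members": [_SA]},
]})


def audit_service_account(key_json, policy_json, access_type):
    """Report documented roles that are missing and bound roles the page does not list."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    member = "serviceAccount:" + key["client_email"]
    granted = {b["role"] for b in json.loads(policy_json).get("bindings", [])
               if member in b.get("members", [])}
    missing = sorted(REQUIRED[access_type] - granted)
    if not granted & SCC_ROLES:  # either Security Center role satisfies the page
        missing.append("roles/securitycenter.admin or roles/securitycenter.adminViewer")
    return {"project_id": key["project_id"], "missing": missing,
            "unexpected": sorted(granted - REQUIRED[access_type] - SCC_ROLES)}


if __name__ == "__main__":
    print(audit_service_account(SAMPLE_KEY, SAMPLE_POLICY, "assessment"))
```

With the sample data, an Assessment-only onboarding reports `roles/editor` as unexpected, which is the binding to remove before the key is shared.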

3. Billing Account:

In addition to the prerequisites explained earlier, there are a few additional values that must be generated/copied from your GCP Billing Account and configured in CoreStack.

Bucket Name:

  1. Login to the GCP console.
  2. Navigate to the Storage Browser screen.
  3. Click Create bucket. Create bucket screen appears.
  4. Provide a unique value in the Name your bucket field along with the other details required to create the bucket.
  5. Click Create button.
  6. Copy the value provided in the Name your bucket field.

Billing Account ID:

  1. Login to the GCP console.
  2. Navigate to Manage Billing Accounts screen.
  3. Click My Projects. The list of projects will be displayed.
  4. Copy the Billing Account ID for the required projects.

Dataset ID of the BigQuery dataset:

  1. Login to the GCP console.
  2. Navigate to the BigQuery screen.
  3. Select your project in the Explorer section.
  4. Click Create dataset. Create dataset screen appears.
  5. Provide a unique value in the Dataset ID field and a region in the Data location field along with the other details required to create the dataset.
  6. Click Create dataset button.

Copy the value provided in the Dataset ID field, then enable Cloud Billing data export to the created BigQuery dataset:

  1. Navigate to the Billing screen.
  2. Click Manage billing accounts and select your Billing Account.
  3. Click Billing export.
  4. Navigate to BigQuery export tab.
  5. Enable Daily cost detail in this tab to allow exporting of your detailed Cloud Billing usage and cost data.
  6. Click Edit settings button.
  7. Select your project from the Projects list.
  8. Select the created BigQuery dataset from the Dataset ID list.
  9. Click Save.

Provide these details in CoreStack for Billing Account onboarding along with either the OAuth2 or Service Account information explained above, based on your Authentication Protocol selection.

Onboarding

The following steps need to be performed to onboard a GCP Billing Account.

  1. Click Add New button in the CoreStack dashboard and select Single Account.
  2. Click Start Now.
  3. Select GCP option in the Public Cloud field.
  4. Click Get Started button.
  5. Select the required option in the Access Type field. The options are: Assessment and Assessment + Governance.
  6. Select the Billing Account option in the Account Type field. 
  7. Select the required option in the Authentication Protocol field. The options are: OAuth2 and Service Account.
  8. Click Next.
  9. Provide the necessary details explained in the Pre-onboarding section, based on the option selected in the Authentication Protocol field: either Client ID, Client Secret, Scope, Project ID, Redirect URI, Authorization Code, Bucket Name, Billing Account ID and Dataset ID, or Bucket Name, Billing Account ID, Dataset ID, Project ID and Credentials File (JSON).
  10. Click Validate button.
  11. The Advanced Settings section will be displayed with additional fields (Name and Scope). 
  12. Modify the prepopulated name of the account in the Name field, if required.
  13. Select the required option in the Scope field. The options are: Account, Private, and Tenant. 
  14. Click I’m Done button. 

The GCP Project will be onboarded successfully into CoreStack. Relevant insights and information about the resources available in the GCP Project will be populated under each of the cloud governance pillars in CoreStack.