When you create a GCP Compliance, Audit Log, or GCR integration manually, it is important to enable the required APIs in the correct way in order for the integration to work as expected.
- For Project level integrations, the APIs need to be enabled only on the project where the Service Account was created.
- For Organization level integrations, the APIs need to be enabled across projects as described below.
Below the table are instructions for enabling the APIs.
| API Name | API URL | Enable API on | Integration(s) |
|---|---|---|---|
| BigQuery API | bigquery.googleapis.com | Project that hosts the Service Account AND Every project that the Service Account will access |
Compliance |
| Cloud DNS API | dns.googleapis.com | Project that hosts the Service Account | Compliance |
| Cloud Key Management Service (KMS) API | cloudkms.googleapis.com | Project that hosts the Service Account AND Every project that the Service Account will access |
Compliance |
| Cloud Logging API | logging.googleapis.com | Project that hosts the Service Account | Compliance |
| Cloud Pub/Sub API | pubsub.googleapis.com | Project that hosts the Service Account | Audit Log Compliance |
| Cloud Resource Manager API | cloudresourcemanager.googleapis.com | Project that hosts the Service Account | Audit Log Compliance GCR |
| Cloud Storage | storage-component.googleapis.com | Project that hosts the Service Account | Compliance |
| Cloud SQL Admin API | sqladmin.googleapis.com | Project that hosts the Service Account | Compliance |
| Compute Engine API | compute.googleapis.com | Every project that the Service Account will access | Compliance |
| Google Container Registry API | containerregistry.googleapis.com | Project that hosts the Service Account | GCR |
| Identity and Access Management (IAM) API | iam.googleapis.com | Project that hosts the Service Account | Audit Log Compliance |
| Kubernetes Engine API | container.googleapis.com | Project that hosts the Service Account | Compliance |
| Service Usage API | serviceusage.googleapis.com | Project that hosts the Service Account AND Every project that the Service Account will access |
Audit Log Compliance |
For each GCP project that you want to integrate with Lacework, enable each of the APIs listed in the above table by repeating the following steps:
Enable using GCP Console:
- Log in to the GCP Console and click
. - Select APIs & Services > Library.
In the Search for APIs & Services field, enter the API URL listed in the table above such as iam.googleapis.com.
Click on the result that matches the API name listed above, such as Identity and Access Management (IAM) API.
Click ENABLE.
If you are prompted to enable billing, click ENABLE BILLING.
- Repeat these steps for each GCP project that you want to integrate with and enable all APIs listed in the above table.
Enable using gcloud CLI:
Ensure that the gcloud config is set to use a Service Account with the permissions required to enable APIs.
For further information about enabling APIs, see Google Cloud's official documentation.
- Set the project that you wish to enable the APIs on:
bash gcloud config set project target_project
- Enable the required APIs for integration:
Audit Log:bash gcloud services enable pubsub.googleapis.com cloudresourcemanager.googleapis.com \ iam.googleapis.com serviceusage.googleapis.com
Compliance:bash gcloud services enable bigquery.googleapis.com dns.googleapis.com cloudkms.googleapis.com \ logging.googleapis.com pubsub.googleapis.com cloudresourcemanager.googleapis.com \ storage-component.googleapis.com sqladmin.googleapis.com compute.googleapis.com iam.googleapis.com \ container.googleapis.com serviceusage.googleapis.com
GCR:bash gcloud services enable cloudresourcemanager.googleapis.com containerregistry.googleapis.com
- Verify the APIs have been successfully enabled:
bash gcloud service list