This documents the steps to configure Prisma Cloud Agentless Scanning for GCP Projects, using the Same Account model, with Prisma Cloud Compute credentials.
In this document, the GCP Project, its Service Account, and its Prisma Cloud Account use the same name. Doing so creates a one-to-one mapping of projects, accounts, resources, and filenames. This mapping is not required, but results in a simple series of steps. Because the name is used as both a Project ID and a Service Account ID, it must be 6 to 30 characters of lowercase letters, digits, and hyphens, starting with a letter and not ending with a hyphen (underscores are not allowed).
Set the following environment variable (locally, or in CloudShell) to define the name of the Project:
export PROJECT_NAME=example-project
Optionally, create the Project:
# export PROJECT_BILLING_ACCOUNT="ABCDE-12345-FGHIJ"
# gcloud projects create ${PROJECT_NAME}
# gcloud billing projects link ${PROJECT_NAME} --billing-account ${PROJECT_BILLING_ACCOUNT}
Enable the APIs required by Agentless Scanning:
gcloud config set project ${PROJECT_NAME}
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable deploymentmanager.googleapis.com
Create the Service Account, then create and download a Service Account Key. The JSON key is a long-lived credential that carries whatever permissions the Service Account is later granted, so store it as you would a password and delete the local copy once it has been pasted into Prisma Cloud:
gcloud config set project ${PROJECT_NAME}
gcloud iam service-accounts create ${PROJECT_NAME} --display-name="Prisma Cloud Service Account for Agentless Scanning"
gcloud iam service-accounts keys create ${PROJECT_NAME}-service_account_key.json --iam-account=${PROJECT_NAME}@${PROJECT_NAME}.iam.gserviceaccount.com
[ "${GOOGLE_CLOUD_SHELL}X" == "trueX" ] && cloudshell download ${PROJECT_NAME}-service_account_key.json
In Prisma Cloud Compute > Cloud Accounts, onboard the Project:
- Click Add Account
- In the Service Account field, paste the contents of the Service Account Key for the Project
- Leave the API Key field blank
- Click Next
- Enable Agentless Workload Scanning
- Click Download (this downloads the permission templates, ${PROJECT_NAME}_templates.tar.gz)
- Select Advanced Settings > Scanning Type > Same Account
- Optionally configure other Agentless settings
- Click Next
- Optionally configure other settings
The Jinja templates provided by Prisma Cloud are applied via Deployment Manager, which runs as the Google APIs Service Agent principal (${PROJECT_NUMBER}@cloudservices.gserviceaccount.com). That principal must hold the Roles > Role Administrator (roles/iam.roleAdmin) and IAM > Security Admin (roles/iam.securityAdmin) roles while the templates are deployed. Both roles are highly privileged (Security Admin can grant any role in the Project), so add them only for the deployment:
gcloud config set project ${PROJECT_NAME}
export PROJECT_NUMBER=$(gcloud projects describe ${PROJECT_NAME} --format="value(projectNumber)")
gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects add-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
Those roles can be removed after deploying the Jinja templates.
Apply the permission templates downloaded from Prisma Cloud:
gcloud config set project ${PROJECT_NAME}
tar -xzf ${PROJECT_NAME}_templates.tar.gz
gcloud deployment-manager deployments create pc-agentless-hub-user-local --project ${PROJECT_NAME} --template ${PROJECT_NAME}_target_user_permissions.yaml.jinja
Test Agentless scanning.
Optionally, create an instance to scan:
# gcloud config set project ${PROJECT_NAME}
# gcloud compute instances create ${PROJECT_NAME}-agentless-test-instance --machine-type=e2-micro --zone=us-central1-a
In Prisma Cloud, in Compute > Cloud Accounts, test Agentless Scanning:
- Click Start Agentless Scan
- Monitor the scan, via Job Progress, or summarized in the list of Cloud Accounts
- Verify Agentless scan results in Compute > Monitor > Vulnerabilities > Hosts
Remove the roles required to deploy the Jinja templates:
gcloud config set project ${PROJECT_NAME}
gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.roleAdmin
gcloud projects remove-iam-policy-binding ${PROJECT_NAME} --member=serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin
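Two of the steps above are easy to get wrong silently: a PROJECT_NAME that is not a legal Project ID and Service Account ID (the underscore case), and a cleanup that leaves one of the temporary Deployment Manager roles bound to the Google APIs Service Agent. The following added check script is not part of the Prisma Cloud documentation or product; it validates the name against the GCP naming rules and audits an IAM policy in the JSON format that `gcloud projects get-iam-policy --format=json` emits. The policy embedded below is constructed for illustration, and the `fetch_policy` helper is an assumed wrapper around that gcloud command for live use.

```python
"""Added check for the Same Account onboarding steps above (not Prisma Cloud's own code).

validate_project_name(): PROJECT_NAME is used as a Project ID, a Service
Account ID and a filename prefix, so it must satisfy the stricter of the
GCP rules: 6-30 characters, lowercase letters, digits and hyphens, starting
with a letter and not ending with a hyphen. Underscores are rejected.

leftover_deploy_roles(): parse the JSON output of
`gcloud projects get-iam-policy PROJECT --format=json` and return any of
the temporary Deployment Manager roles still bound to the Google APIs
Service Agent, so the final cleanup step can be verified.
"""
import json
import re
import subprocess

PROJECT_NAME_RE = re.compile(r"^[a-z][-a-z0-9]{4,28}[a-z0-9]$")

# Roles granted only so Deployment Manager can apply the Jinja templates.
TEMP_DEPLOY_ROLES = {"roles/iam.roleAdmin", "roles/iam.securityAdmin"}


def validate_project_name(name: str) -> bool:
    """True if NAME is usable as both a GCP Project ID and a Service Account ID."""
    return PROJECT_NAME_RE.match(name) is not None


def leftover_deploy_roles(policy_json: str, project_number: str) -> list:
    """Return the temporary roles still bound to the Google APIs Service Agent.

    An empty list means the cleanup step succeeded for this project.
    """
    agent = f"serviceAccount:{project_number}@cloudservices.gserviceaccount.com"
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        if binding.get("role") in TEMP_DEPLOY_ROLES and agent in binding.get("members", []):
            found.append(binding["role"])
    return sorted(found)


def fetch_policy(project: str) -> str:
    """Live use (assumed helper): fetch the project's IAM policy via gcloud."""
    return subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", project, "--format=json"], text=True
    )


# Constructed sample policy, not captured from a real project: the
# Security Admin binding was removed but Role Administrator was not.
SAMPLE_PROJECT_NUMBER = "123456789012"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": [f"serviceAccount:{SAMPLE_PROJECT_NUMBER}@cloudservices.gserviceaccount.com"]},
        {"role": "roles/iam.roleAdmin",
         "members": [f"serviceAccount:{SAMPLE_PROJECT_NUMBER}@cloudservices.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com"]},
    ],
    "etag": "BwXsample=",
    "version": 1,
})

if __name__ == "__main__":
    for candidate in ("example_project", "example-project"):
        print(candidate, "valid" if validate_project_name(candidate) else "invalid")
    print("leftover roles:", leftover_deploy_roles(SAMPLE_POLICY, SAMPLE_PROJECT_NUMBER))
```

Run it against a live project by replacing SAMPLE_POLICY with `fetch_policy(project)` and the sample number with the value of PROJECT_NUMBER from the steps above; a non-empty result means the Google APIs Service Agent still holds a role that lets it create roles or rewrite the project's IAM policy.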
- You can speed up testing by creating VMs in just one Region, and configuring Prisma Cloud to scan only that Region via Custom Regions.
- You cannot use a default subnet (or specify a custom subnet via Subnet) provided by a Shared VPC (https://prismacloud.ideas.aha.io/ideas/PANW-I-4147).
- If the APIs are not enabled or the Roles are not added, the gcloud deployment-manager deployments create command will fail. If so, enable the APIs, add the Roles, and retry the command, replacing create with update if you receive a "deployment already exists" error.