Skip to main content

Syncing data from multiple Google Cloud Platform projects

Written by Hyperproof Support
Updated over 3 weeks ago

๐Ÿ“ Note

Hyperproof connects to many third-party systems that frequently change, including the system interface. Contact your System Administrator or the third-party provider for assistance in meeting the requirements to integrate with Hyperproof and collect the proof you need.

The Google Cloud Platform Hypersync can be used to collect data from a single project or all projects within an organization or resource folder.
โ€‹

The process of syncing data from multiple projects is fairly similar to the process for syncing data from a single project. The main difference is that there are additional permissions needed to find other resource types for which to collect data. Setting up your this way allows you to select an organization or folder in the resource hierarchy to sync data from all projects that are immediate descendants of that resource.

Creating a Hyperproof service account

Click to view instructions

  1. Open any GCP project.

  2. From the left menu, select IAM & Admin and then select Service Accounts.

  3. Use the resource selector to target the organization or folder containing the projects you want to get data for. The projects must be a direct descendant of the folder or organization. We suggest creating the role at the organization level, so the role can be assigned to the service account on any resource later on.

  4. Click Create Service Account.

    The Create service account page opens.

  5. Enter a name for the service account and, optionally, a description. We suggest using the name Hyperproof Service Account.

  6. Click Done.

Generating JSON credentials

Click to view instructions

  1. Select the service account you just created.

  2. Click Keys.

  3. Click Add Key and the select Create new key.

    The Create private key forโ€ฆ window opens.

  4. Select the JSON radio button and click Create.

  5. Save the JSON file in a secure location. Click Close.

Creating an IAM role for the service account

Click to view instructions

  1. From within your GCP organization, select IAM & Admin from the left menu.

  2. Select Roles.

  3. Use the resource selector to target the organization or folder containing the projects you want to get data for. The projects must be a direct descendant of the folder or organization. We suggest creating the role at the organization level, so the role can be assigned to the service account on any resource later on.

  4. Click Create Role.

  5. Enter a name for the role and, optionally, a description. We suggest using the name Hypersync Org Role.

  6. Click Add Permissions and assign the role the following permissions:

  • cloudsql.backupRuns.list

  • cloudsql.instances.list

  • compute.firewalls.list

  • compute.images.list

  • compute.instanceGroupManagers.list

  • compute.instanceTemplates.list

  • compute.instances.list

  • compute.regions.list

  • compute.snapshots.list

  • compute.sslPolicies.list

  • compute.zones.list

  • container.clusters.get

  • container.clusters.list

  • container.deployments.list

  • container.podSecurityPolicies.list

  • iam.roles.list

  • resourcemanager.folders.get

  • resourcemanager.folders.getIamPolicy

  • resourcemanager.folders.list

  • resourcemanager.organizations.get

  • resourcemanager.organizations.getIamPolicy

  • resourcemanager.projects.get

  • resourcemanager.projects.getIamPolicy

  • resourcemanager.projects.list

  • storage.buckets.get

  • storage.buckets.list

  1. Click Create.

Adding the role to the service account

Click to view instructions

  1. From within your GCP organization, select IAM & Admin from the left menu.

  2. Select IAM.

  3. Use the resource selector to target the organization or folder containing the projects you want to get data for. The projects must be a direct descendant of the folder or organization.

  4. Click Add.

  5. Enter the email address associated with the service account.

    ๐Ÿ’ก Tip

    The email address should populate once you begin typing.

  6. From the Select a role drop-down menu, select the role you created in the previous section.

  7. Click Save.

Turning on APIs

Click to view instructions

Search for the following APIs in the project the service account was created in and turn them on:

  • Identity and Access Management (IAM) API

  • Cloud Resource Manager API

Turn on the following APIs for each project you want to retrieve data from. For example, if you select a folder to retrieve data from, you need to turn on these APIs in every project that is an immediate descendant of that folder.

  • Compute Engine API

  • Cloud Storage API

Related Articles
AWS proof types and permissions
Google Cloud Platform proof types
Google Workspace Platform proof types and permissions
Syncing multiple AWS accounts across a single Hypersync
Syncing data from a single Google Cloud Platform project
Did this answer your question?