Connect your Google Cloud Platform Environment
From the list of platforms, select Google Cloud Platform.
You will be prompted with the following two options to connect your GCP environment:
- Service Account (Recommended)
- Google Sign-In
Service Account (Recommended)
STEP 1 – CREATE A SERVICE ACCOUNT
Sign in to the GCP Console and click on IAM & Admin/Service Accounts.
Select the project where you want to create the Service Account (you will then be able to grant the appropriate permissions on the other projects to the same service account).
Click on Create Service Account and enter the Service Account Name (e.g., Cloudockit). Then click on Create.
Select the role Project/Viewer.
Click on Continue.
Click on Create Key and select JSON.
Click on Create.
Save the file locally.
To save the service account, click Done.
STEP 2 – ACTIVATE THE APPROPRIATE APIs
Since Cloudockit uses the Cloud Resource Manager API to list all the projects, you need to enable this API in order for Cloudockit to view your resources. You also need to activate other APIs (see the complete list below), depending on the workloads you want to document.
Please note that these APIs need to be activated in the project where you created your service account (created in Step 1).
To do so, click on API & Services and then click on Enable APIs and Services.
In the search box, enter Resource Manager.
Click on Cloud Resource Manager API and ENABLE.
Once you have activated this API, you should also activate the APIs that Cloudockit uses to automatically generate the documents and diagrams:
- Compute Engine API
- Kubernetes Engine API
- Cloud Resource Manager
- App Engine Admin
- Cloud Pub/Sub
- Cloud Spanner API
- Dataflow API
- Cloud Bigtable Admin
- Cloud SQL Admin API
- Cloud IoT API
- Google Cloud Memorystore for Redis API
- Cloud Functions API
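The following Python script is an added example, not Cloudockit's own code: it reconciles the list above against the services actually enabled in the project, using the JSON shape produced by `gcloud services list --enabled --format=json`, and prints the `gcloud services enable` commands for whatever is missing. The mapping from the display names in the list to service names (`compute.googleapis.com` and so on) is an assumption of this example, as is the sample enabled-services output embedded inline.

```python
import json

# Display name as shown in the Cloud Console -> Service Usage service name.
# These service names are assumptions of this example, not taken from the page.
REQUIRED_APIS = {
    "Cloud Resource Manager API": "cloudresourcemanager.googleapis.com",
    "Compute Engine API": "compute.googleapis.com",
    "Kubernetes Engine API": "container.googleapis.com",
    "App Engine Admin API": "appengine.googleapis.com",
    "Cloud Pub/Sub API": "pubsub.googleapis.com",
    "Cloud Spanner API": "spanner.googleapis.com",
    "Dataflow API": "dataflow.googleapis.com",
    "Cloud Bigtable Admin API": "bigtableadmin.googleapis.com",
    "Cloud SQL Admin API": "sqladmin.googleapis.com",
    "Cloud IoT API": "cloudiot.googleapis.com",
    "Google Cloud Memorystore for Redis API": "redis.googleapis.com",
    "Cloud Functions API": "cloudfunctions.googleapis.com",
}

# Constructed sample in the shape of `gcloud services list --enabled --format=json`
# (only the fields this script reads). The project number is made up.
SAMPLE_ENABLED_JSON = json.dumps([
    {"config": {"name": "cloudresourcemanager.googleapis.com",
                "title": "Cloud Resource Manager API"},
     "name": "projects/123456789012/services/cloudresourcemanager.googleapis.com",
     "state": "ENABLED"},
    {"config": {"name": "compute.googleapis.com", "title": "Compute Engine API"},
     "name": "projects/123456789012/services/compute.googleapis.com",
     "state": "ENABLED"},
    {"config": {"name": "container.googleapis.com", "title": "Kubernetes Engine API"},
     "name": "projects/123456789012/services/container.googleapis.com",
     "state": "ENABLED"},
    # A service present in the listing but not ENABLED must not count as enabled.
    {"config": {"name": "sqladmin.googleapis.com", "title": "Cloud SQL Admin API"},
     "name": "projects/123456789012/services/sqladmin.googleapis.com",
     "state": "DISABLED"},
])


def enabled_services(services_json: str) -> set:
    """Return the set of service names whose state is ENABLED."""
    return {
        entry["config"]["name"]
        for entry in json.loads(services_json)
        if entry.get("state") == "ENABLED"
    }


def missing_apis(services_json: str, required=REQUIRED_APIS) -> list:
    """Return (display name, service name) pairs that still need enabling."""
    enabled = enabled_services(services_json)
    return sorted(
        (title, name) for title, name in required.items() if name not in enabled
    )


def enable_commands(project_id: str, missing: list) -> list:
    """Build the gcloud commands an operator would run to close the gap."""
    return [
        f"gcloud services enable {name} --project {project_id}"
        for _, name in missing
    ]


if __name__ == "__main__":
    gaps = missing_apis(SAMPLE_ENABLED_JSON)
    for title, name in gaps:
        print(f"missing: {title} ({name})")
    for cmd in enable_commands("my-project", gaps):  # project id is a placeholder
        print(cmd)
```

Run it against real output by replacing `SAMPLE_ENABLED_JSON` with the contents of `gcloud services list --enabled --format=json --project PROJECT_ID`; because Step 2 requires the APIs in the project that owns the service account, that is the project to pass.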
STEP 3 – LOG IN TO CLOUDOCKIT
When you are prompted for GCP authentication, select Service Account.
Click on Browse and select the JSON file you downloaded in the previous step.
Click on Login. You should now see your GCP account.
Note: Google Cloud does not allow OAuth 2 user authentication for the cloud-platform read-only scope. You should use a Service Account to ensure you receive all the information (this is why it is recommended).
Google Sign-In
To use your Google Account, you simply need to log in with the Google Account that has the required privileges on your Google Cloud project.
Permissions and Privileges
To generate documentation using Cloudockit, only the Viewer role is required at the project level.
To drop off documentation in storage, the credentials used to generate the documentation must have the following permissions:
- storage.buckets.get and storage.objects.create
GCP SECURITY COMMAND CENTER
To read information from the GCP Security Command Center through the compliance rules, the credentials used to generate the documentation must have roles/securitycenter.adminViewer.
BILLING INFORMATION
Cloudockit supports billing information extraction only in JSON output format.
Cloudockit uses a BigQuery dataset to retrieve the billing information.
To get the billing information into your documentation, you need to:
- Ensure the Service Account you are using has read permission on the BigQuery dataset where the billing information is stored.
- Enter the following information in the Billing Details section of the Workload tab (this information is found under Google Cloud Console/Billing/Billing Export/Daily cost detail/Dataset name):
  - Dataset that contains the billing data: specify the name of the BigQuery dataset that contains the billing data.
  - Table that contains the billing data: specify the name of the BigQuery table that contains the billing data.
GOOGLE KUBERNETES ENGINE
The credentials used to generate the documentation must have the Kubernetes Engine Service Agent role, on the Kubernetes cluster only. This allows Cloudockit to connect to the cluster and retrieve the details.
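As an added example (not Cloudockit's code), the Python script below checks two things a practitioner wants to confirm before handing the key from Step 1 to any tool: that the downloaded JSON file really is a service-account key with the fields such a key carries, and that the project IAM policy (in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`) grants the service account the Viewer role described under Permissions and Privileges and the `roles/securitycenter.adminViewer` role needed for Security Command Center, without also granting broad roles such as Owner or Editor that the documentation task does not need. The project id, service-account email, key values and policy are all constructed samples; the Kubernetes Engine Service Agent and BigQuery dataset grants are bound on the cluster and dataset rather than the project, so a project-policy audit like this one cannot see them.

```python
import json

# Constructed identifiers; replace with your own project and service account.
PROJECT_ID = "my-project"
SA_EMAIL = f"cloudockit@{PROJECT_ID}.iam.gserviceaccount.com"
SA_MEMBER = f"serviceAccount:{SA_EMAIL}"

# Fields present in a service-account key file; the values below are placeholders.
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email", "token_uri",
)
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": PROJECT_ID,
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL,
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

BASELINE_ROLE = "roles/viewer"           # the page's minimum for documentation
FEATURE_ROLES = {                        # optional roles named on the page
    "Security Command Center compliance rules": "roles/securitycenter.adminViewer",
}
BROAD_ROLES = {"roles/owner", "roles/editor"}  # far beyond what documentation needs

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX0placeholder=",
    "bindings": [
        {"role": "roles/viewer",
         "members": [SA_MEMBER, "user:alice@example.com"]},
        {"role": "roles/editor",
         "members": [SA_MEMBER]},
        {"role": "roles/securitycenter.adminViewer",
         "members": ["group:secops@example.com"]},
    ],
}


def validate_key_file(key: dict) -> list:
    """Return a list of problems with a downloaded key file (empty means it looks right)."""
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if "private_key" in key and "BEGIN PRIVATE KEY" not in key["private_key"]:
        problems.append("private_key is not a PEM private key")
    if "client_email" in key and not key["client_email"].endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role the policy binds to the given member."""
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_policy(policy: dict, sa_email: str) -> dict:
    """Compare the service account's project roles with what the page asks for."""
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "roles": sorted(roles),
        "baseline_ok": BASELINE_ROLE in roles,
        "too_broad": sorted(roles & BROAD_ROLES),
        "missing_features": sorted(
            feature for feature, role in FEATURE_ROLES.items() if role not in roles
        ),
    }


if __name__ == "__main__":
    print("key file problems:", validate_key_file(SAMPLE_KEY) or "none")
    print(json.dumps(audit_policy(SAMPLE_POLICY, SA_EMAIL), indent=2))
```

In the constructed policy the service account holds Viewer (the documented baseline) but also Editor, which the audit reports under `too_broad`; the Security Command Center role is bound only to a group, so it shows up under `missing_features` for the account Cloudockit will actually use.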