Onboarding a GCP Organization to Saner Cloud (Manual)
Pre-requisites
Make sure to log in to the GCP Console as a user with the Organization Administrator and Organization Role Administrator roles and the Editor role for the project where the Service Account is created, and make sure you have Super Admin access to the Google Workspace Admin Console.
Notes:
Make sure that the target Google Cloud Platform (GCP) project is linked to an active Billing Account before initiating onboarding. Without an active billing configuration, the onboarding process will not complete successfully.
Verify that the project where the Service Account gets created has fewer than 100 existing Service Accounts. Google Cloud Platform enforces a limit of 100 Service Accounts per project. If this limit is exceeded, onboarding fails.
Create a New Account in Saner Cloud
Step1: In the Control Panel, open the All Organizations drop-down menu and select the organization for which you want to create the new account.
Step2: To create a new account, click the New Account button on the top-right of the page.
Step3: Complete all the details required to create the New Account.
Provide the name of the cloud account
Key in a valid email address
Choose the account type “Cloud infrastructure” from the drop-down list
Choose the cloud provider as “GCP” from the drop-down list
Turn on the slider to provision the relevant tool for the account
Step4: Click the Create button.
The newly created account displays in the Accounts page within a tabular format with the following details:
Account Name
Email ID
Account Type
Subscription
Expiry Date
Action
Note: In the Action column, you can set up the mail settings for the corresponding account, edit the current account details, delete the account, and open the dashboard view of this account.
Setup
Step1: Log in to the Saner CNAPP platform.
Step2: Click on “Control Panel” and select the account that you have created following the steps in prerequisites.
Available Integration Methods
There are two ways to connect your GCP account with Saner CNAPP, listed in order of recommendation.
GCP CLI – Recommended
Fastest and most secure method
Automatically sets up all required permissions
Minimal manual configuration needed
Manual
Requires manual setup of permissions
Good for organizations requiring in-depth visibility of the onboarding process
Steps to Use the Manual Method (Organization level onboarding)
Step1: Under Saner CNAPP, click on “Onboard & Scan”.
Step2: Select “Manual”.
Step3: Log into your GCP account.
Enable GCP APIs
Ensure that all GCP Cloud APIs required for onboarding are enabled for your project. You can enable APIs as described in the following steps:
Step4: Log in to the Google Cloud Console and select the project that you want to use for creating the Service Account and for onboarding.
Click here to view which APIs are required to be enabled for onboarding. Navigate to “Enabled APIs and services” under “APIs and Services” to cross check.
Step5: To enable an API, go to “Library” under “APIs and Services,” search for the API, and click “Enable”.
Org Level Custom Role Creation
Step6: Click here to see the permissions that need to be added to the Custom Role. Switch to the Organization View, navigate to “Roles” under “IAM and Admin” and click on “Create role”.
Step7: Follow these steps:
Enter the “Title” with “Saner_CNAPP_Remediation_Role” as Prefix (e.g. Saner_CNAPP_Remediation_Role_xxxx_xxxx)
Enter the “ID” with “Saner_CNAPP_Remediation_Role” as prefix (e.g. Saner_CNAPP_Remediation_Role_xxxx_xxxx)
Click on “Add permissions”, and in the Filter section, copy and paste each of the permissions and click on “Add”.
After adding all permissions, click “Create” to complete the custom role creation.
Create Service Account
Step8: Follow these steps:
Switch to the project that you want to use for creation of Service Account.
Go to “IAM and Admin” and click on “Service Accounts”, then click on “Create service account”.
Step9: Enter the “Service Account” Name as sa-cnapp-<date> (e.g. sa-cnapp-16-03-2026) and a relevant description. Click on Done to create the Service Account.
Step10: Verify the service account creation by searching the name of the service account in search bar. Make sure to copy the Service Account Name and keep it handy.
GCP Service Account to Roles Binding
Step11: Ensure you have Organization Admin or Organization Role Admin permissions for org-level bindings.
Step12: Navigate to the Organization Page in Google Cloud Console. In “IAM” under “IAM and admin”, click on “Grant Access”.
Step13: Add the Name of the Service Account created in Step 9 in “New Principals” section.
Step14: Follow these steps:
Assign the roles such as Viewer, Organization Viewer, Folder Viewer
Also, assign the Custom Remediator Role “Saner_CNAPP_Remediation_Role_xxxx_xxxx”, created in Step 7.
Once assigned, click on Save.
Step15: To verify that the above steps were done successfully, switch to the Project where the Service Account was created. Navigate to “IAM” under “IAM and admin” and check that the Service Account has inherited the Viewer roles and the Custom Role (e.g. “Saner_CNAPP_Remediation_Role_xxxx_xxxx”) that were assigned to it at the Org Level.
Step16: If you wish to see the GCP Billing data in the Saner Cloud CSAE dashboard, click on Grant access and add the Name of the Service Account created in Step 9 in the “New Principals” section.
Assign the “BigQuery Data Viewer” and “BigQuery Job User” Roles to the Service Account. Otherwise, skip this step.
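One way to check the bindings from Steps 14 to 16 outside the console, added here as an example and not part of Saner's own tooling: the script audits an organization IAM policy exported with `gcloud organizations get-iam-policy <ORG_ID> --format=json`. The organization ID, project name, role suffix and sample policy are constructed; the role IDs are the standard IDs of the predefined roles named in the steps.

```python
import json

# Role IDs for the predefined roles named in Step 14 (required) and Step 16 (optional).
REQUIRED = {
    "roles/viewer": "Viewer",
    "roles/resourcemanager.organizationViewer": "Organization Viewer",
    "roles/resourcemanager.folderViewer": "Folder Viewer",
}
OPTIONAL = {"roles/bigquery.dataViewer", "roles/bigquery.jobUser"}
CUSTOM_PREFIX = "Saner_CNAPP_Remediation_Role"  # title/ID prefix from Step 7


def is_custom_remediation_role(role):
    # Org-level custom roles look like organizations/<org-id>/roles/<role-id>.
    return (role.startswith("organizations/")
            and role.rsplit("/", 1)[-1].startswith(CUSTOM_PREFIX))


def audit_bindings(policy, sa_email):
    """Compare the roles bound to one service account with the procedure."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return {
        "missing": sorted(n for r, n in REQUIRED.items() if r not in granted),
        "custom_role_bound": any(is_custom_remediation_role(r) for r in granted),
        # Anything beyond what the steps ask for is privilege drift to review.
        "unexpected": sorted(r for r in granted
                             if r not in REQUIRED and r not in OPTIONAL
                             and not is_custom_remediation_role(r)),
    }


# Constructed sample policy (organization ID, project and suffix are made up).
SA = "sa-cnapp-16-03-2026@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/resourcemanager.organizationViewer",
   "members": ["serviceAccount:%(sa)s", "user:admin@example.com"]},
  {"role": "organizations/123456789012/roles/Saner_CNAPP_Remediation_Role_ab12_cd34",
   "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/editor", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/resourcemanager.folderViewer", "members": ["user:admin@example.com"]}
]}
""" % {"sa": SA})

if __name__ == "__main__":
    print(json.dumps(audit_bindings(SAMPLE_POLICY, SA), indent=2))
```

On the sample policy the audit reports Folder Viewer as missing and flags the Editor binding, which the procedure never grants to the Service Account.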
Step17: To obtain the Private Key required for onboarding, go to the Service Account page and navigate to the “Keys” tab. Click on “Add Key” and select “Create new key”, choose the “Key type” as JSON and click on Create.
Step18: Once the key is generated, a popup message appears and the key is downloaded to the user’s local system. Click “Close” on the confirmation popup window.
Enable Domain Wide Delegation
Step19: The generated key file contains the information needed for onboarding, such as client_email, private_key and client_id.
The scopes mentioned in Step 21 need to be added to the Client ID of the Service Account by a Google Workspace Admin.
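A check for the downloaded key file before its values are copied into Saner and the Admin Console, added here as an example and not part of Saner's own tooling: it reads the fields named in Step 19, reports loose file permissions or malformed contents, and returns only the non-secret values. The function name and the sample key values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "client_email", "client_id", "private_key")


def inspect_key_file(path):
    """Return (summary, issues) for a service account JSON key file.

    The summary holds only the non-secret values used during onboarding;
    the private key itself is never returned or printed.
    """
    issues = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"file mode {mode:04o} exposes the key to group/other; use 0600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    issues += [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        issues.append(f"unexpected key type: {key['type']}")
    pem = key.get("private_key") or ""
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        issues.append("private_key is not a PEM block")
    email = key.get("client_email") or ""
    if email and not email.endswith(".iam.gserviceaccount.com"):
        issues.append("client_email is not a service account address")
    summary = {
        "client_email": email,                        # "Client Email" field in Saner
        "client_id": key.get("client_id"),            # Domain Wide Delegation entry
        "private_key_id": key.get("private_key_id"),  # identifies the key for rotation
    }
    return summary, issues


if __name__ == "__main__":
    # Constructed key file: every value is a placeholder, not a real credential.
    demo = {"type": "service_account", "client_id": "100000000000000000000",
            "client_email": "sa-cnapp-16-03-2026@example-project.iam.gserviceaccount.com",
            "private_key_id": "constructed-key-id",
            "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(demo, tmp)
    os.chmod(tmp.name, 0o644)   # simulate a key left readable in a downloads folder
    print(inspect_key_file(tmp.name))
    os.remove(tmp.name)
```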
Step20: Log in to admin.google.com and go to Security > Access and data control > API controls and click on Manage Domain Wide Delegation.
Step21: Follow these steps:
Click on “Add New”.
Enter the Client ID from Service Account Key File generated.
Add scopes mentioned below to the Client Id.
Note: The Scopes could be added one by one to separate fields or they could also be added in a single field with comma separated values.
Step22: Once all the Scopes are added, click on Authorize to update the scopes.
IMPORTANT: If you wish to see the GCP Billing data in the Saner Cloud CSAE dashboard, and the necessary BigQuery roles were added to the Service Account as part of Step 16, continue from Step 23 onwards. Otherwise, jump to Step 30 to complete the Onboarding Process.
[Optional] Steps to Enable Billing Export to BigQuery
Note: Keep a note of the Project ID, Dataset ID, Dataset Location and Billing Account ID, which you will need in the onboarding steps below.
Step23: Select the Project where the Service Account was created and navigate to the BigQuery Console.
Step24: In the left panel, click on the arrow to expand options under the Project ID and click on “Create dataset”.
Step25: Follow these steps:
Enter a Dataset name in a format such as “sanercloud_export_YYYYMMDD”.
Choose a location where you want the Dataset to be created (example: US, EU, us-central1, etc.).
Click on “Create data set”.
Step26: Navigate to the Billing Console and select the Billing Account which needs to be linked with the Dataset created in Step 25.
Step27: From the left-hand-side menu, click “Billing Export”.
Step28: Under “Detailed usage cost”, select the project where the Dataset was created, select the Dataset that was just created, and click on “Save”.
Step29: Onboarding Without and With Billing Information
1. Onboarding without Billing Information
Copy the details from the key file which was downloaded as part of Step 17.
Go to the Saner Onboard & Scan page.
Paste the “Client Email” and “Private Key” in the respective fields and provide the email ID of the Workspace Super Admin user in the field “Subject”.
Click on “Onboard Organization” to complete the Onboarding Process.
2. Onboarding with GCP Billing Information
Notes
Google Cloud billing data is added for the current and previous month, counted from the time the data starts populating in the dataset. During the first data backfill, it can take up to five days for your Cloud Billing data to begin exporting. You will start seeing your usage data only after this process is complete.
Wait 5 days for the first billing data to appear on your Saner Cloud Dashboard. Note that this is a one-time setup. After the data linking is done, new data is exported automatically. See the GCP Guide for more details. The “Billing Account ID” can be found in the “Billing account management” section.
Copy the details such as “Client Email” and “Private Key” from the key file which was downloaded as part of Step 17.
Get the email ID of the Workspace Super Admin user for the “Subject” field.
Collect the Project ID, Dataset ID, Dataset Location and Billing Account ID which were used in Step23 to Step28.
Go to the Saner Onboard & Scan page.
Paste the “Client Email” and “Private Key” in the respective fields and provide the email ID of the Workspace Super Admin user in the field “Subject”.
Enable “Collect GCP Billing Data” and fill in the respective “BillingProject ID”, “BillingDataset ID”, “Billing Account Id” and “Billing Location”.
Click on “Onboard Organization” to complete the Onboarding Process.
Step30: You have now completed the GCP Manual Onboarding.
The Scan Configuration page opens automatically so that you can make the settings needed to initiate the scan. You have the option to:
Validate credentials (Test Credentials button) to prevent scan failures due to authentication issues
Set up the scan schedule as needed
Start the scan, or pause the scan and then resume it from the point where it was paused
Best Practices
Regularly review and audit access permissions
Keep private keys secure and rotate them regularly
Document any custom configurations
Regularly verify integration status
Troubleshooting Guide
If you encounter any issues during the onboarding or deployment process, follow these steps to diagnose and resolve them efficiently.
Step1: Verify All Permissions Are Correctly Set
Ensure that the necessary IAM permissions are granted for the user or role performing the deployment. Missing or insufficient permissions may cause failures during onboarding.
Check IAM role assignments
Ensure the user has administrative privileges or the required set of permissions
Confirm that the APIs of the GCP services involved in the deployment have been enabled
Step2: Clean Up Previous Failed Onboarding Attempts
If you are retrying the onboarding process due to a previous failure, make sure all remnants of the prior attempt are removed before trying again.
Delete any incomplete Service Accounts created without any keys
Remove any IAM roles or permissions that may have been created in the failed attempt
Ensure there are no residual configurations that could cause conflicts in a new attempt
Step4: Confirm Required Roles Are Attached to the User
The onboarding process requires the user executing the deployment to have the correct IAM policies assigned. The required privileges include:
Organization Administrator – Ability to bind the Service Account at the Org Level
Organization Role Administrator – Permissions to create Custom Roles at the Org Level
Editor – Sufficient Permission to create a Service Account at the Project Level
Workspace Super Admin – Permission to add the necessary scopes for the client id generated
Step5: Contact Support if Issues Persist
If you have verified the above steps and are still facing issues, reach out to the support team for assistance.
Provide detailed logs and error messages
Mention the GCP services you are working with
Describe the steps already taken for troubleshooting