diff --git a/docs/getting-started/requirements.md b/docs/getting-started/requirements.md index 610989bd..07d4ef33 100644 --- a/docs/getting-started/requirements.md +++ b/docs/getting-started/requirements.md @@ -30,24 +30,6 @@ Those credentials must be associated to a user or role with proper permissions t > If you want Prowler to send findings to [AWS Security Hub](https://aws.amazon.com/security-hub), make sure you also attach the custom policy [prowler-security-hub.json](https://github.com/prowler-cloud/prowler/blob/master/permissions/prowler-security-hub.json). -## Google Cloud - -### GCP Authentication - -Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order): - -1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC) -2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal) -3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa) - -Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials: - - - Viewer - - Security Reviewer - - Stackdriver Account Viewer - -> `prowler` will scan the project associated with the credentials. - ## Azure Prowler for azure supports the following authentication types: 
@@ -97,3 +79,21 @@ Regarding the subscription scope, Prowler by default scans all the subscriptions - `Security Reader` - `Reader` + +## Google Cloud + +### GCP Authentication + +Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order): + +1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC) +2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal) +3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa) + +Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials: + + - Viewer + - Security Reviewer + - Stackdriver Account Viewer + +> `prowler` will scan the project associated with the credentials. diff --git a/docs/index.md b/docs/index.md index 2b8567ef..90c1a47a 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -256,25 +256,6 @@ prowler aws --profile custom-profile -f us-east-1 eu-south-2 See more details about AWS Authentication in [Requirements](getting-started/requirements.md) -### Google Cloud - -Prowler will use by default your User Account credentials, you can configure it using: - -- `gcloud init` to use a new account -- `gcloud config set account ` to use an existing account - -Then, obtain your access credentials using: `gcloud auth application-default login` - -Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument: - -```console -prowler gcp --credentials-file path -``` - -> `prowler` will scan the GCP project associated with the credentials. - -See more details about GCP Authentication in [Requirements](getting-started/requirements.md) - ### Azure With Azure you need to specify which auth method is going to be used: @@ -299,3 +280,22 @@ Prowler by default scans all the subscriptions that is allowed to scan, if you w ```console prowler azure --az-cli-auth --subscription-ids ... ``` + +### Google Cloud + +Prowler will use by default your User Account credentials, you can configure it using: + +- `gcloud init` to use a new account +- `gcloud config set account ` to use an existing account + +Then, obtain your access credentials using: `gcloud auth application-default login` + +Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument: + +```console +prowler gcp --credentials-file path +``` + +> `prowler` will scan the GCP project associated with the credentials. + +See more details about GCP Authentication in [Requirements](getting-started/requirements.md) 
diff --git a/docs/tutorials/gcp/authentication.md b/docs/tutorials/gcp/authentication.md new file mode 100644 index 00000000..f4f46d08 --- /dev/null +++ b/docs/tutorials/gcp/authentication.md @@ -0,0 +1,29 @@ +# GCP authentication + +Prowler will use by default your User Account credentials, you can configure it using: + +- `gcloud init` to use a new account +- `gcloud config set account ` to use an existing account + +Then, obtain your access credentials using: `gcloud auth application-default login` + +Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument: + +```console +prowler gcp --credentials-file path +``` + +> `prowler` will scan the GCP project associated with the credentials. + + +Prowler will follow the same credentials search as [Google authentication libraries](https://cloud.google.com/docs/authentication/application-default-credentials#search_order): + +1. [GOOGLE_APPLICATION_CREDENTIALS environment variable](https://cloud.google.com/docs/authentication/application-default-credentials#GAC) +2. [User credentials set up by using the Google Cloud CLI](https://cloud.google.com/docs/authentication/application-default-credentials#personal) +3. [The attached service account, returned by the metadata server](https://cloud.google.com/docs/authentication/application-default-credentials#attached-sa) + +Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the following roles to the member associated with the credentials: + + - Viewer + - Security Reviewer + - Stackdriver Account Viewer diff --git a/mkdocs.yml b/mkdocs.yml index 8f1840a5..e820260c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -51,6 +51,8 @@ nav: - Azure: - Authentication: tutorials/azure/authentication.md - Subscriptions: tutorials/azure/subscriptions.md + - Google Cloud: + - Authentication: tutorials/gcp/authentication.md - Developer Guide: tutorials/developer-guide.md - Security: security.md - Contact Us: contact.md
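Review bot: in docs/getting-started/requirements.md (hunk `@@ -97,3 +79,21 @@`), the relocated "GCP Authentication" section names the required roles only by display name (Viewer, Security Reviewer, Stackdriver Account Viewer) and does not say where they must be granted. The closing note says `prowler` scans the project associated with the credentials, so state that the roles are bound on that project and list the role IDs next to the display names so they can be applied from the CLI or IaC without guessing. While the block is being moved, "associated to a user or service account" should read "associated with".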
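Review bot: in docs/index.md (hunk `@@ -299,3 +280,22 @@`), the re-added "Google Cloud" section still ends with "See more details about GCP Authentication in [Requirements](getting-started/requirements.md)" even though this patch adds docs/tutorials/gcp/authentication.md; link to the new tutorial page here, or to both. The bullet "`gcloud config set account ` to use an existing account" has nothing after `account`, so the command as written is incomplete; add a placeholder for the account argument. The same applies to `prowler gcp --credentials-file path`, where `path` would read more clearly as an explicit placeholder for the JSON key file.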
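Review bot: the new docs/tutorials/gcp/authentication.md opens with "Prowler will use by default your User Account credentials", but the search order listed lower in the same file puts the GOOGLE_APPLICATION_CREDENTIALS environment variable first and the Google Cloud CLI user credentials second, so a reader with that variable exported will scan with a different identity than the first paragraph implies. Move the search-order list to the top, or reword the opening sentence to say the gcloud user credentials apply only when the variable is unset. The page also tells readers to generate and download Service Account keys in JSON format without any handling guidance; add a sentence on keeping the key file out of version control and restricting its file permissions, and mention that the attached service account (item 3 in the list) avoids a downloaded key altogether. Finally, the body is a verbatim copy of the sections kept in docs/index.md and docs/getting-started/requirements.md, and it carries over the empty argument in "`gcloud config set account `"; consider keeping one canonical copy and linking to it from the other two pages.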