GCP Compute Engine - User Guide

In this article, you will understand step by step how to easily integrate with GCP Compute Engine

The integration with GCP Compute Engine allows you to track the configurations of your GCP logging and accelerate your compliance goals. This integration will assist in satisfying the audit logging controls in the SOC 2 framework. 


All the permissions that are required for the integration with GCP IAM are read-only permissions and do not allow Scytale to perform any actions within your GCP account.

  • serviceusage.services.list
  • compute.zones.list
  • compute.instances.list
  • compute.disks.list

How to connect GCP Compute Engine integration?

Before connecting to GCP Compute Engine, the following APIs must be enabled in your Google Cloud project (each link opens the API's overview page in the console):

  1. https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview
  2. https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview
  3. https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview


Step 1: Create a role within the GCP Console

  • Log in to GCP Console
  • Select IAM & Admin
  • Select Roles
  • Click on "Create Role" - create a custom role for Scytale with the relevant permissions for the integration

  • Fill in the details:
    Title - Compute Engine Scytale
    ID - ScytaleCompute

  • Select "Add Permissions", then pick each of the required permissions listed at the top of this guide and add them:

      • serviceusage.services.list
      • compute.zones.list
      • compute.instances.list
      • compute.disks.list

  • Once all permissions have been added, a list of the assigned permissions will appear

  • Click on "Create"


Step 2: Create service account within GCP Console

  • Go to IAM & Admin
  • Select Service Accounts
  • Click on "Create service account"

  • Fill in the details:

    • Phase 1 - Service account details

      Service account name - scytale_compute 
      Service account ID - after writing the service account name, this field is automatically filled in
      Click "Create and continue"

    • Phase 2 - Grant service account access to role

      Select the role that you created in the previous step above (Compute Engine Scytale)
      Click "Continue"

    • Phase 3 - Grant users access to this service account (optional)
      No need to fill

  • Click on "Done"




Step 3: Generate JSON file

  • Go to IAM & Admin
  • Select Service Accounts. You can see the list of all the service accounts that you have.
  • Select the service account that you created in the previous step - scytale_compute
  • Go to the "Keys" tab

  • Click on "Add Key" and select the "Create new key" option

  • In "Key type", select JSON and "Create"

Copy the following fields from the JSON that was downloaded:

  • client_email - copy the value without the surrounding ""
  • private_key - verify that you included the whole value, including the "-----BEGIN PRIVATE KEY-----\n" header and the "\n-----END PRIVATE KEY-----\n" footer (the "\n" line breaks are part of the value)
  • project_id - copy the value without the surrounding ""
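A common failure at this step is pasting a private_key with the PEM markers or "\n" line breaks missing, or a value with its quotes still attached. The following added example (not part of this guide or of Scytale's software) reads a downloaded key file and checks those three fields before you paste them; the key JSON is a constructed sample with filler key material.

```python
import base64
import binascii
import json
import re

# Constructed sample with the shape of a downloaded service-account key JSON.
# The key body is filler, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "client_email": "scytale-compute@example-project-123.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIB" + "A" * 60
                   + "\n-----END PRIVATE KEY-----\n",
})

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"
REQUIRED = ("client_email", "private_key", "project_id")
EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

def load_key_fields(raw_json):
    """Parse the downloaded key file and pull out the three fields the form asks for."""
    data = json.loads(raw_json)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return {name: data.get(name) for name in REQUIRED}

def validate_key_fields(fields):
    """Return a list of problems; an empty list means the values can be pasted as-is."""
    problems = []
    for name in REQUIRED:
        value = fields.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{name}: missing or empty")
        elif value.startswith('"') or value.endswith('"'):
            problems.append(f"{name}: surrounding quotes must be removed")
    pem = fields.get("private_key") or ""
    # The form needs the PEM markers and the literal \n line breaks intact.
    if not pem.startswith(PEM_HEADER + "\n"):
        problems.append("private_key: must start with the BEGIN marker followed by \\n")
    if not pem.endswith("\n" + PEM_FOOTER + "\n"):
        problems.append("private_key: must end with \\n, the END marker and a final \\n")
    body = pem.replace(PEM_HEADER, "").replace(PEM_FOOTER, "").replace("\n", "")
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        problems.append("private_key: body is not valid base64 (truncated or edited?)")
    if isinstance(fields.get("client_email"), str) and not EMAIL_RE.match(fields["client_email"]):
        problems.append("client_email: not a *.iam.gserviceaccount.com address")
    return problems
```

Run `validate_key_fields(load_key_fields(open("key.json").read()))` on your own downloaded file; an empty list means the three values are complete and unquoted.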




Step 4: Log in to the Scytale web app

  • Click on the "Integrations" menu screen to the left

  • Click on the "Connect" button under the GCP Compute Engine icon

  • Paste the values copied from the JSON file in step 3 above: Client Email, Private Key, Project ID
  • Connection Name - used to differentiate between your connections, for instance when you manage multiple accounts or connect to the integration more than once. It is automatically titled (Connection 1, 2, 3, etc.), but you can change it to a custom name to make it easier to identify, for example: scytale-production-env.
  • Click on Connect