Last Updated: 2021-02-05
Purpose
This article describes how to create access to the Google Cloud Platform portal from a HIAB.
Introduction
Outpost24’s Google Registries Scanning with Container Inspection allows you to discover and assess container images stored in Google Container Registry through a HIAB appliance. By configuring GCP APIs and a service account with appropriate access, the platform can pull images via OAuth tokens and analyze them for vulnerabilities. This integration brings container-level visibility into your security program while leveraging existing infrastructure and standardized authentication.
Requirements
To use the Google API, you need to ensure that the Cloud APIs are enabled.
- Log in to your Google Cloud account, open the left menu and select the APIs & Services > Library entry.
- Enter Cloud Resource Manager API in the search bar.
- Select the Cloud Resource Manager API to ensure it is enabled.
Configuring Google Container Registry
To run Container Inspection on a Google container registry, the registry must first be configured to provide access; that access is then configured on the Outpost24 HIAB.
- Open the Google Cloud Platform console and go to the IAM & Admin > Service Accounts console by clicking the entry in the top left menu.
- Create a service account with access to the Google Container Registry by clicking the CREATE SERVICE ACCOUNT button at the top.
- Fill in the settings for the service account and then click the CREATE button.
- Grant Container Registry access and then click the DONE button.
- Once the service account is created, create a key as follows.
- Choose the JSON format to generate the credentials and save them locally (they will be needed later when configuring GCP credentials in the OUTPOST24 software).
- Once you have created the service account with the JSON key type, create an authentication token as described in the Google documentation here: https://cloud.google.com/container-registry/docs/advanced-authentication#token
- Install the gcloud client and then run the following commands, replacing:
  - <ACCOUNT> with your account name in the format [USERNAME]@[PROJECT-ID].iam.gserviceaccount.com (this is the email parameter in the JSON key file)
  - <KEY_FILE> with the JSON key file you created in the previous step
Google gcloud command to generate an access token
gcloud auth activate-service-account <ACCOUNT> --key-file=<KEY_FILE>
gcloud auth print-access-token
Later on you will need to use the following parameters in the OUTPOST24 software to configure Google Container Registry:
- oauth2accesstoken as Username
- https://eu.gcr.io as Docker Registry
- the access token as Password
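The steps above can be wrapped in a script that checks the key file before it is used and confirms that the registry accepts the token before the values are entered on the HIAB. This is an added example, not Outpost24 or Google code. It assumes `gcloud` and `docker` are installed on the workstation, reads the account name from the `client_email` field of the key file, and uses hypothetical function names.

```shell
#!/usr/bin/env bash
# Added example (not Outpost24 or Google code): pre-flight checks around the
# two gcloud commands. Usage: ./gcr-token.sh <KEY_FILE> [REGISTRY]

# Print the client_email field of a service account JSON key (the <ACCOUNT>).
key_account() {
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Accept only a readable service account key with the expected e-mail form.
check_key_file() {
  local key="$1" account
  [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" \
    || { echo "$key is not a service account key" >&2; return 1; }
  account=$(key_account "$key")
  case $account in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "unexpected client_email: '$account'" >&2; return 1 ;;
  esac
  chmod 600 "$key"   # the key is a long-lived secret: owner read/write only
}

# Activate the account, mint a token, and confirm the registry accepts it.
main() {
  local key="$1" registry="${2:-https://eu.gcr.io}" token
  check_key_file "$key" || return 1
  gcloud auth activate-service-account "$(key_account "$key")" --key-file="$key" || return 1
  token=$(gcloud auth print-access-token) || return 1
  # Assumption: docker is available locally; the token is passed on stdin so
  # it does not appear in the process list or shell history.
  printf '%s' "$token" | docker login -u oauth2accesstoken --password-stdin "$registry" \
    || { echo "registry rejected the token" >&2; return 1; }
  docker logout "$registry" >/dev/null   # do not leave the credential stored locally
  echo "Username: oauth2accesstoken"
  echo "Docker Registry: $registry"
  echo "Password: $token"
}

[ "$#" -eq 0 ] || main "$@"
```

The access token is short-lived, so the Password value has to be regenerated and updated once it expires.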
Examples
Example of the gcloud command output:
Example of the OUTPOST24 software configuration.
Example of a Docker Discovery scan.
Reference
- https://cloud.google.com/container-registry/docs/pushing-and-pulling
- https://cloud.google.com/container-registry/docs/advanced-authentication#console
- https://cloud.google.com/container-registry/docs/advanced-authentication#token