Pre-Configuration
Google Cloud Project
Identify or create a new Google Cloud Project where the Protegrity solution will be installed. It is recommended to create a new project. This provides greater security controls and avoids conflicts with other applications that might impact regional account limits. An individual with the Owner role will be required for some of the subsequent installations.
Google Project ID: ___________________
Google Project Number: ___________________
Google Cloud Region: ___________________
Key Management Service
The Google Cloud Key Management Service (KMS) provides Protegrity Serverless solution the ability to encrypt and decrypt the Protegrity Security Policy.
To create KMS Key Ring and Asymmetric Encryption Master Key:
Log in to Google Account and select project where Protegrity service will be installed.
Navigate to Security > Key Management.
Select Create key ring.
Specify key ring name. For example, protegrity-policy-keyring.
select Key ring location which corresponds to the region where Protegrity solution will be installed.
Note
A key’s location impacts the performance of protect service.Select Create.
Select CREATE KEY to create encryption key.
Specify key name. For example, protegrity-policy-key.
under Purpose selection, select Asymmetric Decrypt .
Select Key Algorithm. For example, 3072-bit RSA with OAEP Padding and SHA256 digest.
Select Create.
Once the key is created, a screen opens on the key. If the screen does not appear, click on the key name.
Then click on the elipses under Actions that is next to the key version.
Select Copy Resource Name and record the value below, e.g., projects/{project-id}/locations/region/keyRings/{key-ring}/cryptoKeys/{key-name}/cryptoKeyVersions/1
Policy Encryption Key Version Resource Name: ___________________
Google Cloud Storage
Cloud Storage buckets are required for the Gen 2 Cloud Function sources, the Terraform backend, and the deployment of the Protegrity installation artifacts. It is recommended that you create 3 separate buckets to separate files used for different purposes. If you cannot create 3 separate buckets, you may reuse a bucket for multiple purposes.
Create the buckets:
Run the cloud command below to enable the Google Storage Transfer API.
gcloud services enable storagetransfer.googleapis.comCreate the Gen 2 Cloud Function sources bucket. This bucket is not required if you will be deploying to Gen 1 Cloud Functions. The bucket name much match the example below. Replace the <gcp-project-number> and <region> placeholders.
gcf-v2-sources-<gcp-project-number>-<region>Use the following gcloud command to obtain project number
gcloud projects describe <gcp-project-id> --format='value(projectNumber)'Create the deployment bucket or reuse an existing bucket. This bucket is used during the installation process to store the Protegrity installation artifacts.
Deployment Bucket Name:___________________
Create the Terraform backend bucket or reuse an existing bucket. This bucket is used by Terraform to store information about your Cloud Protect installation, and will be used if you upgrade to a later version of Cloud Protect in the future.
Terraform Backend Bucket Name:___________________
Note
You may delete the deployment bucket after you’ve completed the installation. A deployment bucket is required for upgrades, but it can be recreated at that time. The Terraform backend files must be retained for upgrading your Cloud Protect deployment in the future.Cloud Functions Service Accounts
Cloud Functions use the service accounts created in this deployment. You can create Service accounts manually or use the Protegrity Terraform installation script to create one. Each service account requires specific permissions, which must be granted through IAM roles. Run the following steps to create service accounts and configure the required IAM access. If you use Terraform scripts, skip these steps.
Agent Function IAM Role
To create Agent Function IAM Role:
Log in to Google Account and select project where Protegrity service will be installed.
Navigate to IAM & Admin > Roles, Select CREATE ROLE.
Specify role name and description.
Select ADD PERMISSIONS.
Select the following permissions:
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeyVersions.viewPublicKey
- secretmanager.versions.access
- storage.objects.get
- storage.objects.create
- storage.objects.delete
- storage.objects.list
- storage.objects.update
- storage.buckets.get
- cloudfunctions.functions.get
- cloudfunctions.functions.update
- cloudfunctions.functions.sourceCodeGet
- cloudfunctions.functions.sourceCodeSet
- iam.serviceAccounts.actAs
Click Add and then Create.
Alternatively, you can run the following command from the Cloud Shell Terminal.
gcloud iam roles create role-id \
--project=project-id \
--title=role-title \
--description=role-description \
--permissions=cloudkms.cryptoKeyVersions.useToEncrypt,\
cloudkms.cryptoKeyVersions.viewPublicKey,\
secretmanager.versions.access,\
storage.objects.get,\
storage.objects.create,\
storage.objects.delete,\
storage.objects.list,\
storage.objects.update,\
storage.buckets.get,\
cloudfunctions.functions.get,\
cloudfunctions.functions.update,\
cloudfunctions.functions.sourceCodeGet,\
cloudfunctions.functions.sourceCodeSet,\
iam.serviceAccounts.actAs \
--stage=GA
role-id
is the name of the role, such as ptyProtectRole.
project-id
is the name of the project, such as my-project-id.
role-description
is a short description of the role, such as “My custom role description”.
Sample output:
Created role [role-id].
description: role-description
etag: *****************
includedPermissions:
- cloudfunctions.functions.get
- cloudfunctions.functions.sourceCodeGet
- cloudfunctions.functions.sourceCodeSet
- cloudfunctions.functions.update
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeyVersions.viewPublicKey
- iam.serviceAccounts.actAs
- secretmanager.versions.access
- storage.buckets.get
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
- storage.objects.update
name: projects/{project-id}/roles/{role-id}
stage: GA
title: role-title
Agent Service Account
To create Agent Service Account:
Log in to Google Account and select project where Protegrity service will be installed.
Navigate to IAM & Admin > Service Accounts.
Select CREATE SERVICE ACCOUNT.
Specify service account name and description.
Select Create and Continue.
In the next step, click Select Role.
Select Custom and select the role created above .
Click Done.
Once the service account is created, the screen should open on the service account. If the screen does not appear, refresh the page with the service account list and select the service account created.
Record the full email. For example, service-account-name@project-id.iam.gserviceaccount.com
Agent Function Service Account Email: ___________________
Protect Function IAM role
To create Protect Function IAM role:
Log in to Google Account and select project where Protegrity service will be installed.
Navigate to IAM & Admin > Roles, Select CREATE ROLE.
Specify role name and description.
Select ADD PERMISSIONS.
Select the cloudkms.cryptoKeyVersions.useToDecrypt permission.
Click Add and then Create.
Protect Service Account
To create Protect Service Account:
Log in to Google Account and select the project where Protegrity service will be installed.
Navigate to IAM & Admin > Service Accounts.
Select CREATE SERVICE ACCOUNT.
Specify service account name and description.
Select Create and Continue.
In the next step, click Select Role. Then select Custom and select the role created above .
Click Done.
Once the service account is created, the screen should open on the service account. If the screen does not appear, refresh the page with the service account list and select the service account created.
Record the full email. For example, service-account-name@project-id.iam.gserviceaccount.com.
Protect Function Service Account Email: ___________________
Feedback
Was this page helpful?