GCP Collector Deployments

Collectors can be deployed directly on GCP using a template. Here are the details and security requirements for that installation.

Deploying a collector to a Google Cloud Platform Project

  1. Login to the BindPlane account to be used
  2. Navigate to the Collectors page
  3. Click the Add Collector button located at the top right of the page
2476

Collectors Page & Button to Add Collector

  1. For the platform, choose Google Cloud Platform
2470

Choosing a platform to deploy a BindPlane Collector

  1. Copy the install command that is provided
  2. Click the Open Cloud Shell button located directly beneath the install command.
828

Button that Launches the Google Cloud Shell

  1. Check to make sure that project that has been set for the shell session is the correct project where the collector is supposed to be deployed.
  2. Paste and execute the install command, then follow the instructions as they appear.

Network Requirements

Once the collector is installed it only needs the following network access:

  1. The ability to make outbound connections to all systems being monitored. This includes APIs for various cloud providers, if needed.

  2. The ability to make outbound connections to https://production.api.bindplane.bluemedora.com:443 to send collection data back to BindPlane, as well as to retrieve configuration information.

🚧

IP Address Fluctuation

The IP address of https://production.api.bindplane.bluemedora.com:443 can change. The endpoint can exist anywhere within the us-east-1 region on AWS.

To retrieve a list of subnets that are covered, run the following commands:

wget https://ip-ranges.amazonaws.com/ip-ranges.json

cat ip-ranges.json | jq '[.prefixes[]|select(.region=="us-east-1")]' | jq -r '.[].ip_prefix'> aws-useast1-ranges.txt

Least Privileged User

These are the minimum permissions needed to run the script to deploy the collector using the Google Cloud Deployment manager.

Collector Deployment LPU Permissions

compute.machineTypes.get
compute.machineTypes.list
compute.networks.list
compute.projects.get
compute.regions.list
compute.subnetworks.get
compute.subnetworks.list
compute.zones.list
container.deployments.get
deploymentmanager.deployments.create
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.get
deploymentmanager.manifests.list
deploymentmanager.operations.get
deploymentmanager.operations.list
deploymentmanager.resources.get
deploymentmanager.resources.list
resourcemanager.projects.get
resourcemanager.projects.list

Extremely Limited Least Privileged User

❗️

No attribute verification

This set of permissions will NOT allow the script to verify the attributes being passed into the script. Any misconfiguration will result in a failure of the deployment.

If all checks are removed from within the gcp_install.sh script, only the following permissions are required for the script to operate.

Collector Deployment Limited LPU Permissions

compute.subnetworks.get
compute.subnetworks.list
deploymentmanager.deployments.create
deploymentmanager.deployments.get
deploymentmanager.deployments.list
deploymentmanager.manifests.get
deploymentmanager.manifests.list
deploymentmanager.operations.get
deploymentmanager.operations.list
deploymentmanager.resources.get
deploymentmanager.resources.list

Creating a Google Cloud IAM Role

To create the Least Privileged User, or Limited LPU, a role needs to be created, using the permissions listed above.

  1. From the main menu within GCP, select the IAM & admin tab
  2. Click on the Roles option
1198

Steps 1 & 2

  1. Towards the top of the page, click on the + Create Role button
  2. Fill out the basic information for the form
  3. Click the + Add Permissions button
  4. Select the permissions that are required for the role.
  5. Click the Create button