GCP Configuration

Overview

Overmind's GCP infrastructure discovery capability provides comprehensive visibility into your Google Cloud Platform resources through secure, read-only access. Our solution uses Google Cloud's native Identity and Access Management (IAM) system with service account-based authentication to ensure both security and operational efficiency.

Why Service Account-Based Access?

Overmind implements a cross-platform direct access model using dedicated Google Cloud Service Accounts, which offers several key advantages:

  • Enhanced Security: Each customer receives a unique service account with minimal, read-only permissions
  • Audit Trail: All access is logged through Google Cloud's audit logging system
  • Granular Control: You maintain complete control over permissions and can revoke access at any time
  • No Shared Credentials: No API keys or shared credentials that could be compromised
  • Google-Native Security: Leverages Google Cloud's robust IAM system and security controls

This approach aligns with Google Cloud's security best practices and provides enterprise-grade security for infrastructure discovery operations.

How It Works

When you create an Overmind GCP source:

  1. A dedicated service account is created in Overmind's GCP project
  2. You grant this service account read-only permissions in your GCP project(s)
  3. Overmind uses this service account to discover and map your infrastructure
  4. All operations are read-only and logged through Google Cloud's audit system

Prerequisites

Before beginning the setup process, ensure you have:

  • GCP Project Access: Project IAM Admin role or equivalent permissions to grant IAM roles
  • Required Tools: One of the following: the gcloud CLI (for the shell script option) or Terraform (for the Terraform option)
  • Project Information: Your GCP Project ID where Overmind will discover resources
  • Regional Scope: List of GCP regions where your resources are located (mandatory for source configuration)

Authentication Setup

Ensure your local environment is authenticated with Google Cloud:

# Authenticate with Google Cloud
gcloud auth login

# Set your default project
gcloud config set project YOUR_PROJECT_ID

# Verify authentication
gcloud auth list

For Terraform users, configure Application Default Credentials (ADC):

gcloud auth application-default login

Step-by-Step Setup

Step 1: Create Your Overmind GCP Source

  1. Navigate to the Overmind application
  2. Go to Settings > Sources > Add Source > GCP
  3. Configure your source:
    • Project ID: Your GCP Project ID
    • Name: A descriptive name for this source (optional: defaults to "GCP Source for project YOUR_PROJECT_ID")
    • Regions: Specify the regions where your resources are located (mandatory)
  4. Click Create Source

You will be redirected to View Source Details, where you will find instructions to grant permissions to the Overmind service account. Important: Copy the service account email displayed on the View Source Details page; you will need it for the next step.

This service account will be referred to as OVERMIND_SA_EMAIL throughout the guide.

Step 2: Grant Permissions to Overmind Service Account

Overmind requires specific IAM permissions within your GCP project to enable infrastructure discovery and metadata analysis. The baseline requirement is the roles/browser role, which provides read access to browse the project hierarchy, including its folder, organization, and allow policy.

For comprehensive resource visibility, Overmind recommends implementing a defined set of read-only IAM roles that enable resource enumeration and metadata inspection across all supported GCP services. This includes critical roles such as roles/compute.viewer for Compute Engine resources and equivalent viewer roles for other service domains.

See the Required Predefined GCP Roles Reference below for the complete IAM role list.

You have two options for granting the required permissions: a shell script that calls gcloud, or a Terraform configuration.

Option 1: Shell script

  1. Create the permission script (gcp-perm-for-ovm-sa.sh):

    #!/bin/bash

    # Script to add IAM policy bindings to a service account in GCP
    # Expects GCP_PROJECT_ID and GCP_OVERMIND_SA_EMAIL environment variables to be set
    #
    # NOTE: The GCP_OVERMIND_SA_EMAIL should be the service account email presented in the Overmind
    # application when creating a new GCP source.

    set -euo pipefail # Exit on error, undefined vars, and pipe failures

    # Check if GCP_PROJECT_ID environment variable is set
    if [[ -z "${GCP_PROJECT_ID:-}" ]]; then
      echo "ERROR: GCP_PROJECT_ID environment variable is not set"
      exit 1
    fi

    # Check if GCP_OVERMIND_SA_EMAIL environment variable is set
    if [[ -z "${GCP_OVERMIND_SA_EMAIL:-}" ]]; then
      echo "ERROR: GCP_OVERMIND_SA_EMAIL environment variable is not set"
      echo "NOTE: Use the service account email presented in the Overmind application when creating a GCP source"
      exit 1
    fi

    echo "Using GCP Project ID: ${GCP_PROJECT_ID}"
    echo "Service Account: ${GCP_OVERMIND_SA_EMAIL}"

    # Define the array of roles
    ROLES=(
      "roles/bigquery.resourceViewer"
      "roles/bigquery.metadataViewer"
      "roles/cloudkms.viewer"
      "roles/browser"
      "roles/cloudsql.viewer"
      "roles/dataproc.viewer"
      "roles/dataform.viewer"
      "roles/certificatemanager.viewer"
      "roles/datastream.viewer"
      "roles/discoveryengine.viewer"
      "roles/networksecurity.interceptEndpointViewer"
      "roles/networksecurity.mirroringEndpointViewer"
      "roles/artifactregistry.reader"
      "roles/container.viewer"
      "roles/cloudfunctions.viewer"
      "roles/file.viewer"
      "roles/firebaserules.viewer"
      "roles/osconfig.viewer"
      "roles/appengine.appViewer"
      "roles/dlp.connectionsReader"
      "roles/firebase.viewer"
      "roles/networkconnectivity.hubViewer"
      "roles/networkconnectivity.regionalEndpointViewer"
      "roles/secretmanager.viewer"
      "roles/redis.viewer"
      "roles/securitycentermanagement.viewer"
      "roles/storagetransfer.viewer"
      "roles/networkmanagement.viewer"
      "roles/serviceusage.apiKeysViewer"
      "roles/datastore.viewer"
      "roles/notebooks.viewer"
      "roles/vpcaccess.viewer"
      "roles/securitycenter.adminViewer"
      "roles/cloudquotas.viewer"
      "roles/dialogflow.reader"
      "roles/compute.viewer"
      "roles/iam.roleViewer"
    )

    # Counter for successful operations
    SUCCESS_COUNT=0
    TOTAL_ROLES=${#ROLES[@]}

    echo "Starting to add ${TOTAL_ROLES} IAM policy bindings..."
    echo "----------------------------------------"

    # Loop through each role and add the policy binding
    for ROLE in "${ROLES[@]}"; do
      echo "Adding role: ${ROLE}"

      if gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
          --member="serviceAccount:${GCP_OVERMIND_SA_EMAIL}" \
          --role="${ROLE}" \
          --quiet > /dev/null 2>&1; then
        echo "✓ Successfully added role: ${ROLE}"
        ((SUCCESS_COUNT++)) || true
      else
        echo "✗ Failed to add role: ${ROLE}"
        # Re-run without output suppression so the gcloud error is visible
        gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
          --member="serviceAccount:${GCP_OVERMIND_SA_EMAIL}" \
          --role="${ROLE}" \
          --quiet
        exit 1
      fi
    done

    echo "----------------------------------------"
    echo "✓ All IAM policy bindings completed successfully!"
    echo "✓ Added ${SUCCESS_COUNT}/${TOTAL_ROLES} roles to service account: ${GCP_OVERMIND_SA_EMAIL}"
    echo "✓ Project: ${GCP_PROJECT_ID}"

  2. Run the script with your project details:

    chmod +x gcp-perm-for-ovm-sa.sh
    GCP_PROJECT_ID=YOUR_PROJECT_ID \
    GCP_OVERMIND_SA_EMAIL=OVERMIND_SA_EMAIL \
    ./gcp-perm-for-ovm-sa.sh

    Replace YOUR_PROJECT_ID with your GCP Project ID and OVERMIND_SA_EMAIL with the service account email from Step 1: Create Your Overmind GCP Source.

Option 2: Terraform

  1. Create a new Terraform configuration file (overmind-permissions.tf):

    variable "overmind_service_account_email" {
      description = "The Overmind service account email provided during source creation"
      type        = string
    }

    # Get the current project configuration
    data "google_client_config" "default" {}

    # Define the required roles for Overmind service account
    variable "overmind_service_account_roles" {
      description = "List of IAM roles to assign to the Overmind Service Account"
      type        = list(string)
      default = [
        "roles/bigquery.resourceViewer",
        "roles/bigquery.metadataViewer",
        "roles/cloudkms.viewer",
        "roles/browser",
        "roles/cloudsql.viewer",
        "roles/dataproc.viewer",
        "roles/dataform.viewer",
        "roles/certificatemanager.viewer",
        "roles/datastream.viewer",
        "roles/discoveryengine.viewer",
        "roles/networksecurity.interceptEndpointViewer",
        "roles/networksecurity.mirroringEndpointViewer",
        "roles/artifactregistry.reader",
        "roles/container.viewer",
        "roles/cloudfunctions.viewer",
        "roles/file.viewer",
        "roles/firebaserules.viewer",
        "roles/osconfig.viewer",
        "roles/appengine.appViewer",
        "roles/dlp.connectionsReader",
        "roles/firebase.viewer",
        "roles/networkconnectivity.hubViewer",
        "roles/networkconnectivity.regionalEndpointViewer",
        "roles/secretmanager.viewer",
        "roles/redis.viewer",
        "roles/securitycentermanagement.viewer",
        "roles/storagetransfer.viewer",
        "roles/networkmanagement.viewer",
        "roles/serviceusage.apiKeysViewer",
        "roles/datastore.viewer",
        "roles/notebooks.viewer",
        "roles/vpcaccess.viewer",
        "roles/securitycenter.adminViewer",
        "roles/cloudquotas.viewer",
        "roles/dialogflow.reader",
        "roles/compute.viewer",
        "roles/iam.roleViewer"
      ]
    }

    # Assign the required roles to the Overmind service account
    resource "google_project_iam_member" "overmind_service_account_iam" {
      for_each = toset(var.overmind_service_account_roles)
      project  = data.google_client_config.default.project
      role     = each.value
      member   = "serviceAccount:${var.overmind_service_account_email}"
    }

  2. Create a terraform.tfvars file (the value is an HCL string, so it must be quoted):

    overmind_service_account_email = "OVERMIND_SA_EMAIL"

    Replace OVERMIND_SA_EMAIL with the service account email from Step 1: Create Your Overmind GCP Source.

  3. Apply the Terraform configuration:

    terraform init
    terraform plan
    terraform apply

Step 3: Verify Source Status

  1. Return to the Overmind application
  2. Navigate to Settings > Sources
  3. Locate your GCP source
  4. Verify the status shows as Healthy

Validation

Verify IAM Permissions

You can verify that the permissions were granted correctly using the Google Cloud Console or CLI:

Using Google Cloud Console

  1. Go to Google Cloud Console > IAM & Admin > IAM
  2. Select your project
  3. Search for the Overmind service account email
  4. Verify that all required roles are listed

Using Google Cloud CLI

# List all IAM bindings for the service account
gcloud projects get-iam-policy YOUR_PROJECT_ID \
--flatten="bindings[].members" \
--format="table(bindings.role)" \
--filter="bindings.members:serviceAccount:OVERMIND_SA_EMAIL"

Test Source Discovery

  1. Navigate to the Overmind application
  2. Navigate to Explore
  3. Run a query to discover resources. GCP sources are prefixed with gcp-; for example, to list all VMs, run gcp-compute-instance > LIST
  4. Verify that resources are being discovered

Validate Regional Coverage

Ensure your source is configured to discover resources in all required regions:

  1. Review the Regions configuration in your source settings
  2. Verify that discovered resources match your expected regional distribution

Troubleshooting

Common Issues and Solutions

Issue: "Insufficient Permissions" Error

Symptoms:

  • Specific GCP services are not being discovered

Solutions:

  1. Verify all required roles are assigned:

    gcloud projects get-iam-policy YOUR_PROJECT_ID \
      --flatten="bindings[].members" \
      --filter="bindings.members:serviceAccount:OVERMIND_SA_EMAIL"

  2. Re-run the permission script or Terraform configuration
  3. Check for organization-level policies that might restrict service account access
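The verification command above, and the Verify IAM Permissions step in the Validation section, print the bindings but leave the comparison against the required list to the reader. The added script below (not part of Overmind's tooling) does that comparison: it reports required roles that are missing and, just as importantly for least privilege, roles that were granted but are not on the list. The granted list is a constructed sample standing in for the output of the gcloud command shown in its comments; the project id and service account variables follow the names used by the permission script.

```bash
#!/bin/bash
# Added example (not part of Overmind's tooling): diff the roles actually bound to
# the Overmind service account against the required list and report drift.
# In a real run, the granted list comes from the page's verification command with
# a value() format, for example:
#   gcloud projects get-iam-policy "$GCP_PROJECT_ID" \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role)" \
#     --filter="bindings.members:serviceAccount:${GCP_OVERMIND_SA_EMAIL}"
# SAMPLE_GRANTED below is a constructed stand-in so the script runs offline.
set -eu

# Subset of the required roles from the permission script, one per line.
REQUIRED_ROLES='roles/browser
roles/compute.viewer
roles/iam.roleViewer
roles/secretmanager.viewer
roles/cloudkms.viewer'

# Constructed sample: two required roles are missing and roles/editor, which is
# not read-only, has been granted by mistake.
SAMPLE_GRANTED='roles/browser
roles/compute.viewer
roles/editor
roles/cloudkms.viewer'

# list_difference A B: print the lines of A that do not appear in B.
list_difference() {
  printf '%s\n' "$1" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    if ! printf '%s\n' "$2" | grep -Fxq -- "$role"; then
      printf '%s\n' "$role"
    fi
  done
}

# check_bindings REQUIRED GRANTED: report drift; succeed only on an exact match.
check_bindings() {
  local missing extra
  missing=$(list_difference "$1" "$2")
  extra=$(list_difference "$2" "$1")
  [ -z "$missing" ] || printf 'MISSING (discovery will be partial):\n%s\n' "$missing"
  [ -z "$extra" ] || printf 'UNEXPECTED (exceeds read-only least privilege):\n%s\n' "$extra"
  [ -z "$missing" ] && [ -z "$extra" ]
}

check_bindings "$REQUIRED_ROLES" "$SAMPLE_GRANTED" \
  || echo "Bindings drift from the required set; re-run the permission script or Terraform."
```

Swap SAMPLE_GRANTED for the real gcloud output and REQUIRED_ROLES for the full list from the permission script to use it against a live project.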

Issue: No Resources Discovered

Symptoms:

  • Source is healthy but no resources are found
  • Discovery completes successfully but with zero results

Solutions:

  1. Verify Regional Configuration: Ensure the source is configured for the correct regions where your resources exist
  2. Check API Enablement: Verify that required Google Cloud APIs are enabled:
    gcloud services list --enabled --project=YOUR_PROJECT_ID
  3. Resource Permissions: Some resources may require additional organization-level permissions

Issue: Service Account Not Found

Symptoms:

  • Error messages indicating the service account doesn't exist
  • IAM binding operations fail

Solutions:

  1. Verify you copied the correct service account email from the Overmind application
  2. Ensure the service account email format is correct (should end with .iam.gserviceaccount.com)
  3. Contact Overmind support if the service account appears to be missing

Issue: Terraform Apply Failures

Symptoms:

  • Terraform operations fail with authentication or permission errors

Solutions:

  1. Verify your Terraform authentication:
    gcloud auth application-default print-access-token
  2. Ensure your Google Cloud credentials have the necessary IAM permissions
  3. Check that the Google Cloud Provider is configured correctly

Getting Additional Help

If you continue to experience issues:

  1. Check the Overmind Status Page: Visit the status page for any known issues
  2. Contact Support: Reach out to Overmind support with:
    • Your GCP Project ID
    • The Overmind service account email
    • Specific error messages
    • Screenshots of the issue

Security Considerations

Principle of Least Privilege

The provided roles follow the principle of least privilege, granting only the minimum permissions required for infrastructure discovery. All roles are read-only and do not allow:

  • Resource modification or deletion
  • Data access (beyond metadata)
  • Configuration changes
  • Administrative operations

Monitoring and Auditing

To maintain security visibility:

  1. Enable Cloud Audit Logs: Ensure Cloud Audit Logs are enabled for your project
  2. Monitor Service Account Activity: Review audit logs for the Overmind service account activity
  3. Set Up Alerts: Configure alerts for unusual service account behavior
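Steps 2 and 3 above amount to one question: did the Overmind service account ever do anything other than a get or list? The added script below (not part of Overmind's tooling) answers it over audit-log entries. It treats any method that is not a read-only call as suspicious, which with the metadata-only roles on this page also catches a secret payload read. The log entries are a constructed sample standing in for the output of the gcloud logging command shown in its comments; the service account address is a placeholder.

```bash
#!/bin/bash
# Added example (not Overmind tooling): review Cloud Audit Log entries for the
# Overmind service account and flag any call that is not a read-only method.
# In a real run the entries come from Cloud Logging, for example:
#   gcloud logging read \
#     "logName:\"cloudaudit.googleapis.com\" AND protoPayload.authenticationInfo.principalEmail=\"$GCP_OVERMIND_SA_EMAIL\"" \
#     --project="$GCP_PROJECT_ID" --freshness=1d \
#     --format="csv[no-heading](protoPayload.methodName,protoPayload.authenticationInfo.principalEmail,protoPayload.resourceName)"
# get/list calls are only recorded when Data Access audit logs are enabled; write
# calls land in the always-on Admin Activity log.
set -eu

OVERMIND_SA='ovm-sa@example.iam.gserviceaccount.com'   # constructed placeholder

# Constructed sample of that csv output: method,principal,resource. The last line
# is a write by a different principal and must not be attributed to the SA.
SAMPLE_LOG='v1.compute.instances.list,ovm-sa@example.iam.gserviceaccount.com,projects/my-proj/zones/europe-west2-a
google.iam.admin.v1.ListRoles,ovm-sa@example.iam.gserviceaccount.com,projects/my-proj
v1.compute.instances.delete,ovm-sa@example.iam.gserviceaccount.com,projects/my-proj/zones/europe-west2-a/instances/web-1
google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion,ovm-sa@example.iam.gserviceaccount.com,projects/my-proj/secrets/db-pass/versions/1
v1.compute.instances.delete,admin@example.com,projects/my-proj/zones/europe-west2-a/instances/web-2'

# is_read_only METHOD: succeed for get/list style methods, the only kind the
# granted viewer roles should ever permit. Anything else is treated as suspicious.
is_read_only() {
  case "$1" in
    *.get|*.list|*.aggregatedList|*.getIamPolicy|*.testIamPermissions) return 0 ;;
    *.Get*|*.List*|*.BatchGet*) return 0 ;;
    *) return 1 ;;
  esac
}

# suspicious_entries SA_EMAIL LOG: print "method on resource" for every entry by
# SA_EMAIL whose method is not read-only; entries by other principals are skipped.
suspicious_entries() {
  printf '%s\n' "$2" | while IFS=, read -r method principal resource; do
    [ "$principal" = "$1" ] || continue
    is_read_only "$method" && continue
    printf '%s on %s\n' "$method" "$resource"
  done
}

echo "Non read-only calls attributed to ${OVERMIND_SA}:"
suspicious_entries "$OVERMIND_SA" "$SAMPLE_LOG"
```

Any line this prints means the service account holds more than the documented viewer roles, or its identity is being used outside Overmind; either way, review the bindings and consider revoking them.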

Permission Management

  • Regular Review: Periodically review granted permissions and remove access when no longer needed
  • Revocation: You can revoke access at any time by removing the IAM bindings

Required Predefined GCP Roles Reference

Here are all the predefined GCP roles that Overmind requires:

| Role | Purpose |
| --- | --- |
| roles/bigquery.resourceViewer | BigQuery resource discovery |
| roles/bigquery.metadataViewer | BigQuery metadata access |
| roles/cloudkms.viewer | Cloud KMS key discovery |
| roles/browser | Basic project resource browsing |
| roles/cloudsql.viewer | Cloud SQL instance discovery |
| roles/dataproc.viewer | Dataproc cluster discovery |
| roles/dataform.viewer | Dataform resource discovery |
| roles/certificatemanager.viewer | Certificate Manager discovery |
| roles/datastream.viewer | Datastream resource discovery |
| roles/discoveryengine.viewer | Discovery Engine resource access |
| roles/networksecurity.interceptEndpointViewer | Network security endpoint discovery |
| roles/networksecurity.mirroringEndpointViewer | Network mirroring endpoint discovery |
| roles/artifactregistry.reader | Artifact Registry repository discovery |
| roles/container.viewer | GKE cluster and resource discovery |
| roles/cloudfunctions.viewer | Cloud Functions discovery |
| roles/file.viewer | Cloud Filestore discovery |
| roles/firebaserules.viewer | Firebase Rules discovery |
| roles/osconfig.viewer | OS Config resource discovery |
| roles/appengine.appViewer | App Engine application discovery |
| roles/dlp.connectionsReader | DLP connection discovery |
| roles/firebase.viewer | Firebase project discovery |
| roles/networkconnectivity.hubViewer | Network Connectivity Hub discovery |
| roles/networkconnectivity.regionalEndpointViewer | Regional endpoint discovery |
| roles/secretmanager.viewer | Secret Manager secret discovery (metadata only) |
| roles/redis.viewer | Cloud Memorystore Redis discovery |
| roles/securitycentermanagement.viewer | Security Center management discovery |
| roles/storagetransfer.viewer | Storage Transfer Service discovery |
| roles/networkmanagement.viewer | Network management resource discovery |
| roles/serviceusage.apiKeysViewer | API Keys discovery |
| roles/datastore.viewer | Cloud Datastore discovery |
| roles/notebooks.viewer | AI Platform Notebooks discovery |
| roles/vpcaccess.viewer | VPC Access connector discovery |
| roles/securitycenter.adminViewer | Security Center findings discovery |
| roles/cloudquotas.viewer | Cloud Quotas discovery |
| roles/dialogflow.reader | Dialogflow resource discovery |
| roles/compute.viewer | Compute Engine resource discovery |
| roles/iam.roleViewer | IAM role definition discovery (included in the permission script and Terraform configuration above) |

All roles provide read-only access and are sourced from Google Cloud's predefined roles documentation.