Step 2: Create the Google service account (Web UI)

Recap: You have downloaded the Terraform template declaring the Google service account for Snyk. Now you need to provision the infrastructure.

The process to create the Google service account is the same whether you are using the Snyk Web UI or Snyk API to onboard your Google Project.

To scan a Google Cloud Project, Snyk assumes the identity of a tightly scoped Google service account whose permissions allow Snyk to read the configuration of your Project resources.

The service account you create is granted the following read-only Identity and Access Management (IAM) roles:

Snyk Cloud's own service account is granted the Service Account Token Creator IAM role on the service account you create, which allows it to generate short-lived credentials for that service account rather than holding a long-lived key.

Additionally, Snyk locks a service account to the Organization that onboards it. This security feature ensures that nobody who guesses a service account name can onboard it into a separate Organization and see those resources.

Set Google Cloud Project ID

Snyk scans the Google Cloud Project specified by the project_id variable in the Terraform template. You must set the variable's value using one of the following methods:

  • Set the project_id variable directly in the Terraform template. On line 4 of the template, change the default value of the project_id variable to your Project ID:

default = "your-project-id"
  • Set the project_id variable when you apply the Terraform. In the following section, Apply Terraform, you will apply Terraform to create the Google service account. At that time, you can use Terraform's -var option to set the project_id variable to your Project ID:

terraform apply -var="project_id=your-project-id"
  • Use the GOOGLE_PROJECT environment variable. See Terraform's documentation.

Apply Terraform

To provision the Google service account using Terraform:

  1. In your terminal, navigate to the directory containing your .tf file (named snyk-permissions-google.tf if you downloaded it from the Web UI).

  2. Using the Terraform CLI, initialize the Terraform Project:

terraform init

  3. Review and apply the Terraform plan:

terraform apply

  4. Enter yes when Terraform asks if you want to perform the actions.

Terraform then creates the Google service account. When it is finished, you will see the following output:

Apply complete! Resources: 22 added, 0 changed, 0 destroyed.

Outputs:

service_account_email = "snyk-cloud-mt-us-abcd1234@my-project.iam.gserviceaccount.com"

Copy the service account email for use in the next step.
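The following script is an added example, not Snyk's own code or part of the template. It wraps the procedure above in POSIX sh: it validates the Project ID before passing it through -var, writes the plan to a file so that what you review is exactly what gets applied, and checks that the service_account_email output actually belongs to the Project you named (a simple guard against applying the template against the wrong Project). It assumes snyk-permissions-google.tf is in the current directory and that the terraform CLI is on PATH; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not Snyk's code): provision the Snyk Google service account
# with the Terraform template from this page and verify the resulting output.
# Assumes snyk-permissions-google.tf is in the current directory and that
# the terraform CLI is installed.

# Google Cloud project IDs are 6-30 characters of lowercase letters, digits and
# hyphens; they must start with a letter and must not end with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Pull the email out of captured `terraform apply` text, i.e. the line
#   service_account_email = "..."
# Reads stdin; useful when you log the apply run rather than calling
# `terraform output -raw` afterwards.
extract_sa_email() {
  sed -n 's/^service_account_email *= *"\([^"]*\)".*/\1/p' | head -n 1
}

# The service account must live in the Project you intended to onboard:
# its email ends in @<project-id>.iam.gserviceaccount.com.
sa_email_in_project() {
  case "$1" in
    *@"$2".iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Full workflow: init, plan to a file, review, apply that exact plan, then
# print the service account email for the next step. Name of this function
# is hypothetical; it is not part of the template.
provision_snyk_sa() {
  project="$1"
  valid_project_id "$project" || { echo "invalid project id: $project" >&2; return 1; }

  terraform init -input=false || return 1
  terraform plan -input=false -var="project_id=$project" -out=snyk.tfplan || return 1
  terraform show snyk.tfplan

  printf 'Apply this plan? Type yes to continue: '
  read -r answer
  [ "$answer" = "yes" ] || { echo "aborted, nothing applied" >&2; return 1; }

  terraform apply -input=false snyk.tfplan || return 1

  email="$(terraform output -raw service_account_email)"
  sa_email_in_project "$email" "$project" \
    || { echo "service account $email is not in project $project" >&2; return 1; }
  printf '%s\n' "$email"
}

# Run only when a Project ID is passed on the command line, e.g.
#   sh provision.sh your-project-id
if [ $# -ge 1 ]; then
  provision_snyk_sa "$1"
fi
```

Saving the plan with -out and applying that file (instead of a second interactive apply) guarantees the reviewed plan and the applied plan are identical; the final check on the output email catches the case where GOOGLE_PROJECT or a default in the template pointed at a different Project than the one you meant to onboard.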

What's next?

The next step is to create and scan the Cloud Environment. See Step 3: Create and scan a Cloud Environment for Google (Web UI).
