
GCP and GKE Connector Integration Guide

OX Security supports integrations with both GCP (Google Cloud Platform) and GKE (Google Kubernetes Engine) to enhance visibility into your cloud and Kubernetes environments.

  • The GCP Connector is primarily used to run Prowler for cloud misconfiguration scanning at the project level.

  • The GKE Connector is used to ingest Kubernetes workload data into OX's Cloud Graph, helping visualize how code travels through the CI/CD pipeline into production and identify attack paths.

These connectors are independent—unlike Azure or AWS integrations, there's no dependency between the GCP and GKE connectors. Both require the same setup: a GCP project ID and an API token (service account credentials).


Prerequisites

  • A GCP project in which you have IAM permissions to:

    • Create service accounts

    • Manage service account keys

    • Enable the required APIs (e.g., Compute Engine API, IAM API, Kubernetes Engine API)

  • Optional: gcloud CLI installed and configured

  • (For GKE only) A running GKE cluster in the selected GCP project, with Kubernetes API enabled


Creating a service account

  1. Select your GCP project.

  2. Navigate to IAM & Admin.

  3. Select Service Accounts.

  4. Select + Create Service Account.

  5. Add a meaningful name and an optional description.

  6. Select Create and Continue.

  7. Grant the Viewer role to the new service account and select Done. The new service account appears in the service accounts table.

3. Generate Service Account Key

  1. In the Service Accounts list, find your newly created account.

  2. Click the three-dot menu → Manage Keys.

  3. Click Add Key → Create New Key.

  4. Choose JSON format and click Create.

  5. Download and securely store the JSON key file.


4. Encode the Key File in Base64

  • On macOS/Linux, run: base64 <filename>.json (on Linux, GNU base64 wraps its output at 76 columns by default, so run base64 -w 0 <filename>.json there to get a single line)

  • On Windows, use a tool or plugin to convert the JSON to a one-line Base64 string.

Base64 encoding turns the multi-line JSON key into a single string that can be pasted into the API token field.


5. Enable Required Google Cloud APIs

In the Google Cloud Console:

  1. Navigate to APIs & Services → Library.

  2. Search for and enable the following APIs:

    • Compute Engine API

    • Kubernetes Engine API

    • IAM API

    • IAM Service Account Credentials API

    • Cloud Resource Manager API

Alternatively, administrators can use a gcloud CLI command to enable all required APIs in one step.
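The following script is an added example, not OX Security's own tooling: it performs the service-account creation, key generation, Base64 encoding and API enablement above with the gcloud CLI instead of the console, and adds a check that the encoded token is a single line and decodes back to a service-account key. It assumes gcloud is installed and authenticated as a user allowed to create service accounts, bind roles and enable APIs; the account name ox-security-scanner and the output file names are illustrative defaults, not values from the page.

```shell
#!/bin/sh
# Added example (not OX Security's own tooling). Assumes an authenticated gcloud
# with rights to create service accounts, bind roles and enable APIs. The account
# name and file paths are illustrative defaults.

# The five APIs from step 5; "gcloud services enable" accepts them in one call.
REQUIRED_APIS="compute.googleapis.com container.googleapis.com iam.googleapis.com iamcredentials.googleapis.com cloudresourcemanager.googleapis.com"

enable_required_apis() {                     # $1 = GCP project ID
  # shellcheck disable=SC2086  (word splitting of REQUIRED_APIS is intended)
  gcloud services enable $REQUIRED_APIS --project="$1"
}

create_viewer_service_account() {            # $1 = project ID, $2 = account name; prints the account email
  gcloud iam service-accounts create "$2" --display-name="OX Security scanner" --project="$1" >&2
  sa_email="$2@$1.iam.gserviceaccount.com"
  # Viewer only, as in the console steps: read access is all the scans need.
  gcloud projects add-iam-policy-binding "$1" --member="serviceAccount:$sa_email" --role="roles/viewer" >/dev/null
  echo "$sa_email"
}

create_key_file() {                          # $1 = account email, $2 = output path for the JSON key
  gcloud iam service-accounts keys create "$2" --iam-account="$1"
  chmod 600 "$2"                             # long-lived credential: keep it owner-readable only
}

encode_key_file() {                          # $1 = JSON key path; prints a single-line Base64 token
  # GNU base64 wraps at 76 columns by default, so strip newlines explicitly.
  # Reading from stdin keeps this portable between GNU and macOS base64.
  base64 < "$1" | tr -d '\n'
}

b64_decode_flag() {
  # GNU coreutils decodes with -d; older macOS base64 only understands -D.
  if printf 'b2s=' | base64 -d >/dev/null 2>&1; then echo '-d'; else echo '-D'; fi
}

verify_encoded_key() {                       # $1 = Base64 token; prints the key's client_email on success
  token="$1"
  nl=$(printf '\nx'); nl=${nl%x}
  case "$token" in
    *"$nl"*) echo "token is not a single line" >&2; return 1 ;;
  esac
  decoded=$(printf '%s' "$token" | base64 "$(b64_decode_flag)" 2>/dev/null) \
    || { echo "token is not valid Base64" >&2; return 1; }
  # A service-account key file always carries these two fields.
  printf '%s\n' "$decoded" | grep -q '"type": *"service_account"' \
    || { echo "decoded JSON is not a service-account key" >&2; return 1; }
  printf '%s\n' "$decoded" | sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' | grep .
}

setup_ox_gcp_access() {                      # $1 = project ID, $2 = account name (optional)
  project="$1"; name="${2:-ox-security-scanner}"; keyfile="$name-key.json"
  umask 077                                  # files created from here on are private to the caller
  enable_required_apis "$project"
  sa_email=$(create_viewer_service_account "$project" "$name")
  create_key_file "$sa_email" "$keyfile"
  encode_key_file "$keyfile" > "$keyfile.b64"
  client_email=$(verify_encoded_key "$(cat "$keyfile.b64")") || return 1
  echo "project_id : $project"
  echo "API token  : stored in $keyfile.b64 (for $client_email); paste its contents into OX"
}

# Run the full setup only when a project ID is given on the command line, so
# sourcing the file (or running it without arguments) just defines the functions.
if [ $# -ge 1 ]; then
  setup_ox_gcp_access "$@"
fi
```

Run it as `sh setup-ox-gcp.sh my-project-id`; the token is written to a mode-600 file rather than printed, since it is the credential OX will use for every scan, and verify_encoded_key is what to run on a token produced by any other method (including the Windows tools mentioned above) before pasting it into the connector.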


6. Connect in OX Security

  1. In the OX Security platform, go to Connectors.

  2. Select GCP or GKE.

  3. Enter:

    • project_id (copied from your GCP project)

    • API token (Base64-encoded key)

  4. Click Connect.

For GKE, you’ll also be prompted to select which clusters to scan.

Once connected, OX will automatically use the credentials to run scans.


Multi-Project Access

To reuse one service account across multiple GCP projects:

  1. In the source project, copy the email of the service account.

  2. For each target project:

    • Go to IAM & Admin → IAM

    • Click Grant Access

    • Add the copied email as a new principal

    • Assign the Viewer role

    • Click Save

After assigning access to all desired projects, reconnect the service account in OX.

Advanced Option

To simplify multi-project access:

  • In the project_id field, enter an asterisk (*) instead of a specific ID.

  • This instructs OX to scan all projects the token has access to.

This is currently an undocumented capability but supported for users who prefer centralized access control.
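As an added example (not OX Security's own tooling), the functions below do the multi-project grant above with gcloud, confirm each Viewer binding actually landed, and list the projects the asterisk option would pull in, which is worth knowing before a single token is allowed to scan everything it can reach. They assume an authenticated gcloud with IAM admin rights on the target projects; the account email and project IDs in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not OX Security's own tooling). Assumes an authenticated gcloud
# with IAM admin rights on the target projects; names below are placeholders.

has_viewer_binding() {                       # $1 = project ID, $2 = service account email
  gcloud projects get-iam-policy "$1" --flatten="bindings[].members" \
    --filter="bindings.role=roles/viewer AND bindings.members:serviceAccount:$2" \
    --format="value(bindings.members)" | grep -q .
}

grant_viewer_across_projects() {             # $1 = service account email, $2.. = target project IDs
  sa="$1"; shift
  for project in "$@"; do
    gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$sa" --role="roles/viewer" >/dev/null
    has_viewer_binding "$project" "$sa" \
      || { echo "Viewer binding for $sa missing in $project" >&2; return 1; }
    echo "granted roles/viewer in $project"
  done
}

projects_covered_by_wildcard() {             # $1 = service account email
  # Approximates what "*" in the project_id field expands to: every project the
  # caller can list in which the account holds roles/viewer at project level.
  # Roles inherited from a folder or organization are not detected here.
  gcloud projects list --format="value(projectId)" | while read -r project; do
    has_viewer_binding "$project" "$1" && echo "$project"
  done
}

validate_project_id_field() {                # $1 = value to put in the project_id field
  # "*" means "everything the token can reach"; otherwise it must be a real GCP
  # project ID: 6-30 chars, lowercase letters, digits and hyphens, starting with
  # a letter and not ending with a hyphen.
  case "$1" in
    '*') return 0 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Usage (placeholders):
#   grant_viewer_across_projects ox-security-scanner@source-project.iam.gserviceaccount.com target-a target-b
#   projects_covered_by_wildcard ox-security-scanner@source-project.iam.gserviceaccount.com
```

Running projects_covered_by_wildcard before switching the connector to the asterisk makes the blast radius of that choice explicit: any project where the account later picks up Viewer, for whatever reason, silently joins the scan scope.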


Connector Use Cases

Connector   Purpose                                                     Dependency
GCP         Cloud configuration scanning using Prowler                  Standalone
GKE         Workload visibility and deployment mapping in Cloud Graph   Standalone

Both connectors provide data that enriches OX Security’s attack path analysis, helping link code commits to live workloads and identify misconfigurations or public exposures across environments.
