Introduction
Google Cloud Artifact Registry (GAR) is a unified registry service for managing and securing software artifacts.
GAR offers:
Centralized hosting for multiple artifact types like Docker images, language-specific packages (Maven, npm, Python) and OS packages.
Granular access control through Cloud IAM.
Direct integration with Google Cloud's deployment services, such as Cloud Run and Google Kubernetes Engine (GKE).
Connecting GAR to OX Security gives OX Security a constant connection to GAR, and scan results are displayed in the artifact's BOM.

Prerequisites
Ensure the following requirements are met:
You have OX Security admin permissions to set up the connection.
You have a Google Cloud account with permissions to create projects and API tokens.
You have a project in Google Cloud.
Connection overview
These steps summarize the connection process.
Connection steps
To connect GAR to OX Security, follow these steps:
Step 1: Enable API services in Google Cloud
From the dashboard, use the search bar to find API & Services and click Enable API & Services. This opens the API Library page.

From the API Library page, use the search bar to find Cloud Resource Manager API and click the Cloud Resource Manager API link.

Verify that the API is enabled (default). If not, click Manage to enable it.

Next, use the same search action to open the Artifact Registry API page and verify that it is also enabled.

Step 2: Create a custom role in Google Cloud with specific permissions
From the Google Cloud dashboard menu, select IAM & Admin > Roles.

From the Roles page, click Create role.

Enter a title and description.
The ID is auto-generated.
Leave the Role launch stage as is.

Click Add permissions to open a dialog box. You'll add two permissions: Artifact Registry Reader and resourcemanager.projects.get.

Locate the Artifact Registry Reader, activate the checkbox and click OK.
You’ll see that there are multiple pages of related permissions. To select all permissions on a specific page, activate the “master” checkbox in the header.

Use the navigation chevron at the bottom to move to the next page and select all the permissions on that page.
Repeat until all the related permissions are selected, then click Add.

Next, locate the permission resourcemanager.projects.get and click Add.

To complete and create the role, click Create.

Step 3: Create a service account in Google Cloud
From IAM & Admin / Roles, select Service Accounts from the menu and click Create service account.

Enter a Service account name and Service account description (the Service account ID is auto-generated). Then click Create and continue to assign permissions to the service account.

To add the role you just created, open the Select a role dropdown and select Custom. Select the role (left screen), then click Continue (right screen).

Leave the Principals with access as is. To complete the creation of the service account, click Done.

To verify the service account, enter the service account name you just created in the filter.

Step 4: Create the service account API key in Google Cloud
Continuing from the previous screen, select the service account you created and select the Keys tab.

On the Keys tab, click Add key and select JSON as the Key type.

Read the warning about data security.

To complete, click Close. The JSON key is now saved to your computer.
Step 5: Pass the credentials to OX Security
Create a Base64 string including the Key and the Project name from the JSON key. There are several methods to do this. If you use Node.js/Browser, here is a code example.
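One way to build and sanity-check that string in Node.js is shown below. This is an added example, not code from the original page or from OX Security. It assumes the API Token field takes the Base64 encoding of the whole JSON key file (which contains both the key and the project ID); the function names and sample values are constructed for illustration.

```javascript
// Added example, not OX Security's code. Assumption: the API Token field takes
// the Base64 encoding of the whole service account key JSON.
const REQUIRED_FIELDS = ["type", "project_id", "private_key", "client_email"];

function buildApiToken(keyJsonText, expectedProjectId) {
  let key;
  try {
    key = JSON.parse(keyJsonText);
  } catch (err) {
    throw new Error("key file is not valid JSON");
  }
  for (const field of REQUIRED_FIELDS) {
    if (typeof key?.[field] !== "string" || key[field] === "") {
      throw new Error(`key file is missing "${field}"`);
    }
  }
  if (key.type !== "service_account") {
    throw new Error(`unexpected key type "${key.type}"`);
  }
  // Catch a key downloaded from the wrong project before it is submitted.
  if (key.project_id !== expectedProjectId) {
    throw new Error(`key is for "${key.project_id}", expected "${expectedProjectId}"`);
  }
  if (!key.private_key.startsWith("-----BEGIN PRIVATE KEY-----")) {
    throw new Error("private_key is not a PEM private key");
  }
  // Base64 is an encoding, not encryption: treat the token like the key file.
  // Node.js Buffer is used here; in a browser, btoa() gives the same result
  // for this ASCII JSON.
  return Buffer.from(JSON.stringify(key), "utf8").toString("base64");
}

// Decode a token and report only non-secret fields, so a token can be
// identified (for rotation or audit) without printing the private key.
function summarizeToken(token) {
  const key = JSON.parse(Buffer.from(token, "base64").toString("utf8"));
  return { projectId: key.project_id, clientEmail: key.client_email };
}

// Constructed sample key with placeholder values, not a real credential.
const SAMPLE_KEY_JSON = JSON.stringify({
  type: "service_account",
  project_id: "example-project",
  private_key: "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  client_email: "ox-gar-reader@example-project.iam.gserviceaccount.com",
});

console.log(summarizeToken(buildApiToken(SAMPLE_KEY_JSON, "example-project")));
```

Because the string decodes straight back to the private key, store and transmit it with the same care as the downloaded JSON file.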

Sign in to OX Security. From the OX Connectors page, open the GAR connector and enter these details:
Project ID: The ID of the project you want to scan.
API Token: The Base64 string you created.

Click Connect. If the credentials are valid, a success message appears.
That’s it. OX Security is now connected to your Google Artifact Registry.
Post-setup checks
Use either or both of these steps.
From the OX Connectors page, open the GAR connector and click Verify Connectivity.
From the same screen, click Settings. This displays a list of all images.
Logs and alerts
If your credentials are not accepted, an error message shows on the connection screen.
Troubleshooting
If your credentials are valid but you can’t connect to GAR, reach out to Customer Support.
Disconnection
To disconnect, open the GAR connector and select DELETE.
To reconnect, re-enter the Project ID and API Token.
