Setup inCloud Managed with GCP
Last updated
Last updated
inCloud Managed is one of our setup options, which install our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.
inCloud Managed requires to create an isolated account within your GCP organization, that will be managed by groundcover's control plane and will establish, configure, and maintain the infrastructure and workloads within the account. These include GCP VPC, GCS, GKE, and LB services.
To complete the installation of inCloud Managed (total estimated time: 1 hour) you will need to follow these steps, all of which are detailed in the guide that follows:
Once that's done, select your inCloud project in the project picker.
To manage resources in your environment, you need a dedicated service account with project owner permissions. Here’s how:
Go to IAM & Admin > Service Accounts in the GCP Console.
Click "CREATE SERVICE ACCOUNT".
Name it something like groundcover-managed.
You can use the same name for the service account ID.
Click "CREATE AND CONTINUE".
In the "Grant this service account access to project" section, select Roles > Owner.
Then click "DONE" (you can skip the optional "Grant users access" part).
Next, you need to allow the service account to generate access tokens for project admin tasks:
Click on the newly created service account from the list.
Go to the "PERMISSIONS" tab.
Click "GRANT ACCESS".
Under Add principals, add the following service account: controlplane@groundcover-managed-prod.iam.gserviceaccount.com.
Under Assign roles, choose "Service Account Token Creator".
Press "SAVE".
Now, you need to enable the Service Usage API for the project:
Use the search bar in the GCP Console to find "Service Usage API".
Click on it, then hit "ENABLE".
Security of groundcover Control-Plane
groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.
The control plane can securely access your groundcover-incloud account by using a cross-account IAM role.
Certain groundcover workloads require service accounts with HMAC keys, which means a rule needs to be added in the new GCP Project to disable this policy.
The scope of the change will be limited to the new groundcover project only
Start by selecting the relevant project from the project picker, then browse to IAM & Admin > Organization policies and search for the "Disable service account key creation" constraint.
Choose the highlighted constraint and click on "MANAGE POLICY"
Click on "ADD A RULE" and set "Enforcement" to "Off".
To save, click on "SET POLICY".
The GCP project name you’ve created for inCloud.
The region where you would like inCloud to be deployed.
After you share with us the details in Step 5, we will need to setup the backend. Once we do, we will share with you the configuration details required for you to complete Step 7.
Start by creating a new GCP project for your groundcover deployment. We recommend following Google's guidelines to organize the project properly, using the right folder hierarchy and IAM rules for security. You can find the guide here: .
Starting from May 3rd 2024, GCP organizations have new restrictions that disable the option to create new service accounts HMAC keys - read more .
Users on an (prerequisite for inCloud Managed) have access to a private support channel on Slack for their organization. Use that channel to share the following information with the groundcover team:
Your control-plane Service Account (created in ).
The final step is to deploy our sensors into the environment. In order to do so, follow .
