Setup inCloud Managed with GCP

inCloud Managed is one of our setup options, which install our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.

Note: inCloud Managed is available exclusively to Enterprise users.

inCloud Managed requires to create an isolated account within your GCP organization, that will be managed by groundcover's control plane and will establish, configure, and maintain the infrastructure and workloads within the account. These include GCP VPC, GCS, GKE, and LB services.

To complete the installation of inCloud Managed (total estimated time: 1 hour) you will need to follow these steps, all of which are detailed in the guide that follows:

Step 1: Create a GCP project

Start by creating a new GCP project for your groundcover deployment. We recommend following Google's guidelines to organize the project properly, using the right folder hierarchy and IAM rules for security. You can find the guide here: Google Cloud Resource Hierarchy.

Once that's done, select your inCloud project in the project picker.

Step 2: Create a service account with project owner access

To manage resources in your environment, you need a dedicated service account with project owner permissions. Here’s how:

  • Go to IAM & Admin > Service Accounts in the GCP Console.

  • Click "CREATE SERVICE ACCOUNT".

  • Name it something like groundcover-managed.

  • You can use the same name for the service account ID.

  • Click "CREATE AND CONTINUE".

  • In the "Grant this service account access to project" section, select Roles > Owner.

  • Then click "DONE" (you can skip the optional "Grant users access" part).

Step 3: Allow the service account to create access tokens

Next, you need to allow the service account to generate access tokens for project admin tasks:

  • Click on the newly created service account from the list.

  • Go to the "PERMISSIONS" tab.

  • Click "GRANT ACCESS".

  • Under Add principals, add the following service account: [email protected].

  • Under Assign roles, choose "Service Account Token Creator".

  • Press "SAVE".

Step 4: Enable the service usage API

Now, you need to enable the Service Usage API for the project:

  • Use the search bar in the GCP Console to find "Service Usage API".

  • Click on it, then hit "ENABLE".

Security of groundcover Control-Plane

groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.

The control plane can securely access your groundcover-incloud account by using a cross-account IAM role.

Setting up groundcover inCloud does not require access to your production data or workloads, nor does it grant it such access.

Step 5: Disable service account key creation constraint (For organizations created since May 3rd, 2024)

Starting from May 3rd 2024, GCP organizations have new restrictions that disable the option to create new service accounts HMAC keys - read more here.

Certain groundcover workloads require service accounts with HMAC keys, which means a rule needs to be added in the new GCP Project to disable this policy.

Start by selecting the relevant project from the project picker, then browse to IAM & Admin > Organization policies and search for the "Disable service account key creation" constraint.

Choose the highlighted constraint and click on "MANAGE POLICY"

Click on "ADD A RULE" and set "Enforcement" to "Off".

To save, click on "SET POLICY".

Step 6: Share the control-plane service account

Users on an Enterprise plan (prerequisite for inCloud Managed) have access to a private support channel on Slack for their organization. Use that channel to share the following information with the groundcover team:

  • The GCP project name you’ve created for inCloud.

  • Your control-plane Service Account (created in Step 2).

  • The region where you would like inCloud to be deployed.

Step 7: Get installation values

After you share with us the details in Step 5, we will need to setup the backend. Once we do, we will share with you the configuration details required for you to complete Step 7.

Step 8: Deploy our sensors

The final step is to deploy our sensors into the environment. In order to do so, follow this guide.

Last updated