BYOC is one of our setup options, which installs our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.
BYOC requires creating an isolated account within your GCP organization that will be managed by groundcover's control plane, which will establish, configure, and maintain the infrastructure and workloads within the account. These include GCP VPC, GCS, GKE, and LB services.
To complete the installation of BYOC (total estimated time: 1 hour) you will need to follow these steps, all of which are detailed in the guide that follows:
Before proceeding with the steps below, please log in to app.groundcover.com and create a workspace.
If you already have a workspace in groundcover, skip this step.
Follow the steps in the link below to sign up and create a workspace in groundcover:
Start by creating a new GCP project for your groundcover deployment. We recommend following Google's guidelines to organize the project properly, using the right folder hierarchy and IAM rules for security. You can find the guide here: .
Once that's done, select your inCloud project in the project picker.
To manage resources in your environment, you need a dedicated service account with project owner permissions. Here’s how:
Go to IAM & Admin > Service Accounts in the GCP Console.
Click "CREATE SERVICE ACCOUNT".
Name it something like groundcover-managed.
You can use the same name for the service account ID.
Click "CREATE AND CONTINUE".
In the "Permissions" section, select Role > Owner.
Then click "Continue" and "DONE" (you can skip the optional "Principals with access" part).
Next, you need to allow the service account to generate access tokens for project admin tasks:
Click on the newly created service account from the list.
Go to the "Principals with access" tab.
Click "Grant Access".
Under Add principals, add the following service account: [email protected].
Under Assign roles, choose "Service Account Token Creator".
Press "SAVE".
Now, you need to enable the Service Usage API for the project:
Use the search bar in the GCP Console to find "Service Usage API".
Click on it, then hit "ENABLE".
Security of groundcover Control-Plane
groundcover Control-Plane is a secure reconciliation controller designed to manage enterprise inCloud infrastructure environments. It is compliant with ISO-27001 and SOC-2 standards.
The control plane can securely access your groundcover-incloud project by using cross-project service account impersonation.
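To check that the impersonation trust matches the steps above, the following added example (not groundcover's own code) audits IAM policies exported as JSON with `gcloud iam service-accounts get-iam-policy` and `gcloud projects get-iam-policy`. The control-plane principal and project ID are placeholders, and the sample policies are constructed.

```python
import json

# Placeholders: the page shows the control-plane principal only in obfuscated
# form and names no project ID, so both values below are assumptions.
CONTROL_PLANE = "serviceAccount:CONTROL_PLANE_PRINCIPAL_PLACEHOLDER"
MANAGED_SA = ("serviceAccount:groundcover-managed@"
              "PROJECT_ID_PLACEHOLDER.iam.gserviceaccount.com")

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Roles that let a member act as the service account when bound on it.
ACT_AS_ROLES = {TOKEN_CREATOR, "roles/iam.serviceAccountUser",
                "roles/iam.workloadIdentityUser"}

def members(policy, role):
    """All members bound to `role` in an IAM policy dict."""
    return {m for b in policy.get("bindings", [])
            if b["role"] == role for m in b.get("members", [])}

def audit(sa_policy, project_policy):
    """Return findings; an empty list means the trust matches the guide."""
    findings = []
    if CONTROL_PLANE not in members(sa_policy, TOKEN_CREATOR):
        findings.append("control plane lacks Service Account Token Creator")
    for role in sorted(ACT_AS_ROLES):
        # Only the control plane is expected, and only as Token Creator.
        expected = {CONTROL_PLANE} if role == TOKEN_CREATOR else set()
        for extra in sorted(members(sa_policy, role) - expected):
            findings.append(f"unexpected {role} on managed SA: {extra}")
    if MANAGED_SA not in members(project_policy, "roles/owner"):
        findings.append("managed SA is not Owner on the project")
    return findings

# Constructed sample policies (not real gcloud output).
SA_POLICY_OK = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:CONTROL_PLANE_PRINCIPAL_PLACEHOLDER"]}]}""")
SA_POLICY_DRIFT = json.loads("""{"bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:CONTROL_PLANE_PRINCIPAL_PLACEHOLDER",
               "user:contractor@example.com"]}]}""")
PROJECT_POLICY = {"bindings": [{"role": "roles/owner", "members": [MANAGED_SA]}]}

if __name__ == "__main__":
    for name, pol in (("ok", SA_POLICY_OK), ("drift", SA_POLICY_DRIFT)):
        print(name, audit(pol, PROJECT_POLICY))
```

The service account's own policy lists only direct bindings; roles granted at the project, folder, or organization level are inherited and need the same review on those policies.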
Certain groundcover workloads require service accounts with HMAC keys, which means a rule needs to be added in the new GCP project to disable the policy that blocks service account key creation.
The scope of the change will be limited to the new groundcover project only.
Start by selecting the relevant project from the project picker, then browse to IAM & Admin > Organization policies and search for the "Disable service account key creation" constraint.
Choose the highlighted constraint and click on "MANAGE POLICY".
Click on "ADD A RULE" and set "Enforcement" to "Off".
To save, click on "SET POLICY".
Users on an (prerequisite for BYOC) have access to a private support channel on Slack for their organization. Use that channel to share the following information with the groundcover team:
The GCP project name you’ve created for BYOC.
Your groundcover-managed Service Account (created in ).
The region where you would like BYOC to be deployed.
After you share the details in Step 6 with us, we will need to set up the backend. Once we do, we will share with you the configuration details required for you to complete Step 7.
The final step is to deploy our sensors into the environment. In order to do so, follow .











