Installation

Installation Methods

The Google Cloud Ocean integration relies on the Google Cloud Client libraries, which are authenticated using Application Default Credentials.

These guides cover several ways to install the integration, depending on the authentication method and the platform you choose to run it on.

First Time Installation

For your first deployment of the GCP exporter, we recommend starting with the Helm/scheduled installation method to perform the initial data sync. Once the initial data sync is complete, you can switch to the Terraform deployment method for real-time data sync.

The Ocean Google Cloud integration uses Google's ADC (Application Default Credentials). To set it up properly, this guide is divided into two parts:

  1. Creating a service account.
  2. Running the Helm Command.

Creating a service account

  1. Make sure you have your selected project in the top left toggle.



  2. In the search text box, search for service accounts. Click the IAM & Admin option.



  3. Click on CREATE SERVICE ACCOUNT.



  4. Fill in an ID and a description, then continue.



  5. Click the Select a role dropdown, then search and add the following Roles:

    1. Browser
    2. Cloud Asset Viewer
    3. Pub/Sub Viewer




  6. Click on continue -> Done

  7. You've successfully finished creating a Service account!



Fetching Key file

There are multiple ways to use the service account we just created. In this guide, we'll use the Service Account Key method.

warning

According to Google Cloud, this isn't the preferred way for production purposes. The Terraform installation uses Google's native authentication method, and is the one we recommend for a production setup.

  1. Make sure you have your selected project in the top left toggle.



  2. In the search text box, search for service accounts. Click the IAM & Admin option



  3. Click on the Service account.




  4. Click on Keys -> Add Key -> Create new key -> JSON -> CREATE

  5. This will download your new Service Account Key configuration file.

  6. Done!

Running the Helm command

Data security

The Ocean integration does not store the encoded file anywhere.
It is saved locally, and is NOT sent to Port at any time.

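  1. Take the service account key file you created and base64-encode it into a single line, using the command for your shell:

Linux/Mac (Bash/Zsh; pbcopy is macOS-only, on Linux pipe to xclip -selection clipboard instead):

cat <new-configuration-file> | base64 | tr -d '\n' | pbcopy

PowerShell:

[Convert]::ToBase64String([System.IO.File]::ReadAllBytes("<new-configuration-file>")) | Set-Clipboard

Windows Command Prompt (creates a file: new-configuration-file.b64, containing single-line base64 without a certificate header; delete it once the value is pasted, since it contains the key):

certutil -encodehex <new-configuration-file> new-configuration-file.b64 0x40000001 && type new-configuration-file.b64 | clip

  2. Run the following command: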

    helm repo add --force-update port-labs https://port-labs.github.io/helm-charts
    helm upgrade --install gcp port-labs/port-ocean \
    --set port.clientId="$PORT_CLIENT_ID" \
    --set port.clientSecret="$PORT_CLIENT_SECRET_ID" \
    --set port.baseUrl="https://api.getport.io" \
    --set initializePortResources=true \
    --set sendRawDataExamples=true \
    --set scheduledResyncInterval=1440 \
    --set integration.identifier="ocean-gcp-integration" \
    --set integration.type="gcp" \
    --set integration.eventListener.type="POLLING" \
    --set integration.config.encodedADCConfiguration="<paste_the_encoded_file_content_here>"
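
A pre-flight check for the two steps above, as an added example that is not part of Port's documentation or code: it encodes a key file to a single base64 line and rejects values that are not a clean base64 encoding of a service account key (line-wrapped output, a certificate-style header, or other content). The function names and the sample key are constructed for illustration.

```shell
# Added example: function names and the sample key are constructed.

# Print the key file as one unwrapped base64 line (GNU base64 wraps at 76 columns).
encode_adc_key() {
    base64 < "$1" | tr -d '\r\n'
}

# Succeed only if the value is a single clean base64 token that decodes to a
# JSON document declaring "type": "service_account".
check_encoded_adc() {
    value=$1
    case $value in
        "") echo "empty value" >&2; return 1 ;;
        *-----BEGIN*) echo "PEM-style header present" >&2; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "whitespace or non-base64 characters" >&2; return 1 ;;
    esac
    decoded=$(printf '%s' "$value" | base64 --decode 2>/dev/null) || {
        echo "value does not decode as base64" >&2; return 1; }
    printf '%s' "$decoded" |
        grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' || {
        echo "decoded content is not a service account key" >&2; return 1; }
}

# Constructed sample key (not a real credential), created with owner-only access.
umask 077
key_file=$(mktemp)
cat > "$key_file" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
  "client_email": "ocean-gcp@example-project.iam.gserviceaccount.com"
}
EOF

encoded=$(encode_adc_key "$key_file")
if check_encoded_adc "$encoded"; then
    echo "ok: ${#encoded} characters, ready for encodedADCConfiguration"
fi
rm -f "$key_file"
```
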

Optional: Scale permissions for a service account

The above grants the service account permissions within its own project's scope. You can also add permissions at other project, folder, or organization levels.

  1. Make sure you have your selected project in the top left toggle.



  2. In the search text box, search for service accounts. Click the IAM & Admin option



  3. Click on the Service account.




  4. Copy the service account's email.

  5. Switch the top left toggle to your organization



  6. In the search text box, search for manage resources. Click the IAM & Admin option.



  7. In the Resources table, you will see all projects and folders connected to your organization.



  8. Pick your desired scope (organization/folders/projects), using the left checkboxes.



  9. This will open up a menu on the right side.



  10. Click on ADD PRINCIPAL

  11. In the Add principals tab, add your service account's email. Under Assign roles, give these three roles to your service account:

    1. Browser
    2. Cloud Asset Viewer
    3. Pub/Sub Viewer




  12. Click on Save

Further Examples

Refer to the examples page for practical configurations and their corresponding blueprint definitions.