
# Preparing Your GCP Environment for Sensor Deployment

After you have ensured that your Google Cloud Platform (GCP) environment meets the sensor requirements, you must complete both of the following tasks before deploying a GCP Sensor in your environment:

* [Enable required APIs](preparing-gcp-env-for-deployment)
* [Create a new service account](preparing-gcp-env-for-deployment)

## Enable Required APIs

Certain APIs must be enabled in your GCP environment so that the features that depend on them operate as designed.

<Warning>
  **Important:** APIs are enabled at the project level, so you must enable all five of these APIs for each project the GCP Sensor will monitor.
</Warning>

The following APIs are needed in your GCP environment:

* **Google Cloud Resource Manager API:** [https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com)
* **Google Cloud Pub/Sub Logging API:** [https://console.cloud.google.com/apis/api/pubsub.googleapis.com](https://console.cloud.google.com/apis/api/pubsub.googleapis.com)
* **Google Stackdriver Logging API:** [https://console.developers.google.com/apis/api/logging.googleapis.com](https://console.developers.google.com/apis/api/logging.googleapis.com)
* **Google Compute Engine API:** [https://console.cloud.google.com/apis/library/compute.googleapis.com](https://console.cloud.google.com/apis/library/compute.googleapis.com)
* **Google Cloud Identity and Access Management (IAM) API:** [https://console.developers.google.com/apis/api/iam.googleapis.com/overview](https://console.developers.google.com/apis/api/iam.googleapis.com/overview)

**To enable an API in your GCP environment**

1. Log in to your GCP environment.

2. Navigate to that API in the GCP API library (or follow the corresponding link in the list above).

   <Note>
     **Note:** If the API is already enabled, you may see a green check mark and the text "API enabled" instead of the Enable button. In some views, you will see a "Disable API" button to indicate that the API has already been enabled.
   </Note>

3. Click **Enable**.

   If the Enable button is grayed out, ensure that you have the appropriate permissions required to manage APIs.

## Create a New Service Account

The service account you select for your GCP Sensor must have adequate permissions for every GCP project it will monitor. Without these permissions, the sensor cannot perform the tasks that require that access.

**To create a new service account**

1. In the Cloud Console, go to your project.
2. Go to the *IAM & admin* tab in the navigation pane and click **Service Accounts**.
3. Click **Create Service Account** and enter the required information for your new service account:
   * **Service Account Name:** A display name for this service account
   * **Service Account ID:** A name for your service account, which will be followed by "@\<name-of-project>.iam.gserviceaccount.com"
   * **Service Account Description:** A description for this service account
4. Click **Create and Continue** to save your new service account.

   If you then see a screen that lets you grant the service account access to the project, or grant users access to the service account, you can click **Done** without making any changes on that screen to skip that step and move forward.

Generally, you will use the pre-defined roles *Project: Viewer* and *Pub/Sub: Pub/Sub Subscriber* for your service account. The *Project: Viewer* role allows your sensor to discover all your services, and the *Pub/Sub: Pub/Sub Subscriber* role allows your sensor to collect logs from Cloud Pub/Sub.

**To assign the pre-defined roles to your service account**

<Warning>
  **Important:** This process must be followed for every project the GCP Sensor will be monitoring.
</Warning>

1. In the Cloud Console, go to your project.
2. Go to the *IAM & admin* tab in the navigation pane and click **IAM**.
3. Click **Grant Access**.
4. Enter the name of the service account you just created.
5. In the Role field, select **Project** and then **Viewer**.
6. Open a second Role field, this time selecting **Pub/Sub** and then **Pub/Sub Subscriber**.
7. Open a third Role field, this time selecting **Deployment Manager** and then **Deployment Manager Editor**.
8. (Optional) Open a fourth Role field, this time selecting **Service Accounts** and then **List**.

   <Note>
     **Note:** This role is only required if you intend to enable User Behavior Analytics (UBA).
   </Note>

9. Click **Save** once you are finished assigning roles.

If these roles are too expansive for your use, you can create a new role and limit its access according to your needs, so long as it has the minimum requirements necessary for the sensor to operate. See [Creating a Custom Role](custom-role-gcp) for instructions detailing how to create a custom role for your sensor. Also be sure to review the [Required IAM Policies](custom-role-gcp) table to see which functions depend on which IAM policies.
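
Because both the API enablement and the role grants must be repeated for every monitored project, a per-project audit helps catch a project that was missed or a service account that holds more than the roles listed above. The following is an added example, not LevelBlue's code: it assumes the JSON printed by `gcloud services list --enabled --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`, the role IDs `roles/viewer`, `roles/pubsub.subscriber` and `roles/deploymentmanager.editor` for the three roles in the steps above, and a constructed project and service account name.

```python
import json

# API service names taken from the console links in the API list on this page.
REQUIRED_APIS = {
    "cloudresourcemanager.googleapis.com", "pubsub.googleapis.com",
    "logging.googleapis.com", "compute.googleapis.com", "iam.googleapis.com",
}
# Assumed role IDs for Project > Viewer, Pub/Sub > Pub/Sub Subscriber and
# Deployment Manager > Deployment Manager Editor.
REQUIRED_ROLES = {
    "roles/viewer", "roles/pubsub.subscriber", "roles/deploymentmanager.editor",
}

def audit_project(services_json, policy_json, sa_email):
    """Return missing APIs, missing roles and unexpected roles for one project."""
    enabled = {
        s["name"].rsplit("/", 1)[-1]          # projects/<n>/services/<api>
        for s in json.loads(services_json)
        if s.get("state", "ENABLED") == "ENABLED"
    }
    member = "serviceAccount:" + sa_email
    granted = {
        b["role"]
        for b in json.loads(policy_json).get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "missing_apis": sorted(REQUIRED_APIS - enabled),
        "missing_roles": sorted(REQUIRED_ROLES - granted),
        # Anything beyond the three roles above (including the optional UBA
        # role) is listed for review rather than assumed to be intended.
        "extra_roles": sorted(granted - REQUIRED_ROLES),
    }

# Constructed sample input for a hypothetical project "example-project".
SAMPLE_SA = "sensor-sa@example-project.iam.gserviceaccount.com"
SAMPLE_SERVICES = json.dumps([
    {"name": "projects/123/services/" + api, "state": "ENABLED"}
    for api in sorted(REQUIRED_APIS - {"iam.googleapis.com"})
])
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/pubsub.subscriber", "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/owner",
     "members": ["serviceAccount:" + SAMPLE_SA, "user:admin@example.com"]},
]})

if __name__ == "__main__":
    print(json.dumps(audit_project(SAMPLE_SERVICES, SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

Run it once per monitored project; an empty result in all three lists means the project matches the steps above.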

**To create and download a new service account key**

1. On the **Service Accounts** page, click the email address of the service account you just created and navigate to the **Keys** tab.

2. Using the **Add Key** drop-down, select **Create New Key**.

3. Select **JSON** for the key type and click **Create**.

   Clicking **Create** downloads a service account key file.

4. Save this key file in a safe location.

   You will need to reference this file when you [Deploy the GCP Sensor](manually-deploying-gcp-sensor).
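
The downloaded JSON key is a long-lived credential for the service account, so it is worth checking the file before handing it to the deployment. The following is an added example, not part of the original procedure: it checks on a POSIX system that the file is readable only by its owner and that it belongs to the expected project, using a constructed key with a placeholder in place of real key material and the hypothetical names `sensor-sa` and `example-project`.

```python
import json
import os
import stat

def check_key_file(path, expected_project):
    """Return a list of findings for a downloaded service account key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} lets group/other access the key; use 0600")
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    if key.get("type") != "service_account":
        findings.append("not a service account key (type != service_account)")
    # Service account IDs are followed by @<name-of-project>.iam.gserviceaccount.com
    suffix = f"@{expected_project}.iam.gserviceaccount.com"
    if not key.get("client_email", "").endswith(suffix):
        findings.append(f"client_email does not end with {suffix}")
    if key.get("project_id") != expected_project:
        findings.append("project_id does not match the expected project")
    return findings

def write_sample_key(path):
    """Write a constructed key file (no real key material) with mode 0600."""
    sample = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "CONSTRUCTED-PLACEHOLDER",
        "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY",
        "client_email": "sensor-sa@example-project.iam.gserviceaccount.com",
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "key.json")
        write_sample_key(key_path)
        os.chmod(key_path, 0o644)  # simulate a key saved with default permissions
        for finding in check_key_file(key_path, "example-project"):
            print(finding)
```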

## Create and Add an SSH Key

You will need to create an SSH key and add it to your GCP project. This SSH key will be used to connect to your sensor once it is deployed.

**To create and add an SSH key**

1. Follow the steps outlined in the [Google Cloud documentation](https://cloud.google.com/compute/docs/connect/create-ssh-keys#windows-10-or-later) (appropriate to your OS) to create an SSH key.

   Save a copy of the newly generated SSH key. You will use it later in this process.

2. Within the Google Cloud console, navigate to your project.

3. Search for and select **SSH Keys**.

4. Click **Edit**, then **Add Item**.

5. Enter the key you copied earlier.

   This is the public key from the `.pub` file that was generated in step 1.

6. Click **Save**.

See [Deploy the GCP Sensor](manually-deploying-gcp-sensor).
