Troubleshooting

This page outlines some common issues users have when connecting a GCP data source.

Activity log errors

The log message below is normal for most GCP accounts, since not all accounts use every GCP service. However, if you see this error in the activity logs for a service you know is enabled and expect to be collected:

failed to sync <gcp_resource>: rpc error: code = PermissionDenied desc = <Resource> API has not been used in project <project_name> before or it is disabled. Enable it by visiting ...

you are most likely using a service account from a different project, one in which the named API is not enabled. For multi-project setups, every API that is to be checked in the other projects must also be enabled in the project that contains the service account Secberus uses.

For example, say you have a GCP account with a production project called production-1 and a secondary project, called service-account-1, set up to house your service accounts; the Secberus service account resides in service-account-1.

You run GCP Cloud SQL in the production-1 project and want Secberus to collect those resources. You must enable the Cloud SQL API in both the service-account-1 and production-1 projects.
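The two-project rule above is easy to get wrong silently, so the added example below (not Secberus's own tooling) checks that every API the collector needs is enabled in both the service-account project and each project it collects from. The project names, the API list and the RUN_GCLOUD switch are assumptions; cloudresourcemanager.googleapis.com is the API named on this page and sqladmin.googleapis.com is the Cloud SQL Admin API.

```shell
#!/bin/sh
# Added example (not Secberus tooling): confirm the required APIs are enabled
# in BOTH the project holding the Secberus service account and every project
# the collector reads from. Project names and the API list are assumptions.

SA_PROJECT="service-account-1"        # assumed: project holding the service account
TARGET_PROJECTS="production-1"        # assumed: space-separated projects to collect from
# Cloud Resource Manager (named on the page) plus the Cloud SQL Admin API.
REQUIRED_APIS="cloudresourcemanager.googleapis.com sqladmin.googleapis.com"

# missing_apis REQUIRED ENABLED
#   REQUIRED: space-separated API service names
#   ENABLED:  newline-separated enabled services, as printed by
#             gcloud services list --enabled --format='value(config.name)'
# Prints each required API that is absent from ENABLED, one per line.
missing_apis() {
  required=$1
  enabled=$2
  for api in $required; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# enabled_apis PROJECT -> newline-separated enabled services (calls gcloud)
enabled_apis() {
  gcloud services list --enabled --project "$1" --format='value(config.name)'
}

# check_all_projects: returns 1 if any project lacks a required API and
# prints the gcloud command that would enable the missing ones there.
check_all_projects() {
  rc=0
  for project in $SA_PROJECT $TARGET_PROJECTS; do
    missing=$(missing_apis "$REQUIRED_APIS" "$(enabled_apis "$project")")
    if [ -n "$missing" ]; then
      rc=1
      printf '%s is missing:\n%s\n' "$project" "$missing"
      printf '  fix: gcloud services enable %s --project %s\n' \
        "$(printf '%s' "$missing" | tr '\n' ' ')" "$project"
    fi
  done
  return $rc
}

# Only contact GCP when explicitly asked (RUN_GCLOUD=1 is an assumed switch),
# so the pure-shell comparison can be exercised without credentials.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  check_all_projects
fi
```

Run it with RUN_GCLOUD=1 while authenticated as an account that can list services in all of the projects; a non-zero exit means at least one project would produce the PermissionDenied error above.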

Missing project data

If the Secberus collector is running against your GCP data source but some data does not appear to be collected, check the following.

  1. Make sure the Cloud Resource Manager API is enabled in the GCP project in which the Secberus service account resides. The Secberus collector needs to access this API to get the list of projects it will sync. Go to https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview to enable it.
  2. Ensure the Secberus service account in GCP has the required roles/permissions in every project it should collect from. You can use the gcloud CLI to authenticate as the Secberus service account and list the projects it can access.


    Install the gcloud CLI.

    Once the CLI is installed, create a new authentication key for the Secberus service account on your computer, use it to authenticate to GCP as the service account, and list the projects.

    Create a new key:
      gcloud iam service-accounts keys create <output_file>.json --iam-account <service_account>@<project_name>.iam.gserviceaccount.com

    Authenticate using the key:
      gcloud auth activate-service-account <service_account>@<project_name>.iam.gserviceaccount.com --key-file=<output_file>.json

    List the projects:
      gcloud projects list

    If some projects you expected to be listed are missing, the service account most likely has no roles/permissions in those projects. Grant the service account a role in the missing projects.
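The three commands above tell you what the service account can see, but not what it is supposed to see. The added example below (not Secberus tooling) wraps them and diffs the visible projects against an expected list, so a missing project is reported by name. The service account e-mail, key file name, expected project list and the RUN_GCLOUD switch are assumptions.

```shell
#!/bin/sh
# Added example (not Secberus tooling): run the key/auth/list steps from the
# page as the Secberus service account and report every expected project the
# account cannot see. SA_EMAIL, KEY_FILE and EXPECTED_PROJECTS are assumptions.

SA_EMAIL="secberus@service-account-1.iam.gserviceaccount.com"  # assumed
KEY_FILE="secberus-sa-key.json"                                # assumed
EXPECTED_PROJECTS="service-account-1 production-1"             # assumed, space-separated

# missing_projects EXPECTED VISIBLE
#   EXPECTED: space-separated project IDs the collector must reach
#   VISIBLE:  newline-separated project IDs, as printed by
#             gcloud projects list --format='value(projectId)'
# Prints each expected project that is not visible, one per line.
missing_projects() {
  expected=$1
  visible=$2
  for p in $expected; do
    printf '%s\n' "$visible" | grep -qxF "$p" || printf '%s\n' "$p"
  done
}

# visible_projects: the page's three commands; only project IDs go to stdout.
visible_projects() {
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$SA_EMAIL" >&2
  gcloud auth activate-service-account "$SA_EMAIL" --key-file="$KEY_FILE" >&2
  gcloud projects list --format='value(projectId)'
}

# check_project_access: returns 1 and lists the projects where the service
# account has no role; these are the ones to add it to.
check_project_access() {
  missing=$(missing_projects "$EXPECTED_PROJECTS" "$(visible_projects)")
  # The key file is a live credential: remove the local copy once it has
  # served its purpose (the key itself can be deleted from the console).
  rm -f "$KEY_FILE"
  if [ -n "$missing" ]; then
    printf '%s has no role in:\n%s\n' "$SA_EMAIL" "$missing"
    return 1
  fi
  echo "$SA_EMAIL can see every expected project"
}

# Only contact GCP when explicitly asked (RUN_GCLOUD=1 is an assumed switch).
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  check_project_access
fi
```

Run it with RUN_GCLOUD=1; each project it prints is one where the service account still needs a role before the collector can sync it.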