Breadcrumbs

Add GCP to SaaS Agent

Task List

Task #

Task

Performed by

1

Prepare GCP for use with CI Sync

GCP Admin

2

Add GCP as a Source System using the CI Sync SaaS UI

CI Sync Admin

3

Check status of new GCP Source System connection

CI Sync Admin

4

Perform Updates in ServiceNow (if required)

ServiceNow Admin

Task 1: Prepare GCP for use with CI Sync

Click to expand for information about authentication types supported by CI Sync

Supported Authentication Types

The CI Sync Connector for GCP supports authentication using GCP Service Account with Certificate Based Authentication. Please contact your Syncfish representative to discuss support for other authentication methods if required.

Also, the CI Sync Connector for GCP relies upon GCP Cloud Assets API which reads from Google Cloud Asset Inventory.

Google state Cloud Asset Inventory is free to use, however customers are responsible for the costs associated with storing any data generated by Cloud Asset Inventory (i.e. the costs of data stored in a Cloud Storage account).

For customers not currently using Google Cloud Asset Inventory, Syncfish recommend the following:

  1. Engaging their internal cyber security team to discuss enabling/using this GCP service.

  2. Reviewing the potential cost of using this GCP service.

In this Task 1 you will create a new GCP Service Account and then in Task 2 (further below) you will declare the email address of the new Service Account in the CI Sync Web UI.

During Task 1 you will define perimission for the new Service Account. These permissions utlimately limit the range of resources CI Sync can read from GCP to synchronize ito the CMDB.

GCP service account permissions are typically as follows:

  1. The service account permissions are added to a Single GCP Project.

  2. The service account permissions are added to Multiple GCP Projects.

  3. The service account permissions are added to the GCP Organization.

For the purpose of CI Sync organisations will add permissions for the service account at the GCP Organization level. This allows CI Sync to read all resources within the GCP Organization (unless additional GCP controls/ACLs have further limited access).

The instructions in Task 1 assume permissions are being added to the GCP Organization.


  1. Either create a new CISync Project or navigate to an existing GCP project.

  2. With the project, enable the Cloud Assets API as follows:

    1. Navigate to APIs & Services and click the Enable APIs and services button

    2. Search for and enable the Cloud Asset API

      image-20250508-043115.png


  3. Create a Service Account credential to grant CISynchronizer access.

    1. Under APIs & Services, navigate to Credentials and create a new Service Account credential.

      image-20250508-043548.png


    2. Give the service account a valid name

  4. Now navigate back to Service Accounts and locate the Email address assigned to the newly created Service Account.

    image-20250520-034342.png

Data Capture Note

The Service Account Email address will be required by the CI Sync Admin when they use instructions further below to add GCP as a Source Connection when CI Sync.

  1. Add permission for the Service Account at the Organization level

    1. Navigate to your Organization

    2. Go to IAM and click Grant access

      image-20250812-052230.png


    3. Enter the email address of the service account as the Principal and assign the following permissions:

      1. Cloud Asset Service Agent

      2. Cloud Asset Viewer

      3. Viewer


        image-20250813-230640.png


  2. Next, generate a Key for the Service Account

    1. Navigate to the newly created Service Account and press Add key > Create new key

      image-20250508-044404.png


  3. Make sure it is a JSON type and click Create

    image-20251205-005020.png


Your browser will download the private key as a file to your local computer.

The contents of the downloaded file (i.e. the private key value) will be needed by the CI Sync Admin when they use instructions further below to add GCP as a Source Connection when CI Sync.

Make sure the downloaded file (i.e. the private key) is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when following the instructions later in this page.

The contents of the downloaded JSON file should contain a private_key value


  1. Finally, make sure you capture the Organization ID so it can be provided to the CI Sync Admin when they use instructions futher below. One way of retrieving this Organization ID is to open the Project Picker and to find the organization in the resource list.

image-20250812-014220.png


Data Capture Summary

As a reminder, you should have captured the following information when completing the above steps.

  1. The Service Account Email address (from Step 4 above). This is the email that is assigned to the CI Sync Service Account.

  2. The downloaded JSON file for the Service Account Key (from Step 6 above). The contents of the downloaded file contain the private key which will be used when registering the connection in your CI Sync SaaS Instance

  3. The Organization ID (from Step 7 directly above). This represents the GCP Scope when inputting into the CI Sync Web UI later in these instructions.

These values will be used later by the person following the instructions in Task 2 immediately below.

Task 2: Add GCP as a Source System using the CI Sync SaaS UI

  1. Login to your CI Sync SaaS instance at https://YourCo.syncfish.app

  2. In the CI Sync UI, navigate to Settings > Connections.

  3. Find the “SaaS Agent” sub-heading under the Source Connections section. If you don’t see “SaaS Agent” it means your CI Sync instance hasn’t been configured for this feature. Please contact your Sync representative to discuss.

  4. On the right hand side of the form, click the +Add button.

CleanShot 2025-06-25 at 18.03.19@2x-20250625-080339.png

  1. The New Connection form now appears. Use the Connection Type drop down list to select the source system you wish to add (in this case Google Cloud).

CleanShot 2025-08-14 at 11.03.46@2x-20250814-010850-20250819-011134.png

  1. Update the fields using these instructions

    1. Connection name

      1. This is a friendly name that represents the source system connection.

      2. The name you enter here will appear when you create a new sync job and are selecting from the available source system list.

      3. Note: Syncfish recommend using a textual suffix on the connection name if for any reason you have setup multiple CI Sync Connections to AWS.

    2. Alias: Please ingore this field (it is not used for the CI Sync Cloud Agent and is being deprecated).

    3. Environments

      1. Select from the available choices Production, Test, or Production/Test (the latter being both).

      2. The selection you make for this field affects which source systems appear when you create a new sync job (i.e. when you are selecting the source system list based on the “Environment” you have chosen for the sync job). See this page for more details on creating a CI Sync job: Run a Small Initial Sync Job (then run more).

      3. FYI: CI Sync allows a source system to be both Production/Test because CI Sync only reads from a source system (it doesn’t write to it). Destination systems can only be Test or Production (not both).

    4. GCP Scope/s

      1. Paste the GCP Organization ID captured by your GCP Admin in Task 1 above.

      2. The format of the value to paste into this field must be as follows:
        organizations/1234567890

    5. Credential Type

      1. Select Service Account

    6. Service Account Email Address

      1. Paste the CI Sync GCP Service Account Email address captured by your GCP Admin in Task 1 above.

        1. Ensure that when pasting this value, there is no whitespace character at the end.

    7. Private Key

      1. The JSON file captured by your GCP Admin in Task 1 above should contain a private_key entry.

      2. Paste the value of the private_key entry to this field.

        1. See the additional note below for more information

    8. Then click the Consent to update fields checkbox.

    9. Finally click the Create connection button.

Additional note for the Private Key field

The contents of the JSON file will contain multiple different values. The value required for configuration is the private_key value. Copy this value, it should look like:

-----BEGIN PRIVATE KEY-----\nXXXX\n-----END PRIVATE KEY-----

Ensure that the copied value does not include any characters.

You will be returned to the main settings screen and your new source system connection will appear in the list as shown below.

image-20260210-044557.png

Task 3: Check status of new GCP Source System connection

  1. To check the status of the newly added GCP Source System connection click the green Check Status link. This will test whether your CI Sync GCP connection can successfully reach and authenticate to the GCP Entra ID defined in the connection itself.

  2. image-20260210-044910.png

    If the connection is successful, you will see a green dot next to the source connection name.

  3. image-20260210-045156.png

    To test again in the future, you can click the green Refresh Status button.

  4. If the test is unsuccessful, you will see a red dot next to the source connection name and an error message underneath. If you need assistance resolving an error, please contact Syncfish support.

This means you are ready to run a sync job using the new source connection using these high-level instructions: Run a Small Initial Sync Job (then run more).

Task 4: Perform Updates in ServiceNow (if required)

Guidance Note

Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator. 

A ServiceNow administrator will need to perform these steps.

Syncfish recommend following these instructions in your non-production ServiceNow environment for testing synchronization jobs.

Only once exhaustive testing in non-production is complete, repeat this process in your ServiceNow production environment.

In this section your ServiceNow SME will assess various updates to ServiceNow to support this CI Sync connector:

  • Task 4a: Assess if the CMDB CI Class Models plug-in is required

  • Task 4b: Assess if additional permissions are required

  • Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists

Task 4a: Assess if the CMDB CI Class Models plug-in is required

Context

A number of record sets (asset types/resource types) available to sync using the GCP Connector rely upon CMDB CI Classes that are only available via the CMDB CI Class Models plug-in. 

You therefore need to install the CMDB CI Class Models plug-in to your ServiceNow instance.

If you already have the plug-in you may want to upgrade it to the latest version (as ServiceNow occasionally updates the plug-in to include extra CI Classes/tables).

Source System

Specific Record Sets that require the CMDB CI Class Models plug-in

GCP

  • Many/most GCP resources supported by CI Sync.

  • Synchronizing of GCP Labels into the cmdb_key_value table.

Instructions

Follow these steps to add this plug-in (and similar steps to locate it and upgrade it if required):

  1. Assess the use/inclusion of this plug-in within your ServiceNow (ensure you are comfortable installing this plug-in).

  2. Search for Plugins via the ServiceNow navigation menu.

  3. Locate the CMDB CI Class Models plug-in.

  4. Click Add -> Install and follow the instructions provided.

image-20250328-005325.png

Task 4b: Assess if additional permissions are required

Use Case - If you are planning to use CI Sync to write GCP Labels to the CMDB

Context

CI Sync writes GCP Labels to the cmdb_key_value table in ServiceNow.

The standard/out-of-the-box roles provided by ServiceNow (and recommended by Syncfish during S3 - Configure ServiceNow for CI Sync) do not provide access to the cmdb_key_value table. Therefore, the CI Sync Integration User account created during S3 - Configure ServiceNow for CI Sync requires additional permissions to write to the cmdb_key_value table.

Syncfish provides a ServiceNow updateset to prepare your ServiceNow instance for CI Sync. The updateset does the following:

  • Creates a read/write ACL on the cmdb_key_value table.

  • Applies the ACL on the cmdb_key_value table and assigns the ACL to the ServiceNow role called “Asset” (which is one of the roles granted to the CI Sync Integration Account created during S3 - Configure ServiceNow for CI Sync).

Instructions

Follow these steps to apply the updateset provided by Syncfish:

  1. Download the update set from Syncfish at the below URL:
    https://downloads.syncfish.app/servicenow/cisync-cmdb-key-value.xml

  2. Login to your ServiceNow instance with Admin permissions.

  3. Open a browser and navigate to your ServiceNow instance

  4. In the left nav menu search for “Retrieved Update Sets” and click to open

  5. Right click on the column heading row and select “Import XML

CleanShot 2025-06-10 at 18.34.18@2x-20250610-083554.png

  1. Select “Choose File

  2. Select the downloaded file “cisync-cmdb-key-value.xml

  3. Click to open the Update Set

CleanShot 2025-08-04 at 18.45.24@2x-20250804-084545.png

  1. Click “Preview Update Set

  2. If there are no preview errors, Click “Close”.

  3. Click “Commit Update Set”.

  4. Your ServiceNow instance is now ready to receive Label data from GCP via sync jobs from CI Sync.

Context

CI Sync populates various child tables (related lists) associated with parent CIs. The following table shows the Related Lists (per CI Class) populated by the CI Sync GCP Connector.


CI Class

Related List
(i.e. friendly name)

Related List Name as it appears in the ServiceNow UI when adding it to a CI Form

Network

Key Values (Labels)

Key Value → Configuration Item

Projects

Key Values (Labels)

Key Value → Configuration Item

Redis

Key Values (Labels)

Key Value → Configuration Item

Storage Bucket

Key Values (Labels)

Key Value → Configuration Item

Subnet

Key Values (Labels)

Key Value → Configuration Item

VM Instance

Key Values (Labels)

Key Value → Configuration Item

Instructions

Below are the steps to modify a ServiceNow CI form to expose a new Related List.

  1. Login to your ServiceNow instance with Admin permissions.

  2. Navigate to any CI in the relevant CI Class (i.e. one/all of those listed in the table in the Context section above). For example, navigate to a Windows Server CI).

  3. Right-click in the heading area of the form, then click Configure and then Related Lists from the sub-menus.

image-20250402-073451.png


  1. Identify the Related List you want to expose on the CI form using the table in the Context section above.

  2. Find the Related List in the left hand column which lists all Available Related Lists.

  3. Click the Related List and then click add (the selection arrow) to move the item to the Selected column and then click Save.

image-20250402-073539.png

  1. Repeat for each additional CI Class listed in the table in the Context section above.