By default, Forseti is designed to be installed with complete organization access, and run with the organization as the root node in the resource hierarchy.
You also have the option to run Forseti on a subset of resources: folders or projects. Inventory, Data Model, and Scanner are supported on such a subset, but Explain is not.
Run the Forseti Installer. By default, the installer will try to assign org-level roles. If you are not an Org Admin, there will be errors, but you can safely disregard them, as you will manually assign the correct roles later.
Edit forseti_conf_server.yaml and point the root_resource_id to the target folder: folders/<foo_folder_id>.
NEW for version 2.12.0+: You can use the composite_root_resources configuration to include multiple resources in a single Forseti installation. See Configure Inventory for more details.
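As an added illustration (not a fragment from the Forseti docs or code), here is how the two scoping options above read in forseti_conf_server.yaml. The inventory: nesting and the list shape of composite_root_resources are assumed from the Forseti 2.x server config template, and all ids are placeholders.

```yaml
inventory:
  # Single root: Inventory crawls only this folder and everything
  # beneath it. Replace <foo_folder_id> with the numeric folder id.
  root_resource_id: folders/<foo_folder_id>

  # Alternative for 2.12.0+: several roots in one installation.
  # Assumed shape: one "<resource_type>/<resource_id>" string per entry;
  # uncomment this list (and clear root_resource_id) to use it.
  # composite_root_resources:
  #   - folders/<foo_folder_id>
  #   - projects/<my_project_id>
```

Whichever form you use, the service account still needs the roles described in the following steps on every resource listed, or Inventory will skip what it cannot read.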
If Forseti was installed with Org Admin credentials, then the org-level roles will be inherited at the folder level.
If Forseti was not installed with Org Admin credentials, then you need to grant the Forseti server service account the same roles on the target resources as were originally granted on the organization.
Edit the forseti_conf_server.yaml file.
Upload forseti_conf_server.yaml to the GCS bucket.
Copy the forseti_conf_server.yaml file from the GCS bucket to /home/ubuntu/forseti-security/configs/.
Create a custom role with the storage.buckets.get permission and assign it to your Forseti server service account.
NEW for version 2.12.0+: As an alternative, you can use the composite_root_resources configuration to include multiple resources in a single Forseti installation. See Configure Inventory for more details.
This assumes that Forseti is not installed with Org Admin credentials and that you want Forseti to run on projects that you own. If Forseti is installed with Org Admin credentials, then all the resources in the organization will be returned.
Leave the root_resource_id pointed to the organization that the Installer inferred from the environment.
Grant the project viewer role to the Forseti server service account on the projects that you own.
Create a custom role with the storage.buckets.get permission and assign it to your Forseti server service account.
When you run Forseti again, all the resources from the target root will be collected in Inventory and audited.