Steps to offboard Google Cloud Platform (GCP) account from Prisma Cloud tenant so it can be re-added
Created On 03/25/19 20:51 PM - Last Modified 12/10/19 19:17 PM
Objective
Steps to offboard a Google Cloud Platform (GCP) account from a Prisma Cloud tenant and re-add it as a new, separate cloud account, for two cases:
- Delete GCP Organization account and add it back as GCP Organization account
- Delete GCP Master Service Account (MSA) and add it as GCP MSA or GCP Organization account
Environment
Prisma Cloud, GCP
Procedure
Scenario 1 (GCP Organization account):
- There is a GCP Organization account O with child projects C1, C2, C3, and C4 in Prisma Cloud.
- The service account key used for onboarding was created under project C4.
- Log into the GCP Console.
- Find the service account (created under project C4) whose key was used to onboard the organization.
- Remove the Project Viewer permission from that service account at the organization level in the GCP Console (keep the Project Viewer permission on project C4, where the service account was created).
- Once this is done, wait 1 hour for the Prisma Cloud automatic onboarding processor to remove the child projects C1, C2, and C3 from the Prisma Cloud console; project C4, which the service account key belongs to, remains.
- After an hour, the Prisma Cloud console shows Organization O with only Project C4 under it.
- Disable Organization O in the Prisma Cloud console (toggle the Enabled button under the Settings --> Accounts tab).
- Contact customer support to remove it from the system.
- DevOps will run a query that does two things: (a) delete the organization from the system and (b) remove the association of Organization O with Project C4, making C4 a standalone project in the Prisma Cloud system.
- Once Project C4 shows up as a single project in the Prisma Cloud console with a delete icon next to it, you can delete it; this soft-deletes C4 from the system.
- Wait 1 day (24 hours) for all data related to this organization to be purged
- The same GCP Organization can now be added back to Prisma Cloud.
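The organization-level step above (revoke Project Viewer for the onboarding service account at the organization, keep it on project C4) expressed as an edit of the IAM policy document that `gcloud organizations get-iam-policy ORG_ID --format=json` returns, followed by the check a practitioner would run before starting the one-hour wait. This is an added example, not code from the article or from Prisma Cloud; the service account e-mail, policy contents and etags are constructed sample values.

```python
from copy import deepcopy

# Constructed sample values (not from the article): the onboarding service
# account and an organization-level IAM policy in the shape returned by
#   gcloud organizations get-iam-policy ORG_ID --format=json
SA_MEMBER = "serviceAccount:prisma-onboard@c4-project.iam.gserviceaccount.com"
ORG_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:admin@example.com", SA_MEMBER]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:admin@example.com"]},
    ],
    "etag": "BwExampleEtag1",
    "version": 1,
}
# Project-level policy of C4, the project the key was created in; the
# article says this is the binding to keep.
C4_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": [SA_MEMBER]}],
    "etag": "BwExampleEtag2",
    "version": 1,
}


def remove_member_from_role(policy, role, member):
    """Return a copy of policy with member removed from the given role.

    Mirrors what `gcloud organizations remove-iam-policy-binding` does:
    only the matching binding is touched, other roles and members stay,
    the etag is preserved for the read-modify-write, and a binding left
    with no members is dropped, as gcloud does.
    """
    new_policy = deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def roles_for_member(policy, member):
    """Roles the member holds in this policy: the check to run at both the
    organization and project C4 before waiting for the onboarding processor."""
    return {b["role"] for b in policy.get("bindings", []) if member in b["members"]}


if __name__ == "__main__":
    trimmed = remove_member_from_role(ORG_POLICY, "roles/viewer", SA_MEMBER)
    print("org-level roles left for SA:", roles_for_member(trimmed, SA_MEMBER) or "none")
    print("C4 roles left for SA:", roles_for_member(C4_POLICY, SA_MEMBER))
```

The expected end state is that `roles_for_member` returns an empty set for the organization policy and `{"roles/viewer"}` for the C4 project policy.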
Scenario 2 (GCP Master Service Account), assumptions:
- There is a GCP MSA C4 with child projects C1, C2, and C3 in Prisma Cloud.
- The service account key SAK1 used for onboarding was created under Project C4.
- Note: C4 is shown as a child of the MSA in the Prisma Cloud console; however, it is the MSA itself.
- Log into GCP console
- Create a new service account SAK2 in C4; it replaces SAK1 in the cloud account setup.
- Give Project Viewer permissions to SAK2 for C4 only; do not give SAK2 access to any other project.
- Use the new SAK2 to update the GCP MSA in the Prisma Cloud console.
- When you click the "Confirm" button in cloud account edit mode on the Prisma Cloud console, the other projects (C1, C2, and C3) stop showing up as children, because they are no longer associated with the MSA.
- Data for C1/C2/C3 will be deleted within 24 hours by the backend automatic cleanup. Note: you do not need to wait for this to complete before contacting customer support.
- Contact customer support to remove C4 as MSA and make it a single project.
- DevOps will run a query that moves C4 from MSA to a single project.
- Once you receive confirmation that the DevOps query (the previous step) is complete, you can delete C4 from the Prisma Cloud console.
- Wait 24 hours for C4 to be deleted from the system by the automatic cleanup
Additional Information
Refer to KA 000006939, "Adding a GCP account after deleting it, fails with error: Internal Error", for information on deleting and re-adding a GCP account.