Getting Started with Cloud Connection


1.0 Introduction

This article helps you get started with the Fortanix Key Insight cloud connection.

It also describes:

  • How to sign up and log in to Fortanix Armor.

  • How to access the Fortanix Key Insight solution.

  • How to configure the Amazon Web Services (AWS) connection.

  • How to configure the Azure cloud connection.

  • How to configure the Google Cloud Platform (GCP) connection.

2.0 Terminology Reference

3.0 Log In and Create an Account

Fortanix Key Insight is a solution on the Fortanix Armor platform. Therefore, you need to create an account on the Fortanix Armor platform if you do not already have one.

3.1 Sign Up and Log In to Fortanix Armor Platform - New Users

If you are accessing Fortanix Key Insight for the first time, you need to sign up for Fortanix Armor to access Key Insight. For subsequent access, you can log in to Fortanix Armor directly.

For more information on how to sign up, log in, and create an account for Fortanix Key Insight, refer to Fortanix Armor – Getting Started.

3.2 Log In to Fortanix Armor Platform - Existing Users

You can directly log in to the Fortanix Armor platform to access Key Insight if you have already signed up and have an account.

For more information on how to log in and create an account on Fortanix Armor, refer to Fortanix Armor – Getting Started.

4.0 Access Fortanix Key Insight

After creating and selecting your Fortanix Armor account, you are redirected to the Available Solutions page in Fortanix Armor. From this page, you can access Fortanix Key Insight.

Perform the following steps:

  1. Ensure the appropriate region (European Union or North America) is selected from the Region drop-down. The selected region determines where your data is processed and stored. It also ensures that connections, scans, and UI elements are displayed based on the selected region. For more information on configuring regions, refer to Fortanix Armor – Solutions.

  2. Click GO TO KEY INSIGHT to access Fortanix Key Insight and begin onboarding cloud connections.

Figure 1: Access Fortanix Key Insight solution

5.0 Configure an AWS Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard an AWS connection to scan your cryptographic materials (Keys, Services, and Certificates).

5.1 Prerequisites

The following are the prerequisites before configuring an AWS connection on Fortanix Key Insight:

5.1.1 Set Up an AWS Role in an AWS Organization

Before onboarding an AWS connection, perform the steps described in AWS Connection Scanning Configuration to set up your AWS Role in the AWS organization.

5.1.2 IP Whitelisting Requirements in AWS

To enable secure and reliable communication between Fortanix Key Insight and your AWS cloud environment, certain network connections may need to be allowed.

If your AWS accounts enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your AWS resources:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

IP whitelisting is not mandatory. It is required only if there are network restrictions on your AWS accounts for inbound traffic.

5.2 AWS Authentication Methods

AWS supports the following authentication mechanisms to control how users and applications obtain credentials for accessing AWS services:

  • Secret-based authentication: An authentication method in which an application stores long-lived AWS access keys (Access Key ID and Secret Access Key) and uses them directly to sign AWS API requests.

  • Federated authentication: An authentication method where users or applications access AWS resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.

       AWS commonly uses the following OAuth flows in federated authentication scenarios:

    • Authorization code flow: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).

    • Client credentials flow: Used for machine-to-machine communication. The application authenticates directly with the IdP using its client ID and secret to obtain tokens, with no user interaction required.

    • API gateway (Optional): In AWS, an API gateway (such as Kong Gateway) validates tokens, signs AWS requests when required, and proxies them to AWS services, providing centralized authentication and authorization.

5.3 Select Connection Type

Perform the following steps to select the AWS connection type:

  1. On the Select Connection Type step, select Cloud Connections type and the Amazon Web Services cloud provider.

  2. Click NEXT.

    Figure 2: Select the AWS cloud provider

NOTE

You can also add an AWS connection by clicking ADD CLOUD CONNECTION in the top-right corner of the CLOUD tab on the Connections page.

5.4 Select Authentication

AWS supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access AWS services.

For more information on the definitions of the AWS authentication methods, refer to Section 5.2: AWS Authentication Methods.

5.4.1 Secret-based Authentication

Perform the following steps to add a secret-based AWS authentication:

  1. On the Select Authentication step, select the Secret based authentication.

  2. AWS access key: Enter an AWS access key.

  3. AWS secret access key: Enter an AWS secret access key.

    For more information on how to fetch the secret-based authentication credentials, refer to AWS Connection Scanning Configuration.

  4. Click NEXT.

Figure 3: Select AWS secret-based authentication

5.4.2 Federated Authentication - Authorization Code Flow

Fortanix Key Insight supports configuring AWS connections using the Authorization code flow with PingOne and Microsoft Entra ID as the identity providers.

For more information on how to configure the IdPs and obtain the credentials (Client ID, Well-known URL, and Scopes), refer to the following:

NOTE

  • Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for AWS federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.

  • The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.

Perform the following steps to add an IdP configuration using the Authorization code flow:

  1. On the Select Authentication step, select Federated authentication.

  2. In the Select Configuration section, click ADD CONFIGURATION to add a new Identity Provider (IdP) configuration.

  3. In the Add New Configuration dialog box, the Authorization code flow option is selected by default.

    1. Name of configuration: Enter a name for the configuration.

    2. Well-known URL: Enter the Well-known URL of your IdP.

    3. Client ID: Enter the Client ID of your IdP.

    4. Scope: Add the required Scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.

      NOTE

      Ensure that you include the offline_access scope when configuring a Microsoft Entra ID IdP.

    5. Click AUTHORIZE.

      A new browser window opens for authorization, depending on the IdP. After you complete the required steps, the new IdP is added to the Select configuration list.

      Figure 4: Add a Configuration using Authorization Code Flow

  4. After adding and selecting the IdP, enter the Amazon Resource Name (ARN) in the Role ARN field.

    For more information on how to fetch the ARN, refer to AWS Connection Scanning Configuration.

    NOTE

    The Role ARN field is visible only if you have added and selected an IdP configured with the Authorization code flow.

  5. Click NEXT.

NOTE

You can also add an IdP using the Authorization code flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page.

For more information on managing the Federated Authentication IdP configurations, refer to Federated Authentication Identity Provider Configurations.

5.4.3 Federated Authentication - Client Credentials Flow

Fortanix Key Insight supports configuring AWS connections using the Client Credentials flow with Kong as the API Gateway and Okta and Auth0 as supported IdPs.

For more information on configuring the IdPs and obtaining the required credentials, refer to the following:

NOTE

  • A dedicated application registration in each identity provider is required to securely validate tokens.

  • If the IdP configuration is updated (for example, Client ID, Client Secret, Issuer URL, or scopes), re-authorization is required to maintain a valid onboarding configuration.

Perform the following steps to add an IdP configuration using the Client credentials flow:

  1. On the Select Authentication step, select Federated authentication.

  2. In the Select Configuration section, click ADD CONFIGURATION to add a new IdP configuration.

  3. In the Add New Configuration dialog box:

    1. Client credentials flow: Select this option to authenticate to AWS services using client credentials.

    2. Name: Enter a name for the configuration.

    3. Client ID: Enter the Client ID of your IdP.

    4. Client Secret: Enter the Client Secret of your IdP.

    5. Well-known URL: Enter the Well-known URL of your IdP.

    6. Scope(s) (optional): Add custom scopes if required.

    7. Add API Gateway URL (Required for AWS connections): Select this check box to enter the API gateway URL. This is the public URL of the API Gateway deployed in your environment (for example, Kong Gateway). You can obtain this URL from your API Gateway deployment or from the administrator managing the gateway.

      For example, https://kong.westus2.cloudapp.azure.com:8443/auth0.

    8. Click AUTHORIZE to complete the authorization.

    Figure 5: Add a configuration using Client Credentials flow

  4. After adding and selecting an IdP, click NEXT.

NOTE

  • When adding or editing the configuration, an Authorization Failed error message may appear if authorization cannot be completed due to incorrect credentials, invalid scope, or other configuration issues.

  • You can also add an IdP using the Client credentials flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page. For more information on managing the Federated Authentication IdP configurations, refer to Federated Authentication Identity Provider Configurations.
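The Well-known URL, flow type and scopes entered in the Add New Configuration dialog (Sections 5.4.2 and 5.4.3) can be sanity-checked before clicking AUTHORIZE, since a missing endpoint, grant type or scope is one way to end up at the Authorization Failed message. The following is an added example, not Fortanix code: it validates a constructed OIDC discovery document (placeholder issuer and endpoints, not a real tenant) against what each flow on this page needs, including the offline_access requirement for Microsoft Entra ID.

```python
"""Pre-flight checks for an IdP configuration before AUTHORIZE.

Added example, not Fortanix code. The discovery document below is a
constructed sample shaped like what a Well-known URL returns; a real
check would fetch the URL with urllib/requests instead of using a literal.
"""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder host and tenant).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example-idp.test/TENANT-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.example-idp.test/TENANT-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example-idp.test/TENANT-PLACEHOLDER/oauth2/v2.0/token",
    "jwks_uri": "https://login.example-idp.test/TENANT-PLACEHOLDER/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# What each flow described on this page needs the IdP to advertise.
# Authorization code: a user signs in at authorization_endpoint, the code is
# redeemed at token_endpoint. Client credentials: machine-to-machine, token
# endpoint only. jwks_uri is needed in both cases to verify issued tokens.
FLOW_REQUIREMENTS = {
    "authorization_code": {
        "endpoints": ("authorization_endpoint", "token_endpoint", "jwks_uri"),
        "grant_type": "authorization_code",
    },
    "client_credentials": {
        "endpoints": ("token_endpoint", "jwks_uri"),
        "grant_type": "client_credentials",
    },
}


def check_well_known_url(url: str) -> list[str]:
    """Static checks on the Well-known URL field itself (no network)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("Well-known URL must use https")
    if not parsed.path.endswith("/.well-known/openid-configuration"):
        problems.append("Well-known URL should end in /.well-known/openid-configuration")
    return problems


def check_discovery(doc_json: str, flow: str, scopes: list[str],
                    entra_id: bool = False) -> list[str]:
    """Return a list of configuration problems; an empty list means OK.

    flow is "authorization_code" or "client_credentials"; scopes is the
    list entered in the Scope field; entra_id flags a Microsoft Entra ID
    IdP, for which the authorization code flow must request offline_access
    so a refresh token is issued and the connection can re-authenticate.
    """
    doc = json.loads(doc_json)
    req = FLOW_REQUIREMENTS[flow]
    problems = []

    # Every endpoint the flow uses must be present and served over TLS.
    for ep in req["endpoints"]:
        if ep not in doc:
            problems.append(f"discovery document lacks {ep}")
        elif urlparse(doc[ep]).scheme != "https":
            problems.append(f"{ep} is not https")

    # grant_types_supported is optional in discovery; check it only when present.
    grants = doc.get("grant_types_supported")
    if grants is not None and req["grant_type"] not in grants:
        problems.append(f"IdP does not advertise grant type {req['grant_type']}")

    # Requested scopes should be advertised. IdPs often omit custom API scopes
    # from scopes_supported, so confirm those with the IdP administrator rather
    # than treating the entry as a hard failure.
    supported = doc.get("scopes_supported")
    if supported is not None:
        for s in scopes:
            if s not in supported:
                problems.append(f"scope {s!r} not in scopes_supported")

    if entra_id and flow == "authorization_code" and "offline_access" not in scopes:
        problems.append("Entra ID authorization-code flow requires offline_access")

    if doc.get("issuer", "").startswith("http://"):
        problems.append("issuer is not https")
    return problems


if __name__ == "__main__":
    print(check_well_known_url(
        "https://login.example-idp.test/TENANT-PLACEHOLDER/v2.0/.well-known/openid-configuration"))
    print(check_discovery(SAMPLE_DISCOVERY, "authorization_code",
                          ["openid", "profile"], entra_id=True))
```

Run it against the document fetched from your own Well-known URL before adding the configuration; each returned string maps to a field in the dialog that needs attention.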

5.5 Set Up Cloud Connections

Perform the following steps on the Set Up Cloud Connections step:

  1. AWS cloud connection name: Enter a name for your AWS connection. For example, AWS connection1.

  2. In the Select scope section:

    • Organization: Select this option if you want to onboard an AWS organization. This allows you to onboard all the AWS accounts in the AWS organization.

    • Account: Select this option if you want to onboard a single AWS account.

  3. Click NEXT.

Figure 6: Configure AWS cloud account in Fortanix Key Insight

5.6 Select AWS Accounts

Perform the following steps to select AWS accounts:

  1. On the Select AWS Accounts step:

    • If you selected Organization scope in the previous step, choose Select All to onboard all AWS accounts in the AWS organization or manually select the accounts you want to onboard.

    • If you selected Account scope, select the single AWS account to scan and onboard that account.

  2. Click NEXT.

    NOTE

    Fortanix Key Insight scans only the AWS metadata and does not access any AWS key material.

    Figure 7: Select AWS accounts

5.7 Select Fortanix Key Insight Policy

The System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.  

Click NEXT to proceed.

Figure 8: Select Key Insight policy

Additionally,

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

NOTE

If you select a policy other than the System Defined Policy, or later update the policy, you must Rescan the AWS connection to apply the new policy.

5.8 Select External Key Source

On the Select External Key Source step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

Perform the following steps:

  1. Select any of the following options:

    • Yes, connect now: This option allows you to add an external key source for your AWS cloud connection and correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Getting Started With External Key Source Connection. After adding the Fortanix DSM connection, select it from the list.

      Figure 9: Add external key source

    • No, I’ll connect later: This option allows you to onboard the AWS connection without adding an external key source. You can add it later if needed.

      Figure 10: Onboard AWS connection without an external key source

  2. Click FINISH to complete the AWS connection onboarding.

    NOTE

    After onboarding the AWS connection:

    • View the AWS connection user interface (UI) (Overview, Assessment, Keys, and so on). You can also switch the region at any time using the region switcher drop-down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

      For more information about the AWS connection UI, refer to AWS Connection - User Interface Components.

    • Users with the Account Administrator and Group Administrator roles can manage (edit, delete, rescan) the connection from the Connections page under the CLOUD tab.

      • Deleting the AWS connection cannot be undone.

    • A group with the same name will be created on the Fortanix IAM Groups page. For more information on Groups, refer to Fortanix Armor Identity and Access Management-IAM.

6.0 Configure an Azure Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, configure an Azure cloud connection to onboard your Azure subscriptions and scan your keys and services.

6.1 Prerequisites

The following are the prerequisites before configuring an Azure cloud connection on Fortanix Key Insight:

6.1.1 Set Up Azure Permissions

Before onboarding the Azure cloud,

6.1.2 IP Whitelisting Requirements in Azure

To enable secure and reliable communication between Fortanix Key Insight and your Azure cloud environment, certain network connections may need to be allowed.

If your Azure subscriptions enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your Azure resources:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

IP whitelisting is not mandatory. It is required only if there are network restrictions on your Azure accounts for inbound traffic.

6.2 Azure Authentication Methods

Azure supports the following authentication mechanisms to control how users and applications obtain credentials for accessing Azure services.

  • Secret-based authentication: An authentication method in which an application stores long-lived Azure credentials (Client ID, Client Secret, and Tenant ID) and uses them directly to sign Azure API requests.

  • Federated authentication: An authentication method where users or applications access Azure resources using existing credentials from an external identity provider (IdP), such as PingOne or Microsoft Entra ID. This eliminates the need to store long-lived secrets.

       Azure commonly uses the following OAuth flow in federated authentication scenarios:

    • Authorization code flow: Used when a user is involved. The user authenticates with the IdP, the application receives an authorization code, and the code is exchanged for tokens (ID, access, and/or refresh tokens).

6.3 Select Connection Type

Perform the following steps to select the Azure connection type:

  1. On the Select Connection Type step, select Cloud Connections type and the Azure cloud provider.

  2. Click NEXT.

    Figure 11: Select Azure cloud provider

NOTE

You can also add an Azure connection by clicking ADD CLOUD CONNECTION in the top-right corner of the CLOUD tab on the Connections page.

6.4 Select Authentication

Azure supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access Azure services. For more information on the definitions of the Azure authentication methods, refer to Section 6.2: Azure Authentication Methods.

6.4.1 Secret-based Authentication

Perform the following steps to add a secret-based Azure authentication:

  1. On the Select Authentication step, select the Secret based authentication.

    1. Client ID: Enter the Client ID of your IdP.

    2. Client secret: Enter the Client secret of your IdP.

    3. Tenant ID: Enter the Tenant ID of your IdP.

    For detailed steps on obtaining the secret-based authentication credentials, refer to Azure Connection Scanning Configuration Using Custom Roles.

  2. Click NEXT.

Figure 12: Select Azure secret-based authentication

6.4.2 Federated Authentication - Authorization Code Flow

Fortanix Key Insight supports configuring Azure connections using the Authorization code flow with PingOne and Microsoft Entra ID as the identity providers (IdPs).

For more information on how to configure the IdPs and obtain the credentials (Client ID, Well-known URL, and Scopes), refer to the following:

NOTE

  • Fortanix Key Insight recommends creating a dedicated user account in the respective IdP for Azure federated authentication. This account is used to authenticate with the IdP or authorization server and to grant the necessary authorization consent during the connection setup.

  • The dedicated user account must remain active, and any modifications to the account will require re-authorization to update and refresh the authentication configuration.

Perform the following steps to add an IdP configuration using the Authorization code flow:

  1. On the Select Authentication step, select Federated authentication.

  2. Azure application client ID: Enter the Azure application ID.

  3. Tenant ID: Enter the Azure Tenant ID.

  4. In the Select configuration section, click ADD CONFIGURATION to add a new IdP configuration.

  5. In the Add New Configuration dialog box, the Authorization code flow option is selected by default.

    1. Name of configuration: Enter a name for the configuration.

    2. Client ID: Enter the Client ID of your IdP.

    3. Well-known URL: Enter the Well-known URL of your IdP.

    4. Scope: Add the required scope(s). The default scopes are available to select. You can also add custom scopes if they are already configured.

      NOTE

      Ensure that you include the offline_access scope when configuring a Microsoft Entra ID IdP.

    5. Click AUTHORIZE to add a new IdP. A new browser window opens for authorization, depending on the IdP. After you complete the required steps, the new IdP is added to the Select configuration list.

      Figure 13: Add an Azure IdP

  6. After adding and selecting the IdP configuration, click NEXT.

NOTE

  • You can also add an IdP using the Authorization code flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page. For more information on managing the Federated Authentication IdP configurations, refer to Federated Authentication Identity Provider Configurations.

  • Currently, Azure does not support configuring Federated authentication using the Client credentials flow.

6.5 Set Up Cloud Connections

Perform the following steps on the Set Up Cloud Connections step:

  1. Azure cloud connection name: Enter the name of your Azure connection. For example, Azure Cloud.

  2. In the Select scope section:

    • Management Groups: Select this option to onboard all the Azure subscriptions.

    • Subscription: Select this option if you want to onboard a single subscription.

  3. Based on the selected scope,

    1. Management group ID: Enter the Management group ID.

      or

    2. Subscription ID: Enter the subscription ID.

    For detailed steps on obtaining these IDs, refer to Azure Connection Scanning Configuration Using Custom Roles.

  4. Click NEXT.

    Figure 14: Configure Azure cloud subscription in Fortanix Key Insight

6.6 Select Azure Subscriptions

Perform the following steps to select the Azure subscriptions:

  1. On the Select Azure Subscriptions step:

    • If you selected the Management Groups scope in the previous step, choose Select All Subscriptions to onboard all subscriptions in the management group, or manually select the subscriptions you want to onboard.

    • If you selected Subscription scope, select the single Azure subscription to scan and onboard that subscription.

  2. Click NEXT.

    NOTE

    Fortanix Key Insight scans only the Azure metadata and does not access any Azure key material.

    Figure 15: Select Azure subscriptions

6.7 Select Fortanix Key Insight Policy

The System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Click NEXT to proceed.

Figure 16: Azure Key Insight policy

Additionally,

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

NOTE

If you select a policy other than the System Defined Policy, or later update the policy, you must Rescan the Azure connection to apply the new policy.

6.8 Select External Key Source

On the Select External Key Source step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

  1. Select any of the following options:

    • Yes, connect now: This option allows you to add the external key source for your Azure cloud connection to correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Getting Started With External Key Source Connection. After adding the Fortanix DSM connection, select it from the list.

      Figure 17: Add external key source

    • No, I’ll connect later: This option allows you to onboard the Azure connection without adding an external key source. You can add it later if needed.

      Figure 18: Onboard AWS connection without an external key source

  2. Click FINISH to complete the Azure connection onboarding.

    NOTE

    After onboarding the Azure connection:

    • View the Azure connection UI (Overview, Assessment, Keys, and so on). You can also switch the region using the region switcher drop-down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

      For more information about the Azure connection UI, refer to Azure Connection - User Interface Components.

    • Users with the Account Administrator and Group Administrator roles can manage (edit, delete, rescan) the connection from the Connections page under the CLOUD tab.

      • Deleting the Azure connection cannot be undone.

    • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

7.0 Configure a GCP Connection

After accessing the Fortanix Key Insight solution from Fortanix Armor, you can configure and onboard a GCP connection to scan your cryptographic elements (keys and services).

7.1 Prerequisites

The following are the prerequisites before configuring a GCP connection on Fortanix Key Insight:

7.1.1 Set Up a GCP Role in the GCP Organization

Before onboarding a GCP connection, perform the steps described in GCP Connection Scanning Configuration to set up the required GCP role in your GCP organization.

7.1.2 IP Whitelisting Requirements in GCP

To enable secure and reliable communication between Fortanix Key Insight and your GCP cloud environment, certain network connections may need to be allowed.

If your GCP projects enforce inbound restrictions, the following Internet Protocol (IP) addresses must be whitelisted in your firewall to allow Fortanix Key Insight to initiate scanning connections into your GCP resources:

  • 149.14.69.36/32

  • 149.14.123.28/32

  • 184.104.204.100/32

IP whitelisting is not mandatory. It is required only if there are network restrictions on your GCP projects for inbound traffic.

7.2 GCP Authentication Methods

GCP supports the following authentication mechanisms to control how users and applications obtain credentials for accessing GCP services:

  • Secret-based authentication: This method uses a Google Cloud service account to securely authenticate Fortanix Key Insight with your GCP environment. You must provide the service account email and a private key to securely access GCP resources for scanning.

  • Federated authentication: An authentication method where users or workloads access GCP resources using existing credentials from an external identity provider (IdP), such as Ping Identity and PingFederate. This eliminates the need to store long-lived service account keys by using Workload Identity Federation and short-lived credentials.

    GCP commonly uses the following OAuth flow in federated authentication scenarios:

    • Client credentials flow: Used for machine-to-machine communication. The application authenticates directly with the IdP using its client ID and secret to obtain tokens, with no user interaction required.

7.3 Select Connection Type

Perform the following steps to select the GCP connection type:

  1. On the Select Connection Type step, select Cloud Connections type and the Google Cloud Platform cloud provider.

  2. Click NEXT.

    Figure 19: Select the GCP cloud provider

NOTE

You can also add a GCP connection by clicking ADD CLOUD CONNECTION in the top-right corner of the CLOUD tab on the Connections page.

7.4 Set Up Authentication

GCP supports the secret-based and federated authentication methods to control how users and applications obtain credentials to access GCP services. For more information on the definitions of the GCP authentication methods, refer to Section 7.2: GCP Authentication Methods.

7.4.1 Secret-Based Authentication

Perform the following steps to add a secret-based GCP authentication:

  1. On the Select Authentication step, the Secret based authentication option is selected by default.

    1. Service Account Email: Enter your service account email address.

    2. Private Key: Enter the private key associated with the service account.

    For more information on how to fetch these credentials, refer to GCP Connection Scanning Configuration.

  2. Click NEXT.

Figure 20: Configure authentication in GCP

7.4.2 Federated Authentication - Client Credentials Flow

Fortanix Key Insight supports configuring GCP connections using the Client credentials flow with Ping Identity and PingFederate as the identity providers.

For information on configuring the IdP and obtaining the required credentials (Client ID, Client Secret, Well-known URL, and GCP Audience), refer to the following:

Perform the following steps to add an IdP configuration using the Client credentials flow:

  1. On the Select Authentication step, select Federated authentication.

  2. Service account email: Enter the service account email address. For more information on how to obtain this value, refer to GCP Connection Scanning Configuration.

  3. GCP Audience: Enter the GCP Audience value. This value must match the Default Audience configured in your GCP environment.

  4. In the Select Configuration section, click ADD CONFIGURATION to add a new IdP configuration.

  5. In the Add New Authentication Configuration dialog box:

    1. Client credentials flow: Select this option to authenticate to GCP services using client credentials.

    2. Name: Enter a name for the configuration.

    3. Client ID: Enter the Client ID of your IdP.

    4. Client Secret: Enter the Client Secret of your IdP.

    5. Well-known URL: Enter the Well-known URL of your IdP.

    6. Scope (optional): Add custom scopes if required.

    7. Add API Gateway URL (Required for AWS connections): Select this check box to enter the API gateway URL. This is the public URL of the API Gateway deployed in your environment. You can obtain this value from your API Gateway deployment or from the administrator managing the gateway.

    8. Click AUTHORIZE to complete the authorization.

    Figure 21: Add a configuration using Client Credentials flow

  6. After adding and selecting the IdP configuration, click NEXT.

NOTE

  • When adding or editing the configuration, an Authorization Failed error message may appear if authorization cannot be completed due to incorrect credentials, invalid scope, or other configuration issues.

  • You can also add an IdP using the Client credentials flow by clicking ADD CONFIGURATION in the top-right corner of the Authentication page. For more information on managing the Federated Authentication IdP configurations, refer to Federated Authentication Identity Provider Configurations.

  • Currently, GCP does not support configuring Federated authentication using the Authorization code flow.

7.5 Set Up Cloud Connections

Perform the following steps on the Set Up Cloud Connections step:

  1. Enter a GCP connection name. For example, GCP connection.

  2. In the Select scope section:

    • Organization: Select this option if you want to onboard all GCP projects.

      1. Organization ID: Enter your Organization ID. For more information on how to obtain the Organization ID, refer to GCP Connection Scanning Configuration.

        Figure 22: Set up GCP connection

    • Project: Select this option if you want to onboard a single GCP project.

  3. Click NEXT.

7.6 Select GCP Projects

Perform the following steps to select your GCP project(s):

  1. On the Select GCP Project step:

    • If you selected Organization scope in the previous step, choose Select All Projects in Your Organization to onboard all projects in the organization, or manually select the projects you want to onboard.

    • If you selected Project scope, enter the Project ID. For more information on how to fetch the Project ID, refer to GCP Connection Scanning Configuration.

  2. Click NEXT.

    NOTE

    Fortanix Key Insight scans only the GCP metadata and does not access any GCP key material.

    Figure 23: Select GCP projects

7.7 Select Fortanix Key Insight Policy

The System Defined Policy is selected by default on the Key Insight Policy step. This policy is designed to facilitate the scanning of keys and services based on predefined key sizes and permitted operations, ensuring compliance with standard security configurations.

Click NEXT to proceed.

Figure 24: GCP Key Insight policy

Additionally,

  • Click ADD POLICY to add a new user-defined policy to the policy center.

  • Click to copy and modify a system-defined policy, converting it into a user-defined policy.

For more information on Fortanix Key Insight policies and features, refer to Cryptographic Policy Management.

NOTE

If you select a policy other than the System Defined Policy, or later update the policy, you must Rescan the GCP connection to apply the new policy.

7.8 Select External Key Source

On the Select External Key Source step, you can integrate Fortanix Key Insight with an external key source such as Fortanix DSM to enable key correlation and improve key management.

  1. Select any of the following options:

    • Yes, connect now: This option allows you to add the external key source for your GCP cloud connection to correlate keys using the ADD EXTERNAL KEY SOURCE feature. For more information, refer to Getting Started With External Key Source Connection. After adding the Fortanix DSM connection, select it from the list.

      NOTE

      You can currently configure an external key source (Fortanix DSM) connection. However, no correlated data from the external key source will be visible on the GCP connection UI.

      Figure 25: Add external key source

    • No, I’ll connect later: This option allows you to onboard the GCP connection without adding an external key source. You can add it later if needed.

      Figure 26: Onboard AWS connection without an external key source

  2. Click FINISH to complete the GCP connection onboarding.

    NOTE

    After onboarding the GCP connection:

    • View the GCP connection UI (Overview, Assessment, Keys, and so on). You can also switch the region at any time using the region switcher drop-down located on the top navigation bar. When the region is changed, the UI updates automatically to show the data, connections, and scan results for that region.

      For more information about the GCP connection UI, refer to GCP Connection User Interface Components.

    • Users with the Account Administrator and Group Administrator roles can manage (edit, delete, rescan) the connection from the Connections page under the CLOUD tab.

      • Deleting the GCP connection cannot be undone.

    • A group with the same name will be created on the Fortanix IAM Groups page. For more information, refer to Fortanix Armor Identity and Access Management-IAM.

8.0 Troubleshooting

For information about common issues and troubleshooting steps when configuring Fortanix Key Insight in cloud environments, refer to Cloud Connection Troubleshooting.
