For GCP customers that want to set up Wiz sensors on the Glean compute workloads (Compute Engine instances and GKE nodes), please review the following:

General Setup Details

Wiz sensor installation is conducted via the standard Glean deploy process. The customer need not worry about having to perform the installation, nor does the customer need to make any changes to the Glean deployment. The customer will need to provide Glean with some details to have Wiz deployed properly. Please see the requirements section.

Requirements and Instructions

Glean requires that the customer perform the following steps:
  1. In Wiz, create a Service Account for a Wiz sensor. Consult the Wiz documentation for instructions on how to do this. When you do this, you will receive a Client ID and a Client Secret (used later as WIZ_API_CLIENT_SECRET). Keep note of both, as they will be needed.
  2. You will also need to collect the runtime sensor image pull key from your Wiz tenant. This can be obtained from your tenant info page (https://app.wiz.io/tenant-info/general). From that page:
    • You will need the Domain. You can select it via the drop-down. It is recommended that you select registry.wiz.io
    • You will need the Username (Used later as WIZ_REGISTRY_USERNAME)
    • You will need the Password (Used later as WIZ_REGISTRY_PASSWORD)
  3. Next, you are going to create a Google Secret Manager Secret in the same project as the Glean deployment. See the Google Secret Manager Requirements section below on how to create the secret and what to place in there. Once you have provisioned the secret, come back here.
  4. You will send over to your Glean representative the following information:
    • The Wiz Client ID
    • The Wiz registry Domain
    • The name of the Secret Manager secret
  5. Once the information is sent over to your Glean representative, Glean will perform a deployment to get the Wiz sensors installed.

Google Secret Manager Requirements

You will need to create a secret in the same project as the Glean deployment. We recommend that you create a secret that is encrypted with the Google-managed encryption keys (default).

The Secret Contents

The secret that is created needs to be a JSON string that looks like this:
{
    "WIZ_API_CLIENT_SECRET": "ADD-ME",
    "WIZ_REGISTRY_USERNAME": "ADD-ME",
    "WIZ_REGISTRY_PASSWORD": "ADD-ME"
}
You need to embed:
  1. The Wiz Client Secret for WIZ_API_CLIENT_SECRET
  2. The image pull registry username for WIZ_REGISTRY_USERNAME
  3. The image pull registry password for WIZ_REGISTRY_PASSWORD
Once you create the secret, you will need to keep note of the name of the secret.
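
A pre-upload check for the JSON string described above, as an added example that is not part of Glean's or Wiz's tooling. The three key names and the ADD-ME placeholder come from this page; the function names check_payload and build_payload are hypothetical.

```python
import json

# Key names are taken from the page; PLACEHOLDER is the template value it shows.
REQUIRED_KEYS = ("WIZ_API_CLIENT_SECRET", "WIZ_REGISTRY_USERNAME", "WIZ_REGISTRY_PASSWORD")
PLACEHOLDER = "ADD-ME"


def check_payload(raw):
    """Return a list of problems in the secret payload (empty list = OK).

    Messages name keys only and never echo a value, so they are safe to log.
    """
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]

    problems = []
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing key {key}")
            continue
        value = data[key]
        if not isinstance(value, str) or not value:
            problems.append(f"{key} must be a non-empty string")
        elif value == PLACEHOLDER:
            problems.append(f"{key} still holds the template placeholder")
        elif value != value.strip():
            # Typical copy-paste damage: a trailing newline or space.
            problems.append(f"{key} has leading or trailing whitespace")
    # An unknown key usually means a typo in one of the required names.
    for key in sorted(set(data) - set(REQUIRED_KEYS)):
        problems.append(f"unexpected key {key}")
    return problems


def build_payload(client_secret, registry_username, registry_password):
    """Serialise the three values into the JSON string and validate it."""
    values = (client_secret, registry_username, registry_password)
    raw = json.dumps(dict(zip(REQUIRED_KEYS, values)), indent=4)
    problems = check_payload(raw)
    if problems:
        raise ValueError("; ".join(problems))
    return raw
```

Once check_payload returns an empty list, the string is ready to be stored as the secret value.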

Pricing

Because this is reporting back to the customer’s Wiz tenant, the customer is responsible for billing and capacity requirements. Generally, this will require a billable unit for each Compute Engine instance and GKE node instance. Please work with your Glean representative to discuss sizing.