Forseti Visualizer — must-have.

Emil Dabrowski
8 min readJun 19, 2020


This story describes how to install Forseti Visualizer. The Forseti Visualizer is the application that delivers the graphical interface to Forseti findings. More information about it you will find at:

Here is a guide on how to install Forseti Visualizer securely. Before you start this instruction, you should perform prerequisites steps, and Forseti Installation:

OK. Let’s start if you are ready. What do we need:

  • The service account for the connection to Google CloudSQL and run a virtual machine.
  • Debian server for the application (NodeJs 10).
  • A certificate with associated DNS records.
  • Google HTTPS LoadBalancer.
  • Google IAP Proxy.
  1. The first step — let’s create a service account. You can use Google Web Console or Google Cloud SDK. I am showing how to do that using SDK:
gcloud iam service-accounts create forseti-visualiser --project [PROJECT_ID]

In my example:

2. Add proper rights (CloudSQL User) to forseti-visualiser account, and generate key.json for sql-proxy authentication:

gcloud projects add-iam-policy-binding [PROJECT_ID] -- member serviceAccount:forseti-visualiser@[PROJECT_ID] --role roles/cloudsql.clientgcloud iam service-accounts keys create key.json

In my example:

3. Let’s create Linux server for application hosting:

gcloud beta compute --project=[PROJECT_ID] \
instances create forseti-visualiser \
--zone=[ZONE] --machine-type=n1-standard-1 \
--service-account=forseti-visualiser@[PROJECT_ID] \
--image-project=debian-cloud \
--no-address \
--image=debian-9-stretch-v20200618 \


[ZONE] — a zone where the Forseti Server is installed (in my example: europe-west1-c)

[SUBNET] — subnet where Forseti Security is installed (in my example: forseti-subnet)

4. Before login to the new machine, you have to get a connection name to CloudSQL. First of all, you have to get CloudSQL Server name:

gcloud sql instances list

In my example:

5. Find an instance called forseti-server-db-xxx [DB_SERVER]and call:

gcloud sql instances describe [DB_SERVER] |grep connectionName

In my example:

Remember this value (used as [DB_CONNECTION])

6. Login to the new machine from Cloud Shell using:

gcloud beta compute ssh --zone [ZONE] forseti-visualiser --tunnel-through-iap --project [PROJECT_ID]

In my example:

7. Elevate privileges to root and create the folder named cloudsqlproxy using:

sudo su
mkdir /cloudsqlproxy
cd /cloudsqlproxy

8. Copy key.json file, which was created in point 2. You can use any tool to do it; here is my example using Cloud Shell:

gcloud beta compute scp key.json \ 
[YOUR_LOGIN]@forseti-visualiser:key.json \
--tunnel-through-iap --project [PROJECT_ID] \
--zone [ZONE]

in my example:

Next, go to the forseti-visualiser machine and move key.json to /cloudsqlproxy folder:

mv /home/[YOUR_LOGIN]/key.json /cloudsqlproxy/

9. Download CloudSQL Proxy app (source:

wget -O cloud_sql_proxychmod +x cloud_sql_proxy

10. Create cloudsqlproxy service:

cat > /lib/systemd/system/cloud-sql-proxy.service << EOF
Description=Google Cloud Compute Engine SQL Proxy
ExecStart=/cloudsqlproxy/cloud_sql_proxy -dir=/cloudsqlproxy/cloud-sql-proxy -instances=[DB_CONNECTION]=tcp:3306

11. Register and run service:

systemctl daemon-reload
systemctl enable cloud-sql-proxy.service
systemctl start cloud-sql-proxy

12. Now, you have to install the nodeJS framework and libraries:

curl -sL | bash -
apt-get install -y nodejs
npm install -g @vue/cli
npm install d3
cd /

13. You need Forseti Visualizer binaries:

apt install git
git clone
cd forseti-visualizer/forseti-visualizer-ui/

14. Now, you need to install Forsetii Visualizer:

npm install
npm audit fix
npm update yargs-parser
npm audit

You should see the following:

15. Run build:

npm run build

You should see:

16. No, you will configure backend. You need MySQL user and password. You can create a new one and grant access to databases, or you might use current forseti MySQL user named forseti_security_user. How to get the password? Login to Forseti Security Server — open new Cloud Shell window and using SSH -> View cloud command copy and paste into new Cloud Shell window

In my example:

17. Use the following command after login:

sudo more /lib/systemd/system/forseti.service |grep forseti_security_user

in my example:

18. Copy the string after forseti_security_user:[DB_PASSWORD]

19. Go back to forseti-visualiser and continue installation, replace [DB_PASSWORD] and [PROJECT_ID]:

cd ../forseti-api/cat > source.env << EOF
export API_HOST=""
export API_PORT="80"
export CLOUDSQL_USERNAME="forseti_security_user"
export CLOUDSQL_SCHEMA="forseti_security"
sudo npm install
sudo npm audit fix
source source.env
npm start

20. Now you have to create Unmanaged Instance Group and add forseti-visualiser server tot this group:

gcloud compute --project=[PROJECT_ID] instance-groups unmanaged create forseti-visualiser-ig --zone=[ZONE]gcloud compute --project=[PROJECT_ID] instance-groups unmanaged add-instances forseti-visualiser-ig --zone=[ZONE] --instances=forseti-visualiser

in my example:

21. The Forseti Visualizer is running now, but you haven’t access to it. I will show you how to build a secured channel using Google IAP and LB. Open Google Cloud Shell and create a static IP:

gcloud compute addresses create forseti-visualiser --global --project [PROJECT_ID]
gcloud compute addresses list

In my example:

21. Register the address in your DNS provider as A record [FQDN]

22. Now create a certificate:

gcloud beta compute ssl-certificates create forseti-visualiser --domains=[FQDN] --global --project=[PROJECT_ID]

Where [FQDN] is the fully qualified domain name, registered in point 21

in my example:

23. You need firewall rule, which allows LB to connect the server on port 80.

gcloud compute --project=[PROJECT_ID] \
firewall-rules create lb-to-forseti-visualiser \
--direction=INGRESS --priority=100 --network=[NETWORK] \
--action=ALLOW --rules=tcp:80 \
--source-ranges=, \

in my example:

24. It is time to create a Load Balancer. Execute these instructions:

gcloud compute health-checks create http forseti-visualiser-hc --port 80 --project [PROJECT_ID]gcloud compute backend-services create forseti-visualiser-backend \
--protocol HTTP \
--health-checks forseti-visualiser-hc \
--global \
--project [PROJECT_ID]

in my example:

gcloud compute backend-services add-backend forseti-visualiser-backend \
--instance-group=forseti-visualiser-ig \
--instance-group-zone=[ZONE] \
--global \
--project [PROJECT_ID]
gcloud compute url-maps create forseti-https \
--default-service forseti-visualiser-backend \
--project [PROJECT_ID]
gcloud compute target-https-proxies create \
forseti-visualiser-proxy --url-map forseti-https \
--ssl-certificates forseti-visualiser \
--project [PROJECT_ID]

in my example:

gcloud compute addresses listgcloud compute forwarding-rules create forseti-frontend \
--address=lb-ipv4-1 \
--global \
--target-https-proxy=forseti-visualiser-proxy \
--ports=443 \
--address=[IP_ADDRESS] \

in my example:

25. Now you can open a web browser and connect to your Forseti Visualiser. DO not be confused if you will see CIPHER_ERROR — check your certificate using:

gcloud compute ssl-certificates list

Wait approximately 10 minutes if you see that your certificate is active.

26. Now you have to secure access to Forseti Visualizer using Google Identity Aware Proxy. First of all, enable IAP API:

gcloud services enable --project [PROJECT_ID]

27. Open Google Web Console and click Security -> Identity Aware Proxy

28. Click the radio button in the line where is forseti-visualiser-backend

29. Mark checkbox and click CONFIGURE

30. Check the screen — if all is correct mark checkbox.

31. Click TURN ON

32. Select forseti-visualiser-backend and click ADD MEMBER

33. Type google group with people who should have access to Forsetii Visualizer and grand role IAP-secured Web App User.

34. Well done! You have installed and secured Forseti Visualizer.