Set up a Google Cloud Platform with Google Workspace connector
ConductorOne provides identity governance and just-in-time provisioning for Google Cloud Platform with Google Workspace. Integrate your Google Cloud Platform with Google Workspace instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.
Note: Workforce Identity Federation support is optional and must be configured when you set up the connector. This connector can sync secrets and display them on the Inventory page.
Gather Google Cloud Platform with Google Workspace credentials
Configuring the connector requires you to pass in credentials generated in Google Cloud Platform with Google Workspace. Gather these credentials before you move on.
A user with the Super Admin role in Google Cloud Platform with Google Workspace must perform this task.
To sync secrets and buckets, you must grant the required permissions at the organization level and enable APIs for each project that the connector syncs.
Secrets and buckets permissions are configured per project in GCP. If the connector is not filtering by project and the service account doesn’t have permissions across all projects, the sync will fail. We recommend using the Project IDs filter to explicitly specify which projects to sync.
Required organization-level role: the service account needs the roles/cloudasset.viewer role at the organization level to search resources across projects.
Required APIs: enable these APIs for each project you want to sync (or only for the specified projects if you use the Project IDs filter):
- Secrets - API Keys: API Keys API
- Secrets - Service account keys: IAM API
- Secrets - Secret Manager secrets: Secret Manager API
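Because these APIs are enabled per project, it is worth confirming every project in your Project IDs filter before the first sync rather than discovering a disabled API from sync errors. The Python check below is an added example, not ConductorOne or Google code: it parses the JSON that `gcloud services list --enabled --project <id> --format=json` prints (assumed shape: a list of objects whose config.name is the service name, such as iam.googleapis.com) and maps each missing API to the secrets feature it blocks. The two project IDs and their gcloud output are constructed samples so the check runs offline; pass real project IDs without a fetcher to query gcloud live.

```python
"""Check which required APIs are missing in each project the connector will sync.

Added example for this page; it is not ConductorOne or Google code. It reads the
JSON that `gcloud services list --enabled --project <id> --format=json` prints
(assumed shape: a list of objects whose config.name is the service name, e.g.
"iam.googleapis.com"), so it can also be run offline against captured output.
"""
import json
import subprocess
from typing import Callable

# Service names behind the three APIs the page lists, keyed to the feature they unlock.
REQUIRED_APIS = {
    "apikeys.googleapis.com": "Secrets - API keys (API Keys API)",
    "iam.googleapis.com": "Secrets - service account keys (IAM API)",
    "secretmanager.googleapis.com": "Secrets - Secret Manager secrets (Secret Manager API)",
}


def enabled_services(services_json: str) -> set:
    """Service names that gcloud reports as enabled for one project."""
    return {
        svc["config"]["name"]
        for svc in json.loads(services_json)
        if svc.get("state", "ENABLED") == "ENABLED"
    }


def missing_apis(services_json: str) -> dict:
    """Map each required-but-disabled API to the connector feature it blocks."""
    enabled = enabled_services(services_json)
    return {api: feature for api, feature in REQUIRED_APIS.items() if api not in enabled}


def gcloud_enabled_services(project_id: str) -> str:
    """Live fetch; only used when no fetcher is passed to check_projects."""
    return subprocess.check_output(
        ["gcloud", "services", "list", "--enabled",
         f"--project={project_id}", "--format=json"],
        text=True,
    )


def check_projects(project_ids, fetch: Callable[[str], str] = gcloud_enabled_services) -> dict:
    """Return {project_id: {missing_api: feature}} for every project in the filter list.

    An empty inner dict means the project is ready; a non-empty one lists the APIs
    to enable before turning on the corresponding secrets sync for that project.
    """
    return {pid: missing_apis(fetch(pid)) for pid in project_ids}


# Constructed sample output, in the shape gcloud prints, for two hypothetical projects.
SAMPLE_GCLOUD_OUTPUT = {
    "sample-prod-123456": json.dumps([
        {"config": {"name": "apikeys.googleapis.com"}, "state": "ENABLED"},
        {"config": {"name": "iam.googleapis.com"}, "state": "ENABLED"},
        {"config": {"name": "secretmanager.googleapis.com"}, "state": "ENABLED"},
    ]),
    "sample-dev-123456": json.dumps([
        {"config": {"name": "iam.googleapis.com"}, "state": "ENABLED"},
    ]),
}


if __name__ == "__main__":
    # Offline run over the constructed sample; drop `fetch=` to query gcloud for real projects.
    report = check_projects(SAMPLE_GCLOUD_OUTPUT, fetch=SAMPLE_GCLOUD_OUTPUT.__getitem__)
    for project, missing in report.items():
        status = "ready" if not missing else "missing " + ", ".join(missing)
        print(f"{project}: {status}")
```

Running it against the sample reports sample-prod-123456 as ready and sample-dev-123456 as missing the API Keys and Secret Manager APIs; the live form needs gcloud authenticated as a principal that can list services in each project.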
1. In the navigation menu, navigate to APIs & Services > Credentials.
2. Select CREATE CREDENTIALS > Service Account.
3. Under Service account details, fill in the following:
   - Service account name: ConductorOne Integration
   - Service account description: for example, “Service account for ConductorOne Google Cloud Platform with Google Workspace Integration”
   Click CREATE AND CONTINUE.
4. Under Grant this service account access to a project, grant the following permissions to either the Editor role or a custom role at the organization level, and assign that role to the service account:
5. You’ll need these permissions to give ConductorOne READ access (syncing access data):
Configure the Google Cloud Platform with Google Workspace connector
To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Google Cloud Platform with Google Workspace credentials generated by following the instructions above
Cloud-hosted
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
1. In ConductorOne, navigate to Integrations > Connectors and click Add connector.
2. Search for Google Cloud Platform with Google Workspace and click Add.
3. Choose how to set up the new Google Cloud Platform with Google Workspace connector:
   - Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
   - Add the connector to a managed app (select from the list of existing managed apps)
   - Create a new managed app
4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5. Click Next.
6. Find the Settings area of the page and click Edit.
7. In the Customer ID field, enter the customer ID.
8. In the Domain field, enter the primary domain.
9. In the Administrator email field, enter the email address associated with your domain or a super admin.
10. In the Credentials (JSON) area, click Choose file and upload the file.
11. Optional. Check the box if you want to skip syncing Google Cloud Platform system accounts.
12. Optional. Uncheck the box (which is checked by default) if you want to sync Google Cloud Platform default projects.
13. Optional. In the Project IDs field, enter a list of project IDs to limit the connector’s sync to only those projects. Be sure to enter project IDs, not project names.
14. Optional. Check the box to Enable Workforce Identity Federation, which allows the connector to sync Workforce Identity pools and pool providers. If you want the connector to provision Workforce Identity pools, enter the relevant Workforce Identity Pool ID and Workforce Identity Pool Provider ID in the relevant fields.
15. By default, the connector only syncs roles that are assigned to an IAM policy. These settings let you configure the connector to sync roles regardless of their IAM policy status.
   - Optional. Check the box to Always sync custom roles.
   - Optional. In the List of role IDs to always sync field, enter a list of role IDs that should be synced. Be sure to enter role IDs, not role names.
16. Click Save.
17. If enabling Workforce Identity Federation, complete these additional steps:
   - In the Shared identity source area of the page, click Edit.
   - Select the connector from which you want to pull identities.
   - Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
   - Click Save.
18. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Google Cloud Platform with Google Workspace connector is now pulling access data into ConductorOne.
Self-hosted
Follow these instructions to use the Google Cloud Platform with Google Workspace connector, hosted and run in your own environment. When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.
Step 1: Set up a new Google Cloud Platform with Google Workspace connector
1. In ConductorOne, navigate to Integrations > Connectors > Add connector.
2. Search for Baton and click Add.
3. Choose how to set up the new Google Cloud Platform with Google Workspace connector:
   - Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
   - Add the connector to a managed app (select from the list of existing managed apps)
   - Create a new managed app
4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5. Click Next.
6. In the Settings area of the page, click Edit.
7. Click Rotate to generate a new Client ID and Secret. Carefully copy and save these credentials. We’ll use them in Step 2.
```yaml
# baton-google-cloud-platform-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-google-cloud-platform-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  # Google Cloud Platform with Google Workspace credentials
  BATON_CUSTOMER_ID: <customer ID>
  BATON_DOMAIN: <domain>
  BATON_ADMIN_EMAIL: <admin email>
  # Paste the service account key file contents; use a YAML block scalar (|) for multi-line JSON
  BATON_CREDENTIALS_JSON: <service account credentials JSON>
  # stringData values must be strings, so the boolean flags below are quoted
  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: "true"
  # Optional: include to skip Google-managed system accounts
  BATON_SKIP_SYSTEM_ACCOUNTS: "true"
  # Optional: include to sync Cloud Storage buckets (requires the storage.buckets.list permission)
  BATON_SYNC_BUCKETS: "true"
  # Optional: include to sync API keys and service account keys
  BATON_SYNC_SECRETS: "true"
  # Optional: include to sync Secret Manager secrets (requires the Secret Manager API)
  BATON_SYNC_SECRET_MANAGER_SECRETS: "true"
  # Optional: include to always sync custom roles, even without assignments
  BATON_ALWAYS_SYNC_CUSTOM_ROLES: "true"
  # Optional: include to enable Workforce Identity Federation support
  BATON_ENABLE_WORKFORCE_IDENTITY_FEDERATION: "true"
  BATON_WORKFORCE_IDENTITY_POOL_ID: <workforce identity pool ID>
  BATON_WORKFORCE_IDENTITY_POOL_PROVIDER_ID: <workforce identity pool provider ID>
  # Optional: include to limit the sync to specific projects (enter project IDs, not names)
  BATON_PROJECT_FILTER: <comma-separated list of project IDs>
  # Optional: include to always sync specific roles (enter role IDs, not names)
  BATON_ALWAYS_SYNC_ROLES_FILTER: <comma-separated list of role IDs>
```
See the connector’s README or run --help to see all available configuration flags and environment variables.
1. Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.
2. Check that the connector data uploaded correctly. In ConductorOne, click Apps. On the Managed apps tab, locate and click the name of the application you added the google-cloud-platform connector to. google-cloud-platform data should be found on the Entitlements and Accounts tabs.
That’s it! Your Google Cloud Platform with Google Workspace connector is now pulling access data into ConductorOne.
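If you generate the secret manifest from a script instead of editing the YAML by hand, two mistakes are cheap to catch before kubectl or the connector sees them: unquoted YAML booleans in stringData (Kubernetes requires string values there) and project names instead of project IDs in BATON_PROJECT_FILTER. The Python below is an added example, not ConductorOne or baton code; it assumes the BATON_* variable names from the secret manifest above, uses constructed placeholder settings, and prints the Secret as JSON, which kubectl accepts just like YAML (for example `python3 build_secret.py | kubectl apply -n conductorone -f -`, where the file name and namespace are hypothetical).

```python
"""Build and sanity-check the connector Secret before piping it to `kubectl apply -f -`.

Added example for this page; not ConductorOne or baton code. It assumes the BATON_*
names used in the secret manifest on this page and emits the Secret as JSON, which
kubectl accepts exactly like YAML. The sample settings are constructed placeholders.
"""
import json
import re

# GCP project ID rules: 6-30 chars, lowercase letters, digits and hyphens, starting with
# a letter and not ending with a hyphen. Project *names* (spaces, capitals) will not match,
# which is the mix-up the page warns about for the Project IDs filter.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

REQUIRED_KEYS = (
    "BATON_CLIENT_ID", "BATON_CLIENT_SECRET",
    "BATON_CUSTOMER_ID", "BATON_DOMAIN", "BATON_ADMIN_EMAIL", "BATON_CREDENTIALS_JSON",
)


def _split_list(value):
    """Parse a comma-separated filter value into a clean list."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def _as_string(value):
    """Kubernetes stringData is map[string]string: booleans must be serialized as text."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def validate(settings: dict) -> list:
    """Return a list of problems; an empty list means the settings look safe to apply."""
    problems = []
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"{key} is required")

    creds = settings.get("BATON_CREDENTIALS_JSON")
    if creds:
        try:
            parsed = json.loads(creds)
        except ValueError:
            problems.append("BATON_CREDENTIALS_JSON is not valid JSON (paste the key file contents)")
        else:
            if parsed.get("type") != "service_account":
                problems.append('BATON_CREDENTIALS_JSON should be a service account key ("type": "service_account")')

    for pid in _split_list(settings.get("BATON_PROJECT_FILTER")):
        if not PROJECT_ID_RE.match(pid):
            problems.append(f"BATON_PROJECT_FILTER entry {pid!r} is not a project ID (use IDs, not names)")

    # The page says pool and provider IDs are needed only when the connector should
    # provision Workforce Identity pools, so require them only in that combination.
    wif = settings.get("BATON_ENABLE_WORKFORCE_IDENTITY_FEDERATION") in (True, "true")
    provisioning = settings.get("BATON_PROVISIONING") in (True, "true")
    if wif and provisioning:
        for key in ("BATON_WORKFORCE_IDENTITY_POOL_ID", "BATON_WORKFORCE_IDENTITY_POOL_PROVIDER_ID"):
            if not settings.get(key):
                problems.append(f"{key} is required to provision Workforce Identity pools")
    return problems


def build_secret(settings: dict, name="baton-google-cloud-platform-secrets", namespace=None) -> dict:
    """Produce the Secret manifest as a dict, refusing to build one with known problems."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        # Drop unset optional keys so the connector sees only the flags you chose.
        "stringData": {k: _as_string(v) for k, v in settings.items() if v not in (None, "")},
    }
    if namespace:
        manifest["metadata"]["namespace"] = namespace
    return manifest


# Constructed placeholder settings; replace every value with your own.
SAMPLE_SETTINGS = {
    "BATON_CLIENT_ID": "<ConductorOne client ID>",
    "BATON_CLIENT_SECRET": "<ConductorOne client secret>",
    "BATON_CUSTOMER_ID": "C0123abcd",
    "BATON_DOMAIN": "example.com",
    "BATON_ADMIN_EMAIL": "admin@example.com",
    "BATON_CREDENTIALS_JSON": json.dumps({"type": "service_account", "project_id": "sample-prod-123456"}),
    "BATON_PROVISIONING": True,
    "BATON_SYNC_SECRETS": True,
    "BATON_PROJECT_FILTER": "sample-prod-123456, sample-dev-123456",
}

if __name__ == "__main__":
    print(json.dumps(build_secret(SAMPLE_SETTINGS, namespace="conductorone"), indent=2))
```

Keeping the client secret and service account key out of the script itself (read them from a secrets manager or environment variables at run time) avoids leaving a second copy of the credentials on disk next to the manifest.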