Set up a Google Cloud Platform connector
Capabilities
Resource | Sync | Provision |
---|---|---|
Accounts | ✅ | |
Projects | ✅ | ✅ |
Roles | ✅ | |
The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into ConductorOne. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.
Available hosting methods
Choose the hosting method that best suits your needs:
Method | Availability | Notes |
---|---|---|
Cloud hosted | ✅ | A built-in, no-code connector hosted by ConductorOne. |
Self-hosted | | A connector hosted and run in your own environment. |
Gather Google Cloud Platform credentials
Each setup method requires you to pass in credentials generated in Google Cloud Platform. Gather these credentials before you move on.
A user with the permission to make a service account in Google Cloud Platform must perform this task.
Create a new project
In the Google Cloud console, click the project selector dropdown, then click NEW PROJECT.
Create a new project for your organization:
- Project Name: Choose a name such as “ConductorOne Integration”
- Organization/Location: Choose any organization and location
After the project is created, make sure the correct project is selected in the dropdown at the top.
Enable APIs
In the navigation menu, go to APIs & Services > Library.
Search for and select the following APIs:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud Asset API
- Admin SDK API
Click Enable.
Create a service account
In the navigation menu, go to APIs & Services > Credentials.
Select CREATE CREDENTIALS > Service Account.
Under Service account details, fill in the following:
- Service account name: ConductorOne Integration
- Service account description: for example, “Service account for ConductorOne Google Cloud Platform Integration”
Click CREATE AND CONTINUE.
Under Grant this service account access to a project, grant the appropriate permission level:
- Viewer to run access reviews on your Google Cloud Platform users
- Editor to provision access via ConductorOne and run access reviews
Alternatively, you can create and assign a custom role:
You’ll need these permissions if you are NOT using the Google Cloud Platform (with Google Workspace) integration for provisioning:
- cloudasset.assets.analyzeIamPolicy
- cloudasset.assets.searchAllIamPolicies
- cloudasset.assets.searchAllResources
- iam.roles.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
You’ll need these permissions if you are using the Google Cloud Platform (with Google Workspace) integration for provisioning Groups and Roles:
- cloudasset.assets.analyzeIamPolicy
- cloudasset.assets.searchAllIamPolicies
- cloudasset.assets.searchAllResources
- iam.roles.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
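The two permission lists above differ only in the two `setIamPolicy` permissions, which is the write capability you withhold unless ConductorOne is provisioning. The following added example (not ConductorOne's own tooling) renders either list as a role definition in the YAML shape that `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml` accepts, so the custom role can be created from a reviewable file instead of hand-typed in the console; the role ID and organization ID are placeholders.

```python
import re
# Permission set for access reviews only, as listed on this page.
REVIEW_PERMISSIONS = [
    "cloudasset.assets.analyzeIamPolicy",
    "cloudasset.assets.searchAllIamPolicies",
    "cloudasset.assets.searchAllResources",
    "iam.roles.get",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
]
# Extra permissions the page lists only for provisioning Groups and Roles.
PROVISION_EXTRA = ["resourcemanager.folders.setIamPolicy",
                   "resourcemanager.projects.setIamPolicy"]
PERM_RE = re.compile(r"^[a-z]+(\.[A-Za-z]+){2}$")  # service.resource.verb

def permissions_for(provision: bool) -> list:
    """Sorted permission list for the chosen mode; rejects malformed names."""
    perms = REVIEW_PERMISSIONS + (PROVISION_EXTRA if provision else [])
    bad = [p for p in perms if not PERM_RE.match(p)]
    if bad:
        raise ValueError(f"malformed permission names: {bad}")
    return sorted(perms)

def provisioning_delta() -> set:
    """Write-capable permissions the provisioning role adds over review-only."""
    return set(permissions_for(True)) - set(permissions_for(False))

def role_yaml(provision: bool, title: str = "ConductorOne Integration") -> str:
    """Role definition in the YAML shape `gcloud iam roles create --file` reads."""
    mode = "provisioning and access reviews" if provision else "access reviews only"
    lines = [f"title: {title}", f"description: ConductorOne service account ({mode})",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions_for(provision)]
    return "\n".join(lines) + "\n"

def gcloud_command(role_id: str, org_id: str, path: str) -> str:
    """Command that creates the custom role at the organization level."""
    return f"gcloud iam roles create {role_id} --organization={org_id} --file={path}"

if __name__ == "__main__":
    path = "conductorone-role.yaml"
    with open(path, "w") as fh:
        fh.write(role_yaml(provision=False))  # least privilege unless provisioning is needed
    print(gcloud_command("conductorone_reader", "ORG_ID_PLACEHOLDER", path))
```

Run it, review the generated file, then pass it to the printed `gcloud` command with your real organization ID; switch to `provision=True` only when ConductorOne must write IAM policy.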
Leave Grant users access to this service account blank.
Click DONE.
Before moving on, carefully copy and save the service account ID that Google generated for the service account.
Grant your service account access to your organization
Navigate to your organization by selecting your organization from the dropdown.
Open the IAM tab in the left navigation and click the ADD button at the top of the page.
For the principal, use the service account ID for the service account you created earlier.
Select the appropriate roles:
- Organization Viewer and Viewer to run access reviews on your Google Cloud Platform users
- Organization Administrator and Editor to provision access via ConductorOne and run access reviews
Click Save.
Next, we’ll return to the ConductorOne Integration project you created earlier to generate the necessary credentials.
Get credentials
Navigate back to APIs & Services > Credentials and select the service account you just created.
Click the service account’s email address.
On the Service Account Details Page, click KEYS.
Click ADD KEY > Create new key.
Choose JSON and click CREATE. The new key is created and downloaded to your computer.
Keep the downloaded file safe; you’ll use it to set up the connector.
That’s it! Next, move on to the instructions for your chosen setup method.
Set up a Google Cloud Platform cloud-hosted connector
To complete this task, you’ll need:
- The Connector Administrator or Super Administrator role in ConductorOne
- Access to the set of Google Cloud Platform credentials generated by following the instructions above
In ConductorOne, click Connectors > Add connector.
Search for Google Cloud Platform and click Add.
Choose how to set up the new Google Cloud Platform connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Upload the JSON file in the Credentials (JSON) field.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Google Cloud Platform connector is now pulling access data into ConductorOne.
Set up a Google Cloud Platform cloud-hosted connector using Terraform
As an alternative to the cloud-hosted setup process described above, you can use Terraform to configure the integration between Google Cloud Platform and ConductorOne.
See the ConductorOne Google Cloud Platform integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.