Set up a Google Cloud Platform connector
Capabilities
Sync user identities from Google Cloud Platform to ConductorOne
Resources supported:
- Projects
- Roles
Provisioning supported:
- Project membership
The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into ConductorOne. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.
Add a new Google Cloud Platform connector
This task requires either the Connector Administrator or Super Administrator role in ConductorOne.
In ConductorOne, click Connectors > Add connector.
Search for Google Cloud Platform and click Add.
Choose how to set up the new Google Cloud Platform connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
Do you SSO into Google Cloud Platform using your identity, SSO, or federation provider? If so, make sure to add the connector to the unmanaged Google Cloud Platform app that was created automatically when you integrated your provider with ConductorOne, rather than creating a new managed app.
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
A Google Cloud Platform connector owner must have the following permissions:
- Connector Administrator or Super Administrator role in ConductorOne
- The permission to make a service account in Google Cloud Platform
- Click Next.
Next steps
If you are the connector owner, proceed to Configure your Google Cloud Platform connector for instructions on integrating Google Cloud Platform with ConductorOne.
If someone else is the connector owner, ConductorOne will notify them by email that their help is needed to complete the setup process.
Configure your Google Cloud Platform connector
A user with the Connector Administrator or Super Administrator role in ConductorOne and the permission to make a service account in Google Cloud Platform must perform this task.
Step 1: Create a new project
In the Google Cloud console, click the project select dropdown, then click NEW PROJECT.
Create a new project for your organization:
- Project Name: Choose a name such as “ConductorOne Integration”
- Organization/Location: Choose any organization and location
After the project is created, make sure the correct project is selected in the dropdown at the top.
Step 2: Enable APIs
In the navigation menu, navigate to > APIs & Services > Library.
Search for and select the following APIs:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud Asset API
- Admin SDK API
Click Enable.
Step 3: Create a service account
In the navigation menu, navigate to > APIs & Services > Credentials.
Select CREATE CREDENTIALS > Service Account.
Under Service account details, fill in the following:
- Service account name: ConductorOne Integration
- Service account description: for example, “Service account for ConductorOne Google Cloud Platform Integration”
- Click CREATE AND CONTINUE
Under Grant this service account access to a project, grant the appropriate permission level:
- Viewer to run access reviews on your Google Cloud Platform users
- Editor to provision access via ConductorOne and run access reviews
Leave Grant users access to this service account blank.
Click DONE.
Before moving on, carefully copy and save the service account ID that Google generated for the service account. We’ll use this in Step 4.
Step 4: Grant your service account access to your organization
Navigate to your organization by selecting your organization from the dropdown.
Navigate to the IAM tab from the left nav and click ADD button located at the top of the page.
For the principal, use the service account ID for the service account you created in Step 3.
Select the appropriate roles:
- Organization Viewer and Viewer to run access reviews on your Google Cloud Platform users
- Organization Administrator and Editor to provision access via ConductorOne and run access reviews
Click Save.
Next, we’ll return to the ConductorOne Integration project you created earlier to generate the necessary credentials.
Step 5: Get credentials
Navigate back to APIs & Services > Credentials and select the service account you just created.
Click the service account’s email address.
On the Service Account Details Page, click KEYS.
Click ADD KEY > Create new key.
Choose JSON and click CREATE.
Keep the downloaded file safe, you’ll use it in the next step.
Step 6: Add your Google Cloud Platform credentials to ConductorOne
In ConductorOne, navigate to the Google Cloud Platform connector by either:
Clicking the Set up connector link in the email you received about configuring the connector.
Navigate to Connectors > Google Cloud Platform (if there is more than one Google Cloud Platform listed, click the one with your name listed as owner and the status Not connected).
Find the Settings area of the page and click Edit.
Select the JSON file you downloaded in Step 5 in the Credentials (JSON) field.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Google Cloud Platform connector is now pulling access data into ConductorOne.
Configure the Google Cloud Platform integration using Terraform
As an alternative to the integration process described above, you can use Terraform to configure the integration between Google Cloud Platform and ConductorOne.
See the ConductorOne Google Cloud Platform integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.