
Configuring Google Cloud Platform

To configure Google Cloud Platform to work with Cloud Access Management, you'll need to set up the project, accounts, APIs, and roles with the minimum set of permissions required to display your Organization hierarchy.

Use an administrator role in the Google Cloud Platform Console and follow the directions on this page to register your GCP account with Cloud Access Management.

Creating Project and Service Accounts

You will need a project and attached service accounts to connect to your Organization. Be sure that you have selected the Organization as the scope.

To create a new project:

  1. On the IAM & admin tab on the left, select Service Accounts.

  2. Select CREATE PROJECT on the upper right.

  3. Enter the project name. This will create a Project ID that cannot be changed later.

  4. Select the Organization and Location of the Project.

  5. Select CREATE.

Once you have a project, you can create a service account:

  1. In the IAM & admin tab on the left, select Service Accounts.

  2. Select + CREATE SERVICE ACCOUNT at the top.

  3. Name your service account, add a description, and then select CREATE.

  4. Select DONE to display the Service Accounts page. From the Actions column, select Manage keys to pair your service account with a key.

  5. Create your key. This generates a JSON key file that Cloud Access Management uses to present the service account's credentials to the API.

Caution

Any application can access the Organization through this JSON file, so save it in a secure place.

Granting Service Account Access to an Organization

Once you have created service accounts for the project, you must grant those accounts read-only access to your Google Cloud Platform Organization.

To grant Cloud Access Management the required permissions to your Organization:

  1. Go to IAM & Admin > Roles.

  2. Select + CREATE ROLE.

  3. Enter a title, description, and ID.

  4. Select + ADD PERMISSIONS and add the following permissions:

    Required Permissions

    Permission                                    Description
    bigquery.datasets.get                         Get the specified dataset resource by ID
    bigquery.datasets.getIamPolicy                Get the access control policy for a BigQuery Dataset
    bigquery.tables.get                           Get the specified table resource by ID
    bigquery.tables.getIamPolicy                  Get the access control policy for a BigQuery Table
    bigquery.tables.list                          List tables and relevant metadata
    bigtable.instances.getIamPolicy               Get the access control policy for a Bigtable Instance
    bigtable.instances.list                       List instances and relevant metadata
    bigtable.tables.getIamPolicy                  Get the access control policy for a Bigtable Table
    bigtable.tables.list                          List tables and relevant metadata
    cloudfunctions.functions.getIamPolicy         Get the access control policy for a Cloud Function
    cloudfunctions.functions.list                 List functions and relevant metadata
    cloudfunctions.locations.list                 List locations and relevant metadata
    cloudkms.cryptoKeyVersions.list               List crypto key versions and relevant metadata
    cloudkms.cryptoKeys.getIamPolicy              Get the access control policy for a Cloud KMS crypto key
    cloudkms.cryptoKeys.list                      List crypto keys and relevant metadata
    cloudkms.keyRings.getIamPolicy                Get the access control policy for a Cloud KMS key ring
    cloudkms.keyRings.list                        List key rings and relevant metadata
    cloudsql.databases.list                       List databases and relevant metadata
    cloudsql.instances.list                       List instances and relevant metadata
    compute.disks.getIamPolicy                    Get the access control policy for a compute disk
    compute.disks.list                            List disks and relevant metadata
    compute.firewalls.get                         Get the specified firewall resource by ID
    compute.firewalls.list                        List firewalls and relevant metadata
    compute.instances.getIamPolicy                Get the access control policy for a compute instance
    compute.instances.list                        List instances and relevant metadata
    compute.networks.list                         List networks and relevant metadata
    compute.regions.list                          List regions and relevant metadata
    compute.routes.list                           List routes and relevant metadata
    compute.subnetworks.getIamPolicy              Get the access control policy for a compute subnetwork
    compute.subnetworks.list                      List subnetworks and relevant metadata
    compute.zones.list                            List zones and relevant metadata
    iam.roles.list                                List roles and relevant metadata
    iam.serviceAccounts.getIamPolicy              Get the access control policy for a service account
    iam.serviceAccounts.list                      List service accounts and relevant metadata
    logging.logEntries.list                       List logging entries
    resourcemanager.folders.getIamPolicy          Get the access control policy for a folder
    resourcemanager.folders.list                  List folders and relevant metadata
    resourcemanager.organizations.get             Get the specified organization resource by ID
    resourcemanager.organizations.getIamPolicy    Get the access control policy for an Organization
    resourcemanager.projects.get                  Get the specified project resource by ID
    resourcemanager.projects.getIamPolicy         Get the access control policy for a project
    resourcemanager.projects.list                 List projects and relevant metadata
    storage.buckets.getIamPolicy                  Get the access control policy for a storage bucket
    storage.buckets.list                          List storage buckets and relevant metadata
    storage.objects.getIamPolicy                  Get the access control policy for a storage object
    storage.objects.list                          List storage objects and relevant metadata

  5. Select CREATE to create the role with these permissions.

  6. Select IAM & Admin > IAM.
  7. Select ADD.
  8. Search for or paste the service account email in New principals.
  9. Select the newly created role in the dropdown menu and select SAVE.
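The same role and binding can be created from the gcloud CLI instead of the Console. The script below is an added example and is not part of this page or of Cloud Access Management itself: it writes a role definition containing exactly the permissions from the table above, refuses any permission whose verb is not get, list or getIamPolicy, and then creates the role at Organization scope and binds the service account to it. ORG_ID, ROLE_ID and SA_EMAIL are placeholders you must replace with your own values.

```shell
#!/bin/sh
# Added example, not from the original page: builds the custom read-only role from the
# Required Permissions table, checks it stays read-only, and applies it with gcloud.
# ORG_ID, ROLE_ID and SA_EMAIL are placeholders; replace them with your own values.
set -eu
ORG_ID="${ORG_ID:-123456789012}"                                # placeholder Organization ID
ROLE_ID="${ROLE_ID:-camReadOnly}"                               # placeholder custom role ID
SA_EMAIL="${SA_EMAIL:-cam@my-project.iam.gserviceaccount.com}"  # placeholder service account
# The 46 permissions from the Required Permissions table, whitespace-separated.
REQUIRED_PERMS="bigquery.datasets.get bigquery.datasets.getIamPolicy bigquery.tables.get
bigquery.tables.getIamPolicy bigquery.tables.list bigtable.instances.getIamPolicy
bigtable.instances.list bigtable.tables.getIamPolicy bigtable.tables.list
cloudfunctions.functions.getIamPolicy cloudfunctions.functions.list cloudfunctions.locations.list
cloudkms.cryptoKeyVersions.list cloudkms.cryptoKeys.getIamPolicy cloudkms.cryptoKeys.list
cloudkms.keyRings.getIamPolicy cloudkms.keyRings.list cloudsql.databases.list cloudsql.instances.list
compute.disks.getIamPolicy compute.disks.list compute.firewalls.get compute.firewalls.list
compute.instances.getIamPolicy compute.instances.list compute.networks.list compute.regions.list
compute.routes.list compute.subnetworks.getIamPolicy compute.subnetworks.list compute.zones.list
iam.roles.list iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list logging.logEntries.list
resourcemanager.folders.getIamPolicy resourcemanager.folders.list resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy resourcemanager.projects.get
resourcemanager.projects.getIamPolicy resourcemanager.projects.list storage.buckets.getIamPolicy
storage.buckets.list storage.objects.getIamPolicy storage.objects.list"
# Reject any verb other than get/list/getIamPolicy so the role cannot grow write rights.
check_read_only() {
  for p in $REQUIRED_PERMS; do
    case "$p" in
      *.get|*.list|*.getIamPolicy) ;;
      *) echo "not read-only: $p" >&2; return 1 ;;
    esac
  done
}
# Write the gcloud role definition (YAML) to $1 and print how many permissions it contains.
write_role_yaml() {
  { printf 'title: Cloud Access Management read-only\nstage: GA\nincludedPermissions:\n'
    for p in $REQUIRED_PERMS; do printf '  - %s\n' "$p"; done; } > "$1"
  grep -c '^  - ' "$1"
}
# Create the role at Organization scope and bind the service account to it (requires gcloud login).
apply_with_gcloud() {
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$1"
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$SA_EMAIL" --role="organizations/$ORG_ID/roles/$ROLE_ID"
}
check_read_only && write_role_yaml cam-role.yaml
# apply_with_gcloud cam-role.yaml   # uncomment once gcloud is installed and authenticated
```

Running the script without gcloud only writes cam-role.yaml and prints 46; the apply step is left commented so the binding is a deliberate action after you have reviewed the file.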

Granting Service Account Access to the Domain

You must grant the service account access to your Google admin domain.

Follow the directions in Delegating domain-wide authority to the service account.

Establishing Privileges and Access for the Service Account

To determine the access and privileges assigned to your service account, sign in to the admin console of the Google admin domain using an account that can make security changes.

  1. In https://admin.google.com, select Security > Access and data control > API Controls > Domain-wide Delegation.

  2. Enter the exact scope of what the service account is allowed to do on the domain:

    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/admin.directory.group.readonly
  3. In the Client ID box, enter the Unique ID that was generated when you created the service account. This can be found in the Service Accounts details page.

  4. Select Authorize.

Checking APIs

When using the API with Cloud Access Management for the first time in your project, you might get an error through the SDK. The API access has to be explicitly enabled on the Google Cloud console before Cloud Access Management can call these APIs.

  1. Navigate to the API & Services dashboard to enable APIs and services.

    To reach the API Library, select the menu icon, then APIs & Services, then Dashboard.

  2. Use the API Library to select and enable the following APIs:

    • Compute Engine
    • Cloud Functions
    • Cloud Logging
    • Cloud Resource Manager
    • Cloud Key Management Service (KMS)
    • Cloud Bigtable Admin
    • Cloud SQL Admin
    • Identity and Access Management (IAM)
    • Admin SDK
    • BigQuery

Additional APIs may be needed to process new types of resources.

Configuring a Restricted Admin Role

Cloud Access Management must assume a Google Cloud Platform admin role to build the Organization hierarchy and read identities (users, roles, groups). You can use the default admin role or configure a custom admin role with more restricted permissions.

To create an admin role with the minimum required permissions to be used by Cloud Access Management:

  1. Sign in to the GCP admin console.

  2. Select Admin roles and choose Create new role.

  3. In the Admin console privileges panel, set the following permissions:

    • Organizational Units - Read

    • Users - Read

    • Groups - Select the checkbox.

    • Directory Sync - Manage Directory Sync Settings (which will automatically select Read Directory Sync Settings)

    Corresponding Admin API privileges will be automatically selected.

  4. Once the custom role is created, select ASSIGN ROLE > Assign users and search for the user receiving the admin role. Their email will be the administrator email used when registering GCP with SailPoint.

    You can also create a new user in Directory > Users and return to the Admin roles page to assign the role to them. Refer to the GCP documentation for more information on creating custom roles and assigning users to those roles.

Users with this admin role will be restricted to the above permissions when working with Cloud Access Management.

Registering Your Google Cloud Platform Organization

Once you have the necessary roles and permissions in your Organization, you must register it with Cloud Access Management.

  1. Select the dropdown menu in the Google Cloud Platform console and copy the Organization ID.

  2. In Cloud Access Management, name the source or paste the Organization ID.

  3. Enter your administrator email. This email must have admin access to Google Admin. The domain must be the same as the Organization name. For example, if the Organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".

  4. Upload or paste the JSON file you received when creating the key for the service account.

  5. If you have a correlated source in IdentityNow, the IdentityNow source dropdown menu will display. Refer to Correlating IdentityNow Identities for more information.

Using the Command-Line Interface

You can optionally choose to set up the Google Cloud command-line interface. To do so, refer to the instructions in the Google documentation.

Once you've installed the gcloud CLI, open the terminal, run gcloud init, and sign in using a browser.