Configuring Google Cloud Platform
To configure Google Cloud Platform to work with Cloud Access Management, you'll need to set up the project, accounts, APIs, and roles with the minimum set of permissions required to display your Organization hierarchy.
Use an administrator role in the Google Cloud Platform Console and follow the directions on this page to register your GCP account with Cloud Access Management.
Creating Project and Service Accounts
You will need a project and attached service accounts to connect to your Organization. Be sure that you have selected the Organization as the scope.
To create a new project:
-
On the IAM & admin tab on the left, select Service Accounts.
-
Select CREATE PROJECT on the upper right.
-
Enter the project name. This will create a Project ID that cannot be changed later.
-
Select the Organization and Location of the Project.
-
Select CREATE.
Once you have a project, you can create a service account:
-
In the IAM & admin tab on the left, select Service Accounts.
-
Select + CREATE SERVICE ACCOUNT at the top.
-
Name your service account, add a description, and then select CREATE.
-
Select DONE to display the Service Accounts page. From the Actions column, select Manage keys to pair your service account with a key.
- Create your key, which allows the code to provide credentials to the API and will generate a JSON file.
Caution
Any application can access the Organization through this JSON file, so save it in a secure place.
Granting Service Account Access to an Organization
Once you have created service accounts for the project, you must grant those accounts a set of read-only access to your Google Cloud Platform Organization.
To grant Cloud Access Management the required permissions to your Organization:
-
Go to IAM & Admin > Roles.
-
Select + CREATE ROLE.
-
Enter a title, description, and ID.
-
Select + ADD PERMISSIONS and add the following permissions:
Required Permissions
Permission Description bigquery.datasets.get Get the specified dataset resource by ID bigquery.datasets.getIamPolicy Get the access control policy for a BigQuery Dataset bigquery.tables.get Get the specified table resource by ID bigquery.tables.getIamPolicy Get the access control policy for a BigQuery Table bigquery.tables.list List tables and relevant metadata bigtable.instances.getIamPolicy Get the access control policy for a BigTable Instance bigtable.instances.list List instances and relevant metadata bigtable.tables.getIamPolicy Get the access control policy for a BigQuery Table bigtable.tables.list List tables and relevant metadata cloudfunctions.functions.getIamPolicy Get the access control policy for a Cloud Function cloudfunctions.functions.list List functions and relevant metadata cloudfunctions.locations.list List locations and relevant metadata cloudkms.cryptoKeyVersions.list List crypto key versions and relevant metadata cloudkms.cryptoKeys.getIamPolicy Get the access control policy for a Cloud KMS crypto key cloudkms.cryptoKeys.list List crypto keys and relevant metadata cloudkms.keyRings.getIamPolicy Get the access control policy for a Cloud KMS key ring cloudkms.keyRings.list List key rings and relevant metadata cloudsql.databases.list List databases and relevant metadata cloudsql.instances.list List instances and relevant metadata compute.disks.getIamPolicy Get the access control policy for a compute disk compute.disks.list List disks and relevant metadata compute.firewalls.get Get the specified firewall resource by ID compute.firewalls.list List firewalls and relevant metadata compute.instances.getIamPolicy Get the access control policy for a compute instance compute.instances.list List instances and relevant metadata compute.networks.list List networks and relevant metadata compute.regions.list List regions and relevant metadata compute.routes.list List routes and relevant metadata compute.subnetworks.getIamPolicy Get the access control policy for a compute subnetwork compute.subnetworks.list List subnetworks and relevant metadata compute.zones.list List zones and relevant metadata iam.roles.list List roles and relevant metadata iam.serviceAccounts.getIamPolicy Get the access control policy for a service account iam.serviceAccounts.list List service accounts and relevant metadata logging.logEntries.list List logging entries resourcemanager.folders.getIamPolicy Get the access control policy for a folder resourcemanager.folders.list List folders and relevant metadata resourcemanager.organizations.get Get the specified organization resource by ID resourcemanager.organizations.getIamPolicy Get the access control policy for an Organization resourcemanager.projects.get Get the specified project resource by ID resourcemanager.projects.getIamPolicy Get the access control policy for a project resourcemanager.projects.list List projects and relevant metadata storage.buckets.getIamPolicy Get the access control policy for a storage bucket storage.buckets.list List storage buckets and relevant metadata storage.objects.getIamPolicy Get the access control policy for a storage object storage.objects.list List storage objects and relevant metadata -
Select CREATE to create the role with these permissions.
- Select IAM & Admin > IAM.
- Select ADD.
- Search for or paste the service account email in New principals.
- Select the newly created role in the dropdown menu and select SAVE.
Granting Service Account Access to the Domain
You must grant the service account access to your Google admin domain.
Follow the directions in Delegating domain-wide authority to the service account.
Establishing Privileges and Access for the Service Account
To determine the access and privileges assigned to your service account, sign in to the admin console of the Google admin domain using an account that can make security changes.
-
In https://admin.google.com, select Security > Access and data control > API Controls > Domain-wide Delegation.
-
Enter the exact scope of what the service account is allowed to do on the domain:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
-
In the Client ID box, enter the Unique ID that was generated when you created the service account. This can be found in the Service Accounts details page.
-
Select Authorize.
Checking APIs
When using the API with Cloud Access Management for the first time in your project, you might get an error through the SDK. The API access has to be explicitly enabled on the Google Cloud console before Cloud Access Management can call these APIs.
-
Navigate to the API & Services dashboard to enable APIs and services.
-
Use the API Library to select and enable the following APIs:
Compute Engine Cloud Bigtable Admin Cloud Functions Cloud SQL Admin Cloud Logging Identity and Access Management (IAM) Cloud Resource Manager Admin SDK Cloud Key Management Service (KMS) BigQuery
Additional APIs may be needed to process new types of resources.
Configuring a Restricted Admin Role
Cloud Access Management must assume a Google Cloud Provider admin role to build the Organization hierarchy and read identities (users, roles, groups). You can use the default admin role or configure a custom admin role with more restricted permissions.
To create an admin role with the minimum required permissions to be used by Cloud Access Management:
-
Sign in to the GCP admin console.
-
Select Admin roles and choose Create new role.
-
In the Admin console privileges panel, set the following permissions:
-
Organizational Units - Read
-
Users - Read
-
Groups - Select the checkbox.
-
Directory Sync - Manage Directory Sync Settings (which will automatically select Read Directory Sync Settings)
Corresponding Admin API privileges will be automatically selected.
-
-
Once the custom role is created, select ASSIGN ROLE > Assign users and search for the user receiving the admin role. Their email will be the administrator email used when registering GCP with SailPoint.
You can also create a new user in Directory > Users and return to the Admin roles page to assign the role to them. Refer to the GCP documentation for more information on creating custom roles and assigning users to those roles.
Users with this admin role will be restricted to the above permissions when working with Cloud Access Management.
Registering Your Google Cloud Platform Organization
Once you have the necessary roles and permissions in your Organization, you must register it with Cloud Access Management.
-
Select the dropdown menu in the Google Cloud Platform console and copy the Organization ID.
-
In Cloud Access Management, name the source or paste the Organization ID.
-
Enter your administrator email. This email must have admin access to Google Admin. The domain must be the same as the Organization name. For example, if the Organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".
-
Upload or paste the JSON file you received when creating the key for the service account.
-
If you have a correlated source in IdentityNow, the IdentityNow source dropdown menu will display. Refer to Correlating IdentityNow Identities for more information.
Using the Command-Line Interface
You can optionally choose to set up the Google Cloud command-line interface. To do so, refer to the instructions in the Google documentation.
Once you've installed the gcloud CLI, open the terminal, run glcoud init
, and sign in using a browser.