
Configuring Google Cloud Platform

To configure Google Cloud Platform (GCP) to work with SailPoint CIEM, you'll need to use an admin role to set up both GCP and Google Workspace with the minimum set of permissions required to display your organization hierarchy.

Configuring GCP

To configure Google Cloud Platform to work with SailPoint CIEM, you will set up the project, APIs, service account, key, and custom roles. You can do this through the Google Cloud Console or using the gcloud command-line interface (CLI).

Creating Project and Service Accounts

You will need a project and attached service accounts to connect to your organization. Ensure you have selected the organization as the scope.

Follow the Google Cloud documentation to:

  1. Use an existing project or create a new project.

  2. Enable and add the following APIs:

    • Identity and Access Management (IAM)
    • Cloud Resource Manager
    • Admin SDK
    • Cloud Asset API

    Additional APIs might be needed to process new types of resources.

  3. Create a GCP service account. The JSON credentials for the service account come from console.cloud.google.com.

  4. Create a service account key. You will enter this when connecting GCP and CIEM.

    Warning

    The service account key lets CIEM present credentials to the API and is downloaded as a JSON file. Any application that holds this JSON file can access the organization, so store it in a secure place.

You will then create and assign a custom GCP role to grant the service account access to an organization.

Granting Service Account Access to an Organization

Once you have created service accounts for the project, you must grant those accounts read-only access to your Google Cloud Platform organization.

Follow the Google Cloud documentation to:

  1. Create a custom role in your organization with the required permissions.

    Required Permissions

    Permission                                   Description
    cloudasset.assets.searchAllIamPolicies       Retrieve all policies attached to resources using GCP’s Cloud Asset Inventory API
    cloudasset.assets.searchAllResources         Retrieve list of resources using GCP’s Cloud Asset Inventory API
    iam.roles.list                               List roles and relevant metadata
    iam.serviceAccounts.getIamPolicy             Get the access control policy for a service account
    iam.serviceAccounts.list                     List service accounts and relevant metadata
    logging.logEntries.list                      List logging entries
    resourcemanager.folders.getIamPolicy         Get the access control policy for a folder
    resourcemanager.folders.list                 List folders and relevant metadata
    resourcemanager.organizations.get            Get the specified organization resource by ID
    resourcemanager.organizations.getIamPolicy   Get the access control policy for an organization
    resourcemanager.projects.get                 Get the specified project resource by ID
    resourcemanager.projects.getIamPolicy        Get the access control policy for a project
    resourcemanager.projects.list                List projects and relevant metadata

  2. Grant access to that role.

Note

You can alternatively use the gcloud CLI to automate these steps. After running the script, you must still complete the Google Workspace configuration manually.

Configuring Google Workspace

CIEM must read from both GCP and Google Workspace. To configure Google Workspace, you must grant the service account access to the domain and create a user CIEM can impersonate with sufficient admin role permissions.

Granting Service Account Access to the Domain

You must grant the service account you created in GCP access to your Google admin domain and determine the access and privileges assigned to your service account.

Follow the Google Identity documentation to delegate domain-wide authority to the service account.

  • In the Client ID field, enter the client ID that was generated when you created the service account. This can be found on the Service Accounts details page.
  • In the OAuth scopes (comma-delimited) field, add:
      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/admin.directory.group.readonly

Creating and Assigning a Custom Admin Role

SailPoint CIEM must assume a Google Cloud Provider admin role to build the organization hierarchy and read identities (users, roles, groups). You can use the default admin role or configure a custom admin role with more restricted permissions.

To create an admin role with the minimum required permissions to be used by SailPoint CIEM, follow the Google Workspace documentation to:

  1. Use an existing admin user or create a user for CIEM to impersonate.

  2. Create a custom admin role with the following privileges:

    • Organizational Units - Read

    • Users - Read

    • Groups - Select the checkbox.

    • Directory Sync - Manage Directory Sync Settings (which will automatically select Read Directory Sync Settings)

    • Corresponding Admin API privileges will be automatically selected.

  3. Assign the role to the admin user. You will enter their email in the Admin Email field when connecting GCP and SailPoint CIEM.

SailPoint CIEM will be able to assume the role with the set permissions when you connect your GCP organization with SailPoint CIEM.

Automating Setup Using the Command-Line Interface

You can optionally set up some of your GCP configuration using the command-line interface.

  1. Follow the Google Cloud documentation to install and initialize the gcloud CLI.
  2. Use the provided script to automatically enable APIs, create the service account and JSON key, create the admin role, and assign that role to the service account.

When you've completed those steps, you must manually delegate domain-wide authority to the GCP service account, and create the admin role that you will assign to an admin user.
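The following is an added example, not SailPoint's provided script: it builds the organization-level custom role from the Required Permissions table above and wraps the gcloud steps listed in this section (enable APIs, create the service account and JSON key, create the role, bind it). The organization ID, project ID, service account name and role ID are placeholder assumptions; the gcloud calls only run when CIEM_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not SailPoint's provided script: builds the custom role from the
# Required Permissions table and wraps the gcloud steps. IDs below are placeholders.
set -eu
ORG_ID="${ORG_ID:-000000000000}"          # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-ciem-project}"  # placeholder project ID
SA_NAME="${SA_NAME:-ciem-reader}"         # service account short name (assumed)
ROLE_ID="${ROLE_ID:-ciemReadOnly}"        # custom role ID at organization level
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
# The 13 permissions from the Required Permissions table, one per line.
CIEM_PERMISSIONS="cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
logging.logEntries.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list"

# Guard against widening the role: every permission must be a read-type verb.
check_read_only() {
  for p in $1; do case "$p" in
    *.get|*.list|*.getIamPolicy|*.searchAllIamPolicies|*.searchAllResources) ;;
    *) echo "not read-only: $p" >&2; return 1 ;;
  esac; done
}

# Write the role definition in the YAML layout that gcloud iam roles create reads.
write_role_yaml() {
  check_read_only "$CIEM_PERMISSIONS"
  { printf 'title: SailPoint CIEM Read-Only\nstage: GA\nincludedPermissions:\n'
    for p in $CIEM_PERMISSIONS; do echo "- $p"; done; } > "$1"
}

# Enable the four APIs, create the service account and key, create and bind the role.
setup_gcp() {
  write_role_yaml ciem-role.yaml
  gcloud services enable iam.googleapis.com cloudresourcemanager.googleapis.com \
    admin.googleapis.com cloudasset.googleapis.com --project "$PROJECT_ID"
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" --display-name "SailPoint CIEM"
  gcloud iam service-accounts keys create ciem-key.json --iam-account "$SA_EMAIL"
  chmod 600 ciem-key.json   # the key grants organization-wide read access; protect it
  gcloud iam roles create "$ROLE_ID" --organization "$ORG_ID" --file ciem-role.yaml
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member "serviceAccount:$SA_EMAIL" --role "organizations/$ORG_ID/roles/$ROLE_ID"
}
if [ "${CIEM_APPLY:-0}" = 1 ]; then setup_gcp; fi   # dry by default; CIEM_APPLY=1 applies
```

Running it without CIEM_APPLY only defines the functions, so you can inspect the generated ciem-role.yaml (via write_role_yaml) before anything touches the organization.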
