
Connecting GCP and CIEM

Once you have configured your GCP account, you can connect it to display the total effective access users have to your Google Cloud Platform. To display this data, you must use the VA-based or SaaS-based Google Workspace connector with the CIEM GCP connector.

Google Workspace VA-based or SaaS connector
    Allows you to manage your GCP accounts, groups, and roles in Identity Security Cloud on virtual appliance (VA) or SaaS systems. If your organization has licensed a SailPoint cloud management solution, it will also gather data on the cloud resources users are granted through your GCP organization, projects, accounts, and role assignments.

SailPoint CIEM GCP connector
    Works with your GCP identity governance connector to collect cloud resource data and display the total access an identity has to your cloud systems.

FedRAMP Limitations

SailPoint CIEM FedRAMP customers can register a maximum of 650 GCP projects.

You may connect your Google Workspace identity governance and SailPoint CIEM GCP sources in any order.

After you've connected and aggregated your accounts and entitlements, you will mark the entitlements related to cloud access. This will allow you to view an identity's cloud access granted through entitlements and include those entitlements in certification campaigns.

Connecting GCP Identity Governance

You can use SailPoint CIEM GCP in conjunction with a SaaS or VA-based connector.

To install the identity governance connector:

  1. Follow the SailPoint Google Workspace SaaS connector guide to configure or edit the Google Workspace SaaS connector (recommended).

    If you are using a VA, you can alternatively configure or edit the direct source Google Workspace connector.

  2. In the Connection Settings tab, select the Manage Cloud Resources toggle and enter your organization ID in the Cloud Resource Management Settings configuration to enable it to gather cloud data.

Screenshot: Cloud Resource settings with a toggle to manage cloud resources for the provided Organization ID.

You must then use the SailPoint CIEM GCP connector to display all access users have to your cloud resources.

Connecting SailPoint CIEM GCP

The SailPoint CIEM GCP source pulls data daily about the cloud resources your GCP IaaS users can access.

To register SailPoint CIEM GCP:

  1. Go to Admin > Connections > Sources > Create New.
  2. Find the CIEM GCP source type and select Configure.
  3. Enter a source name.
  4. Enter a description for your source.
  5. In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
  6. (Optional) Select a governance group for source management.
  7. Select Save.
  8. Select Connection Settings in the left panel.

    Screenshot: The CIEM GCP connection settings with the org ID, admin email, and service account JSON credential fields.

  9. In the Organization ID field, enter the 10-digit organization ID. You can find this in the Google Cloud Platform console by selecting the dropdown menu with your project or organization name. Select the All tab and copy the organization ID.

    Screenshot: The GCP admin console with the Organization ID displayed on the All tab.

  10. Enter an email with admin access to the Google Admin Console.

    Note

    The domain must be the same as the organization name. For example, if the organization name is "testorg.com", then the admin email will need to be formatted like "smith@testorg.com".

  11. Paste the JSON you received when creating the key for the service account.

  12. Select Save.
  13. Select Review and Test.
  14. Review the configuration details and select Test Connection. A successful test is required for SailPoint CIEM to gather data for this source.

    Notes

    • If the test connection fails, you can use the Search query name:"Test_connection Source Failed" for more information.

    • Some GCP asset types are excluded from SailPoint CIEM.
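The three connection settings above (organization ID, admin email, service account key JSON) are pasted into a form, and a mistake in any of them only surfaces as a failed Test Connection. The following pre-flight check is an added example, not SailPoint code and not part of the connector, that validates the values locally before you paste them: the organization ID is numeric and 10 digits as this page states, the admin email's domain equals the organization name as the Note above requires, and the key JSON has the field layout of a standard GCP service account key file (an assumption about what the connector expects; the sample key below is constructed with placeholder values, not real credentials).

```python
import json

# Field names found in the JSON key file GCP issues when you create a service
# account key. Assumption: the connector expects that standard file layout.
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)


def check_org_id(org_id: str) -> list[str]:
    """The Organization ID field takes the numeric ID (10 digits per this page), not the org name."""
    value = org_id.strip()
    if not value.isdigit():
        return ["organization ID must be numeric, not the organization name"]
    if len(value) != 10:
        return [f"organization ID has {len(value)} digits, expected 10"]
    return []


def check_admin_email(admin_email: str, org_name: str) -> list[str]:
    """The admin email's domain must equal the organization name (smith@testorg.com for testorg.com)."""
    local, sep, domain = admin_email.strip().rpartition("@")
    if not sep or not local or not domain:
        return [f"admin email {admin_email!r} is not a valid address"]
    if domain.lower() != org_name.strip().lower():
        return [f"admin email domain {domain!r} does not match organization name {org_name!r}"]
    return []


def check_service_account_key(key_json: str) -> list[str]:
    """Structural checks on the pasted key: valid JSON, standard fields, PEM-framed private key."""
    try:
        data = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"service account key is not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["service account key must be a JSON object"]
    problems = []
    missing = [field for field in REQUIRED_KEY_FIELDS if field not in data]
    if missing:
        problems.append("service account key is missing fields: " + ", ".join(missing))
    if data.get("type") != "service_account":
        problems.append(f"key type is {data.get('type')!r}, expected 'service_account'")
    if not str(data.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    pem = str(data.get("private_key", ""))
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        # A key re-wrapped or truncated by an editor on paste is the usual cause.
        problems.append("private_key is not a complete PEM block")
    return problems


def preflight(org_id: str, admin_email: str, org_name: str, key_json: str) -> list[str]:
    """Run every check and return the list of problems; an empty list means the values look pasteable."""
    return (check_org_id(org_id)
            + check_admin_email(admin_email, org_name)
            + check_service_account_key(key_json))


# Constructed sample shaped like a GCP service account key file; IDs and the
# private key are placeholders, not real credentials.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ciem-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    # Sample org ID and email are constructed to satisfy the page's rules.
    problems = preflight("1234567890", "smith@testorg.com", "testorg.com", SAMPLE_KEY_JSON)
    for line in problems or ["no problems found"]:
        print(line)
```

The checks are deliberately structural only: nothing here contacts Google or proves the key is valid for the project. A clean result means the form values are well-formed; Test Connection remains the authoritative check, and its failure can still be investigated with the Search query noted above.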

After a successful test connection, you can set the source scope or move on to marking the entitlement types that grant cloud access.

Setting Source Scope

By default, SailPoint CIEM reads and automatically discovers changes to your cloud infrastructure, which are displayed in the Cloud Scopes section of your SailPoint CIEM source configuration. You can choose to exclude scopes to prevent SailPoint CIEM from including data for those accounts.

To change the scope of your included source data:

  1. In the CIEM GCP source, select Cloud Scopes under Aggregation and Provisioning.
  2. Use the checkboxes to change which accounts are included. Removing a scope disables Auto-Include Scopes.
  3. Select Save.

SailPoint CIEM will now only read and include data from your selected scopes. When Auto-Include Scopes is disabled, new and deleted accounts in your cloud system will be detected, but they will not be automatically included in your SailPoint CIEM data until you select them individually or re-enable Auto-Include Scopes.

Notes

  • You can search for scopes as well as filter by selected and unselected scopes.
  • The Last Refreshed time is when changes to your source inventory were last detected by SailPoint CIEM. This is separate from aggregation.
