Google Cloud Platform IAM Users

About

Google Identity and Access Management (Google IAM) provides central management of access and permissions across the Google Cloud Platform (GCP). In Google IAM you grant roles, each a bundle of granular permissions, to principals (user accounts, groups, and service accounts) at the organization, folder, project, or individual-resource level, so the same principal can hold different access in different parts of the resource hierarchy.

Why You Should Integrate

This integration will provide visibility into your GCP IAM users within Sevco.

How Does the Integration Work

This integration enumerates the IAM principals (user principals and service accounts) that the configured credential can see, either across every project it can reach within a GCP organization or within one GCP project that you specify.

This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.

Configuration

  1. Choose a Schema: A schema is a configuration template that defines a specific way to connect, authenticate, and interact with a source. The following schemas are available:

    • OAuth2: Retrieves user assets by authenticating as a Google user through OAuth2.
      • Note: the OAuth2 grant must be renewed every 90 days; when it expires you must edit the source and re-activate it.
    • Google Cloud Platform Service Account JSON: Retrieves user assets using the long-lived JSON key of a specific GCP service account. The key file is a credential; handle it as a secret.
  2. Configure plugin:

OAuth2

There is no configuration to be done for the OAuth2 schema.

Google Cloud Platform Service Account JSON Schema

Field: Service Account JSON (required)
Description: Contents of the Service Account JSON key file, pasted verbatim.
Example:

{
  "type": "service_account",
  "project_id": "PROJECT_ID",
  "private_key_id": "KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPRIVATE_KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "SERVICE_ACCOUNT_EMAIL",
  "client_id": "CLIENT_ID",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/SERVICE_ACCOUNT_EMAIL"
}

Field: Project ID
Description: Google Cloud Project ID. If empty, the plugin attempts to pull from all projects accessible by the service account.
Example: example-project-id
  3. Configure Name: OPTIONAL: You can give the configuration a name so that it can be told apart from other, similar configurations.

  4. Activate Config: To enable this configuration and begin pulling data, select "Activate". If you wish to save the configuration and come back later to finish it, select "Save Draft". This saves the configuration but keeps it disabled until it is activated.
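Before pasting a key file into the Service Account JSON field it is worth checking that it really is a service-account key and that its fields agree with each other. The script below is an added example, not Sevco code: it checks the field set shown in the template above, that "type" is "service_account" (an OAuth client secret or an application-default-credentials file also parses as JSON but will not work), that client_email belongs to project_id, that the private key is a PEM block whose body is valid base64, and that client_x509_cert_url refers to the same service account. The sample key it builds is constructed for the demonstration and contains filler bytes rather than a real private key.

```python
"""Pre-flight checks for a GCP service-account JSON key file before it is
pasted into the Service Account JSON field.  Added example; not Sevco code."""
import base64
import json
import re
import sys
from urllib.parse import quote

# Fields Google writes into every service-account key file (the same set the
# documentation's template shows).
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
    "client_x509_cert_url",
)
# <account-id>@<project-id>.iam.gserviceaccount.com for user-created accounts;
# account and project ids are 6-30 chars of lowercase letters, digits, hyphens.
SA_EMAIL = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)
PEM_BLOCK = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n(.+)\n-----END PRIVATE KEY-----\n?$", re.S
)
CERT_URL_PREFIX = "https://www.googleapis.com/robot/v1/metadata/x509/"


def validate_key_file(text: str) -> list[str]:
    """Return the problems found; an empty list means the key file looks usable."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems            # the cross-checks below need every field
    if key["type"] != "service_account":
        # An OAuth client secret or an ADC file parses as JSON but is not a key.
        problems.append(f'"type" is {key["type"]!r}, expected "service_account"')
    match = SA_EMAIL.match(key["client_email"])
    if not match:
        problems.append("client_email is not a user-created service-account address")
    elif match.group(1) != key["project_id"]:
        problems.append("client_email belongs to a different project than project_id")
    pem = PEM_BLOCK.match(key["private_key"])
    if not pem:
        problems.append("private_key is not a PEM PRIVATE KEY block with \\n line breaks")
    else:
        try:
            base64.b64decode(pem.group(1).replace("\n", ""), validate=True)
        except ValueError:         # binascii.Error is a ValueError subclass
            problems.append("private_key body is not valid base64")
    # Google URL-encodes the '@' in the cert URL; accept the raw form as well.
    expected_urls = {CERT_URL_PREFIX + quote(key["client_email"]),
                     CERT_URL_PREFIX + key["client_email"]}
    if key["client_x509_cert_url"] not in expected_urls:
        problems.append("client_x509_cert_url does not match client_email")
    return problems


def sample_key(**overrides) -> str:
    """Constructed sample key file for demonstration; the private-key body is
    filler bytes, not a real key.  Keyword arguments override fields."""
    body = base64.b64encode(b"constructed filler, not a real PKCS#8 key " * 3).decode()
    email = "sevco-iam-reader@example-project-id.iam.gserviceaccount.com"
    key = {
        "type": "service_account",
        "project_id": "example-project-id",
        "private_key_id": "0" * 40,
        "private_key": f"-----BEGIN PRIVATE KEY-----\n{body}\n-----END PRIVATE KEY-----\n",
        "client_email": email,
        "client_id": "123456789012345678901",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": CERT_URL_PREFIX + quote(email),
    }
    key.update(overrides)
    return json.dumps(key)


if __name__ == "__main__":
    # Usage: python check_sa_key.py path/to/key.json   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_key()
    for line in validate_key_file(text) or ["OK: key file passes the checks"]:
        print(line)
```

Run it against the downloaded key before uploading; a non-empty report usually means the wrong file was downloaded (a user OAuth client rather than a service-account key) or the file was edited by hand. The checks are structural only: they do not prove the key is still valid or that the account holds the required permissions.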

Source Documentation

Creating Credentials

OAuth2 Schema

No specific credentials need to be generated for this schema. However, the Google user account used to authenticate with GCP must hold the permissions listed under Required Permissions below.

Google Cloud Platform Service Account JSON Schema

You will be required to generate a JSON key for a given GCP service account. This is done in the Google Cloud Console under IAM & Admin > Service Accounts. For details, refer to Google's documentation on creating service account keys.

Please contact Sevco Support for the full details on creating and configuring your GCP service account.

Required Permissions

The principal that authenticates (the Google user for the OAuth2 schema, or the service account for the Service Account JSON schema) must hold a role that grants at least the following permissions. A custom role containing only these permissions is the least-privilege choice. Grant it at the organization or folder level if the source should enumerate every project; a grant on a single project only covers that project.

iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
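A quick way to confirm the grant before activating the source is to compare the bindings in the IAM policy against the role definitions. The script below is an added example, not Sevco code. It reads the JSON shapes produced by `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud iam roles describe ROLE --format=json`, collects every unconditional binding for the service account, unions the roles' includedPermissions, and reports which of the five required permissions are still missing. Conditional bindings are deliberately ignored, since they hold only while the condition is true, and group memberships are not expanded. The organization ID, role name, policy and role definitions are constructed sample data.

```python
"""Check that a service account's IAM bindings grant every permission the
Sevco GCP IAM Users source needs.  Added example; not Sevco code.  Input
shapes follow `gcloud organizations get-iam-policy --format=json` and
`gcloud iam roles describe --format=json`; the sample data is constructed."""
import json
import sys

# The permission set from the Required Permissions list above.
REQUIRED_PERMISSIONS = frozenset({
    "iam.serviceAccounts.get",
    "iam.serviceAccounts.list",
    "resourcemanager.folders.list",
    "resourcemanager.projects.get",
    "resourcemanager.projects.list",
})


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Roles bound directly to `member` in an IAM policy.

    Conditional bindings are skipped: they hold only while the condition is
    true, so a scheduled inventory pull cannot rely on them.  Group
    memberships are not expanded, so a role granted via `group:` is not seen;
    bind the service account directly if this check is to be conclusive."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_permissions(policy: dict, member: str, role_defs: dict) -> frozenset:
    """Required permissions that `member` does not receive from any
    unconditional binding in `policy`.  `role_defs` maps a role name to the
    JSON from `gcloud iam roles describe` (only includedPermissions is read)."""
    granted = set()
    for role in roles_for_member(policy, member):
        granted.update(role_defs.get(role, {}).get("includedPermissions", []))
    return REQUIRED_PERMISSIONS - granted


# Constructed sample: an org-level policy binding a custom role to the Sevco
# service account, plus a conditional (already expired) binding of a second
# custom role that would supply the missing permission but must not count.
SEVCO_SA = "serviceAccount:sevco-iam-reader@example-project-id.iam.gserviceaccount.com"
CUSTOM_ROLE = "organizations/123456789012/roles/sevcoIamReader"
FOLDER_ROLE = "organizations/123456789012/roles/folderLister"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": CUSTOM_ROLE, "members": [SEVCO_SA]},
        {"role": FOLDER_ROLE, "members": [SEVCO_SA],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}
SAMPLE_ROLE_DEFS = {
    CUSTOM_ROLE: {"name": CUSTOM_ROLE, "stage": "GA", "includedPermissions": [
        "iam.serviceAccounts.get", "iam.serviceAccounts.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list"]},
    FOLDER_ROLE: {"name": FOLDER_ROLE, "stage": "GA", "includedPermissions": [
        "resourcemanager.folders.list"]},
}


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: python check_sevco_grant.py MEMBER policy.json role1.json [role2.json ...]
        member, policy, role_defs = sys.argv[1], json.load(open(sys.argv[2])), {}
        for path in sys.argv[3:]:
            role = json.load(open(path))
            role_defs[role["name"]] = role
    else:
        member, policy, role_defs = SEVCO_SA, SAMPLE_POLICY, SAMPLE_ROLE_DEFS
    print("missing:", sorted(missing_permissions(policy, member, role_defs)) or "none")
```

With the sample data the report lists resourcemanager.folders.list as missing, because the only binding that grants it is conditional. Run the same check against the policy of the node where you granted the role (organization, folder, or project); a clean result at project level still only covers that one project.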

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].

Tags: cloud, IAM