Availability

✅ General availability. The Google Cloud Platform connector is available to all ConductorOne users.

Capabilities

• Sync user identities from Google Cloud Platform to ConductorOne

• Resources supported:

  • Projects
  • Roles

• Provisioning supported:

  • Project membership

The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into ConductorOne. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.

Add a new Google Cloud Platform connector

This task requires either the Connector Administrator or Super Administrator role in ConductorOne.

1. In ConductorOne, open Admin and click Connectors > Add connector.

2. Search for Google Cloud Platform and click Add.

3. Choose whether to add the new Google Cloud Platform connector as a data source to an existing application (and select the app of your choice) or to create a new application.

   Do you SSO into Google Cloud Platform using your identity provider (IdP)? If so, make sure to add the connector to the Google Cloud Platform app that was created automatically when you integrated your IdP with ConductorOne, rather than creating a new app.

4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

   A Google Cloud Platform connector owner must have the following permissions:

   • Connector Administrator or Super Administrator role in ConductorOne
   • The permission to make a service account in Google Cloud Platform

5. Click Next.

Next steps

• If you are the connector owner, proceed to Configure your Google Cloud Platform connector for instructions on integrating Google Cloud Platform with ConductorOne.

• If someone else is the connector owner, ConductorOne will notify them by email that their help is needed to complete the setup process.

Configure your Google Cloud Platform connector

A user with the Connector Administrator or Super Administrator role in ConductorOne and the permission to make a service account in Google Cloud Platform must perform this task.

Step 1: Create a new project

1. In Google Cloud Platform the toolbar, click the project select dropdown, then click NEW PROJECT.

   

   

2. Create a new project for your organization:

   • Project Name: Choose a name such as “ConductorOne Integration”
   • Organization/Location: Choose any organization and location

After the project is created, make sure the correct project is selected in the dropdown at the top.

Step 2: Enable APIs

1. In the navigation menu, navigate to > APIs & Services > Library.

   

2. Search for and select the following APIs:

   • Identity and Access Management (IAM) API
   • Cloud Resource Manager API
   • Cloud Asset API
   • Admin SDK API

   

3. Click Enable.

   

Step 3: Create a service account

1. In the navigation menu, navigate to > APIs & Services > Credentials.

   

2. Select CREATE CREDENTIALS > Service Account.

   

3. Under Service account details, fill in the following:

   • Service account name: ConductorOne Integration
   • Service account description: for example, “Service account for ConductorOne Google Cloud Platform Integration”
   • Click CREATE AND CONTINUE

   

4. Under Grant this service account access to a project, grant the appropriate permission level:

   • Viewer to run access reviews on your Google Cloud Platform users
   • Editor to provision access via ConductorOne and run access reviews

   

5. Leave Grant users access to this service account blank.

6. Click DONE.

   

Step 4: Grant your service account access to your organization

1. Navigate to your organization by selecting your organization from the dropdown.

   

2. Navigate to the IAM tab from the left nav and click ADD button located at the top of the page.

   

3. For the principal, use the service accountId for the service account you created in Step 3.

4. Select the appropriate roles:

   • Organization Viewer and Viewer to run access reviews on your Google Cloud Platform users
   • Organization Administrator and Editor to provision access via ConductorOne and run access reviews

5. Click Save.

Step 5: Get credentials

1. Navigate back to APIs & Services > Credentials and select the service account you just created.

2. Click the service account’s email address.

3. On the Service Account Details Page, click KEYS.

   

4. Click ADD KEY > Create new key.

5. Choose JSON and click CREATE.

   

   

6. Keep the downloaded file safe, you’ll use it in the next step.

Step 6: Add your Google Cloud Platform credentials to ConductorOne

1. In ConductorOne, navigate to the Google Cloud Platform connector by either:

   • Clicking the Set up connector link in the email you received about configuring the connector.

   • Navigate to Admin > Connectors > Google Cloud Platform (if there is more than one Google Cloud Platform listed, click the one with your name listed as owner and the status Not connected).

2. Find the Settings area of the page and click Edit.

3. Select the JSON file you downloaded in Step 5 in the Credentials (JSON) field.

4. Click Save.

5. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Google Cloud Platform connector is now pulling access data into ConductorOne.

Configure the Google Cloud Platform integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Google Cloud Platform and ConductorOne.

See the ConductorOne Google Cloud Platform integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.