Set up a Google Cloud Platform connector

ConductorOne provides identity governance and just-in-time provisioning for Google Cloud Platform. Integrate your Google Cloud Platform instance with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Which Google connector should I use? Each of the Google connectors offered by ConductorOne varies in what it can sync and what it can provision. Selecting the right connector for you will depend on which Google services your organization uses, and how you want to manage Google resources within ConductorOne.
Google Cloud Platform can sync accounts, projects, roles, and orgs. It can provision projects.
Google Workspace can sync accounts, groups, and roles. It can provision groups and roles.
Google Cloud Platform with Google Workspace can do all of the above, and it combines all of the resources and entitlements of the two connectors into a single app within ConductorOne.
Running separate connectors can simplify management and make the apps easier to understand and work with, while the combined app unifies resource management and allows Google Cloud to leverage existing Google Workspace groups for authorization.

Capabilities

Resource	Sync	Provision
Accounts	✅
Projects	✅	✅
Roles	✅
Organizations	✅
Secrets	✅

The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into ConductorOne. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.

Gather Google Cloud Platform credentials

Configuring the connector requires you to pass in credentials generated in Google Cloud Platform. Gather these credentials before you move on.

A user with the permission to make a service account in Google Cloud Platform must perform this task.

Create a new project

In the Google Cloud console, click the project select dropdown, then click NEW PROJECT.
Create a new project for your organization:
- Project Name: Choose a name such as “ConductorOne Integration”
- Organization/Location: Choose any organization and location

After the project is created, make sure the correct project is selected in the dropdown at the top.

Enable APIs

In the navigation menu, navigate to > APIs & Services > Library.
Search for and select the following APIs:
- Identity and Access Management (IAM) API
- Cloud Resource Manager API
- Cloud Asset API
- Admin SDK API
Click Enable.

Create a service account

In the navigation menu, navigate to > APIs & Services > Credentials.
Select CREATE CREDENTIALS > Service Account.
Under Service account details, fill in the following:
- Service account name: ConductorOne Integration
- Service account description: for example, “Service account for ConductorOne Google Cloud Platform Integration”
Click CREATE AND CONTINUE.

Under Grant this service account access to a project, grant the appropriate permission level:

Viewer to run access reviews on your Google Cloud Platform users
Editor to provision access via ConductorOne and run access reviews

Alternatively, you can create and assign a custom role on the org level:

You’ll need these permissions to give ConductorOne READ access (for syncing access data):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list

You’ll need these permissions to give ConductorOne READ/WRITE access (for syncing access data and provisioning access):

cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

Leave Grant users access to this service account blank.
Click DONE.

Before moving on, carefully copy and save the service account ID that Google generated for the service account.

Grant your service account access to your organization

Navigate to your organization by selecting your organization from the dropdown.
Navigate to the IAM tab from the left nav and click ADD button located at the top of the page.
For the principal, use the service account ID for the service account you created earlier.
Select the appropriate roles:
- Organization Viewer and Viewer to give ConductorOne READ access
- Organization Administrator and Editor to give ConductorOne READ/WRITE access
Click Save.

Optional: Enable API token information syncing

If you want to sync information about the API tokens and service account keys created in your Google Cloud Platform instance, follow the instructions below. Otherwise, skip ahead to the Get credentials section.

In the ConductorOne project, search for “API keys” and enable it.
Next, grant the API Keys Viewer Role to the service account you created for ConductorOne. Navigate to IAM & Admin > IAM.
On the IAM page, find your Service Account in the list on the Principals tab.
Click the icon to edit the Service Account, then click Add another role.
Search for and select API Keys Viewer.
Click Save.

Next, we’ll return to the ConductorOne integration project you created earlier to generate the necessary credentials.

Get credentials

Navigate back to APIs & Services > Credentials and select the service account you just created.
Click the service account’s email address.
On the Service Account Details Page, click KEYS.
Click ADD KEY > Create new key.
Choose JSON and click CREATE. The new key is created and downloaded to your computer.
Keep the downloaded file safe, you’ll use it to set up the connector.

That’s it! Next, move on to the instructions for your chosen setup method.

Configure the Google Cloud Platform connector

To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Google Cloud Platform credentials generated by following the instructions above

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for Google Cloud Platform and click Add.
Choose how to set up the new Google Cloud Platform connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
Upload the JSON file in the Credentials (JSON) field.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Google Cloud Platform connector is now pulling access data into ConductorOne.

Follow these instructions to use a connector, hosted and run in your own environment.

Self-hosted connector not currently available.