Availability

✅ General availability. The Google Cloud Platform connector is available to all ConductorOne users.

Capabilities

• Sync user identities from Google Cloud Platform to ConductorOne

• Resources supported:

  • Projects
  • Roles

• Provisioning supported:

  • Project membership

The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into ConductorOne. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.

Set up the Google Cloud Platform integration

This task requires either the Integration Administrator or Super Administrator role in ConductorOne.

1. In ConductorOne, open Admin and click Integrations > Google Cloud Platform.

2. If this is your first Google Cloud Platform integration, the integration form opens automatically. Otherwise, click Add connector.

3. Choose whether to add the new Google Cloud Platform connector as a data source to an existing application (and select the app of your choice) or to create a new application.

   Do you SSO into Google Cloud Platform using your identity provider (IdP)? If so, make sure to add the connector to the Google Cloud Platform app that was created automatically when you integrated your IdP with ConductorOne, rather than creating a new app.

4. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed.

   A Google Cloud Platform integration owner must have the following permissions:

   • Integration Administrator or Super Administrator role in ConductorOne
   • The permission to make a service account in Google Cloud Platform

5. Click Create and add details.

Next steps

• If you are the integration owner, proceed to Integrate your Google Cloud Platform instance for instructions on integrating Google Cloud Platform with ConductorOne.

• If someone else is the integration owner, ConductorOne will notify them by email that their help is needed to complete the integration.

Integrate your Google Cloud Platform instance

A user with the Integration Administrator or Super Administrator role in ConductorOne and the permission to make a service account in Google Cloud Platform must perform this task.

Step 1: Create a new project

1. In Google Cloud Platform the toolbar, click the project select dropdown, then click NEW PROJECT.

   

   

2. Create a new project for your organization:

   • Project Name: Choose a name such as “ConductorOne Integration”
   • Organization/Location: Choose any organization and location

After the project is created, make sure the correct project is selected in the dropdown at the top.

Step 2: Enable APIs

1. In the navigation menu, navigate to > APIs & Services > Library.

   

2. Search for and select the following APIs:

   • Identity and Access Management (IAM) API
   • Cloud Resource Manager API
   • Cloud Asset API
   • Admin SDK API

   

3. Click Enable.

   

Step 3: Create a service account

1. In the navigation menu, navigate to > APIs & Services > Credentials.

   

2. Select CREATE CREDENTIALS > Service Account.

   

3. Under Service account details, fill in the following:

   • Service account name: ConductorOne Integration
   • Service account description: for example, “Service account for ConductorOne Google Cloud Platform Integration”
   • Click CREATE AND CONTINUE

   

4. Under Grant this service account access to a project, grant the appropriate permission level:

   • Viewer to run access reviews on your Google Cloud Platform users
   • Editor to provision access via ConductorOne and run access reviews

   

5. Leave Grant users access to this service account blank.

6. Click DONE.

   

Step 4: Grant your service account access to your organization

1. Navigate to your organization by selecting your organization from the dropdown.

   

2. Navigate to the IAM tab from the left nav and click ADD button located at the top of the page.

   

3. For the principal, use the service accountId for the service account you created in Step 3.

4. Select the appropriate roles:

   • Organization Viewer and Viewer to run access reviews on your Google Cloud Platform users
   • Organization Administrator and Editor to provision access via ConductorOne and run access reviews

5. Click Save.

Step 5: Get credentials

1. Navigate back to APIs & Services > Credentials and select the service account you just created.

2. Click the service account’s email address.

3. On the Service Account Details Page, click KEYS.

   

4. Click ADD KEY > Create new key.

5. Choose JSON and click CREATE.

   

   

6. Keep the downloaded file safe, you’ll use it in the next step.

Step 6: Add your Google Cloud Platform credentials to ConductorOne

1. In ConductorOne, open Admin and click Integrations > Google Cloud Platform.

2. In the list of connectors, locate and click on the name of the connector with the Not connected label.

3. Find the Settings area of the page and click Edit.

4. Select the JSON file you downloaded in Step 5 in the Credentials (JSON) field.

5. Click Save.

6. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Google Cloud Platform instance is now integrated with ConductorOne.

Configure the Google Cloud Platform integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Google Cloud Platform and ConductorOne.

See the ConductorOne Google Cloud Platform integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.