Google Cloud
Configuring the Google Cloud integration
The Veza Integration for Google Cloud Platform enables discovery of Google Cloud Workspace and Google Cloud IAM entities, along with authorization metadata for the organization, projects, and folders. Veza additionally discovers authorization to resources such as Storage, Compute, BigQuery, and KMS, using read-only permissions and native project APIs.
To connect your environment, you will need to:
Configure a Google Cloud service account and role, and generate and download a key
Enable the integration under Veza Cloud Providers > Add New > Google Cloud
See Notes & Supported Entities for more details on the Veza-Google connector and supported services
Prerequisites
You will need Workspace super admin permissions to create and assign the custom admin role, and administrator access in Google Cloud.
Create a Service Account for Veza
Service accounts are the standard method for automated Google Cloud access. They exist within individual Google Cloud projects, and can be given permissions at the project, folder, or organization level. The service account you create can be in any project, provided that the required APIs are enabled for that project.
Navigate to the IAM & Admin Cloud Console panel.
Go to the Service Accounts page.
Click on Create Service Account.
Provide a display name, ID, and (optional) description, and click Create and Continue. Take note of the service account email address.
Enable Domain Wide Delegation for the Service Account
Provide the required OAuth scopes to allow your service account to access Google Workspace.
From your Google Workspace domain’s Admin console, choose Main Menu > Security > Access and data control > API controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the client ID from the service account creation steps above.
In the OAuth Scopes field, enter a comma-delimited list of the required scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
https://www.googleapis.com/auth/apps.groups.settings
Click Authorize.
For additional information, see Delegate domain-wide authority to your service account.
Create a custom admin role for the service account
You'll need to create a custom Workspace role with the required API permissions, which you will assign to the service account:
Click Create new role.
Enter a name and optional description for the role, and click Continue.
The permissions that are needed for the API are under Admin API Privileges. From the list, check the boxes to select the read-only permissions:
Users > Read
Groups > Read
Organization Units > Read
Domain Management
Click Continue.
Review the privileges and click Create Role.
For more information, see Create, edit, and delete custom admin roles - Google Workspace Admin Help.
Apply the custom role to the service account
After creating the role, you will have the option to Assign Service Accounts. To allow your service account to access Google Groups using the Cloud Identity API:
Open Admin roles and choose the Veza role you just created. If you've just completed the previous steps, this screen will already be open.
On the role Admins panel, choose Assign role > Assign service accounts.
Enter the email address of the service account.
You can find the email address of the service account from Google Cloud Console under IAM & Admin > Service Accounts.
For more information, see Assign specific admin roles - Google Workspace Admin Help.
Retrieve your Workspace Customer ID
Each Google Workspace account has a customer ID, which Veza will need to connect. Take note of the customer ID for use in credentials:
From the Admin console Home page, go to Account settings > Profile.
Under Customer ID, find your organization's unique ID.
Save the customer ID, which you will need when configuring the connection in Veza.
For more information, see Find your customer ID - Google Workspace Admin Help.
Enable APIs
For Veza to discover complete authorization metadata for Google Cloud, the project containing your service account must have the required read-only data APIs enabled.
Follow the links below to enable each API. Ensure that the project where you created the service account is selected:
Cloud Resource Manager API (https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com)
Cloud Identity API (https://console.developers.google.com/apis/api/cloudidentity.googleapis.com)
Groups Settings API (https://console.cloud.google.com/apis/api/groupssettings.googleapis.com/overview)
(Optional) BigQuery API (https://console.cloud.google.com/apis/library/bigquery.googleapis.com)
(Optional) Cloud Key Management API (https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)
(Optional) Compute API (https://console.cloud.google.com/apis/library/compute.googleapis.com)
(Optional) Cloud Storage API (https://console.cloud.google.com/apis/library/storage.googleapis.com)
Create a Role in the Google Cloud Organization
From your Google Cloud console, create a role to bind to the Veza service account. You can create this role using the UI, or the Google Cloud CLI:
Go to IAM & Admin, and select Roles from the menu on the left side.
In the top left corner, ensure your Organization is selected, and not an individual project.
Click Create Role, and assign the following permissions to enable basic discovery of Google Cloud IAM and Storage Buckets:
iam.roles.get
iam.roles.list
iam.serviceAccounts.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.get
serviceusage.services.list
resourcemanager.tagValues.list
resourcemanager.tagValues.get
resourcemanager.tagKeys.list
resourcemanager.tagKeys.get
resourcemanager.resourceTagBindings.list
Grant Additional Permissions for Google Cloud Services
To discover Google Services, the service account role will need extra permissions, which you can apply selectively depending on the resources you want Veza to discover:
Service | Required Permissions |
---|---|
Storage Buckets | |
Compute | |
Key Management | |
BigQuery | |
Cloud Run | |
Cloud SQL | |
Kubernetes Engine | |
Configuring a service account role using Google Cloud Console
You can also create this role and assign all required and optional permissions using the gcloud CLI. This can be faster and more precise than granting each permission individually in the console.
Bind the Role to the Service Account
From the IAM & Admin page of the Google console, click IAM. Ensure that your Organization, and not an individual Project, is active in the top left corner:
Click + Grant Access to apply the role to the Veza service account.
Enter the service account email in the New Principals field.
Under Select a Role, pick "Custom" and specify the Veza role.
This will grant the service account the required permissions, for the current organization and its children (all Projects and Folders).
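The role creation and binding steps above, carried out with the gcloud CLI as an added example (this is not Veza's own tooling). It writes the organization-level role definition from the base permission list in the "Create a Role" section, refuses to emit a role containing any write-style permission, and then binds the role to the service account; ORG_ID, SA_EMAIL and the role ID veza_discovery are placeholders to replace.

```shell
#!/bin/sh
# Added example: create the Veza discovery role at the ORGANIZATION level
# (not a project) and bind it to the Veza service account.
set -eu

ORG_ID="${ORG_ID:-123456789012}"   # placeholder organization ID
SA_EMAIL="${SA_EMAIL:-veza-discovery@my-project.iam.gserviceaccount.com}"  # placeholder
ROLE_ID="${ROLE_ID:-veza_discovery}"   # custom role ID, our choice

# Base permissions from the "Create a Role in the Google Cloud Organization" section.
# Per-service permissions (Storage, Compute, ...) are passed as extra arguments.
VEZA_BASE_PERMS="iam.roles.get iam.roles.list iam.serviceAccounts.list
resourcemanager.folders.getIamPolicy resourcemanager.folders.list
resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy resourcemanager.projects.list
resourcemanager.projects.get serviceusage.services.list
resourcemanager.tagValues.list resourcemanager.tagValues.get
resourcemanager.tagKeys.list resourcemanager.tagKeys.get
resourcemanager.resourceTagBindings.list"

# Write the role in the YAML shape accepted by `gcloud iam roles create --file`.
# $1 = output path; remaining arguments = extra permissions for optional services.
write_role_yaml() {
  out="$1"; shift
  {
    printf 'title: Veza read-only discovery\n'
    printf 'description: Read-only IAM and resource metadata discovery for Veza\n'
    printf 'stage: GA\nincludedPermissions:\n'
    for p in $VEZA_BASE_PERMS "$@"; do printf -- '- %s\n' "$p"; done
  } > "$out"
  # The integration only needs read access: refuse any create/delete/update/setIamPolicy permission.
  if grep -Eq '\.(create|delete|update|setIamPolicy)$' "$out"; then
    echo "refusing: write permission found in $out" >&2
    return 1
  fi
}

# Create the custom role on the organization and bind it to the service account,
# so the grant is inherited by every folder and project beneath the organization.
apply_role() {
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$1" --quiet
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="organizations/$ORG_ID/roles/$ROLE_ID"
}

# Only talk to Google Cloud when explicitly requested and gcloud is installed.
if [ "${VEZA_APPLY:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  write_role_yaml /tmp/veza-role.yaml && apply_role /tmp/veza-role.yaml
fi
```

Run with VEZA_APPLY=1 after setting ORG_ID and SA_EMAIL; add the per-service permissions from the table above as extra arguments to write_role_yaml when you want optional services discovered.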
Create and download Service Account key
To download a key from Cloud Console:
Go to Service Accounts.
Select the project where the SA is located.
Click the keys tab.
Select create key from the add key dropdown menu.
Choose "JSON" as the Key Type and click Create.
NOTE: If you receive a message stating that the organization policy constraint iam.disableServiceAccountKeyCreation is enforced, you may have to disable the iam.disableServiceAccountKeyCreation policy under Organization Policies to allow key creation.
You can generate service account keys several other ways. For more information, see the instructions at Creating and managing service account keys | Cloud IAM Documentation.
Add the Google Cloud provider to Veza
As a Veza administrator, navigate to Configuration > Cloud Providers > Add New. Choose Google Cloud Platform from the dropdown, and fill out the fields using the information you gathered during the steps above:
Field | Details |
---|---|
Insight Point | |
Workspace email | Email address of the Workspace user to assume. |
Customer ID | |
Credentials.json | |
Limit Google Cloud Services | |
Identity Mapping Configurations | |