Google Cloud

The Veza Integration for Google Cloud Platform enables discovery of Google Cloud Workspace and Google Cloud IAM entities, along with authorization metadata for the organization, projects, and folders. Veza additionally discovers authorization to resources such as Storage, Compute, BigQuery, and KMS, using read-only permissions and native project APIs.

To connect your environment, you will need to:

• Configure a Google Cloud service account and role, and generate and download a key

• Create and assign an Organization-wide role for the service account

• Create and assign a custom workspace role and enable domain-wide delegation

• Enable the required APIs for the project containing the service account

• Retrieve the Workspace customer ID

• Enable the integration under Veza Cloud Providers > Add New > Google Cloud

See Notes & Supported Entities for more details on the Veza-Google connector and supported services

Prerequisites

• You will need Workspace super admin permissions to create and assign the custom admin role, and administrator access in Google Cloud.

Create a Service Account for Veza

Service accounts are the standard method for automated Google Cloud access. They exist within individual google cloud projects, and can be given permissions at the project, folder, or organizational level. The service account you create can be in any project, provided that the required APIs are enabled for the project.

1. Navigate to the IAM & Admin Cloud Console panel.

2. Go to the Service Accounts page.

3. Click on Create Service Account.

4. Provide a display name, ID, and (optional) description, and click Create and Continue. Take note of the service account email address.

Enable Domain Wide Delegation for the Service Account

Provide the required OAuth scopes to allow your service account to access Google Workspace.

1. From your Google Workspace domain’s Admin console, choose Main Menu > Security > Access and data control > API controls.

2. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

3. Click Add new.

4. In the Client ID field, enter the client ID from the service account creation steps above.

5. In the OAuth Scopes field, enter a comma-delimited list of the required scopes:

   1. https://www.googleapis.com/auth/admin.directory.user.readonly

   2. https://www.googleapis.com/auth/admin.directory.domain.readonly

   3. https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly

   4. https://www.googleapis.com/auth/apps.groups.settings

6. Click Authorize.

For additional information, see Delegate domain-wide authority to your service account.

Create a custom admin role for the service account

You'll need to create a custom Workspace role with the required API permissions, which you will assign to the service account:

2. Click Create new role.

3. Enter a name and optional description for the role, and click Continue.

4. The permissions that are needed for the API are under Admin API Privileges. From the list, check the boxes to select the read-only permissions:\

   1. Users > Read

   2. Groups > Read

   3. Organization Units > Read

   4. Domain Management

5. Click Continue.

6. Review the privileges and click Create Role.

For more information, see Create, edit, and delete custom admin roles - Google Workspace Admin Help.

Apply the custom role to the service account

After creating the role, you will have the option to Assign Service Accounts. To allow your service account to access Google Groups using the cloud identity API:

1. Open Admin roles and choose the Veza role you just created. If you've just completed the previous steps, this screen will already be open.

2. On the role Admins panel, choose Assign role > Assign service accounts.

3. Enter the email address of the service account.

   You can find the email address of the service account from Google Cloud Console under IAM & Admin > Service Accounts.

For more information, see Assign specific admin roles - Google Workspace Admin Help.

Retrieve your Workspace Customer ID

Each Google Workspace account has a customer ID, which Veza will need to connect. Take note of the customer ID for use in credentials:

1. From the Admin console Home page, go to Account settings > Profile.

2. Under Customer ID, find your organization's unique ID.

Save the customer ID, which you will need when configuring the connection in Veza.

For information, seeFind your customer ID - Google Workspace Admin Help.

Enable APIs

For Veza to discover complete authorization metadata for Google Cloud, the project containing your service account must have the required read-only data APIs enabled.

Follow the links below to enable each API. Ensure that the project where you created the service account is selected:

• Cloud Resource Manager API (https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com)

• Cloud Identity API (https://console.developers.google.com/apis/api/cloudidentity.googleapis.com)

• Admin SDK - (https://console.developers.google.com/apis/api/admin.googleapis.com/overview)

• IAM API - (https://console.developers.google.com/apis/api/iam.googleapis.com)

• Groups Settings API - (https://console.cloud.google.com/apis/api/groupssettings.googleapis.com/overview)

• (Optional) BigQuery - (https://console.cloud.google.com/apis/library/bigquery.googleapis.com)

• (Optional) Cloud Key Management (https://console.cloud.google.com/apis/library/cloudkms.googleapis.com)

• (Optional) Compute API (https://console.cloud.google.com/apis/library/compute.googleapis.com)

• (Optional) Cloud Storage API (https://console.cloud.google.com/apis/library/storage.googleapis.com)

Create a Role in the Google Cloud Organization

From your Google Cloud console, create a role to bind to the Veza service account. You can create this role using the UI, or the Google Cloud CLI:

Go to IAM & Admin, and select Roles from the menu on the left side.

Click Create Role, and assign the following permissions to enable basic discovery of Google Cloud IAM and Storage Buckets:

• iam.roles.get

• iam.roles.list

• iam.serviceAccounts.list

• resourcemanager.folders.getIamPolicy

• resourcemanager.folders.list

• resourcemanager.organizations.get

• resourcemanager.organizations.getIamPolicy

• resourcemanager.projects.getIamPolicy

• resourcemanager.projects.list

• resourcemanager.projects.get

• serviceusage.services.list

• resourcemanager.tagValues.list

• resourcemanager.tagValues.get

• resourcemanager.tagKeys.list

• resourcemanager.tagKeys.get

• resourcemanager.resourceTagBindings.list

Grant Additional Permissions for Google Cloud Services

To discover Google Services, the service account role will need extra permissions, which you can apply selectively depending on the resources you want Veza to discover:

Configuring a service account role using Google Cloud Console

You can create this role, and assign all required and optional permissions by using the gcloud CLI. This can be faster and more precise than granting each permission individually.

gcloud iam roles create VEZA_ROLE_NAME --organization=010101010101 --permissions=iam.roles.get,iam.roles.list,iam.serviceAccounts.list,resourcemanager.folders.getIamPolicy,resourcemanager.folders.list,resourcemanager.organizations.get,resourcemanager.organizations.getIamPolicy,resourcemanager.projects.getIamPolicy,resourcemanager.projects.list,resourcemanager.projects.get,storage.buckets.getIamPolicy,storage.buckets.list,compute.networks.list,compute.instances.list,compute.subnetworks.list,compute.zones.list,compute.regions.list,compute.instances.getIamPolicy,compute.subnetworks.getIamPolicy,compute.networks.list,compute.instances.list,compute.subnetworks.list,compute.zones.list,compute.regions.list,compute.instances.getIamPolicy,compute.subnetworks.getIamPolicy,cloudkms.cryptoKeyVersions.viewPublicKey,cloudkms.locations.get,cloudkms.locations.list,cloudkms.cryptoKeyVersions.get,cloudkms.cryptoKeyVersions.list,cloudkms.cryptoKeys.get,cloudkms.cryptoKeys.list,cloudkms.keyRings.get,cloudkms.keyRings.list,bigquery.datasets.getIamPolicy,bigquery.datasets.get,bigquery.tables.getIamPolicy,bigquery.tables.get,bigquery.tables.list

gcloud iam roles update <<role_name>> --organization=<<ORG_ID>> --add-permissions=<<PERMISSIONS>>

Bind the Role to the Service Account

From the IAM & Admin page of the Google console, click IAM. Ensure that your Organization, and not an individual Project, is active in the top left corner:

Click + Grant Access to apply the role to the Veza service account.

1. Enter the service account email in the New Principals field.

2. Under Select a Role, pick "Custom" and specify the Veza role.

This will grant the service account the required permissions, for the current organization and its children (all Projects and Folders).

Create and download Service Account key

To download a key from Cloud Console:

1. Go to Service Accounts.

2. Select the project where the SA is located.

3. Click the keys tab.

4. Select create key from the add key dropdown menu.

5. Choose "JSON" as the Key Type and click Create

NOTE: If you receive a message stating the organization policy constraint iam.disableServiceAccountKeyCreation is enforced, you may have to disable your organization policy iam.disableServiceAccountKeyCreation under Organization Policies to allow key creation.

You can generate service account keys several other ways. For more information, see the instructions at Creating and managing service account keys | Cloud IAM Documentation.

Add the Google Cloud provider to Veza

As a Veza administrator, navigate to Configuration > Cloud Providers > Add New. Choose Google Cloud Platform from the dropdown, and fill out the fields using the information you gathered during the steps above: