Release Notes

Google Cloud

Configuring the Veza integration for Google Cloud

Overview

The Veza Integration for Google Cloud Platform (GCP) enables discovery of Google Cloud Workspace and Google Cloud IAM entities, along with authorization metadata for the organization, projects, and folders. Veza additionally discovers authorization to resources such as Storage, Compute, BigQuery, and KMS, using read-only permissions and native project APIs.

Prerequisites

Before starting the integration setup:

  • You need Workspace super admin permissions to create and assign custom admin roles

  • You need administrator access to the Google Cloud Organization

  • For Workload Identity Federation: Obtain Veza's AWS Role ARN from: https://<tenant>/api/v1/providers/google_cloud:aws_role_arn

See Notes & Supported Entities for details on the Veza-Google connector and supported services.

Authentication Methods

Veza supports two methods for authenticating with Google Cloud:

  1. Workload Identity Federation (Recommended)

    • Eliminates the need to manage service account keys

    • Uses temporary credentials through AWS-Google Cloud trust

    • Follows Google Cloud security best practices

  2. Service Account Key Authentication (Alternative)

    • Traditional method using service account key files

    • Use only when Workload Identity Federation cannot be implemented

Option 1: Workload Identity Federation (Recommended)

Workload Identity Federation allows Veza to access Google Cloud resources securely without storing long-lived credentials. It uses a trust relationship between Veza's AWS role and your Google Cloud service account.

Integration Flow:

  1. Veza's AWS role requests access to Google Cloud resources.

  2. AWS generates a signed token proving Veza's identity.

  3. Google Cloud validates the token via the established trust relationship.

  4. Google Cloud issues temporary credentials for the service account.

  5. Veza uses these temporary credentials to access authorized resources.

To enable Workload Identity Federation, enable the required APIs for your Google Cloud project, then create a Workload Identity Pool and configure AWS as the identity provider. After configuring service account impersonation to grant access to Veza's AWS role, you can download the credential configuration file for integration setup.

Prerequisites

  1. Retrieve Veza's AWS Role ARN:

    • Contact your Veza support representative to obtain the AWS Role ARN for your tenant. This ARN is required to configure the trust relationship between Google Cloud and Veza.

    • You will need the account ID and role name from this ARN to configure the integration in Google Cloud.

    • Example ARN format: arn:aws:iam::123456789012:role/veza-integration-role

  2. Complete the common Google Cloud setup steps (excluding service account key creation):

    • Enable domain-wide delegation.

    • Create and assign a custom admin role.

    • Create and bind an organizational role.

    • Enable required APIs.

Step 1: Create Service Account

  1. Navigate to IAM & Admin > Service Accounts

  2. Click Create Service Account

  3. Provide a name, ID, and description

  4. Note the service account email address

Step 2: Enable Required APIs

Enable the following APIs for your Google Cloud project:

  • IAM API

  • Cloud Resource Manager API

  • IAM Service Account Credentials API

  • Security Token Service API

Step 3: Create Workload Identity Pool

To create a pool, choose IAM & Admin > Workload Identity Pools from the Google Cloud Console. Follow these steps to add a pool for the Veza integration:

  1. In the Google Cloud console, go to New workload provider and pool

  2. Provide a pool name (e.g., veza-federation-pool)

  3. Add a description

  4. Click Continue

Step 4: Add AWS as Identity Provider

  1. Select AWS as the provider

  2. Configure the provider details:

    • Provider name: e.g., Veza AWS Provider

    • Provider ID: Add a unique identifier, e.g. veza-aws-prod

    • AWS Account ID: Enter the AWS account ID from the role ARN provided by your Veza support representative, e.g., 012345678901

  3. Click Continue

  4. Configure the attribute mapping to extract the role name from Veza's AWS ARN:

    • For Google field: enter attribute.aws_role

    • For AWS field: enter assertion.arn.extract('assumed-role/{role}/')

  5. Under 'Attribute Conditions', add:

    attribute.aws_role == 'ROLE_NAME'

    Replace ROLE_NAME with your Veza integration role name.

    Note: The attribute mappings transform AWS role information into a format Google Cloud can use, while the condition acts as a security control by only allowing the specific Veza integration role to use this federation. This prevents any other AWS roles from accessing your Google Cloud resources.

  6. Click Save

Step 5: Configure Service Account Impersonation

  1. Go to the pool details page

  2. Select Grant Access

  3. In the dialog, select Grant access using Service Account impersonation

  4. Choose the service account created for the Veza integration from the Select service account dropdown

  5. Under Select Principals:

    1. Choose "AWS Role" as the attribute name

    2. Enter your Veza AWS Role ARN as the attribute value.

  6. Click Save and Dismiss

Step 6: Download Configuration

  1. On the provider details page, select Connected service accounts

  2. Find the integration service account and click Download

  3. Select the AWS provider and click Download config

The configuration file will look similar to:

{
   "universe_domain": "googleapis.com",
   "type": "external_account",
   "audience": "//iam.googleapis.com/projects/<project_id>/locations/global/workloadIdentityPools/<pool_name>/providers/<provider_name>",
   "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
   "token_url": "https://sts.googleapis.com/v1/token",
   "credential_source": {
      "environment_id": "aws1",
      "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
   }
}

Save this file for use in the Veza integration setup.

See Google's Workload Identity Federation Documentation for detailed instructions.

Troubleshooting

If you encounter the error Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist), follow these steps:

  1. Enable audit logging for Workload Identity Federation:

    • Go to IAM & Admin --> Audit Logs in the Google Cloud Console

    • Find the project where you configured Workload Identity Federation

    • Enable audit logging for "Identity and Access Management (IAM) API"

  2. Check STS token exchange logs in Log Explorer:

    • Open Observability-->Logging

    • Set the resource to audited_resource

    • Filter for resource.labels.service="sts.googleapis.com"

    • Look for principalSubject in the logs to verify the AWS role ARN attempting federation

      Example log entry:

      principalSubject: "arn:aws:sts::123456789012:assumed-role/veza-integration-role/veza-gcp-federation"

The log explorer will show whether the correct AWS role is attempting access and help identify any misconfigurations in the identity pool settings. For more details about Workload Identity Federation audit logging, see Google's Audit Logging Documentation.

Option 2: Service Account Key Authentication (Alternative)

This traditional method uses a service account key for authentication. While supported, it should only be used when Workload Identity Federation cannot be implemented.

Step 1: Create Service Account

  1. Navigate to IAM & Admin > Service Accounts

  2. Click Create Service Account

  3. Provide a name, ID, and description

  4. Note the service account email address

Step 2: Generate Service Account Key

  1. Go to Service Accounts

  2. Select your project

  3. Click the Keys tab

  4. Select Create New Key

  5. Choose JSON format

  6. Download and securely store the key file

Note: If you receive a message about iam.disableServiceAccountKeyCreation being enforced, you may need to modify your organization policy to allow key creation.

Required Configuration Steps

Complete these steps regardless of your chosen authentication method.

Enable Google Cloud APIs

To discover complete authorization metadata for Google Cloud, the project containing the integration service account must have the following data APIs enabled.

Click the Enable API links in the following list to enable each API. Ensure that the project where you created the service account is selected before enabling the API.

You can also enable APIs for each project to discover by opening Google Cloud console API Library page, and choosing the Google Cloud project where the service account resides. Use the Search for APIs & Services find and enable APIs for the services to discover.

Mandatory APIs

These APIs must be enabled in your project:

  • Cloud Resource Manager API (Enable API)

    • Required for organization, project, and folder discovery

  • Cloud Identity API (Enable API)

    • Required for identity management

  • Admin SDK API (Enable API)

    • Required for workspace administration

  • Groups Settings API (Enable API)

    • Required for group management

  • Identity and Access Management (IAM) API (Enable API)

    • Required for identity and access management

    • (Optional) IAM API v2 to discover Deny Policies and use iam.denypolicies.get and iam.denypolicies.list permissions

Optional APIs

Enable these APIs based on the services you want to discover:

Enable Domain-Wide Delegation

  1. From your Google Workspace domain's Admin console, choose Security > Access and data control > API controls

  2. Under Domain wide delegation, select Manage Domain Wide Delegation

  3. Click Add new

    Enabling domain wide delegation

  4. Enter the service account's client ID

  5. Add these OAuth scopes:

    https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.domain.readonly
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
https://www.googleapis.com/auth/apps.groups.settings

  6. Click Authorize

Create a Custom Admin Role

You'll need to create a custom Workspace role with the required API permissions, and assign the role to the integration service account:

  1. In Admin console, go to Admin roles. You may need to click "show more" on the home page for the option to appear:

    Creating a custom admin role

  2. Click Create new role

  3. Enter a name and description

  4. Under Admin API Privileges, enable:

    • Users > Read

    • Groups > Read

    • Organization Units > Read

Assigning custom role permissions

After creating the role, assign it to your service account:

  1. On the role Admins panel, choose Assign role > Assign service accounts

  2. Enter the email address of the service account

    Assign workspace role

For more information, see Assign specific admin roles - Google Workspace Admin Help.

Create an Organization Role

From your Google Cloud console, create a role to bind to the Veza service account. You can create this role using the UI, or the Google Cloud CLI. Go to IAM & Admin, and select Roles from the menu on the left side.

When creating the organization role, ensure your Organization (not an individual project) is selected:

Confirm that the organization is active, and change if needed.

Create a role in Google Cloud Organization with these minimum permissions:

iam.roles.get
iam.roles.list
iam.serviceAccounts.list
iam.denypolicies.get
iam.denypolicies.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.get
serviceusage.services.list
resourcemanager.tagValues.list
resourcemanager.tagValues.get
resourcemanager.tagKeys.list
resourcemanager.tagKeys.get
compute.instances.listTagBindings
storage.buckets.listTagBindings
bigquery.datasets.listTagBindings
bigquery.tables.listTagBindings
cloudkms.keyRings.listTagBindings
cloudkms.cryptoKeys.listTagBindings
run.services.listTagBindings
cloudsql.instances.listTagBindings
secretmanager.secrets.listTagBindings

Note: The permissions list includes resource-specific tag binding permissions (e.g., compute.instances.listTagBindings) which replaced the deprecated resourcemanager.resourceTagBindings.list permission. These resource-specific permissions are required to discover tags attached to GCP resources.

Bind the Role to the Service Account

After creating the role, bind it to the integration service account:

  1. From the IAM & Admin page of the Google console, click IAM

  2. Ensure that your Organization (not an individual Project) is active in the top left corner

  3. Click + Grant Access to apply the role to the Veza service account:

    • Enter the service account email in the New Principals field

    • Under Select a Role, pick "Custom" and specify the Veza role

This will grant the service account the required permissions for the current organization and its children (all Projects and Folders).

Working with the Google Cloud CLI

You can create this role using the Google Cloud CLI:

gcloud iam roles create VEZA_ROLE_NAME --organization=YOUR_ORG_ID --permissions=\
iam.roles.get,\
iam.roles.list,\
iam.serviceAccounts.list,\
iam.denypolicies.get,\
iam.denypolicies.list,\
resourcemanager.folders.getIamPolicy,\
resourcemanager.folders.list,\
resourcemanager.organizations.get,\
resourcemanager.organizations.getIamPolicy,\
resourcemanager.projects.getIamPolicy,\
resourcemanager.projects.list,\
resourcemanager.projects.get,\
serviceusage.services.list,\
resourcemanager.tagValues.list,\
resourcemanager.tagValues.get,\
resourcemanager.tagKeys.list,\
resourcemanager.tagKeys.get,\
compute.instances.listTagBindings,\
storage.buckets.listTagBindings,\
bigquery.datasets.listTagBindings,\
bigquery.tables.listTagBindings,\
cloudkms.keyRings.listTagBindings,\
cloudkms.cryptoKeys.listTagBindings,\
run.services.listTagBindings,\
cloudsql.instances.listTagBindings,\
secretmanager.secrets.listTagBindings,\
storage.buckets.getIamPolicy,\
storage.buckets.list,\
compute.instances.list,\
compute.instances.getIamPolicy,\
compute.networks.list,\
compute.regions.list,\
compute.subnetworks.getIamPolicy,\
compute.subnetworks.list,\
compute.zones.list,\
cloudkms.locations.get,\
cloudkms.locations.list,\
cloudkms.cryptoKeyVersions.get,\
cloudkms.cryptoKeyVersions.list,\
cloudkms.cryptoKeyVersions.viewPublicKey,\
cloudkms.cryptoKeys.getIamPolicy,\
cloudkms.cryptoKeys.get,\
cloudkms.cryptoKeys.list,\
cloudkms.keyRings.get,\
cloudkms.keyRings.list,\
cloudkms.keyRings.getIamPolicy,\
bigquery.datasets.getIamPolicy,\
bigquery.datasets.get,\
bigquery.tables.getIamPolicy,\
bigquery.tables.get,\
bigquery.tables.list,\
run.services.list,\
run.services.getIamPolicy,\
run.locations.list,\
cloudsql.instances.list,\
cloudsql.users.list,\
cloudsql.databases.list,\
container.clusters.list,\
secretmanager.secrets.list,\
secretmanager.secrets.get,\
secretmanager.secrets.getIamPolicy,\
secretmanager.versions.list,\
secretmanager.versions.get,\
secretmanager.locations.get,\
secretmanager.locations.list,\
secretmanager.secrets.listEffectiveTags,\
secretmanager.secrets.listTagBindings,\
logging.logEntries.list

To run gcloud commands, install the SDK, or open the CLI from the web console:

Opening the gcloud console

To add additional permissions later (if new functionality is required), use:

gcloud iam roles update <<role_name>> --organization=<<ORG_ID>> --add-permissions=<<PERMISSIONS>>

Additional Service Permissions

  • Storage Buckets

    • Required Permissions:

      • storage.buckets.getIamPolicy

      • storage.buckets.list

      • storage.buckets.listTagBindings

    • Required API: Cloud Storage API

  • Compute

    • Required Permissions:

      • compute.instances.list

      • compute.instances.getIamPolicy

      • compute.instances.listTagBindings

      • compute.networks.list

      • compute.regions.list

      • compute.subnetworks.getIamPolicy

      • compute.subnetworks.list

      • compute.zones.list

    • Required API: Compute Engine API

  • Key Management

    • Required Permissions:

      • cloudkms.cryptoKeyVersions.get

      • cloudkms.cryptoKeyVersions.list

      • cloudkms.cryptoKeyVersions.viewPublicKey

      • cloudkms.cryptoKeys.get

      • cloudkms.cryptoKeys.list

      • cloudkms.cryptoKeys.getIamPolicy

      • cloudkms.cryptoKeys.listTagBindings

      • cloudkms.keyRings.get

      • cloudkms.keyRings.list

      • cloudkms.keyRings.getIamPolicy

      • cloudkms.keyRings.listTagBindings

      • cloudkms.locations.get

      • cloudkms.locations.list

    • Required API: KMS API

  • BigQuery

    • Required Permissions:

      • bigquery.datasets.getIamPolicy

      • bigquery.datasets.get

      • bigquery.datasets.listTagBindings

      • bigquery.tables.getIamPolicy

      • bigquery.tables.get

      • bigquery.tables.list

      • bigquery.tables.listTagBindings

    • Required Permissions for Activity Monitoring:

      • logging.logEntries.list

      • logging.privateLogEntries.list

    • Required API: BigQuery API

  • Cloud Run

    • Required Permissions:

      • run.services.list

      • run.services.getIamPolicy

      • run.services.listTagBindings

      • run.locations.list

    • Required API: Cloud Run Admin API

  • Cloud SQL

    • Required Permissions:

      • cloudsql.instances.list

      • cloudsql.instances.listTagBindings

      • cloudsql.users.list

      • cloudsql.databases.list

    • Required API: Cloud SQL Admin API

  • Kubernetes Engine

  • Secret Manager

    • Required Permissions:

      • secretmanager.secrets.list

      • secretmanager.secrets.get

      • secretmanager.secrets.getIamPolicy

      • secretmanager.versions.list

      • secretmanager.versions.get

      • secretmanager.locations.get

      • secretmanager.locations.list

      • secretmanager.secrets.listEffectiveTags

      • secretmanager.secrets.listTagBindings

    • Required API: Secret Manager API

Retrieve your Workspace Customer ID

Each Google Workspace account has a customer ID, which Veza will need to authenticate. Take note of the customer ID for configuring the integration:

  1. From the Admin console Home page, go to Account settings > Profile.

  2. Under Customer ID, find your organization's unique ID.

Save the customer ID, which you will need when configuring the connection in Veza. Note: the customer ID should start with a C, for example:C06k34uds.

For information, see Find your customer ID - Google Workspace Admin Help.

Adding the Integration to Veza

  1. In Veza, go to the Integrations page

  2. Click Add Integration

  3. Select Google Cloud Platform

  4. Configure the integration:

Field
Details

Insight Point

The Insight Point for discovery

Name

A friendly name to identify this integration

Workspace email

Email address of the Workspace user to assume

Customer ID

Workspace Customer ID from Admin console (e.g., C06k34uds)

Credentials.json

WIF configuration file or service account key file

Limit Google Cloud Services

Optional extraction limits

Identity Mapping Configurations

Configure Identity Mappings

PreviousFastlyNextCheck Google Cloud Permissions

Last updated

Was this helpful?