Notes & Supported Entities

Supported entity types and more information about the Veza-Google connector.

Veza integrates with Google to parse service and resource metadata using native workspace and project APIs, using a service account with read-only permissions.

Veza creates entities in the data catalog to represent the discovered projects, services, resources, and identities.

The identities, resources, and authorization relationships that Veza discovers are limited by the service account role, the project APIs you have enabled, and any limits set on data source extraction.

Cross-Service Connections

Veza discovers authorization relationships for federated Azure AD and Okta users with permissions on Google Cloud Platform resources. These correlations are made based on user and group assignment to the Google Cloud and Google Cloud SSO Okta apps and the Azure AD enterprise applications.

  • For Okta domains configured to sync to Google Workspace, entities are mapped based on user email address or group name.

  • For Azure RBAC users, mapping can use email address, name, or service principal. Groups are mapped by name.

Supported Entities

Workspace, Group, and Domain Entities

  • Google Domains

  • Google Workspace Account

  • Google Workspace Role

  • Google Groups

  • Google Users

Google Cloud Project Entities

  • Organization

  • Project

  • Folder

  • Service Account

Google Cloud Storage Entities

For projects with the Cloud Storage API enabled:

  • Storage Service

  • Storage Bucket

Google Cloud Compute Entities

For projects with the Compute Engine API enabled:

  • Compute Service

  • Subnet

  • VPC

  • Virtual Machine

  • Network Interface

Key Management Service Entities

For projects with the KMS API enabled:

  • KMS Service

  • KMS Key Ring

  • KMS Key

BigQuery Entities

For projects with the BigQuery API enabled:

  • BigQuery Service

  • BigQuery Dataset

  • BigQuery Table

Cloud Run

  • Google Cloud Run Service

    • parent_id: ID of the parent project, e.g. projects/696313754797

    • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

  • Google Cloud Run Service Instance

    • parent_id: ID of the parent project, e.g. projects/696313754797

    • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

    • allows_unauthenticated_invocation: Boolean indicating whether the service allows unauthenticated invocation

    • created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z

  • Google Cloud Run Policy

  • Google Cloud Run Role Binding

Google Kubernetes Engine

Veza automatically discovers the following Kubernetes entities and attributes. To discover cluster-level permissions, use the dedicated Kubernetes integration.

  • Google Kubernetes Engine Service

    • parent_id: ID of the parent project, e.g. projects/696313754797

    • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

  • Google Kubernetes Engine Cluster

    • parent_id: ID of the parent project, e.g. projects/696313754797

    • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

    • master_global_access_enabled: Boolean indicating whether the GKE API endpoint is globally accessible

    • created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z

  • Google Kubernetes Engine Policy

  • Google Kubernetes Engine Role Binding

Cloud SQL Entities

Veza discovers the following entities and attributes when the optional integration permissions are granted:

  • Google Cloud SQL Service

    • parent_id: ID of the parent project, such as projects/696313754797

    • google_cloud_organization_name: Organization name, such as organizations/475292842812

  • Google Cloud SQL Database Instance

    • parent_id: ID of the parent project, such as projects/696313754797

    • google_cloud_organization_name: Organization name, such as organizations/475292842812

    • created_at: Creation time, such as 2023-10-11T07:03:04.067573Z

  • Google Cloud SQL Database

    • parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1

    • google_cloud_organization_name: Organization name, such as organizations/475292842812

  • Google Cloud SQL User

    • parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1

    • google_cloud_organization_name: Organization name, such as organizations/475292842812

    • user_type (optional): User type can be CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT

Effective Permissions

  • Google Cloud IAM Effective Permission

Effective Permissions represent the C/R/U/D data and non-data actions a principal can take on a resource. In Search, specify an Effective Permission (EP) to show only the users who can take those actions. Click Explain Effective Permissions on an ungrouped EP node to show the native actions it represents.
