# Notes & Supported Entities

Veza [integrates with Google](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md) to parse service and resource metadata using native workspace and project APIs, using a service account with read-only permissions.

Veza creates entities in the [data catalog](/4yItIzMvkpAvMVFAamTf/features/insights/entities-overview.md) to represent the discovered projects, services, resources, and identities.

The identities, resources, and authorization relationships that Veza discovers are limited by the service account role, the project APIs you have enabled, and any [limits](/4yItIzMvkpAvMVFAamTf/integrations/configuration/limits.md) set on data source extraction.

## Cross-Service Connections

Veza discovers authorization relationships for federated Azure AD and Okta users with permissions on Google Cloud Platform resources. These correlations are made based on user and group assignments to the *Google Cloud* and *Google Cloud SSO* Okta Apps and Azure AD Enterprise Applications.

* For Okta domains configured to sync to Google Workspace, entities are mapped based on user email address or group name.
* For Azure RBAC users, mapping can use email address, name, or service principal. Groups are mapped by name.
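The email and group-name mapping rule described above, as an added illustration on constructed sample data (this is not Veza's code; the Okta assignment record shape, the Okta-group-to-Workspace-email map and case-insensitive email matching are assumptions, while the IAM policy uses the native `bindings`/`members` shape):

```python
"""Correlate Okta app assignments with Google Cloud IAM bindings by email or group name."""
from collections import defaultdict

# Constructed sample: principals assigned to the "Google Cloud" Okta app.
# The record shape is an assumption, not Okta's native API format.
OKTA_APP_ASSIGNMENTS = [
    {"type": "user", "login": "alice@example.com"},
    {"type": "user", "login": "Bob@Example.com"},   # assigned, but holds no GCP role
    {"type": "group", "name": "data-eng"},
]

# Constructed sample: Okta group name -> Workspace group email, as synced to Google.
OKTA_GROUP_TO_WORKSPACE_EMAIL = {"data-eng": "data-eng@example.com"}

# Constructed sample: a GCP project IAM policy in the native bindings shape.
IAM_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["group:data-eng@example.com", "user:carol@example.com"]},
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    ]
}


def okta_principal_emails(assignments, group_map):
    """Return {lowercased email: Okta principal label} for users and synced groups."""
    out = {}
    for a in assignments:
        if a["type"] == "user":
            out[a["login"].lower()] = f"okta-user:{a['login']}"
        elif a["type"] == "group" and a["name"] in group_map:
            out[group_map[a["name"]].lower()] = f"okta-group:{a['name']}"
    return out


def correlate(policy, assignments, group_map):
    """Map each Okta principal to the GCP roles it reaches through user:/group: members.

    Members of other kinds (serviceAccount:, domain:, allUsers, ...) are not
    federated identities and are skipped. Emails are compared case-insensitively.
    """
    emails = okta_principal_emails(assignments, group_map)
    roles = defaultdict(set)
    for binding in policy["bindings"]:
        for member in binding["members"]:
            kind, _, ident = member.partition(":")
            if kind in ("user", "group") and ident.lower() in emails:
                roles[emails[ident.lower()]].add(binding["role"])
    return {principal: sorted(r) for principal, r in roles.items()}
```

Principals assigned in Okta but holding no binding (Bob) and bindings for identities not assigned in Okta (carol) both drop out, which is exactly where a review of the two systems should look for drift.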

## Supported Entities

### Workspace, Group, and Domain Entities

The Google integration supports the following entities, which are part of the IAM and Workspace services and are enabled by default:

* Google Domains
* Google Organization Unit
* Google User
* Google Workspace Account
* Google Workspace Groups
* Google Workspace Role

### Google Cloud Project Entities

* Organization
* Project
* Folder
* Service Account

### Google Cloud Storage Entities

For projects with the Cloud Storage API enabled:

* Storage Service
* Storage Bucket

### Google Cloud Compute Entities

For projects with the Compute Engine API enabled:

* Compute Service
* Subnet
* VPC
* Virtual Machine
* Network Interface

### Key Management Service Entities

For projects with the KMS API enabled:

* KMS Service
* KMS Key Ring
* KMS Key

### BigQuery Entities

For projects with the BigQuery API enabled:

* BigQuery Service
* BigQuery Dataset
* BigQuery Table

### Cloud Run

* Google Cloud Run Service
  * `parent_id`: ID of the parent project, e.g. `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, e.g. `organizations/475292842812`
* Google Cloud Run Service Instance
  * `parent_id`: ID of the parent project, e.g. `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, e.g. `organizations/475292842812`
  * `allows_unauthenticated_invocation`: Boolean indicating if the service allows unauthenticated invocation
  * `created_at`: Creation time, e.g. `2023-10-11T07:03:04.067573Z`
* Google Cloud Run Policy
* Google Cloud Run Role Binding

### Google Kubernetes Engine

Veza automatically discovers the following Kubernetes entities and attributes. To discover cluster-level permissions, use the dedicated [Kubernetes](/4yItIzMvkpAvMVFAamTf/integrations/integrations/kubernetes.md) integration.

* Google Kubernetes Engine Service
  * `parent_id`: ID of the parent project, e.g. `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, e.g. `organizations/475292842812`
* Google Kubernetes Engine Cluster
  * `parent_id`: ID of the parent project, e.g. `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, e.g. `organizations/475292842812`
  * `master_global_access_enabled`: Boolean indicating whether the GKE API endpoint is globally accessible
  * `created_at`: Creation time, e.g. `2023-10-11T07:03:04.067573Z`
* Google Kubernetes Engine Policy
* Google Kubernetes Engine Role Binding

### Cloud SQL Entities

Veza discovers the following entities and attributes when granted the optional [integration permissions](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#additional-service-permissions):

* Google Cloud SQL Service
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Google Cloud SQL Database Instance
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
  * `created_at`: Creation time, such as `2023-10-11T07:03:04.067573Z`
* Google Cloud SQL Database
  * `parent_id`: ID of the parent database instance, such as `google_sql_cloud::project:project1::instance:databaseInstance1`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Google Cloud SQL User
  * `parent_id`: ID of the parent database instance, such as `google_sql_cloud::project:project1::instance:databaseInstance1`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
  * `user_type` (optional): User type can be `CLOUD_IAM_USER` or `CLOUD_IAM_SERVICE_ACCOUNT`

### Vertex AI Entities

Veza discovers the following entities and attributes for projects with the Vertex AI API enabled, when granted the optional [integration permissions](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#additional-service-permissions):

* Vertex AI Service
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Vertex AI Reasoning Engine
  * `display_name`: Display name of the reasoning engine
  * `description`: Description of the reasoning engine
  * `location`: GCP region where the reasoning engine is deployed, such as `us-central1`
  * `project_id`: Project ID where the reasoning engine resides
  * `service_account`: Service account email used by the reasoning engine (either explicitly configured or default Vertex AI service account)
  * `created_at`: Creation timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `updated_at`: Last update timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
  * `identity_type`: Non-human
  * `identity_subtypes`: `["ai_agent"]`
  * `is_active`: Boolean (true)
* Vertex AI Model
  * `display_name`: Display name of the model
  * `description`: Description of the model
  * `location`: GCP region where the model is stored, such as `us-central1`
  * `project_id`: Project ID where the model resides
  * `version_id`: Model version identifier
  * `created_at`: Creation timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `updated_at`: Last update timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Vertex AI Endpoint
  * `display_name`: Display name of the endpoint
  * `description`: Description of the endpoint
  * `location`: GCP region where the endpoint is deployed, such as `us-central1`
  * `project_id`: Project ID where the endpoint resides
  * `network`: VPC network connection for the endpoint
  * `created_at`: Creation timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `updated_at`: Last update timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Vertex AI Policy
* Vertex AI Role Binding

{% hint style="info" %}
Veza does not currently show Vertex AI Models in the authorization graph.
{% endhint %}

Vertex AI Reasoning Engines represent AI agents that execute custom code and tools. They are classified as non-human identities and have connections to Google Cloud IAM Service Accounts. Vertex AI Endpoints use Vertex AI Models for serving predictions and support resource-level IAM policies. The integration supports effective permission analysis across Vertex AI-specific permissions.

### Google Artifact Registry Entities

Veza discovers the following entities and attributes for projects with the Artifact Registry API enabled and when provided the [required service permissions](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#additional-service-permissions):

* Google Artifact Registry Service
  * `parent_id`: ID of the parent project, such as `projects/696313754797`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
* Google Artifact Registry Repository
  * `parent_id`: ID of the parent project, such as `projects/my-project`
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
  * `format`: Repository format, such as `DOCKER`, `MAVEN`, `NPM`, `PYTHON`
  * `location`: GCP region where the repository resides, such as `us-central1`
  * `mode`: Repository mode, such as `STANDARD_REPOSITORY` or `VIRTUAL_REPOSITORY`
  * `kms_key_name` (optional): Customer-managed encryption key name, if configured
  * `vulnerability_scanning_enabled` (optional): Boolean indicating whether vulnerability scanning is enabled
  * `size_bytes` (optional): Repository size in bytes
  * `created_at`: Repository creation timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `updated_at`: Last update timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `is_active`: Boolean (always true)
* Google Artifact Registry Repository Package
  * `parent_id`: Full resource name of the parent repository
  * `google_cloud_organization_name`: Organization name, such as `organizations/475292842812`
  * `display_name` (optional): Display name of the package; falls back to the resource name when not set
  * `created_at`: Package creation timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `updated_at`: Last update timestamp, such as `2023-10-11T07:03:04.067573Z`
  * `is_active`: Boolean (always true)
* Google Artifact Registry Policy
* Google Artifact Registry Role Binding

### Secret Manager Entities

Veza discovers the following entities and attributes for projects with the Secret Manager API enabled and when provided the [required service permissions](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md#additional-service-permissions):

* Google Cloud Secret Manager Service
* Google Cloud Secret Manager Secret
* Google Cloud Secret Manager Policy
* Google Cloud Secret Manager Role Binding

### Workload Identity Federation Entities

Veza discovers Workload Identity Federation resources when the Workload Identity Federation API is enabled:

* Google Cloud Workload Identity Federation Service
* Google Cloud Workload Identity Pool Provider

### GCP Databricks Entities

Veza discovers Databricks workspaces running on Google Cloud:

* Databricks Workspace
* Databricks Account
* Databricks Schema

## Effective Permissions

* Google Cloud IAM Effective Permission

Effective Permissions represent the C/R/U/D data and non-data actions a principal can take on a resource. Using [Search](/4yItIzMvkpAvMVFAamTf/features/search.md), specify an EP to show only users who can take those actions. Click *Explain Effective Permissions* on an un-grouped EP node to show the native actions it represents.

### Google Workspace User Active Status

The `Is Active` property for a Google Workspace user is derived from the user's `suspended` and `archived` status. A user has `Is Active`: **true** unless the account is either suspended or archived.

If a user's `suspended` property is `true` or their `archived` property is `true`, their `Is Active` status will be `false`. The `Is Suspended` and `Is Archived` attributes can be used for more granular filtering.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/google/google-info.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
