Notes & Supported Entities
Supported entity types and more information about the Veza-Google connector.
Veza integrates with Google by reading service and resource metadata through the native Google Workspace and Google Cloud project APIs, using a service account with read-only permissions.
Veza creates entities in the data catalog to represent the discovered projects, services, resources, and identities.
The identities, resources, and authorization relationships that Veza discovers are limited by the service account role, the project APIs you have enabled, and any limits set on data source extraction.
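Because discovery is gated on which project APIs are enabled, a practical first check when an entity type is missing from the catalog is to compare the project's enabled services against the API each entity section on this page requires. The following is an added example, not Veza's code: it reads the JSON produced by `gcloud services list --enabled --format=json` (entries carry `config.name`, the real gcloud output shape) and reports which entity sections cannot be populated. The sample service list is constructed; the API identifiers are Google's public service names, and the section-to-API mapping follows the "For projects with the X API enabled" notes below.

```python
"""Added example (not Veza's code): predict which entity sections the
Google connector can populate for a project, from its enabled APIs.

Input shape assumed: `gcloud services list --enabled --format=json`,
i.e. a JSON array whose entries carry `config.name` and `state`.
The sample below is constructed, not captured from a live project.
"""
import json

# Entity sections on this page and the Google API each one requires.
REQUIRED_APIS = {
    "Cloud Storage entities": "storage.googleapis.com",
    "Compute entities": "compute.googleapis.com",
    "KMS entities": "cloudkms.googleapis.com",
    "BigQuery entities": "bigquery.googleapis.com",
    "Cloud Run entities": "run.googleapis.com",
    "GKE entities": "container.googleapis.com",
    "Cloud SQL entities": "sqladmin.googleapis.com",
}

# Constructed sample of gcloud output, trimmed to the fields used here.
SAMPLE_ENABLED_SERVICES = json.dumps([
    {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "storage.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "iam.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "cloudkms.googleapis.com"}, "state": "ENABLED"},
])


def enabled_apis(services_json: str) -> set:
    """Return the set of enabled service names from gcloud JSON output."""
    enabled = set()
    for entry in json.loads(services_json):
        name = entry.get("config", {}).get("name")
        if name and entry.get("state", "ENABLED") == "ENABLED":
            enabled.add(name)
    return enabled


def discovery_coverage(services_json: str) -> dict:
    """Map each entity section to whether its API is enabled, so a gap in
    the inventory can be traced to a disabled API rather than to the
    service account's role."""
    enabled = enabled_apis(services_json)
    return {section: api in enabled for section, api in REQUIRED_APIS.items()}


def missing_sections(services_json: str) -> list:
    """Entity sections that will stay empty until their API is enabled."""
    return [s for s, ok in discovery_coverage(services_json).items() if not ok]


if __name__ == "__main__":
    for section, ok in discovery_coverage(SAMPLE_ENABLED_SERVICES).items():
        print(f"{'ok     ' if ok else 'MISSING'} {section}")
```

Run it against real output by piping `gcloud services list --enabled --format=json --project PROJECT_ID` into `enabled_apis`; an API that is absent here explains an empty section without any change to the service account role.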
Cross-Service Connections
Veza discovers authorization relationships for federated Azure AD and Okta users with permissions on Google Cloud Platform resources. These correlations are based on user and group assignments to the Google Cloud and Google Cloud SSO Okta apps and to the corresponding Azure AD enterprise applications.
For Okta domains configured to sync to Google Workspace, entities are mapped based on user email address or group name.
For Azure RBAC users, mapping can use email address, name, or service principal. Groups are mapped by name.
Supported Entities
Workspace, Group, and Domain Entities
Google Domains
Google Workspace Account
Google Workspace Role
Google Groups
Google Users
Google Cloud Project Entities
Organization
Project
Folder
Service Account
Google Cloud Storage Entities
For projects with the Cloud Storage API enabled:
Storage Service
Storage Bucket
Google Cloud Compute Entities
For projects with the Compute Engine API enabled:
Compute Service
Subnet
VPC
Virtual Machine
Network Interface
Key Management Service Entities
For projects with the KMS API enabled:
KMS Service
KMS Key Ring
KMS Key
BigQuery Entities
For projects with the BigQuery API enabled:
BigQuery Service
BigQuery Dataset
BigQuery Table
Cloud Run
Google Cloud Run Service
parent_id: ID of the parent project, e.g. projects/696313754797
google_cloud_organization_name: Organization name, e.g. organizations/475292842812
Google Cloud Run Service Instance
parent_id: ID of the parent project, e.g. projects/696313754797
google_cloud_organization_name: Organization name, e.g. organizations/475292842812
allows_unauthenticated_invocation: Boolean indicating whether the service allows unauthenticated invocation
created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z
Google Cloud Run Policy
Google Cloud Run Role Binding
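The allows_unauthenticated_invocation attribute is the one most worth acting on in this section: on Cloud Run, "allow unauthenticated" is an IAM decision, namely a grant of roles/run.invoker to the special member allUsers on the service. The following is an added example, not Veza's code, showing how to derive the same finding from a service's IAM policy as returned by `gcloud run services get-iam-policy SERVICE --region REGION --format=json` (bindings with role, members and an optional condition). It also separates the distinct allAuthenticatedUsers case (any Google account can invoke) and public grants that sit behind an IAM condition. The policies below are constructed samples; treating roles/run.admin as an invoke-capable role and not expanding custom roles are assumptions of this example.

```python
"""Added example (not Veza's code): derive an unauthenticated-invocation
finding for a Cloud Run service from its IAM policy JSON.

Policy shape assumed: the output of
`gcloud run services get-iam-policy SERVICE --region REGION --format=json`.
Sample policies are constructed for this example.
"""
import json
from dataclasses import dataclass, field

# Predefined roles that carry run.routes.invoke (assumption of this example:
# custom roles are not expanded; a full effective-permission model would).
INVOKE_ROLES = {"roles/run.invoker", "roles/run.admin"}


@dataclass
class InvocationExposure:
    unauthenticated: bool = False          # allUsers can invoke, unconditionally
    any_google_account: bool = False       # allAuthenticatedUsers can invoke, unconditionally
    conditional_public: list = field(default_factory=list)  # (member, condition title)
    invokers: set = field(default_factory=set)               # every principal with an invoke role


def analyze_run_policy(policy_json: str) -> InvocationExposure:
    """Walk the policy bindings and classify who can invoke the service."""
    policy = json.loads(policy_json)
    result = InvocationExposure()
    for binding in policy.get("bindings", []):
        if binding.get("role") not in INVOKE_ROLES:
            continue
        condition = binding.get("condition")
        for member in binding.get("members", []):
            result.invokers.add(member)
            if member not in ("allUsers", "allAuthenticatedUsers"):
                continue
            if condition is not None:
                # Public but gated by a CEL condition: report, do not assume open.
                result.conditional_public.append((member, condition.get("title", "")))
            elif member == "allUsers":
                result.unauthenticated = True
            else:
                result.any_google_account = True
    return result


# Constructed sample: a service deployed with --allow-unauthenticated.
PUBLIC_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/run.invoker", "members": ["allUsers"]},
        {"role": "roles/run.admin", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwX0example=", "version": 1,
})

# Constructed sample: invoked only by an ingress service account, plus a
# time-boxed allAuthenticatedUsers grant behind a condition.
PRIVATE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:ingress@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/run.invoker", "members": ["allAuthenticatedUsers"],
         "condition": {"title": "expires_2024",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
    ],
    "etag": "BwX1example=", "version": 3,
})


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        exposure = analyze_run_policy(policy)
        print(name, "unauthenticated:", exposure.unauthenticated,
              "any_google_account:", exposure.any_google_account,
              "conditional_public:", exposure.conditional_public)
```

A service whose policy has a version 3 conditional public binding is a good illustration of why the boolean alone is not the whole story: it is not open today, but the grant is one expired condition away from being so, and the invoker list is where that shows up.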
Google Kubernetes Engine
Veza automatically discovers the following Kubernetes entities and attributes. To discover cluster-level permissions, use the dedicated Kubernetes integration.
Google Kubernetes Engine Service
parent_id: ID of the parent project, e.g. projects/696313754797
google_cloud_organization_name: Organization name, e.g. organizations/475292842812
Google Kubernetes Engine Cluster
parent_id: ID of the parent project, e.g. projects/696313754797
google_cloud_organization_name: Organization name, e.g. organizations/475292842812
master_global_access_enabled: Boolean indicating whether the cluster's control plane (master) endpoint is globally accessible
created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z
Google Kubernetes Engine Policy
Google Kubernetes Engine Role Binding
Cloud SQL Entities
Veza discovers the following entities and attributes when the optional Cloud SQL integration permissions are granted to the service account:
Google Cloud SQL Service
parent_id: ID of the parent project, such as projects/696313754797
google_cloud_organization_name: Organization name, such as organizations/475292842812
Google Cloud SQL Database Instance
parent_id: ID of the parent project, such as projects/696313754797
google_cloud_organization_name: Organization name, such as organizations/475292842812
created_at: Creation time, such as 2023-10-11T07:03:04.067573Z
Google Cloud SQL Database
parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1
google_cloud_organization_name: Organization name, such as organizations/475292842812
Google Cloud SQL User
parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1
google_cloud_organization_name: Organization name, such as organizations/475292842812
user_type (optional): User type, either CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT
Effective Permissions
Google Cloud IAM Effective Permission
Effective Permissions represent the create, read, update, and delete (C/R/U/D) data and non-data actions a principal can take on a resource. In Search, specify an Effective Permission to show only the principals who can take those actions. Click Explain Effective Permissions on an un-grouped Effective Permission node to show the native Google IAM actions it represents.