Description

Validates that the service account used for a Google provider integration has the required permissions. Rather than checking a specific policy, Veza will verify the total permissions granted to the service account used for extraction.

Query parameters:

Example request

curl -X GET 'https://{{BaseURL}}/api/v1/providers/google_cloud/{{ID}}:checkpolicy' \
-H 'authorization: Bearer {{token}}'

Replace the values in brackets with the appropriate values:

• BaseURL = Your Veza Domain

• ID = Can be found from your Veza Integration > Data Sources dashboard.

• Token = your Veza API Key. To call the API, you will need to include an API key in the authorization header of your request.

Example response

The response will indicate when an update is required, and the missing permissions:

• current_permissions: permissions that are currently assigned to the Veza service principal.

• required_permissions: full list of required permissions for discovering supported services and entities in Google Cloud.

• required_actions: permissions required by the integration, but not assigned to the Veza service principal. You should update the integration role to include the missing permissions.

• overprivileged_actions: permissions assigned to the integration that are not required, and can safely be removed.

{
  "requires_update": true,
  "google_cloud_customer_id": "{id}",
  "current_permissions": [],
  "required_permissions": [
    "bigquery.datasets.get",
    "bigquery.datasets.getIamPolicy",
    "bigquery.tables.get",
    "bigquery.tables.getIamPolicy",
    "bigquery.tables.list",
    "cloudkms.cryptoKeyVersions.get",
    "cloudkms.cryptoKeyVersions.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.getIamPolicy",
    "cloudkms.cryptoKeys.list",
    "cloudkms.keyRings.get",
    "cloudkms.keyRings.getIamPolicy",
    "cloudkms.keyRings.list",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "compute.instances.list",
    "compute.instances.getIamPolicy",
    "compute.networks.list",
    "compute.regions.list",
    "compute.subnetworks.getIamPolicy",
    "compute.subnetworks.list",
    "compute.zones.list",
    "iam.roles.get",
    "iam.roles.list",
    "iam.serviceAccounts.list",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.tagKeys.list",
    "resourcemanager.tagValues.get",
    "resourcemanager.tagValues.list",
    "serviceusage.services.list",
    "storage.buckets.getIamPolicy",
    "storage.buckets.list"
  ],
  "required_actions": [
    "bigquery.tables.get",
    "compute.instances.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.projects.get",
    "resourcemanager.tagValues.get",
    "iam.roles.get",
    "storage.buckets.getIamPolicy",
    "cloudkms.locations.get",
    "cloudkms.locations.list",
    "compute.regions.list",
    "compute.subnetworks.list",
    "resourcemanager.organizations.get",
    "resourcemanager.tagKeys.list",
    "cloudkms.keyRings.getIamPolicy",
    "resourcemanager.organizations.getIamPolicy",
    "storage.buckets.list",
    "resourcemanager.tagKeys.get",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.tagValues.list",
    "resourcemanager.projects.list",
    "cloudkms.keyRings.list",
    "compute.networks.list",
    "bigquery.tables.list",
    "cloudkms.cryptoKeys.getIamPolicy",
    "bigquery.datasets.getIamPolicy",
    "resourcemanager.projects.getIamPolicy",
    "serviceusage.services.list",
    "cloudkms.keyRings.get",
    "iam.serviceAccounts.list",
    "bigquery.tables.getIamPolicy",
    "bigquery.datasets.get",
    "iam.roles.list",
    "cloudkms.cryptoKeyVersions.list",
    "compute.zones.list",
    "cloudkms.cryptoKeys.get",
    "cloudkms.cryptoKeys.list",
    "compute.instances.list",
    "cloudkms.cryptoKeyVersions.get",
    "compute.subnetworks.getIamPolicy"
  ],
  "overprivileged_actions": []
}

Overview

The Veza Integration for Google Cloud Platform (GCP) enables discovery of Google Cloud Workspace and Google Cloud IAM entities, along with authorization metadata for the organization, projects, and folders. Veza additionally discovers authorization to resources such as Storage, Compute, BigQuery, and KMS, using read-only permissions and native project APIs.

Prerequisites

Before starting the integration setup:

• You need Workspace super admin permissions to create and assign custom admin roles

• You need administrator access to the Google Cloud Organization

• For Workload Identity Federation: Obtain Veza's AWS Role ARN from: https://<tenant>/api/v1/providers/google_cloud:aws_role_arn

See Notes & Supported Entities for details on the Veza-Google connector and supported services.

Authentication Methods

Veza supports two methods for authenticating with Google Cloud:

1. Workload Identity Federation (Recommended)

   • Eliminates the need to manage service account keys

   • Uses temporary credentials through AWS-Google Cloud trust

   • Follows Google Cloud security best practices

2. Service Account Key Authentication (Alternative)

   • Traditional method using service account key files

   • Use only when Workload Identity Federation cannot be implemented

{
   "universe_domain": "googleapis.com",
   "type": "external_account",
   "audience": "//iam.googleapis.com/projects/<project_id>/locations/global/workloadIdentityPools/<pool_name>/providers/<provider_name>",
   "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
   "token_url": "https://sts.googleapis.com/v1/token",
   "credential_source": {
      "environment_id": "aws1",
      "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
   }
}

Required Configuration Steps

Complete these steps regardless of your chosen authentication method.

Enable Google Cloud APIs

To discover complete authorization metadata for Google Cloud, the project containing the integration service account must have the following data APIs enabled.

Click the Enable API links in the following list to enable each API. Ensure that the project where you created the service account is selected before enabling the API.

You can also enable APIs for each project to discover by opening Google Cloud console API Library page, and choosing the Google Cloud project where the service account resides. Use the Search for APIs & Services find and enable APIs for the services to discover.

Mandatory APIs

These APIs must be enabled in your project:

• Cloud Resource Manager API (Enable API)

  • Required for organization, project, and folder discovery

• Cloud Identity API (Enable API)

  • Required for identity management

• Admin SDK API (Enable API)

  • Required for workspace administration

• Groups Settings API (Enable API)

  • Required for group management

• Identity and Access Management (IAM) API (Enable API)

  • Required for identity and access management

  • (Optional) IAM API v2 to discover Deny Policies and use iam.denypolicies.get and iam.denypolicies.list permissions

Optional APIs

Enable these APIs based on the services you want to discover:

• Service Usage API (Enable API)

• Cloud Storage API (Enable API)

• KMS API (Enable API)

• BigQuery API (Enable API)

• Compute Engine API (Enable API)

• Cloud Run Admin API (Enable API)

• Kubernetes Engine API (Enable API)

• Cloud SQL Admin API (Enable API)

• Secret Manager API (Enable API)

Enable Domain-Wide Delegation

1. From your Google Workspace domain's Admin console, choose Security > Access and data control > API controls

2. Under Domain wide delegation, select Manage Domain Wide Delegation

3. Click Add new
4. Enter the service account's client ID

5. Add these OAuth scopes:

   Copy

   https://www.googleapis.com/auth/admin.directory.user.readonly
   https://www.googleapis.com/auth/admin.directory.domain.readonly
   https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
   https://www.googleapis.com/auth/apps.groups.settings

6. Click Authorize

Create a Custom Admin Role

You'll need to create a custom Workspace role with the required API permissions, and assign the role to the integration service account:

1. In Admin console, go to Admin roles. You may need to click "show more" on the home page for the option to appear:
2. Click Create new role

3. Enter a name and description

4. Under Admin API Privileges, enable:

   • Users > Read

   • Groups > Read

   • Organization Units > Read

After creating the role, assign it to your service account:

1. On the role Admins panel, choose Assign role > Assign service accounts

2. Enter the email address of the service account

For more information, see Assign specific admin roles - Google Workspace Admin Help.

Create an Organization Role

From your Google Cloud console, create a role to bind to the Veza service account. You can create this role using the UI, or the Google Cloud CLI. Go to IAM & Admin, and select Roles from the menu on the left side.

When creating the organization role, ensure your Organization (not an individual project) is selected:

Create a role in Google Cloud Organization with these minimum permissions:

iam.roles.get
iam.roles.list
iam.serviceAccounts.list
iam.denypolicies.get
iam.denypolicies.list
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.get
serviceusage.services.list
resourcemanager.tagValues.list
resourcemanager.tagValues.get
resourcemanager.tagKeys.list
resourcemanager.tagKeys.get
compute.instances.listTagBindings
storage.buckets.listTagBindings
bigquery.datasets.listTagBindings
bigquery.tables.listTagBindings
cloudkms.keyRings.listTagBindings
cloudkms.cryptoKeys.listTagBindings
run.services.listTagBindings
cloudsql.instances.listTagBindings
secretmanager.secrets.listTagBindings

Note: The permissions list includes resource-specific tag binding permissions (e.g., compute.instances.listTagBindings) which replaced the deprecated resourcemanager.resourceTagBindings.list permission. These resource-specific permissions are required to discover tags attached to GCP resources.

Bind the Role to the Service Account

After creating the role, bind it to the integration service account:

1. From the IAM & Admin page of the Google console, click IAM

2. Ensure that your Organization (not an individual Project) is active in the top left corner

3. Click + Grant Access to apply the role to the Veza service account:

   • Enter the service account email in the New Principals field

   • Under Select a Role, pick "Custom" and specify the Veza role

This will grant the service account the required permissions for the current organization and its children (all Projects and Folders).

Working with the Google Cloud CLI

You can create this role using the Google Cloud CLI:

gcloud iam roles create VEZA_ROLE_NAME --organization=YOUR_ORG_ID --permissions=\
iam.roles.get,\
iam.roles.list,\
iam.serviceAccounts.list,\
iam.denypolicies.get,\
iam.denypolicies.list,\
resourcemanager.folders.getIamPolicy,\
resourcemanager.folders.list,\
resourcemanager.organizations.get,\
resourcemanager.organizations.getIamPolicy,\
resourcemanager.projects.getIamPolicy,\
resourcemanager.projects.list,\
resourcemanager.projects.get,\
serviceusage.services.list,\
resourcemanager.tagValues.list,\
resourcemanager.tagValues.get,\
resourcemanager.tagKeys.list,\
resourcemanager.tagKeys.get,\
compute.instances.listTagBindings,\
storage.buckets.listTagBindings,\
bigquery.datasets.listTagBindings,\
bigquery.tables.listTagBindings,\
cloudkms.keyRings.listTagBindings,\
cloudkms.cryptoKeys.listTagBindings,\
run.services.listTagBindings,\
cloudsql.instances.listTagBindings,\
secretmanager.secrets.listTagBindings,\
storage.buckets.getIamPolicy,\
storage.buckets.list,\
compute.instances.list,\
compute.instances.getIamPolicy,\
compute.networks.list,\
compute.regions.list,\
compute.subnetworks.getIamPolicy,\
compute.subnetworks.list,\
compute.zones.list,\
cloudkms.locations.get,\
cloudkms.locations.list,\
cloudkms.cryptoKeyVersions.get,\
cloudkms.cryptoKeyVersions.list,\
cloudkms.cryptoKeyVersions.viewPublicKey,\
cloudkms.cryptoKeys.getIamPolicy,\
cloudkms.cryptoKeys.get,\
cloudkms.cryptoKeys.list,\
cloudkms.keyRings.get,\
cloudkms.keyRings.list,\
cloudkms.keyRings.getIamPolicy,\
bigquery.datasets.getIamPolicy,\
bigquery.datasets.get,\
bigquery.tables.getIamPolicy,\
bigquery.tables.get,\
bigquery.tables.list,\
run.services.list,\
run.services.getIamPolicy,\
run.locations.list,\
cloudsql.instances.list,\
cloudsql.users.list,\
cloudsql.databases.list,\
container.clusters.list,\
secretmanager.secrets.list,\
secretmanager.secrets.get,\
secretmanager.secrets.getIamPolicy,\
secretmanager.versions.list,\
secretmanager.versions.get,\
secretmanager.locations.get,\
secretmanager.locations.list,\
secretmanager.secrets.listEffectiveTags,\
secretmanager.secrets.listTagBindings,\
logging.logEntries.list

To run gcloud commands, install the SDK, or open the CLI from the web console:

To add additional permissions later (if new functionality is required), use:

gcloud iam roles update <<role_name>> --organization=<<ORG_ID>> --add-permissions=<<PERMISSIONS>>

Additional Service Permissions

• Storage Buckets

  • Required Permissions:

    • storage.buckets.getIamPolicy

    • storage.buckets.list

    • storage.buckets.listTagBindings

  • Required API: Cloud Storage API

• Compute

  • Required Permissions:

    • compute.instances.list

    • compute.instances.getIamPolicy

    • compute.instances.listTagBindings

    • compute.networks.list

    • compute.regions.list

    • compute.subnetworks.getIamPolicy

    • compute.subnetworks.list

    • compute.zones.list

  • Required API: Compute Engine API

• Key Management

  • Required Permissions:

    • cloudkms.cryptoKeyVersions.get

    • cloudkms.cryptoKeyVersions.list

    • cloudkms.cryptoKeyVersions.viewPublicKey

    • cloudkms.cryptoKeys.get

    • cloudkms.cryptoKeys.list

    • cloudkms.cryptoKeys.getIamPolicy

    • cloudkms.cryptoKeys.listTagBindings

    • cloudkms.keyRings.get

    • cloudkms.keyRings.list

    • cloudkms.keyRings.getIamPolicy

    • cloudkms.keyRings.listTagBindings

    • cloudkms.locations.get

    • cloudkms.locations.list

  • Required API: KMS API

• BigQuery

  • Required Permissions:

    • bigquery.datasets.getIamPolicy

    • bigquery.datasets.get

    • bigquery.datasets.listTagBindings

    • bigquery.tables.getIamPolicy

    • bigquery.tables.get

    • bigquery.tables.list

    • bigquery.tables.listTagBindings

  • Required Permissions for Activity Monitoring:

    • logging.logEntries.list

    • logging.privateLogEntries.list

  • Required API: BigQuery API

• Cloud Run

  • Required Permissions:

    • run.services.list

    • run.services.getIamPolicy

    • run.services.listTagBindings

    • run.locations.list

  • Required API: Cloud Run Admin API

• Cloud SQL

  • Required Permissions:

    • cloudsql.instances.list

    • cloudsql.instances.listTagBindings

    • cloudsql.users.list

    • cloudsql.databases.list

  • Required API: Cloud SQL Admin API

• Kubernetes Engine

  • Required Permissions: container.clusters.list

  • Required API: Kubernetes Engine API

• Secret Manager

  • Required Permissions:

    • secretmanager.secrets.list

    • secretmanager.secrets.get

    • secretmanager.secrets.getIamPolicy

    • secretmanager.versions.list

    • secretmanager.versions.get

    • secretmanager.locations.get

    • secretmanager.locations.list

    • secretmanager.secrets.listEffectiveTags

    • secretmanager.secrets.listTagBindings

  • Required API: Secret Manager API

Retrieve your Workspace Customer ID

Each Google Workspace account has a customer ID, which Veza will need to authenticate. Take note of the customer ID for configuring the integration:

1. From the Admin console Home page, go to Account settings > Profile.

2. Under Customer ID, find your organization's unique ID.

Save the customer ID, which you will need when configuring the connection in Veza. Note: the customer ID should start with a C, for example:C06k34uds.

For information, see Find your customer ID - Google Workspace Admin Help.

Adding the Integration to Veza

1. In Veza, go to the Integrations page

2. Click Add Integration

3. Select Google Cloud Platform

4. Configure the integration:

Veza integrates with Google to parse service and resource metadata using native workspace and project APIs, using a service account with read-only permissions.

Veza creates entities in the data catalog to represent the discovered projects, services, resources, and identities.

The identities, resources, and authorization relationships that Veza discovers are limited by the service account role, the project APIs you have enabled, and any limits set on data source extraction.

Cross-Service Connections

Veza discovers authorization relationships for federated Azure AD and Okta users with permissions on Google Cloud Platform resources. These correlations are made based on user and and groups assignment to the Google Cloud and Google Cloud SSO Okta Apps and AzureAD Enterprise Applications.

• For Okta domains configured to sync to Google Workspace, entities are mapped based on user email address or group name.

• For Azure RBAC users, mapping can use email address, name, or service principal. Groups are mapped by name.

Supported Entities

Workspace, Group, and Domain Entities

• Google Domains

• Google Workspace Account

• Google Role

• Google Groups

• Google Users

Google Cloud Project Entities

• Organization

• Project

• Folder

• Service Account

Google Cloud Storage Entities

For projects with the Cloud Storage API enabled:

• Storage Service

• Storage Bucket

Google Cloud Compute Entities

For projects with the Compute Engine API enabled:

• Compute Service

• Subnet

• VPC

• Virtual Machine

• Network Interface

Key Management Service Entities

For projects with the KMS API enabled:

• KMS Service

• KMS Key Ring

• KMS Key

BigQuery Entities

For projects with the BigQuery API enabled:

• BigQuery Service

• BigQuery Dataset

• BigQuery Table

Cloud Run

• Google Cloud Run Service

  • parent_id: ID of the parent project, e.g. projects/696313754797

  • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

• Google Cloud Run Service Instance

  • parent_id: ID of the parent project, e.g. projects/696313754797

  • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

  • allows_unauthenticated_invocation: Boolean indicating if the service allows unauthenticated invocation ( )

  • created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z

• Google Cloud Run Policy

• Google Cloud Run Role Binding

Google Kubernetes Engine

Veza automatically discovers the following Kubernetes entities and attributes. To discover cluster-level permissions, use the dedicated Kubernetes integration.

• Google Kubernetes Engine Service

  • parent_id: ID of the parent project, e.g. projects/696313754797

  • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

• Google Kubernetes Engine Cluster

  • parent_id: ID of the parent project, e.g. projects/696313754797

  • google_cloud_organization_name: Organization name, e.g. organizations/475292842812

  • master_global_access_enabled: Boolean indicating whether the GKE API endpoint is globally accessible

  • created_at: Creation time, e.g. 2023-10-11T07:03:04.067573Z

• Google Kubernetes Engine Policy

• Google Kubernetes Engine Role Binding

Cloud SQL Entities

Veza discovers the following entities and attributes when provided optional integration permissions:

• Google Cloud SQL Service

  • parent_id: ID of the parent project, such as projects/696313754797

  • google_cloud_organization_name: Organization name, such as organizations/475292842812

• Google Cloud SQL Database Instance

  • parent_id: ID of the parent project, such as projects/696313754797

  • google_cloud_organization_name: Organization name, such as organizations/475292842812

  • created_at: Creation time, such as 2023-10-11T07:03:04.067573Z

• Google Cloud SQL Database

  • parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1

  • google_cloud_organization_name: Organization name, such as organizations/475292842812

• Google Cloud SQL User

  • parent_id: ID of the parent database instance, such as google_sql_cloud::project:project1::instance:databaseInstance1

  • google_cloud_organization_name: Organization name, such as organizations/475292842812

  • user_type (optional): User type can be CLOUD_IAM_USER or CLOUD_IAM_SERVICE_ACCOUNT

Effective Permissions

• Google Cloud IAM Effective Permission

Effective Permissions represents the C/R/U/D data and non-data actions a principal can take on a resource. Using Search, specify an EP to show only users who can take those actions. Click Explain Effective Permissions on an un-grouped EP node to show the native actions it represents.