
Google Cloud Platform

Overview

Use the following configuration to set up Password Safe and Google Cloud Platform to auto-manage Google Cloud Platform user accounts.

Set up Google Cloud Platform

Create a service account key in Google Cloud Platform

To set up a project:

  1. Create a project or select an existing project.
  2. The project requires access to the Admin SDK API. Go to APIs & Services > Library, search for “Admin SDK API”, select Admin SDK API, and then select Enable.
  3. Create an IAM service account in the project. No roles are required.
  4. Create and download a key file for your service account. The key file must be in JSON format.
  5. If an error displays while trying to create keys, you may need to enable key creation in your project or org.
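A pre-flight check for the downloaded key file, as an added example that is not part of the vendor documentation: it confirms the file is a JSON service account key, flags file permissions that expose it to other local users, and reports the client ID needed later for domain-wide delegation. The field names follow Google's JSON key format; `check_key_file`, `SAMPLE`, and the placeholder values in it are constructed for illustration.

```python
import json
import os
import stat
import sys
import tempfile

# Fields a JSON service account key file carries that this check relies on.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

# Constructed sample, not a real key: every value is a placeholder.
SAMPLE = {"type": "service_account", "project_id": "example-project",
          "private_key_id": "0000", "client_id": "100000000000000000000",
          "private_key": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
          "client_email": "ps-func@example-project.iam.gserviceaccount.com",
          "token_uri": "https://oauth2.googleapis.com/token"}


def check_key_file(path):
    """Return (client_id, client_email, problems) for a downloaded key file."""
    problems = []
    # The key is a long-lived credential: flag it if group/other can access it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:04o} exposes the key to other local users")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None, None, problems + ["not valid JSON; the key file must be in JSON format"]
    if not isinstance(key, dict):
        return None, None, problems + ["top-level JSON value is not an object"]
    problems += [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if "PRIVATE KEY-----" not in str(key.get("private_key", "")):
        problems.append("private_key is not PEM encoded")
    return key.get("client_id"), key.get("client_email"), problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:  # no argument: run against the constructed sample
        fd, path = tempfile.mkstemp(suffix=".json")  # created with mode 0600
        with os.fdopen(fd, "w") as fh:
            json.dump(SAMPLE, fh)
    client_id, email, problems = check_key_file(path)
    print(f"service account {email}, client ID for domain-wide delegation: {client_id}")
    print("\n".join(f"PROBLEM: {p}" for p in problems) or "no problems found")
```

Run it with the path to the key file as the only argument; with no argument it checks the constructed sample.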

Create a user in Cloud Identity

Create a user to be the functional account user. The user must exist at the root of your directory (not in an organizational unit).

  1. Go to Directory > Users and select Add new user.
  2. Enter the required information. A phone number and secondary email are not required.

Create a role

  1. In your new user page, find Admin roles and privileges and select the dropdown menu.
  2. Select the pencil/edit icon, and then select Create Custom Role.
  3. Select Create new role.
  4. Assign the following required role permissions.

Admin console privileges:

  • Organizational Units
    • Read
  • Users
    • Update (all)
  • Groups
  • Security
    • User security management

Admin API Privileges: (set automatically based on Admin Console Privileges above)

  • User security management
  • Groups (all)
  • Organizational Units
    • Read
  • Users
    • Update (all)

  5. Save role.
  6. Select Assign members.
  7. Find your user using the search bar and select Assign Role.
  8. Assign Domain-wide Delegation to your Google Cloud Platform service account.
  9. The client ID is the client ID of your service account.
  10. Add the following scopes:

Use the email from your new user account as the Impersonated User Email for your functional account.

Create a managed system

Note: For complete step-by-step instructions on creating a managed system, see Add assets to Password Safe.

  1. Select Managed Systems from the main menu.
  2. Select Create New Managed System.
  3. Select Cloud as the entity type.
  4. Select Google as the platform.
  5. Enter other properties for the managed system (name, description, workgroup, etc.).
  6. Create a functional account. The Impersonated User Email is the Primary Email address of the functional account user created in Cloud Identity.
  7. Upload the JSON file that you downloaded from Google Cloud.
  8. Back on the Create New Managed System panel, select the functional account.
  9. Select Create Managed System.

Test the functional account

  1. Select the menu for the new managed system, and then select Advanced Details.
  2. Select Functional Account.
  3. Select Test Functional Account.

Create a managed account

  1. Select the menu for the new managed system, and then select Create New Managed Account.
  2. Add a name. The name must be the Primary Email Address of the Google Cloud account to be managed.
  3. There are no other required fields for the managed account.
  4. Go to the Managed Accounts page, and select the newly created account.
  5. Select Change Password from the menu.
  6. Now, the password is auto-managed.

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.