Google Cloud Platform (GCP)

Overview

GCP is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products. It provides a series of modular cloud services alongside a set of management tools.

Entitle can manage the following resource types in GCP:

  • Organizations
  • Folders
  • Projects
  • Buckets
  • BigQuery Datasets
  • BigQuery Tables
  • Cloud Functions
  • GCE Instances (hosted virtual machines (VMs))
  • Secrets
  • Service Accounts
  • SQL instances
  • Groups (these can also be managed via the Google Workspace integration)

This page will provide you with instructions on how to integrate Entitle and GCP.

General guidelines

To integrate your Google Cloud Platform in Entitle, you must run the entitle_google_integrator setup that you downloaded and unzipped from the Google Integrations page, and then configure Domain-Wide Delegation.

Set up GCP to work with Entitle

Stage 1: Running the setup script

The setup will consist of the following actions:

  • Create an Entitle service account in the chosen project
  • Create an organization-level role with the required permissions or add permissions to it if it already exists (stated in the .yaml file)
The role carries the following permissions (grouped by resource type, as in the .yaml file):
resourcemanager.projects.get
resourcemanager.projects.list
// Manages tables and datasets
bigquery.datasets.get
bigquery.datasets.getIamPolicy
bigquery.datasets.update
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
compute.instances.get
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
compute.zones.get
compute.zones.list
cloudsql.instances.get
cloudsql.instances.list

resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
secretmanager.secrets.get
secretmanager.secrets.list

resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.functions.setIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.setIamPolicy
  1. Go to your GCP web console.
  2. At the top left corner, choose the project in which you want to create Entitle's service account.
  3. Click on the shell icon at the top right corner.
  4. Navigate to the path of the unzipped folder entitle_google_integrator, and run the following commands:
# For a basic configuration, create a service account in the current project and assign the role to it at the project-level
bash run.sh -i gcp -k

# You may also assign the role in the parent folder or organization-level
bash run.sh -i gcp -b folder -k
bash run.sh -i gcp -b organization -k

# For more options use the -h flag
bash run.sh -h
  5. Download the created JSON file on setup completion. You will use it later in this guide.

Stage 2: Configure domain-wide delegation

Note: this step is required only if you wish to manage Google Groups in your GCP integration, otherwise you may skip it.

👉🏼 To manage users in groups, your service account needs to have domain-wide delegation on certain scopes.

  1. Go to the Manage Domain-Wide Delegation page.
  2. Click Add new:

    1. In the Client ID field, enter the 21-digit number obtained from the key JSON file under the client_id field.

    2. In the OAuth scopes field, enter the following values (comma-delimited):
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.user.readonly

Note: You may enter only the .readonly scopes if you wish to only read the permissions. In that case, you must set "read_only": true in the options field (later in this guide).

  3. Click Authorize.

Creating the integration in Entitle

All that is left to do is to create an integration on the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.
  2. After clicking the Add Integration button, type Google Cloud Platform in the Application field.
  3. Don't forget to set Save on correctly: on your agent or on Entitle's cloud.
  4. In the Connection drop-down choose Explicit Service Account if you created a service account for the integration.
    (Choose Pod-based identity if you’re using the pre-configured service account of your cluster).
  5. Under the "service_account_key" field, paste the downloaded key JSON of your service account.
  6. If you wish to manage groups in your GCP integration, under "credential_subject" enter the email of an admin in your organization who has permission to view all users and groups in your organization. Otherwise, you may leave it empty.
  7. If you wish to narrow down the resource types managed by Entitle, select the resource types and add them to the "resource_types_constraints" field; otherwise keep that value empty ("resource_types_constraints": []). Note: a missing field or an empty list means all Entitle-supported resource types except tables and instances. The supported values are:
projects
folders
datasets
tables
instances
buckets
sql_instances
organizations
secrets
GKE clusters
GKE namespaces
groups
functions
service_accounts
  8. If the Domain-Wide Delegation for managing groups was set as .readonly for this integration, please add "read_only": true under the "options" field.

  9. Optional: Add IAM policy auditing in GCP

    1. This records, inside the GCP IAM policy itself, the time and request number of each permission granted by Entitle, so that grants can be audited from the policy.

    2. In the Connection JSON, under the options field, add "iam_policy_auditing": true.

    3. Limitations of the GCP IAM policy set by Google:

      • The policy can't be larger than approximately 100 KB.

        Note: Auditing greatly increases the policy size, so with heavy usage Entitle will reach the maximum size and will no longer be able to grant access.

      • A total of 250 assignments in a binding (a binding is the mapping between a role and its members).

      • A total of 1500 assignments in a policy.

  10. Example Configuration JSON:

Below is an example of how the connection JSON, including the options section, should look. Make sure to add double quotation marks and commas in the appropriate places.

{
  "service_account_key": {
    // The contents of the downloaded key JSON file
  },
  "credential_subject": "an email of an admin in your organization who has permission to view all users",
  "options": {
    "resource_types_constraints": [],
    "read_only": false,
    "iam_policy_auditing": false
  }
}

  11. Click Save, you are done!
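The connection JSON has a few details that are easy to get wrong: a Python-style True instead of JSON true, a client_id that is not the 21-digit number used for domain-wide delegation, a resource type name Entitle does not know, or groups managed without a credential_subject. The following check is an added example, not Entitle's own code; the field names and supported values come from this page, while the client_id format check and the email check are assumptions.

```python
import re

# Values accepted in "resource_types_constraints", as listed on this page.
SUPPORTED_RESOURCE_TYPES = {
    "projects", "folders", "datasets", "tables", "instances", "buckets",
    "sql_instances", "organizations", "secrets", "GKE clusters",
    "GKE namespaces", "groups", "functions", "service_accounts",
}

def validate_connection(config: dict) -> list:
    """Return the problems found in an Entitle GCP connection JSON (empty list if OK)."""
    problems = []
    key = config.get("service_account_key")
    if not isinstance(key, dict):
        problems.append("service_account_key must be the downloaded key JSON as an object")
    else:
        if key.get("type") != "service_account":
            problems.append("service_account_key.type should be 'service_account'")
        # client_id is the 21-digit number entered for domain-wide delegation (assumed format).
        if not re.fullmatch(r"\d{21}", str(key.get("client_id", ""))):
            problems.append("service_account_key.client_id is not a 21-digit number")
    opts = config.get("options", {})
    if not isinstance(opts, dict):
        return problems + ["options must be a JSON object"]
    # Both flags must be JSON booleans (true/false), not strings such as "true".
    for flag in ("read_only", "iam_policy_auditing"):
        if flag in opts and not isinstance(opts[flag], bool):
            problems.append(f"options.{flag} must be JSON true/false, got {opts[flag]!r}")
    constraints = opts.get("resource_types_constraints", [])
    if not isinstance(constraints, list):
        problems.append("options.resource_types_constraints must be a list")
        constraints = []
    for rt in constraints:
        if rt not in SUPPORTED_RESOURCE_TYPES:
            problems.append(f"unknown resource type {rt!r} in resource_types_constraints")
    # Managing groups needs an admin's email as credential_subject (domain-wide delegation).
    subject = config.get("credential_subject") or ""
    if "groups" in constraints and "@" not in subject:
        problems.append("credential_subject must be an admin email when groups are managed")
    return problems
```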
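Because IAM policy auditing grows the policy toward the limits listed in step 9, it helps to measure a project's policy (for example the JSON returned by gcloud projects get-iam-policy PROJECT_ID --format=json) before and after enabling it. This checker is an added example, not part of Entitle's or Google's tooling; the sample policy and the condition text in it are constructed, and the limits are taken exactly as quoted on this page.

```python
import json

# Limits on a GCP IAM policy as quoted on this page.
MAX_POLICY_BYTES = 100 * 1024
MAX_MEMBERS_PER_BINDING = 250
MAX_MEMBERS_PER_POLICY = 1500

# Constructed sample policy. The condition title/description stand in for the
# time and request-number note that auditing adds (format assumed, not Entitle's).
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com", "group:data-eng@example.com"],
         "condition": {"title": "entitle-request-12345",
                       "description": "granted 2024-01-01T00:00:00Z via request 12345",
                       "expression": "request.time < timestamp('2024-12-31T00:00:00Z')"}},
    ],
}

def check_policy_limits(policy: dict, warn_at: float = 0.8) -> dict:
    """Measure an IAM policy against the limits above.

    Returns the measured figures plus 'warnings' (usage at or above warn_at of a
    limit) and 'over_limit' (True if any hard limit is exceeded)."""
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    counts = [len(b.get("members", [])) for b in policy.get("bindings", [])]
    total = sum(counts)
    largest = max(counts, default=0)
    warnings = []
    for name, value, limit in (("policy bytes", size, MAX_POLICY_BYTES),
                               ("members in largest binding", largest, MAX_MEMBERS_PER_BINDING),
                               ("members in policy", total, MAX_MEMBERS_PER_POLICY)):
        if value >= warn_at * limit:
            warnings.append(f"{name}: {value} of {limit} ({100 * value / limit:.0f}%)")
    over = (size > MAX_POLICY_BYTES or largest > MAX_MEMBERS_PER_BINDING
            or total > MAX_MEMBERS_PER_POLICY)
    return {"bytes": size, "largest_binding": largest, "total_members": total,
            "warnings": warnings, "over_limit": over}

if __name__ == "__main__":
    print(json.dumps(check_policy_limits(SAMPLE_POLICY), indent=2))
```

Run it against the output of the gcloud command above to see how close a project already sits to the limits; warnings at 80% are the point at which to review before auditing is switched on.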