Connect a Google Cloud account
This document outlines the steps for integrating Google Cloud Platform (GCP) with Cloud IAM to provision, manage, and monitor access to the Cloud Service Provider (CSP). You can connect either a GCP project or a GCP organization to Cloud IAM.
Cloud IAM also supports Amazon Web Services (AWS) and Microsoft Azure. To integrate other CSPs, see Connect an AWS account or Connect an Azure account.
Before you integrate a GCP account with senhasegura, you’ll need a Google Cloud Platform account.
To integrate your GCP organization, you’ll need the Organization Administrator role or a similar role with permission to manage IAM and API resources for the organization. For projects, you’ll need the Project IAM Admin role or a similar role with permission to manage IAM and API resources for the project.
Enable APIs in Google Cloud Console
- With a project selected in the GCP console, go to the APIs & Services page.
- Click Enable APIs and Services.
- In the search bar, search for and enable the following APIs:
  - Cloud Resource Manager API by Google Enterprise API.
  - Cloud Asset API by Google Enterprise API.
  - Identity and Access Management (IAM) API by Google Enterprise API.
- To enable an API, select it from the list and click the Enable button.
Create a custom role in Google Cloud Console
- With a project selected in the GCP console, go to IAM & Admin > Roles.
- Click Create Role.
- Name your custom role.
- Configure optional settings if needed.
- Click Add permissions.
- Select the following permissions:
  - iam.roles.list
  - iam.serviceAccountKeys.create
  - iam.serviceAccountKeys.delete
  - iam.serviceAccountKeys.get
  - iam.serviceAccountKeys.list
  - iam.serviceAccounts.create
  - iam.serviceAccounts.delete
  - iam.serviceAccounts.get
  - iam.serviceAccounts.list
  - iam.serviceAccounts.update
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.setIamPolicy
- Click Create.
You may skip the following steps if you only want to connect a project.
- To integrate with your GCP organization, switch to the Organization view.
- Repeat the previous steps to create a second role and assign the following organization permissions:
  - resourcemanager.projects.list
  - resourcemanager.organizations.get
  - resourcemanager.organizations.getIamPolicy
  - resourcemanager.organizations.setIamPolicy
- Click Create.
For more details, check the GCP documentation on how to manage roles and permissions.
Create a service account in Google Cloud Console
- With a project selected in the GCP console, go to IAM & Admin > Service Accounts.
- Click Create service account.
- Give your service account an easily identifiable name. You’ll be using this account to integrate with senhasegura.
- Give your service account an ID.
- Click Create and continue.
- Choose the custom role you created with the necessary permissions.
- Configure optional settings if needed.
- Click Done.
For more details, check the GCP documentation on how to create a service account.
For GCP organizations only, you’ll also need to add the service account you created as a principal at the organization level. To do so:
- With a project selected in the GCP console, navigate to the IAM & Admin > Service Accounts page.
- Copy the Service account email address.
- Switch to the Organization view in the GCP console.
- Navigate to IAM.
- Click Grant access.
- Paste the service account email address in the New principals field.
- In Role, select the custom role with the organization permissions.
- Configure optional settings if needed.
- Click Save.
For more details, check the GCP documentation on how to manage access to organizations.
Create an access key for the Google Cloud Console service account
- With a project selected in the GCP console, go to IAM & Admin > Service Accounts.
- Click the service account you created in the previous steps from the list.
- Navigate to the Keys tab.
- Click Add key > Create new key.
- Select the option JSON.
- Click Create. This action downloads a JSON file to your device. This file must be uploaded to Cloud IAM to finish the integration process.
For more details, check the GCP documentation on how to create service account keys.
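Before uploading the key, you can check that the custom role carries exactly the project permissions listed above and that the JSON file is a key for the intended service account. The script below is an added example, not senhasegura or Google code; it assumes the role was exported with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`, and the project name, role name, service account email and key contents are constructed placeholders.

```python
import json

# Project-level permissions listed in this page's custom-role step.
PROJECT_PERMS = {
    "iam.roles.list",
    "iam.serviceAccountKeys.create", "iam.serviceAccountKeys.delete",
    "iam.serviceAccountKeys.get", "iam.serviceAccountKeys.list",
    "iam.serviceAccounts.create", "iam.serviceAccounts.delete",
    "iam.serviceAccounts.get", "iam.serviceAccounts.list",
    "iam.serviceAccounts.update",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.setIamPolicy",
}
# Fields expected in a JSON service account key downloaded from the console.
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def audit_role(role_json, expected=PROJECT_PERMS):
    """Report permissions the role lacks and permissions beyond the list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"missing": sorted(expected - granted),
            "extra": sorted(granted - expected)}


def audit_key(key_json, expected_email):
    """Return a list of problems found in a service account key file."""
    key = json.loads(key_json)
    problems = [f"missing field: {f}" for f in sorted(KEY_FIELDS - set(key))]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    if key.get("client_email") != expected_email:
        problems.append("key belongs to a different service account")
    return problems


# Constructed sample inputs (hypothetical project; not real credentials).
SAMPLE_EMAIL = "integration@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/cloudIamIntegration",
    "includedPermissions": sorted(PROJECT_PERMS - {"iam.roles.list"})
                           + ["storage.buckets.delete"],
})
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000", "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": SAMPLE_EMAIL,
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
    print(audit_key(SAMPLE_KEY, SAMPLE_EMAIL))
```

A non-empty `extra` list means the role grants more than this integration's documented permission set, and a non-empty `missing` list means a listed permission was not selected.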
Integrate GCP with Cloud IAM
- In the top left corner of the senhasegura platform, click on the Grid Menu, represented by the nine squares, and select Cloud IAM.
- In the side menu, select Settings > Accounts.
- Click the View actions icon, represented by the three vertical dots, and select the option Add account.
- In the pop-up window, enter a Name for the account.
- Click Google Cloud.
- Click the Google Cloud tab.
- In File credentials, upload the JSON file, which is the key created for the service account.
- Click the Confirm button.
Once you’re done, the senhasegura Accounts page will refresh with your newly integrated GCP account.