How to connect a Google Cloud account


This document describes how to integrate Google Cloud Platform (GCP) with Cloud IAM to provision, manage, and monitor access to the Cloud Service Provider (CSP). You can connect either a GCP project or a GCP organization to Cloud IAM.

Requirements

Attention

To integrate a GCP organization, you’ll need the Organization Administrator role or a similar role with permission to manage IAM and API resources for the organization. For projects, you’ll need the Project IAM Admin role or a similar role with permission to manage IAM and API resources for the project.

Enable APIs in Google Cloud Console

  1. Access the Google Cloud Console and log in.
  2. Locate the service APIs & Services.
  3. Click + Enable APIs and services.
  4. In the search bar, search for the following APIs:
    • Cloud Resource Manager API
    • Cloud Asset API
    • Identity and Access Management (IAM) API
  5. Select the APIs from the list and click Enable.

Create a custom role in Google Cloud Console

  1. Access the Google Cloud Console and log in.
  2. Locate the service IAM & Admin.
  3. In the left menu, click Roles.
  4. Click + Create role.
  5. In the Title * field, enter a name for your role.
  6. (Optional): In the Description field, enter a description for your role.
  7. In the ID * field, enter an ID for your role.
  8. (Optional): In the Role launch stage field, select the role launch stage.
  9. Click + Add permission and select the following permissions:
    • iam.roles.list
    • iam.serviceAccountKeys.create
    • iam.serviceAccountKeys.delete
    • iam.serviceAccountKeys.get
    • iam.serviceAccountKeys.list
    • iam.serviceAccounts.create
    • iam.serviceAccounts.delete
    • iam.serviceAccounts.get
    • iam.serviceAccounts.list
    • iam.serviceAccounts.update
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy
  10. Click Add.
  11. Click Create.
Info

You may skip the following steps if you only want to connect a project.

  12. To create a custom role for your GCP organization, in the top left corner, click Open project picker and select your organization.
  13. Repeat the previous steps to create a second role and assign the following organization permissions:
    • resourcemanager.projects.list
    • resourcemanager.organizations.get
    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.organizations.setIamPolicy
  14. Click Create.

For more details, see the GCP documentation on how to manage roles and permissions.

Create a service account in Google Cloud Console

  1. Access the Google Cloud Console and log in.
  2. Locate the service IAM & Admin.
  3. In the left menu, click Service Accounts.
  4. Click + Create service account.
  5. In the Service account name field, enter a name for your service account. You'll use this account to integrate with Segura.
  6. (Optional): In the Service account description field, enter a description for your service account.
  7. Click Create and continue.
  8. In the Permissions section, select the roles created in Create a custom role in Google Cloud Console.
  9. Click Continue.
  10. (Optional): In the Principals with access section, configure users and administrators roles.
  11. Click Done.

For GCP organizations, you’ll also need to add the service account you created as a principal at the organization level. See the following steps:

  1. Access the Google Cloud Console and log in.
  2. Locate the service IAM & Admin.
  3. In the left menu, click Service Accounts.
  4. Copy the service account's e-mail.
  5. In the top left corner, click Open project picker and select your organization.
  6. In the left menu, click IAM.
  7. In the View by principals tab, click Grant access.
  8. In the New principals * field, enter the e-mail copied in step 4.
  9. In the Select a role * field, select the organization-level custom role created in Create a custom role in Google Cloud Console.
  10. Click Save.

For more details, see the GCP documentation on how to create a service account and how to manage access to organizations.

Create an access key for the Google Cloud Console service account

  1. Access the Google Cloud Console and log in.
  2. Locate the service IAM & Admin.
  3. In the left menu, click Service Accounts.
  4. For the desired service account, click Actions > Manage keys.
  5. In the Keys tab, click Add key > Create new key.
  6. In the Key type field, select the JSON option and click Create.

A .json file will be downloaded to your device. This file is required to integrate the GCP account with Cloud IAM. It is a long-lived credential for the service account, so store it with restricted file permissions and delete local copies once it has been uploaded to Cloud IAM.

For more details, see the GCP documentation on how to create service account keys.
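The GCP-side steps above (enable the APIs, create the project and organization custom roles with exactly the listed permissions, create the service account, bind the roles, create the JSON key) can also be scripted with gcloud. This is an added example, not Segura's own tooling; PROJECT, ROLE_ID, SA_NAME and ORG_ID are assumed placeholders, and the gcloud commands only run when RUN_GCLOUD=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from Segura): gcloud equivalent of the console steps.
set -eu

PROJECT="${PROJECT:-my-project-id}"         # assumed placeholder
ROLE_ID="${ROLE_ID:-cloudIamIntegration}"   # assumed placeholder
SA_NAME="${SA_NAME:-cloud-iam-integration}" # assumed placeholder
ORG_ID="${ORG_ID:-}"                        # leave empty to skip the organization role

# Exactly the project-level permissions listed on this page; nothing broader.
PROJECT_PERMS="iam.roles.list iam.serviceAccountKeys.create iam.serviceAccountKeys.delete \
iam.serviceAccountKeys.get iam.serviceAccountKeys.list iam.serviceAccounts.create \
iam.serviceAccounts.delete iam.serviceAccounts.get iam.serviceAccounts.list \
iam.serviceAccounts.update resourcemanager.projects.get \
resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy"
# The organization-level permissions listed on this page.
ORG_PERMS="resourcemanager.projects.list resourcemanager.organizations.get \
resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy"

# Emit the YAML role definition that `gcloud iam roles create --file` expects.
role_yaml() {  # $1 = title, remaining args = permissions
  title="$1"; shift
  printf 'title: %s\nstage: GA\nincludedPermissions:\n' "$title"
  for p in "$@"; do printf '%s %s\n' '-' "$p"; done
}

setup_gcp() {
  gcloud services enable cloudresourcemanager.googleapis.com cloudasset.googleapis.com \
    iam.googleapis.com --project "$PROJECT"
  role_yaml "Cloud IAM project role" $PROJECT_PERMS > role.yaml
  gcloud iam roles create "$ROLE_ID" --project "$PROJECT" --file role.yaml
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT" \
    --display-name "Segura Cloud IAM integration"
  sa="$SA_NAME@$PROJECT.iam.gserviceaccount.com"
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:$sa" --role "projects/$PROJECT/roles/$ROLE_ID"
  if [ -n "$ORG_ID" ]; then
    role_yaml "Cloud IAM organization role" $ORG_PERMS > org-role.yaml
    gcloud iam roles create "${ROLE_ID}Org" --organization "$ORG_ID" --file org-role.yaml
    gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member "serviceAccount:$sa" --role "organizations/$ORG_ID/roles/${ROLE_ID}Org"
  fi
  # The key file is a long-lived credential: restrict it and upload it to Cloud IAM only.
  gcloud iam service-accounts keys create key.json --iam-account "$sa"
  chmod 600 key.json
}

# Only run against GCP when explicitly requested, so sourcing this file is safe.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then setup_gcp; fi
```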

Integrate GCP with Cloud IAM

To integrate a GCP account with Cloud IAM, see the following steps:

  1. On Segura, in the navigation bar, hover over the Products menu and select Cloud IAM.
  2. In the side menu, select Management > Accounts.
  3. In the top right corner, click Add.
  4. In the Settings tab, enter the following information:
    1. In the Name * field, enter a name for the account.
    2. (Optional): In the Description field, enter a description for the account.
    3. (Optional): In the Tags field, enter tags to help identify the account.
  5. Click Continue.
  6. In the Google Cloud tab, enter the following information about the Google Cloud provider:
    1. In the Certificate file * field, select the .json key file of the service account obtained in Create an access key for the Google Cloud Console service account.
  7. Click Continue.
  8. In the Review tab, verify the information entered in the previous tabs, and click Save.

The newly added account will appear in the Accounts report.
