Google Cloud Platform Integration Setup

Getting Started

BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.

Requirements:

  • Key: This refers to the Service Account Key (in JSON format) that you will generate for the dedicated GCP service account. This key is used by BalkanID to securely authenticate and access your GCP resources programmatically.

  • Delegated: This is the email address of a user within your Google Workspace domain that has been granted domain-wide delegation authority. BalkanID, through the service account, will impersonate this user to access Google Workspace directory data (users and groups).

  • Domain: This is the primary domain name associated with your Google Workspace organization (e.g., yourcompany.com). It's crucial for identifying the correct Google Workspace directory from which BalkanID will retrieve user identities, email addresses, and group access information.

  • Project: This is the name or ID of the Google Cloud Platform project that defines the scope of the GCP resources BalkanID will monitor. It delineates the boundaries for billing, permissions (IAM), enabled APIs, and monitoring.

Who performs this task

  1. An identity administrator responsible for assigning role-based access to individuals or groups within your organisation. This individual needs to be a Super Administrator for Cloud Identity or Workspace.

  2. A domain administrator with access to the company's domain host, to see and edit domain settings such as DNS configurations.

Getting access permissions

You will need to perform the following steps:

  1. Enable required APIs

  2. Create a custom role and assign permissions

  3. Create a service account

  4. Add domain delegation scopes to the service account

1. Enabling required APIs

  1. Go to Google Cloud → APIs and services → Enabled APIs and services, search for the required APIs and enable them.

  2. Search for and enable the following APIs:

    Compute Engine API
    Identity and Access Management (IAM) API
    Cloud Resource Manager API
    Admin SDK API
    Cloud Functions API
    Cloud SQL Admin API
    App Engine Admin API
    Cloud Asset API

2. Creating a custom role and assigning permissions

  1. Go to IAM and Admin → Roles.

  2. Click on + CREATE ROLE to proceed with creating a custom role.

  3. Fill in the required fields for creating the role.

  4. Click on Add Permissions to add new permissions to the role.

  5. Search for the following permissions and add them:

    appengine.applications.get
    bigquery.datasets.get
    cloudasset.assets.listResource
    cloudasset.assets.searchAllIamPolicies
    cloudsql.instances.list
    compute.instances.list
    iam.roles.get
    iam.roles.list
    iam.serviceAccounts.get
    resourcemanager.projects.get

  6. Click on CREATE to create the role.
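The permissions above are all read-only, which is what makes this custom role least-privilege. The following script, added here as an example and not BalkanID's or Google's code, audits an existing role against that list: it reads the JSON that `gcloud iam roles describe ROLE_ID --project PROJECT --format=json` prints (ROLE_JSON below is a constructed sample in that shape, not real output, with one required permission missing and one write permission added by mistake), reports what is missing, unexpected or not read-only, and can emit a role file for `gcloud iam roles create --file` as a scripted alternative to the console steps. The role name, title and verb list are assumptions made for the demo.

```python
"""Least-privilege audit for the integration's custom role (added example)."""
import json

# The ten permissions the guide above asks for, all read-only.
REQUIRED_PERMISSIONS = frozenset({
    "appengine.applications.get",
    "bigquery.datasets.get",
    "cloudasset.assets.listResource",
    "cloudasset.assets.searchAllIamPolicies",
    "cloudsql.instances.list",
    "compute.instances.list",
    "iam.roles.get",
    "iam.roles.list",
    "iam.serviceAccounts.get",
    "resourcemanager.projects.get",
})

# Verb prefixes of IAM permissions that only read state (assumed list).
# Anything else (create, update, delete, setIamPolicy, actAs, ...) would let
# the integration's service account change resources, which it never needs.
READ_ONLY_VERBS = ("get", "list", "search", "export", "read")

# Constructed sample of `gcloud iam roles describe --format=json` output:
# iam.roles.list is missing and compute.instances.setMetadata was added.
ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/balkanidReadOnly",  # placeholder
    "title": "BalkanID read-only",
    "stage": "GA",
    "includedPermissions": [
        "appengine.applications.get",
        "bigquery.datasets.get",
        "cloudasset.assets.listResource",
        "cloudasset.assets.searchAllIamPolicies",
        "cloudsql.instances.list",
        "compute.instances.list",
        "compute.instances.setMetadata",
        "iam.roles.get",
        "iam.serviceAccounts.get",
        "resourcemanager.projects.get",
    ],
})


def is_read_only(permission: str) -> bool:
    """True when the permission's verb (its last dotted segment) only reads."""
    verb = permission.rsplit(".", 1)[-1].lower()
    return verb.startswith(READ_ONLY_VERBS)


def audit_role(role_json: str) -> dict:
    """Diff a role's granted permissions against REQUIRED_PERMISSIONS."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {
        "missing": sorted(REQUIRED_PERMISSIONS - granted),
        "extra": sorted(granted - REQUIRED_PERMISSIONS),
        "writable": sorted(p for p in granted if not is_read_only(p)),
        "ok": granted == REQUIRED_PERMISSIONS,
    }


def role_definition_yaml(title: str = "BalkanID read-only") -> str:
    """Role file for `gcloud iam roles create ROLE_ID --project P --file FILE`."""
    lines = [f"title: {title}",
             "description: Read-only access used by the BalkanID integration",
             "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(REQUIRED_PERMISSIONS)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = audit_role(ROLE_JSON)
    for key in ("missing", "extra", "writable"):
        print(f"{key}: {result[key] or 'none'}")
    print("role matches the guide" if result["ok"] else "role needs fixing")
```

Run it against real output by replacing ROLE_JSON with the describe command's output; a non-empty `writable` list is the finding to act on first, since it means the integration's credentials could modify resources rather than just read them.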

3. Creating a service account

  1. Go to IAM and Admin → Service Accounts.

  2. Click on Create service account button on the top to proceed.

  3. In the second step of the wizard, grant the service account the permissions it needs for its operation, in this case the new custom role. For more information, see Creating an account.

  4. Click on the service account you just created and select the KEYS tab from the top.

  5. Click on ADD KEY → Create new key.

  6. Select JSON and click on the CREATE button; the wizard creates and downloads a JSON file containing the key, which you will need later.

  7. Go to IAM and Admin → IAM. You can view the service account and permissions granted in the IAM.

4. Add domain delegation scopes to the service account

  1. You need to add domain-wide delegation scopes to the service account. First, get the OAuth 2 client ID of the service account.

  2. Go to IAM and Admin → Service Accounts and copy the OAuth 2 Client ID of the service account you just created.

  3. In the Google Admin console, find the Domain-wide delegation section and click on MANAGE.

  4. Enter the copied client ID and add the following OAuth scopes:

    https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/cloud-platform,
    https://www.googleapis.com/auth/cloudfunctions,
    https://www.googleapis.com/auth/compute,
    https://www.googleapis.com/auth/admin.directory.user.readonly
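Domain-wide delegation only works when three things agree: the key file you downloaded in step 3, the client ID you pasted into the delegation screen, and the scope list you authorized. The script below, an added example rather than BalkanID's or Google's code, checks all three locally before the key is handed to the integration: it validates the structure of the key JSON, compares its client_id with the delegated one, parses the comma-separated scope field (trailing commas and line breaks included, as they appear when copied from the list above) and reports missing or extra scopes. With google-auth installed, delegated_credentials() builds credentials that impersonate the delegate user the way the Delegated field describes. KEY_JSON, DELEGATED_CLIENT_ID and SCOPE_STRING are constructed sample values with a placeholder private key, not a real credential, and the field list in KEY_FIELDS is an assumption about what a downloaded key contains.

```python
"""Pre-flight check of the service-account key and delegation scopes (added example)."""
import json

# Scopes from step 4 above, exactly as the integration needs them.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloudfunctions",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
})

# Fields a downloaded JSON key carries (assumed); a truncated or hand-edited
# file that lacks one will not authenticate.
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")

# Constructed sample key: placeholder values only, not a real credential.
KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "balkanid-integration@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})
# Client ID as pasted into the domain-wide delegation screen (constructed).
DELEGATED_CLIENT_ID = "100000000000000000001"
# Scope field as copied from the list above, trailing commas and newlines included.
SCOPE_STRING = """
https://www.googleapis.com/auth/admin.directory.user,
https://www.googleapis.com/auth/admin.directory.group,
https://www.googleapis.com/auth/cloud-platform,
https://www.googleapis.com/auth/cloudfunctions,
https://www.googleapis.com/auth/compute,
https://www.googleapis.com/auth/admin.directory.user.readonly
"""


def parse_scope_string(text: str) -> set:
    """Split the comma-separated scope field; blanks and surrounding whitespace are dropped."""
    return {part.strip() for part in text.split(",") if part.strip()}


def check_key(key_json: str) -> dict:
    """Validate the structure of a downloaded service-account key."""
    info = json.loads(key_json)
    missing = [f for f in KEY_FIELDS if not info.get(f)]
    return {
        "missing_fields": missing,
        "is_service_account": info.get("type") == "service_account",
        "client_id": info.get("client_id"),
        "client_email": info.get("client_email"),
    }


def check_delegation(key_json: str, delegated_client_id: str, scope_string: str) -> dict:
    """Confirm the key, the delegated client ID and the authorized scopes agree."""
    key = check_key(key_json)
    authorized = parse_scope_string(scope_string)
    key_ok = key["is_service_account"] and not key["missing_fields"]
    id_ok = key["client_id"] == delegated_client_id
    missing_scopes = sorted(REQUIRED_SCOPES - authorized)
    return {
        "key_ok": key_ok,
        "client_id_matches": id_ok,
        "missing_scopes": missing_scopes,
        "extra_scopes": sorted(authorized - REQUIRED_SCOPES),
        "ok": key_ok and id_ok and not missing_scopes,
    }


def delegated_credentials(key_json: str, delegate_email: str):
    """Credentials acting as delegate_email via domain-wide delegation (needs google-auth)."""
    from google.oauth2 import service_account  # optional dependency, imported lazily
    return service_account.Credentials.from_service_account_info(
        json.loads(key_json), scopes=sorted(REQUIRED_SCOPES), subject=delegate_email)


if __name__ == "__main__":
    print(check_delegation(KEY_JSON, DELEGATED_CLIENT_ID, SCOPE_STRING))
```

A client ID mismatch is the most common reason delegation fails silently: the delegation entry then belongs to a different service account than the one whose key was uploaded, and directory calls are refused even though every scope looks right. Treat the key file as a long-lived secret once it passes this check.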

Configuring Google Cloud Platform in your BalkanID tenant

  1. Log in to the BalkanID application and switch to the tenant you would like to add your integration to.

  2. Head to Integrations > Add Integration, select Google Cloud Platform.

  3. Set up the Primary Application owner (mandatory) and the Description, if any. Set up Secondary Application Owner(s), if any.

    Select the Extraction Type. From here, you can configure your application using one of the following methods:

    1. Direct integration - Provide your Service Account Key (in JSON), the email of the delegate, the Domain and the Project ID obtained above to set up a direct connection with BalkanID.

    2. SCIM integration - Provide SCIM server credentials to set up a SCIM connection with BalkanID.

    3. Manual file upload - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.

    4. Automated upload using API - You can upload data using our Bulk APIs with the help of an API key which will be provided to you. Please refer to the entity and entity relation upload docs for specific instructions on uploading your data through the API. Note: Use the key JSON downloaded in step 3 to fill in the Key field. In the Delegated field, add the email of a user with access to domain-wide delegation. Fill in the domain name and the project ID as well.

  4. Click on next to move onto Optional Configuration.

  5. Fill Optional configuration, if required.

  6. Once you have filled in the information, click Save. Your integration is now configured and you will see its status displayed alongside other integrations on the Integrations page. When data is available, the integration Status will read Connected and the integration Message will read Data available.
