Google Cloud is a suite of cloud computing services offered by Google. It contains data storage services like Google Cloud Storage (GCS) and BigQuery. The goal of this connector is to provide an overarching data source in case you want to manage multiple data storage service (e.g. multiple BigQuery data sources) in Raito. In this way, the users, groups, etc. are shared among those data sources and we generate visibility in organization level access controls.
The connector is available here and supports
- Import of the GCP Organization structure (Folders, Projects) as Data Objects into Raito Cloud
- Import users, groups and service accounts from all IAM policies in the organization
- Import of GSuite users, groups and group membership into Raito Cloud
- Import of GCP Service Accounts on all projects as users into Raito Cloud
- Import of existing IAM Role grants on all levels (org, folder, project) as Access Providers
- Granting/Revoking IAM Role bindings on resources for users, groups and service accounts based on Access Providers defined in Raito Cloud
Currently, during import of IAM bindings into Raito Cloud, Access Providers will only be created for the following IAM roles:
IAM bindings for roles other than the ones listed will be skipped unless
skip-unmanaged-iam-roles is set to
false in the connector configuration. In this case they will be imported, but as not-internalizable Access Providers, meaning we only report on them, but do not allow managing them within Raito Cloud.
The Google Cloud connector requires a GCP Service Account that has the necessary permissions to retrieve projects, folders, the GCP organization and their respective IAM policies.
The table below describes the IAM permissions needed for the plugin to function. These permissions can be assigned either through a custom IAM role or through existing roles that contain them:
|resourcemanager.organizations.get||Retrieve the organization|
|resourcemanager.organizations.getIamPolicy||Retrieve who has IAM roles on the Organization level|
|resourcemanager.organizations.setIamPolicy||Revoke/Create IAM Role bindings based on Raito Access Providers.|
|resourcemanager.folders.get||To detect folders within the organization and/or a folder|
|resourcemanager.folders.list||To detect folders within the organization and/or a folder|
|resourcemanager.folders.getIamPolicy||Retrieve who has IAM roles at the Folder level|
|resourcemanager.folders.setIamPolicy||Revoke/Create IAM Role bindings based on Raito Access Providers|
|resourcemanager.projects.get||To retrieve projects|
|resourcemanager.projects.list||To retrieve projects|
|resourcemanager.projects.getIamPolicy||Retrieve who has IAM roles at the Project level|
|resourcemanager.projects.setIamPolicy||Revoke/Create IAM Role bindings based on Raito Access Providers|
Depending on where the role containing these permissions is bound to, the scope of that sync will be different:
|IAM Policy||Sync scope|
|Organization||The organization, all (sub-)folders and projects will be exposed and you will see all role assignments in Raito|
|Folder||Only the folder, its subfolders and their projects will be exposed in Raito|
|Project||Only the individual project will be exposed in Raito|
A detailed step-by-step guide on how to create a service account, IAM role and execute the connector can be found within our GCP And BigQuery guide.
As part of the Identity Store Synchronization, the GCP CLI plugin can leverage GSuite to pull in all your users, groups and group memberships. To achieve this, the service account used during the sync needs to have domain-wide delgation set up. A complete guide on how to do that is provided here.
The following oAuth scopes are required
Please take note of your
Customer ID listed under
Account > Account Settings in the admin console as you’ll need this to set up the CLI later on.
To see all parameters, type
$> raito info raito-io/cli-plugin-gcp
in a terminal window.
Currently, the following configuration parameters are available:
- gcp-organization-id (mandatory): The ID of your GCP organization.
- gcp-serviceaccount-json-location (optional): The location of the GCP ServiceAccount Key file (if not set, the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable is used)
- skip-unmanaged-iam-roles (optional): If set to
true), all IAM roles will be imported, even the ones that are
not applicable. They are then imported as not-internalizable and used for observability purposes only.
- gsuite-identity-store-sync (optional): If set to
false), the identity store sync step will also pull information from GSuite.
- gsuite-customer-id (optional): When
gsuite-identity-store-syncis set to
true, use this parameter to set the GSuite Customer ID.
- gsuite-impersonate-subject (optional): When
gsuite-identity-store-syncis set to
true, use this parameter to the email address of the Admin Console User to be used for domain-wide delegation.