
Capabilities

Resource (Sync / Provision)
  • Accounts
  • Groups
  • Folders
  • Roles
  • Projects
  • Organizations
  • Workforce Identity pools*
  • Workforce Identity pool providers*
  • Secrets - API keys
  • Secrets - Service account keys
  • Secrets - Secret Manager secrets
  • Buckets
*Workforce Identity Federation support is optional and must be configured when you set up the connector. This connector can sync secrets and display them on the Inventory page.

Gather Google Cloud Platform with Google Workspace credentials

Configuring the connector requires credentials from both Google Cloud Platform and the Google Workspace Admin console. You’ll complete the following steps:
  1. Create a dedicated GCP project for the ConductorOne integration
  2. Enable the required APIs
  3. Create a service account and assign it the necessary permissions
  4. Download the service account’s JSON key
  5. Grant the service account domain-wide delegation in the Google Workspace Admin console
  6. Locate your primary domain and Customer ID
A user with the Super Admin role in Google Cloud Platform with Google Workspace must perform this task.

Create a new project

We recommend creating a dedicated GCP project for the ConductorOne integration. This keeps the integration’s permissions and audit logs isolated from your other projects.
  1. As a Google Cloud Platform with Google Workspace Super Admin, sign in to https://console.cloud.google.com.
  2. In the toolbar, click the project select dropdown, and click NEW PROJECT.
  3. Create a new project for your organization:
     • Project Name: Choose a name, such as “ConductorOne Integration”
     • Organization/Location: Choose the appropriate Organization/Location
  4. After the project is created, make sure the correct project is selected in the dropdown at the top.

Enable the APIs

  1. In the navigation menu, navigate to APIs & Services > Library.
  2. Search for each of the following APIs and click Enable:
     • Cloud Asset API
     • Cloud Resource Manager API
     • Identity and Access Management API
     • Admin SDK API

Optional: Sync secrets and buckets

Complete this section only if you want the connector to sync secrets (API keys, service account keys, Secret Manager secrets) or Cloud Storage buckets.
Secrets and bucket permissions are configured per project in GCP. If the connector is not filtering by project and the service account doesn’t have permissions across all projects, the sync will fail. We recommend using the Project IDs filter to explicitly specify which projects to sync.
Required organization-level role: Grant the service account the roles/cloudasset.viewer role at the organization level. This allows it to search resources across projects.
Additional APIs to enable: Enable these APIs for each project you want to sync (or only for the projects specified in the Project IDs filter):
  • Secrets - API Keys: API Keys API
  • Secrets - Service account keys: IAM API
  • Secrets - Secret Manager secrets: Secret Manager API
  • Buckets: Cloud Storage API

Create a service account

  1. In the navigation menu, navigate to APIs & Services > Credentials.
  2. Select CREATE CREDENTIALS > Service Account.
  3. Under Service account details, fill in the following:
     • Service account name: ConductorOne Integration
     • Service account description: for example, “Service account for ConductorOne Google Cloud Platform with Google Workspace Integration”
     Click CREATE AND CONTINUE.
  4. Under Grant this service account access to a project, assign the service account a role at the organization level. You can use the predefined Editor role, or create a custom role that includes only the permissions listed below.
     For READ access (syncing access data only), the role needs these permissions:
       cloudasset.assets.analyzeIamPolicy
       cloudasset.assets.searchAllIamPolicies
       cloudasset.assets.searchAllResources
       iam.roles.get
       iam.roles.list
       resourcemanager.folders.getIamPolicy
       resourcemanager.folders.list
       resourcemanager.organizations.get
       resourcemanager.organizations.getIamPolicy
       resourcemanager.projects.get
       resourcemanager.projects.getIamPolicy
       resourcemanager.projects.list
       apikeys.keys.list
       iam.serviceAccounts.list
       iam.serviceAccountKeys.list
       secretmanager.secrets.get
       secretmanager.secrets.list
       secretmanager.secrets.getIamPolicy
       storage.buckets.list
       storage.buckets.getIamPolicy
     To also provision access (READ/WRITE), add these permissions to the role:
       resourcemanager.folders.setIamPolicy
       resourcemanager.organizations.setIamPolicy
       resourcemanager.projects.setIamPolicy
       secretmanager.secrets.setIamPolicy
       storage.buckets.setIamPolicy
  5. Leave Grant users access to this service account blank.
  6. Click DONE.
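The custom-role option in step 4 is the least-privilege choice. The following Python script is an added example, not ConductorOne's or Google's tooling: it assembles the two permission lists from this page into a role definition in the YAML layout that `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml` accepts, and reports permissions in an existing role that the connector does not need (for example when reviewing a role that was built by hand, or when weighing the predefined Editor role). The role title and description, and the `compute.instances.list` entry in the sample, are assumed values.

```python
"""Assemble the page's permission lists into a custom role definition.

Added example (not ConductorOne's or Google's tooling). The permission
names are the ones listed on this page; the YAML layout is the one that
`gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml`
reads. Role title and description are assumed values.
"""
from __future__ import annotations

# Permissions the page lists for READ access (syncing access data only).
READ_PERMISSIONS: list[str] = [
    "cloudasset.assets.analyzeIamPolicy",
    "cloudasset.assets.searchAllIamPolicies",
    "cloudasset.assets.searchAllResources",
    "iam.roles.get",
    "iam.roles.list",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
    "apikeys.keys.list",
    "iam.serviceAccounts.list",
    "iam.serviceAccountKeys.list",
    "secretmanager.secrets.get",
    "secretmanager.secrets.list",
    "secretmanager.secrets.getIamPolicy",
    "storage.buckets.list",
    "storage.buckets.getIamPolicy",
]

# Extra permissions the page lists for READ/WRITE access (provisioning).
WRITE_PERMISSIONS: list[str] = [
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "secretmanager.secrets.setIamPolicy",
    "storage.buckets.setIamPolicy",
]


def role_permissions(provision: bool) -> list[str]:
    """Permissions the connector needs: read-only, plus the setIamPolicy set if it provisions."""
    perms = set(READ_PERMISSIONS)
    if provision:
        perms.update(WRITE_PERMISSIONS)
    return sorted(perms)


def role_yaml(title: str, provision: bool, stage: str = "GA") -> str:
    """Render the role in the format `gcloud iam roles create --file` reads."""
    mode = "read/write" if provision else "read-only"
    lines = [
        f'title: "{title}"',
        f'description: "ConductorOne connector ({mode})"',  # assumed wording
        f'stage: "{stage}"',
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in role_permissions(provision)]
    return "\n".join(lines) + "\n"


def excess_permissions(granted: list[str], provision: bool) -> list[str]:
    """Permissions in an existing role that go beyond what the connector needs."""
    needed = set(role_permissions(provision))
    return sorted(set(granted) - needed)


def grants_write(granted: list[str]) -> bool:
    """True if any granted permission can change an IAM policy."""
    return any(p.endswith(".setIamPolicy") for p in granted)


if __name__ == "__main__":
    print(role_yaml("ConductorOne Integration (read-only)", provision=False))
    # Hypothetical hand-built role carrying one permission the connector never uses.
    sample = READ_PERMISSIONS + ["compute.instances.list"]
    print("excess:", excess_permissions(sample, provision=False))
```

Write the output of `role_yaml` to a file and pass it to `gcloud iam roles create` with `--organization`; keep `provision=False` unless the connector will actually provision access, since the setIamPolicy permissions are what let it change who holds roles on folders, projects, secrets and buckets.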

Get credentials

  1. Navigate back to APIs & Services > Credentials. Under Service Accounts, locate and click the service account you just created.
  2. Click the service account’s email address. Locate and save the Unique ID — you’ll need it when configuring domain-wide delegation in the next section.
  3. On the Service Account Details Page, click KEYS.
  4. Click ADD KEY > Create new key.
  5. Choose JSON and click CREATE. The new key is created and downloaded to your computer.
  6. Keep the downloaded file safe — you’ll upload it when configuring the connector in ConductorOne.

Add the service account to Google Workspace

Domain-wide delegation allows the GCP service account to access Google Workspace data — directory users, groups, roles, and audit logs — on behalf of your organization. You configure this in the Google Workspace Admin console at https://admin.google.com, which is separate from the Google Cloud console.
  1. Go to https://admin.google.com as a SUPER ADMIN.
  2. In the navigation menu, select Security > Access and data control > API Controls.
  3. Click MANAGE DOMAIN WIDE DELEGATION.
  4. Click Add new and fill out the form:
     • Client ID: The Unique ID you saved from the service account details page
     • OAuth Scopes: Copy and paste in the relevant scopes
       • Use the following scopes to give ConductorOne READ access (syncing access data):
         https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
       • Use the following scopes to give ConductorOne READ/WRITE access (syncing access data and provisioning access):
         https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
  5. Click AUTHORIZE.
  6. In the navigation menu, select Account > Account Settings.
  7. Copy and save the Customer ID from this page.
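The two values pasted into the domain-wide delegation form above (Client ID and scopes) are easy to get wrong, and the difference between the two scope lists is exactly which scopes drop their `.readonly` suffix. The Python script below is an added example, not ConductorOne's code: it reads the downloaded key file to confirm it is a service account key and pull out the `client_id` (the Unique ID the form asks for), compares a pasted scope string against the read-only or read/write list from this page, and shows the JWT claim set a client builds from the key, the Administrator email and the scopes when it uses domain-wide delegation. The key file in the script is constructed sample data with placeholder values, and `admin@example.com` is an assumed address.

```python
"""Check the inputs of the domain-wide delegation form and show how they are used.

Added example, not ConductorOne's code. The Client ID entered in the form is
the service account's Unique ID, which the downloaded key file carries as
`client_id`; the scope list decides whether the delegation is read-only or can
change groups and roles. SAMPLE_KEY_JSON is constructed placeholder data.
"""
from __future__ import annotations

import json
import time

# Scope lists copied from this page.
READ_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.domain.readonly,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly"
)
READ_WRITE_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly,"
    "https://www.googleapis.com/auth/admin.directory.rolemanagement,"
    "https://www.googleapis.com/auth/admin.directory.group.member,"
    "https://www.googleapis.com/auth/admin.directory.group,"
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.domain.readonly,"
    "https://www.googleapis.com/auth/admin.reports.audit.readonly"
)

# Fields a service account key JSON downloaded from the console contains.
REQUIRED_KEY_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# Constructed sample key: placeholder values only, no real private key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-conductorone-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "conductorone-integration@example-conductorone-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def parse_scopes(scope_string: str) -> list[str]:
    """Split the comma-separated string the admin console expects into scopes."""
    return [s.strip() for s in scope_string.split(",") if s.strip()]


def write_scopes(scopes: list[str]) -> list[str]:
    """Scopes that grant more than read access (no `.readonly` suffix)."""
    return [s for s in scopes if not s.endswith(".readonly")]


def load_key(key_json: str) -> dict:
    """Parse a downloaded key file and reject anything that is not a service account key."""
    key = json.loads(key_json)
    missing = sorted(REQUIRED_KEY_FIELDS - set(key))
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service account key: type={key['type']!r}")
    return key


def delegation_form_check(key_json: str, scope_string: str, provision: bool) -> dict:
    """Values to paste into the form, plus any drift from the page's scope list."""
    key = load_key(key_json)
    scopes = parse_scopes(scope_string)
    expected = set(parse_scopes(READ_WRITE_SCOPES if provision else READ_SCOPES))
    return {
        "client_id": key["client_id"],          # the Unique ID the form calls Client ID
        "write_scopes": write_scopes(scopes),   # empty for a read-only delegation
        "missing": sorted(expected - set(scopes)),
        "unexpected": sorted(set(scopes) - expected),
    }


def delegation_claims(key: dict, admin_email: str, scopes: list[str],
                      now: int | None = None, lifetime: int = 3600) -> dict:
    """JWT claim set a client signs with the key to act as admin_email.

    `iss` is the service account, `sub` the super admin being impersonated
    (the Administrator email entered in ConductorOne), `aud` Google's token
    endpoint. Signing with the private key is left to an OAuth library.
    """
    iat = int(time.time()) if now is None else now
    return {"iss": key["client_email"], "sub": admin_email, "scope": " ".join(scopes),
            "aud": key["token_uri"], "iat": iat, "exp": iat + lifetime}


if __name__ == "__main__":
    print(delegation_form_check(SAMPLE_KEY_JSON, READ_SCOPES, provision=False))
    print(delegation_claims(load_key(SAMPLE_KEY_JSON), "admin@example.com",
                            parse_scopes(READ_SCOPES), now=0))
```

Running `delegation_form_check` with `provision=True` against the read-only string reports the three `.readonly` scopes as unexpected and the three write scopes as missing, which is the practical difference between the two forms of the delegation: only the read/write list lets the delegated identity change group membership and role assignments.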

Locate your primary domain

  1. In the navigation panel on the left, click Account > Domains.
  2. Click Manage Domains. Locate and copy the domain labeled as the Primary Domain in the Type column.
Before moving on, confirm you have the following ready for the connector configuration:
  • Customer ID (from Account Settings)
  • Primary domain (from Manage Domains)
  • Administrator email — the email address of a super admin for your domain
  • JSON credentials file — the service account key downloaded in the Get credentials section

Configure the Google Cloud Platform with Google Workspace connector

To complete this task, you’ll need:
  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Google Cloud Platform with Google Workspace credentials generated by following the instructions above
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
  1. In ConductorOne, navigate to Integrations > Connectors and click Add connector.
  2. Search for Google Cloud Platform with Google Workspace and click Add.
  3. Choose how to set up the new Google Cloud Platform with Google Workspace connector:
     • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
     • Add the connector to a managed app (select from the list of existing managed apps)
     • Create a new managed app
  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed. If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
  5. Click Next.
  6. Find the Settings area of the page and click Edit.
  7. In the Customer ID field, enter the customer ID.
  8. In the Domain field, enter the primary domain.
  9. In the Administrator email field, enter the email address of a super admin for your domain.
  10. In the Credentials (JSON) area, click Choose file and upload the JSON key file.
  11. Optional. Check the box if you want to skip syncing Google Cloud Platform system accounts.
  12. Optional. Uncheck the box (which is checked by default) if you want to sync Google Cloud Platform default projects.
  13. Optional. In the Project IDs field, enter a list of project IDs to limit the connector’s sync to only those projects. Be sure to enter project IDs, not project names.
  14. Optional. Check the box to Enable Workforce Identity Federation, which allows the connector to sync Workforce Identity pools and pool providers.
      • If you want the connector to provision Workforce Identity pools, enter the relevant Workforce Identity Pool ID and Workforce Identity Pool Provider ID in the relevant fields.
      If you enable Workforce Identity Federation, complete the Shared identity source configuration in step 17 below before finishing.
  15. By default, the connector only syncs roles that are assigned to an IAM policy. These settings allow you to configure the connector to sync roles regardless of their IAM policy status.
      1. Optional. Check the box to Always sync custom roles.
      2. Optional. In the List of role IDs to always sync field, enter a list of role IDs that should be synced. Be sure to enter role IDs, not role names.
  16. Click Save.
  17. If you enabled Workforce Identity Federation, complete this additional configuration:
      1. In the Shared identity source area of the page, click Edit.
      2. Select the connector from which you want to pull identities.
      3. Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
      4. Click Save.
  18. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Google Cloud Platform with Google Workspace connector is now pulling access data into ConductorOne.