GCP Connection Details

This article walks through the details of configuring GCP to connect to Drata.

Written by Ashley Hyman
Updated yesterday

HERE'S WHY

Connecting Google Cloud Platform (GCP) to Drata allows for the automated, continuous monitoring and evidence collection of the dozens of infrastructure security controls required for compliance. This article describes technical insights pertaining to the setup and functionality of the integration.

BEFORE DIVING IN

  • You can connect each GCP project individually or connect the GCP organization.

    • When connecting each GCP project individually, ensure that each project belongs to an organization. For more information on migrating projects to an organization, go to Moving a project.

    • It is recommended to connect the GCP organization.

  • Ensure the user account performing the GCP connection has the following roles/privileges:

  • Ensure that the Google Workspace Super Admin account email matches the GCP Organization Administrator email.

    • If this account does not exist, Drata cannot retrieve the MFA status of your GCP IAM users (Test 88 - MFA on Infrastructure Console).

  • For the purposes of syncing IAM users, Drata supports pulling individual emails as listed in the IAM entries of your GCP organization and of the single project in which the service account was created. If you want IAM users from all projects to be synced, please reach out to our Technical Support team.

  • Drata does not support pulling members within groups (i.e. we will sync the group's email as if it were an individual IAM entry).

Overview of what we're going to set up

NOTE: It is critical to follow these instructions exactly as described and in order. Skipping ahead can result in an incomplete connection that will force you to delete your roles and service account and start over.

  • Ensure specific APIs are enabled in the Project.

  • Create a custom Project Role for Drata.

  • Create an IAM Service Account and apply the Project Role.

  • Create a custom Organization Role for Drata.

  • Apply the Organization Role to that service account.

    • This step determines whether you will monitor all projects in the GCP organization or only one project per connection.

  • Provision a Domain-wide delegation client in Google Workspace.


Ensure specific APIs are enabled in the Project

These are the GCP APIs that Drata will use for evidence collection automation. These APIs only need to be enabled on the project where the service account is created.

  1. Go to the API & Services Dashboard and verify that the project you want to connect to Drata is selected (in the top menu bar next to the GCP logo).

  2. Verify that the APIs listed below are enabled and already appear in the list of APIs & Services. If not, go to the API Library, search for each API and enable it.

Not enabling these APIs does not prevent the connection, but the monitoring tests that depend on them cannot source the relevant data and will error.

Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (or "Stackdriver Monitoring API")
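
The check below is an added example, not part of the article or of Drata's tooling. It takes the JSON output of `gcloud services list --enabled --format=json` for the project that hosts the service account and reports which of the five APIs above are still disabled, so the gap can be closed before the first monitoring run errors. The mapping from the article's display names to service identifiers, the `config.name` field in the output, and the sample output are my assumptions.

```python
import json

# Service identifiers for the APIs the article lists. The mapping from the
# article's display names to these identifiers is an assumption of this example.
REQUIRED_APIS = {
    "compute.googleapis.com": "Compute Engine API",
    "cloudresourcemanager.googleapis.com": "Cloud Resource Manager API",
    "admin.googleapis.com": "Admin SDK API",
    "sqladmin.googleapis.com": "Cloud SQL Admin API",
    "monitoring.googleapis.com": "Cloud Monitoring API",
}


def enabled_services(services_json: str) -> set:
    """Return the set of enabled service names from the JSON output of
    `gcloud services list --enabled --format=json` (assumed shape: each
    record carries config.name, or a resource name ending in the service)."""
    names = set()
    for rec in json.loads(services_json):
        name = rec.get("config", {}).get("name")
        if not name:
            name = rec.get("name", "").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def missing_apis(services_json: str) -> list:
    """List the required APIs that are not enabled, in a stable order."""
    enabled = enabled_services(services_json)
    return sorted(api for api in REQUIRED_APIS if api not in enabled)


def enable_commands(services_json: str, project: str) -> list:
    """Build the gcloud command(s) that would enable each missing API."""
    return [f"gcloud services enable {api} --project={project}"
            for api in missing_apis(services_json)]


# Constructed sample output: four of the five required APIs are enabled,
# Cloud SQL Admin is missing, and an unrelated API shows it is ignored.
SAMPLE_SERVICES = json.dumps([
    {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "cloudresourcemanager.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "admin.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "monitoring.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "logging.googleapis.com"}, "state": "ENABLED"},
])

if __name__ == "__main__":
    for api in missing_apis(SAMPLE_SERVICES):
        print(f"NOT ENABLED: {REQUIRED_APIS[api]} ({api})")
    for cmd in enable_commands(SAMPLE_SERVICES, "my-project"):
        print(cmd)
```

Run it against the real output by replacing `SAMPLE_SERVICES` with the contents of the gcloud command's output; the project name in `enable_commands` is whatever project you selected in step 1.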

Troubleshoot

  • If the VPC Firewall Rules Enabled setting is enabled in the GCP environment, it might block Drata’s API calls. To learn how to create an allow list entry for Drata’s IP address, go to Dratabot.

  • Ensure all projects you would like to monitor in Drata belong to a GCP organization. Follow the instructions on Moving Projects to migrate any standalone projects to a connected organization.

  • When a GCP organization is created, a companion Google Workspace account is automatically provisioned by Google. You must grant the GCP service account access to your connected Google Workspace account through domain-wide delegation. This Google Workspace account does not need to be connected to Drata as your IdP.


Create a custom Project Role for Drata

Create a custom project role to allow Drata to read metadata on your buckets that are scoped outside the general project.

  1. Under the project/organization dropdown in the header, select your main GCP project.

  2. In the main navigation menu (in the left sidebar), go to the Roles page through "IAM & Admin → Roles", to create a custom project role.

  3. Select the CREATE ROLE button on the top of the page, copy/paste the fields below into the form on the page, and set the Role launch stage to "General Availability".

Title:

Drata Read-Only Project Role

Description:

Service Account for Drata Autopilot to get read access to all project resources

ID:

DrataReadOnlyProjectRole

  4. Select the Add Permissions button to open the permissions modal and select the required permissions:

storage.buckets.get
storage.buckets.getIamPolicy

Note: Do not use the Filter permissions by role search bar. Use the filter field on the table.


Create a Service Account and apply the Project Role

This is the mechanism that Drata utilizes to gain read-only access to your GCP account.

  1. Within the same project, under the main navigation menu (in the left sidebar), go to the Service Accounts page through "IAM & Admin → Service Accounts", to create a new service account.

  2. Select the CREATE SERVICE ACCOUNT button on the top of the page, copy/paste the fields below into the form in the first step, and then select Create.

Service Account Name:

Drata Service Account

(Note: the service account ID will auto-fill)

Service Account Description:

Service Account with read-only access for Drata Autopilot

  3. On Step 2, open the Select a role select box, hover over Basic and, in the Quick access sub-section, select Viewer in the fly-out menu.

    • The Project Viewer role allows listing Cloud Storage buckets, but does not allow listing or downloading bucket contents.

  4. To add the custom Read-Only Project Role, select the ADD ANOTHER ROLE button. Then open Select a role, filter for "drata" and select the "Drata Read-Only Project Role" role. Once added, select CONTINUE and then DONE to finish creating the service account.

  5. Copy and save the email shown in the row for the newly created Service Account. The email is used in the Apply the Organization Role to an IAM account section.

  6. Select the ellipsis button in the right column and select Manage Key, then Add Key. In the modal, make sure JSON is selected as the Key type and then select Create. This downloads a JSON file to your machine (you will need it to complete the connection).

  7. Select the name of the Service Account to go to its detail page, then select the Details tab at the top.

  8. Copy and save the Unique ID that was generated. The ID is used in the Provision a Domain wide delegation client in Google Workspace section.


Create a custom Organization Role for Drata

Most IAM accounts are scoped at the organization level, and the project-level service account does not have access to them. This organization role grants that access so Drata can auto-sync your infrastructure accounts.

  1. Under the project/organization dropdown in the header, switch back to your organization.

  2. In the main navigation menu (in the left sidebar), go to the Roles page via "IAM & Admin → Roles", to create the custom Organizational Role.

  3. Click on the CREATE ROLE button on the top of the page, and copy/paste the fields below into the form on the page.

    1. Make sure to set the Role launch stage to "General Availability".

Title:

Drata Read-Only Organizational Role

Description:

Service Account with read-only access for Drata Autopilot to get organizational IAM data.

ID:

DrataReadOnlyOrganizationalRole


Note: For the following steps, do not use the Filter permissions by role search bar. Use the filter field on the table.

  4. Select the Add Permissions button to open the permissions modal, filter the table down to the needed permission, and select it:

resourcemanager.organizations.getIamPolicy

  5. If you wish to connect multiple projects to Drata (including any new projects created in the future), also select the following permissions:

storage.buckets.get
storage.buckets.getIamPolicy

  6. Select the CREATE button to create the role.
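
Both custom roles (the project role with its two storage permissions, and the organization role with `resourcemanager.organizations.getIamPolicy`, plus the storage permissions when connecting multiple projects) are meant to stay read-only and exactly as documented. The audit below is an added example, not part of the article or of Drata's tooling: it takes the JSON from `gcloud iam roles describe <ID> --project=... --format=json` (or `--organization=...`) and reports permissions beyond the documented set, permissions missing from it, anything that is not a get/list verb, and whether the launch stage is General Availability. The `includedPermissions`, `stage` and `deleted` field names, the read-only verb heuristic, and the sample role documents are my assumptions.

```python
import json

# The permissions exactly as the article documents them.
PROJECT_ROLE_PERMISSIONS = {
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
}
ORG_ROLE_PERMISSIONS_SINGLE_PROJECT = {
    "resourcemanager.organizations.getIamPolicy",
}
# Organization role when connecting multiple projects (step 5 adds the bucket permissions).
ORG_ROLE_PERMISSIONS_MULTI_PROJECT = ORG_ROLE_PERMISSIONS_SINGLE_PROJECT | PROJECT_ROLE_PERMISSIONS

# Heuristic (assumption): a permission whose last segment is one of these verbs is read-only.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy"}


def is_read_only(permission: str) -> bool:
    return permission.rsplit(".", 1)[-1] in READ_ONLY_VERBS


def audit_role(role_json: str, expected: set) -> dict:
    """Compare a role document (assumed fields: name, stage, deleted,
    includedPermissions) against the documented permission set."""
    role = json.loads(role_json)
    actual = set(role.get("includedPermissions", []))
    extra = sorted(actual - expected)
    missing = sorted(expected - actual)
    non_read_only = sorted(p for p in actual if not is_read_only(p))
    is_ga = role.get("stage") == "GA"
    return {
        "name": role.get("name", ""),
        "extra": extra,                  # privilege creep beyond the article
        "missing": missing,              # Drata tests relying on these will error
        "non_read_only": non_read_only,  # anything that is not a get/list verb
        "ga": is_ga,
        "ok": not extra and not missing and is_ga and not role.get("deleted", False),
    }


# Constructed sample: the project role has picked up an object-listing
# permission, which is more than the article grants (bucket metadata only).
SAMPLE_PROJECT_ROLE = json.dumps({
    "name": "projects/example-project/roles/DrataReadOnlyProjectRole",
    "title": "Drata Read-Only Project Role",
    "stage": "GA",
    "includedPermissions": [
        "storage.buckets.get",
        "storage.buckets.getIamPolicy",
        "storage.objects.list",
    ],
})

# Constructed sample: the organization role has the right permission but
# was left at the BETA launch stage instead of General Availability.
SAMPLE_ORG_ROLE = json.dumps({
    "name": "organizations/123456789012/roles/DrataReadOnlyOrganizationalRole",
    "title": "Drata Read-Only Organizational Role",
    "stage": "BETA",
    "includedPermissions": ["resourcemanager.organizations.getIamPolicy"],
})

if __name__ == "__main__":
    for label, doc, expected in [
        ("project role", SAMPLE_PROJECT_ROLE, PROJECT_ROLE_PERMISSIONS),
        ("organization role", SAMPLE_ORG_ROLE, ORG_ROLE_PERMISSIONS_SINGLE_PROJECT),
    ]:
        print(label, audit_role(doc, expected))
```

Re-running this after the connection is live is a cheap way to catch a role that was later widened by hand; the `extra` list is the one to watch, since the service account key downloaded earlier inherits whatever the role grows into.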


Apply the Organization Role to an IAM account

Now we are going to grant your new service account access to your organization with the custom organizational role you just created!

NOTE: This role cannot be assigned to the IAM account if the user creating the binding does not have the 'Owner' role (mentioned in the 'BEFORE DIVING IN' section at the top of the article).

  1. Ensure you are still in your organization from the project selector in the header.

  2. In the main navigation menu (in the left sidebar), go to the IAM page via "IAM & Admin → IAM", so we can create the IAM account.

  3. Click on the GRANT ACCESS button towards the top of the page and, in the New members text field, enter the email of the project-level service account (saved in a step above).

  4. Select the Select a role select box and paste the name of the custom role created above:

    Drata Read-Only Organizational Role

  5. If you wish to connect multiple projects to Drata (including any new projects), add one more role to the service account: select the Select a role select box, hover over Basic and, in the Quick access sub-section, select Viewer in the fly-out menu.

  6. Select the Save button.


Provision a Domain wide delegation client in Google Workspace

  1. Log in to your Google Admin console with an account that has Super Admin privileges, then go to "Security → Access and data control → API controls" and scroll to the bottom to reach "Domain wide delegation."

  2. In the Domain wide delegation section, click on Manage Domain Wide Delegation button.

    1. Note: If you are using Google Workspace as your IdP and have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be https://www.googleapis.com/auth/admin.directory.user.readonly. Leave this entry intact so as not to break your IdP connection.

  3. Click on the Add new button, enter the numeric client ID (the Unique ID saved in a step above, not the service account email address), leave the Overwrite existing client ID checkbox unchecked, and copy/paste the Cloud Platform Scope below into the OAuth scopes (comma-delimited) text field. Once done, click on the AUTHORIZE button.

Scope:

https://www.googleapis.com/auth/admin.directory.user.readonly
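
Two things go wrong most often at this step: the service account email is pasted where the numeric Unique ID belongs, and a broader directory scope is granted than the read-only one above. The helper below is an added example, not part of the article or of Drata's tooling: it reads the Unique ID straight out of the JSON key file downloaded earlier (a key file's `type`, `client_email` and `client_id` fields are standard, and `client_id` is the same numeric ID shown on the Details tab), and it validates the comma-delimited text for the OAuth scopes field against the single documented scope. The sample key file is constructed, with the private key replaced by a placeholder.

```python
import json

# The only scope the article asks for.
DOCUMENTED_SCOPE = "https://www.googleapis.com/auth/admin.directory.user.readonly"


def delegation_client_from_key(key_json: str) -> dict:
    """Extract the value to paste as the client ID from the downloaded
    service account key file and flag common mistakes."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service account key file")
    client_id = str(key.get("client_id", ""))
    if not client_id.isdigit():
        problems.append("client_id is not the numeric unique ID")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email does not look like a service account")
    return {"client_id": client_id, "client_email": email, "problems": problems}


def check_scopes_field(scopes_field: str) -> dict:
    """Validate the comma-delimited text for the 'OAuth scopes' field:
    exactly the documented read-only scope, nothing broader or extra."""
    scopes = [s.strip() for s in scopes_field.split(",") if s.strip()]
    undocumented = [s for s in scopes if s != DOCUMENTED_SCOPE]
    return {
        "scopes": scopes,
        "has_documented": DOCUMENTED_SCOPE in scopes,
        "undocumented": undocumented,
        "ok": scopes == [DOCUMENTED_SCOPE],
    }


# Constructed sample key file; the private key is a placeholder, not real material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "drata-service-account@example-project.iam.gserviceaccount.com",
    "client_id": "112233445566778899001",
})

if __name__ == "__main__":
    info = delegation_client_from_key(SAMPLE_KEY)
    print("Client ID for domain-wide delegation:", info["client_id"], info["problems"])
    print(check_scopes_field(DOCUMENTED_SCOPE))
    # The non-readonly directory scope is broader than documented and gets flagged:
    print(check_scopes_field("https://www.googleapis.com/auth/admin.directory.user"))
```

`check_scopes_field` deliberately rejects the broader `admin.directory.user` scope even when the read-only scope is also present, because the delegation grants the union of everything in the field.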


🎉 You have just successfully set up proper read-only access for Drata! 🎉
