Connecting Google Cloud Platform (GCP) to Drata allows automated, continuous monitoring and evidence collection for dozens of infrastructure security controls required for compliance. This article describes the technical details of the setup and functionality of the integration.
There are two ways to connect your GCP environment to Drata: using a script, or manually. Connecting with the script is recommended. To learn how to connect through the script, go to Connect (GCP) Google Cloud Platform to Drata. The rest of this article covers the manual setup.
Prerequisites
You can connect each GCP project individually or connect the GCP organization.
When connecting each GCP project individually, ensure that each project belongs to an organization. For more information on migrating projects to an organization, go to Moving a project.
It is recommended to connect a GCP organization over an individual project, if possible.
Ensure the user account that is performing the setup for this GCP connection has the following roles/privileges:
GCP Owner role (Basic -> Owner) at the project and organization levels.
GCP Organization Administrator (resourcemanager.organizationAdmin).
If the VPC Firewall Rules Enabled setting is turned on in the GCP environment, it may block Drata's API calls. To learn how to create an allow-list entry for Drata's IP address, go to Dratabot.
Permissions Required to Sync GCP Users & MFA
When a GCP organization is created, a companion Google Workspace account is automatically provisioned by Google. The IAM users you provision in GCP will source their MFA from this Google Workspace account. Drata will use the Organization Administrator role to make calls to the Google Workspace Admin SDK API to read the MFA status of these IAM users' matching emails in Google Workspace. Three things must be in place for this to work:
You must grant the GCP service account access to your connected Google Workspace account through domain-wide delegation.
Further, ensure that the Google Workspace Super Admin account email matches the GCP Organization Administrator email.
These users must set up MFA in Google Workspace.
This Google Workspace account does not need to be connected to Drata as your IdP. Regardless of your connected IdP, Drata needs all three steps above to be completed; otherwise, Drata cannot retrieve MFA on your GCP IAM users. This will cause Test 88 - MFA on Infrastructure Console to fail.
For the purposes of syncing IAM users, Drata supports pulling individual emails as listed from the IAM entries in your GCP organization and the single project in which the service account was created. If you want IAM users from all projects to be synced, please reach out to our Technical Support team.
Drata does not support pulling members within groups (i.e. we will sync the group's email as if it were an individual IAM entry).
Overview of what we're going to set up
NOTE: It is critical to follow these instructions exactly as described and in order. Skipping ahead can result in an incomplete connection that will force you to delete your roles and service account and start over.
Single Project Connections:
Ensure specific APIs are enabled in the project.
Create the Service Account and apply the permissions.
Provision a Domain-wide delegation client in Google Workspace.
Organization-Wide Connection to Sync All Projects:
Ensure specific APIs are enabled in the project.
Create the Service Account and apply the permissions.
Apply the Organization Role to the same Service Account.
Provision a Domain-wide delegation client in Google Workspace.
Ensure specific APIs are enabled in the project
These are the GCP APIs that Drata will use for evidence collection automation. These APIs only need to be enabled on the project where the service account is created.
Go to the API & Services Dashboard and verify that the project you want to connect to Drata is selected (in the top menu bar next to the GCP logo).
Verify that the APIs are enabled and already in the list of available APIs & Services. If not, go to the API Library, search and enable them.
Not enabling these APIs does not prevent the connection from being created, but the monitoring tests that depend on them cannot source the relevant data and will fail.
Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (or "Stackdriver Monitoring API")
Cloud Asset API (used to pull GCP Assets)
Create a Service Account & Apply Permissions
Please select one of the following options to apply the recommended permission set or a reduced permission set.
Option 1: Apply the Recommended Permissions
Create the Drata Service Account
This is the mechanism that Drata utilizes to gain read-only access to your GCP account.
Open your Google Cloud console.
Within the same project, open the main navigation menu (in the left sidebar) and go to "IAM & Admin → Service Accounts" to create a new service account.
Select the CREATE SERVICE ACCOUNT button at the top of the page, enter the fields below in the first step of the form, and then select Create.
Service Account Name: Drata Service Account
(Note: the service account ID will auto-fill)
Service Account Description: Service Account with read-only access for Drata Autopilot
Select and Apply Permissions
Open the Select a role drop-down, hover over Basic, and from the Quick access sub-section of the fly-out menu add the following roles to the service account:
Monitoring Viewer
Compute Viewer
Cloud Asset Viewer
Browser
Complete Service Account Creation
Click Continue, and then Done to complete the creation of the service account.
If you are connecting all Projects in the Organization, copy and save the email that is shown in the row for the newly created Service Account. The email will be used in the Apply the Organization Role to an IAM account section.
Option 2: Apply Reduced Permissions
These are the minimum viable permissions for an active connection. Create a custom project role and assign it only these 'non-excess' permissions required to complete the connection. Note that some tests may end up in an errored state because the reduced permissions prevent some API requests from completing.
Create a custom Project Role for Drata
Create a custom project role to allow Drata to read metadata on your buckets that are scoped outside the general project.
Under the project or organization dropdown in the header, select your main GCP project.
In the main navigation menu (in the left sidebar), go to the Roles page through "IAM & Admin → Roles", to create a custom project role.
Select the CREATE ROLE button on the top of the page, copy and paste the fields below into the form on the page, and set the Role launch stage to "General Availability".
Title: Drata Read-Only Project Role
Description: Service Account for Drata Autopilot to get read access to all project resources
ID: DrataReadOnlyProjectRole
Add Permissions to the Custom Role
Select the Add Permissions button to open the permissions modal to select the required permissions:
cloudsql.instances.list
compute.firewalls.list
compute.forwardingRules.list
compute.instances.list
compute.securityPolicies.list
compute.urlMaps.list
container.clusters.list
datastore.entities.get
datastore.entities.list
datastore.statistics.get
datastore.statistics.list
memcache.instances.list
monitoring.alertPolicies.list
monitoring.notificationChannels.get
pubsub.topics.list
redis.instances.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.organizations.getIamPolicy
storage.buckets.list
storage.buckets.get
storage.buckets.getIamPolicy
iam.roles.get
iam.serviceAccounts.get
iam.serviceAccounts.list
iam.users.get
Create the Drata Service Account
This is the mechanism that Drata utilizes to gain read-only access to your GCP account.
Open your Google Cloud console.
Within the same project, open the main navigation menu (in the left sidebar) and go to "IAM & Admin → Service Accounts" to create a new service account.
Select the CREATE SERVICE ACCOUNT button at the top of the page, enter the fields below in the first step of the form, and then select Create.
Service Account Name: Drata Service Account
(Note: the service account ID will auto-fill)
Service Account Description: Service Account with read-only access for Drata Autopilot
Add the Custom Role to the Service Account
To add a custom Read-Only Project Role, select the ADD ROLE button.
Select a role, and filter for "drata" to select the "Drata Read-Only Project Role" Role.
Complete Service Account Creation
Click Continue, and then Done to complete the creation of the service account.
If you are connecting all Projects in the Organization, copy and save the email that is shown in the row for the newly created Service Account. The email will be used in the Apply the Organization Role to an IAM account section.
Create the JSON Key for the Connection Creation in Drata
The key and details generated in this step are required to complete the connection details in the Drata GCP connections tab and finalize the connection.
Select the ellipsis button in the right column, select Manage Key, then Add Key. In the modal, make sure JSON is selected as the Key type and then select Create. This downloads a JSON file to your machine (you will need it to complete the connection).
Select the name of the Service Account to go to its detail page, then select the Details tab on the top.
Copy and save the Unique ID that was generated. The ID is used in the Provision a Domain wide delegation client in Google Workspace section.
Step Required for the Organization-Wide Connection: Apply the Organization Role to an IAM account
Now we can also grant your new service account access to your organization, with automatic project discovery. Note that assigning this role to the IAM account will not be possible if the user creating it does not have the 'Owner' role (mentioned in the Prerequisites section at the top of this article).
Ensure you are still in your organization from the project selector in the header.
In the main navigation menu (in the left sidebar), go to the IAM page via "IAM & Admin → IAM" to create the IAM account.
Click the GRANT ACCESS button towards the top of the page and, in the New members text field, enter the email of the project-level service account (which you saved in a step above).
Assign the following roles:
Monitoring Viewer
Cloud Asset Viewer
Organization Viewer
Note: The Browser role is only required in the default project of the service account.
Select the Save button.
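The console steps from enabling the APIs through the organization role, as an added gcloud script that is not Drata's own connect script: it implements Option 2 (the custom role with the reduced permission list) and assumes gcloud is authenticated with the roles from the Prerequisites section and a service account ID of drata-service-account. The domain-wide delegation step still has to be done in the Google Admin console.

```shell
#!/usr/bin/env bash
# Added example, not Drata's connect script: the console steps above as gcloud.
# Assumes gcloud is authenticated as a user with the Prerequisites roles.
set -eu
SA_NAME="drata-service-account"   # assumed account ID (console auto-fills one)
# The six APIs listed above, as service names for gcloud.
drata_required_apis() {
  printf '%s\n' compute.googleapis.com cloudresourcemanager.googleapis.com \
    admin.googleapis.com sqladmin.googleapis.com monitoring.googleapis.com \
    cloudasset.googleapis.com
}
# Option 2 reduced permission list, copied from the article.
drata_reduced_permissions() {
  printf '%s\n' cloudsql.instances.list compute.firewalls.list \
    compute.forwardingRules.list compute.instances.list \
    compute.securityPolicies.list compute.urlMaps.list container.clusters.list \
    datastore.entities.get datastore.entities.list datastore.statistics.get \
    datastore.statistics.list memcache.instances.list \
    monitoring.alertPolicies.list monitoring.notificationChannels.get \
    pubsub.topics.list redis.instances.list resourcemanager.projects.get \
    resourcemanager.projects.getIamPolicy \
    resourcemanager.organizations.getIamPolicy storage.buckets.list \
    storage.buckets.get storage.buckets.getIamPolicy iam.roles.get \
    iam.serviceAccounts.get iam.serviceAccounts.list iam.users.get
}
drata_sa_email() { echo "${SA_NAME}@${1}.iam.gserviceaccount.com"; }
# drata_setup PROJECT_ID [ORG_ID]: enable APIs, create the service account and
# custom role, bind it (plus org roles if ORG_ID given), create the JSON key,
# and print the numeric unique ID needed for domain-wide delegation.
drata_setup() {
  project="$1"; org="${2:-}"; sa="$(drata_sa_email "$project")"
  gcloud services enable $(drata_required_apis) --project="$project"
  gcloud iam service-accounts create "$SA_NAME" --project="$project" \
    --display-name="Drata Service Account" \
    --description="Service Account with read-only access for Drata Autopilot"
  gcloud iam roles create DrataReadOnlyProjectRole --project="$project" \
    --title="Drata Read-Only Project Role" --stage=GA \
    --permissions="$(drata_reduced_permissions | paste -sd, -)"
  gcloud projects add-iam-policy-binding "$project" --member="serviceAccount:$sa" \
    --role="projects/$project/roles/DrataReadOnlyProjectRole"
  if [ -n "$org" ]; then
    for r in roles/monitoring.viewer roles/cloudasset.viewer \
             roles/resourcemanager.organizationViewer; do
      gcloud organizations add-iam-policy-binding "$org" \
        --member="serviceAccount:$sa" --role="$r"
    done
  fi
  gcloud iam service-accounts keys create drata-key.json --iam-account="$sa"
  gcloud iam service-accounts describe "$sa" --format='value(uniqueId)'
}
```

Source the file and run `drata_setup YOUR_PROJECT_ID` (add the organization ID as a second argument for the organization-wide connection); keep drata-key.json out of version control and upload it only to the Drata connection form.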
Provision a Domain wide delegation client in Google Workspace
We need to grant the GCP service account access to your connected Google Workspace account. This permission set enables Drata to read user directory data, groups within the directory, and MFA configuration details. This step is recommended: if it is not completed, the Drata monitors related to GCP user tracking and MFA will not function. Many of the infrastructure monitors work without this additional permission set, but the GCP managed accounts page will remain blank.
Please login to your Google Admin console with an account that has Super Admin privileges, then go to "Security → Access and data control → API controls." Scroll to the bottom to get to Domain wide delegation.
In the Domain wide delegation section, click on Manage Domain Wide Delegation button.
Note: If you are using Google Workspace as your IdP and have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:
Ensure this entry remains intact so as not to break your IdP connection.
Click on the Add new button.
Enter the numeric client ID (the Unique ID you saved in a step above, not the service account email address).
Leave the Overwrite existing client ID checkbox un-checked.
Copy and paste the below Cloud Platform Scope into the OAuth scopes (comma-delimited) text field.
Comma-delimited Scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
Once done, click on the AUTHORIZE button.
For readability, the same scopes are listed again here one per line:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
🎉 You have just successfully set up proper read-only access for Drata! 🎉
Additional Resources