Connecting Google Cloud Platform (GCP) to Drata allows automated, continuous monitoring and evidence collection for dozens of infrastructure security controls required for compliance. This article describes the setup and functionality of the integration.
There are two ways to connect your GCP to Drata. You can either connect using a script or connect manually. It is recommended to connect using a script. To learn how to connect through a script, go to Connect (GCP) Google Cloud Platform to Drata.
Prerequisites
You can connect each GCP project individually or connect the GCP organization.
When connecting each GCP project individually, ensure that each project belongs to an organization. For more information on migrating projects to an organization, go to Moving a project.
It is recommended to connect the GCP organization.
Ensure the user account that is connecting the GCP connection has the following roles/privileges:
GCP Owner role (Basic -> Owner) at the project and organization levels.
GCP Organization Administrator (resourcemanager.organizationAdmin).
Ensure that the Google Workspace Super Admin account email matches the GCP Organization Administrator email.
If this account does not exist, Drata cannot retrieve the MFA status of your GCP IAM users (Test 88 - MFA on Infrastructure Console).
For the purposes of syncing IAM users, Drata supports pulling individual emails as listed from the IAM entries in your GCP organization and the single project in which the service account was created. If you want IAM users from all projects to be synced, please reach out to our Technical Support team.
Drata does not support pulling members within groups (i.e. we will sync the group's email as if it were an individual IAM entry).
Overview of what we're going to set up
NOTE: It is critical to follow these instructions exactly as described and in order. Skipping ahead can result in an incomplete connection that will force you to delete your roles and service account and start over.
Ensure specific APIs are enabled in the project.
Create a custom Project Role for Drata.
Create an IAM Service Account and apply the Project Role.
Create a custom Organization Role for Drata.
Apply the Organization Role to that service account.
This step determines if you will monitor all projects in the GCP organization or only one project per connection.
Provision a Domain-wide delegation client in Google Workspace.
Ensure specific APIs are enabled in the project
These are the GCP APIs that Drata will use for evidence collection automation. These APIs only need to be enabled on the project where the service account is created.
Go to the API & Services Dashboard and verify that the project you want to connect to Drata is selected (in the top menu bar next to the GCP logo).
Verify that the APIs are enabled and already in the list of available APIs & Services. If not, go to the API Library, search and enable them.
Not enabling these APIs does not prevent the connection, but the monitoring tests that depend on them cannot source the relevant data and will fail.
Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (or "Stackdriver Monitoring API")
Cloud Asset Inventory API (used to pull GCP Assets)
Troubleshoot
If the VPC Firewall Rules Enabled setting is enabled in the GCP environment, it might block Drata’s API calls. To learn how to create an allow list entry for Drata’s IP address, go to Dratabot.
Ensure all projects you would like to monitor in Drata belong to a GCP organization. Follow the instructions on Moving Projects to migrate any standalone projects to a connected organization.
When a GCP organization is created, a companion Google Workspace account is automatically provisioned by Google. You must grant the GCP service account access to your connected Google Workspace account through domain-wide delegation. This Google Workspace account does not need to be connected to Drata as your IdP.
Create a custom Project Role for Drata
Create a custom project role to allow Drata to read metadata on your buckets that are scoped outside the general project.
1. Under the project or organization dropdown in the header, select your main GCP project.
2. In the main navigation menu (in the left sidebar), go to the Roles page through "IAM & Admin → Roles" to create a custom project role.
3. Select the CREATE ROLE button on the top of the page, copy and paste the fields below into the form on the page, and set the Role launch stage to "General Availability".
Title: Drata Read-Only Project Role
Description: Service Account for Drata Autopilot to get read access to all project resources
ID: DrataReadOnlyProjectRole
4. Select the Add Permissions button to open the permissions modal to select the required permissions:
storage.buckets.get
storage.buckets.getIamPolicy
Note: Do not use the Filter permissions by role search bar. Use the filter field on the table.
Reduced permissions
For reduced permissions, create a custom project role and assign these ‘non-excess’ permissions required to complete the connection.
cloudsql.instances.list
compute.firewalls.list
compute.forwardingRules.list
compute.instances.list
compute.securityPolicies.list
compute.urlMaps.list
container.clusters.list
datastore.entities.get
datastore.entities.list
datastore.statistics.get
datastore.statistics.list
memcache.instances.list
monitoring.alertPolicies.list
monitoring.notificationChannels.get
pubsub.topics.list
redis.instances.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
storage.buckets.list
Create a Service Account and apply the Project Role
This is the mechanism that Drata utilizes to gain read-only access to your GCP account.
1. Within the same project, under the main navigation menu (in the left sidebar), go to the Service Accounts page through "IAM & Admin → Service Accounts" to create a new service account.
2. Select the CREATE SERVICE ACCOUNT button on the top of the page, copy and paste the fields below into the form on the first step, and then select Create.
Service Account Name: Drata Service Account (Note: the service account ID will auto-fill)
Service Account Description: Service Account with read-only access for Drata Autopilot
3. On Step 2, open the Select a role drop-down, hover over Basic and, in the Quick access sub-section, select Viewer in the fly-out menu.
The Project Viewer role allows listing Cloud Storage buckets, but does not allow listing or downloading bucket contents.
4. To add the custom Read-Only Project Role, select the ADD ANOTHER ROLE button. Then open Select a role and filter for "drata" to select the "Drata Read-Only Project Role" role. Once added, select CONTINUE and then DONE to finish creating the service account.
5. Copy and save the email that is shown in the row for the newly created Service Account. The email will be used in the Apply the Organization Role to an IAM account section.
6. Select the ellipsis button in the right column, then select Manage Key and Add Key. In the modal, make sure JSON is selected as the Key type and then select Create. This downloads a JSON key file to your machine (you will need it to complete the connection).
7. Select the name of the Service Account to go to its detail page, then select the Details tab on the top.
8. Copy and save the Unique ID that was generated. The ID is used in the Provision a Domain wide delegation client in Google Workspace section.
Create a custom Organization Role for Drata
Most IAM accounts are scoped at the organization level, and a project-level service account has no access to them. This organization role grants that access so Drata can auto-sync your infrastructure accounts.
1. Under the project or organization dropdown in the header, switch back to your organization.
2. In the main navigation menu (in the left sidebar), go to the Roles page via "IAM & Admin → Roles" to create the custom Organizational Role.
3. Click on the CREATE ROLE button on the top of the page, copy and paste the fields below into the form on the page, and make sure to set the Role launch stage to "General Availability".
Title: Drata Read-Only Organizational Role
Description: Service Account with read-only access for Drata Autopilot to get organizational IAM data.
ID: DrataReadOnlyOrganizationalRole
Note: For the following steps, do not use the Filter permissions by role search bar. Use the filter field on the table.
4. Select the Add Permissions button to open the permissions modal, filter the table down to the needed permissions, and select each of the following:
cloudasset.assets.searchAllResources
resourcemanager.folders.get
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
5. Select the CREATE button to create the role.
Apply the Organization Role to an IAM account
Now we are going to grant your new service account access to your organization with the custom organizational role you just created!
NOTE: It will not be possible to assign this role to the IAM account if the user creating the binding does not have the 'Owner' role (see the Prerequisites section at the top of this article).
Ensure you are still in your organization from the project selector in the header.
In the main navigation menu (in the left sidebar), go to the IAM page via "IAM & Admin → IAM", so we can create the IAM account.
Click on the GRANT ACCESS button towards the top of the page and in the New members text field, enter the email of the project-level service account (which you saved from a step above).
Select the Select a role select box, and use the value below to copy and paste the custom role name we created above.
Drata Read-Only Organizational Role
If you wish to connect multiple projects to Drata (including any new projects), you will need to add one more role to the service account. Open the Select a role drop-down, hover over Basic and, in the Quick access sub-section, select Viewer in the fly-out menu.
Select the Save button.
Provision a Domain wide delegation client in Google Workspace
Log in to your Google Admin console with an account that has Super Admin privileges, then go to "Security → Access and data control → API controls." Scroll to the bottom to get to Domain wide delegation.
In the Domain wide delegation section, click on Manage Domain Wide Delegation button.
Note: If you are using Google Workspace as your IdP and have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:
https://www.googleapis.com/auth/admin.directory.user.readonly
Ensure this entry remains intact so as not to break your IdP connection.
Click on the Add new button.
Enter the numeric client ID you saved earlier (the service account's Unique ID, not its email address).
Leave the Overwrite existing client ID checkbox un-checked.
Copy and paste the scopes below into the OAuth scopes (comma-delimited) text field. Once done, click on the AUTHORIZE button.
Comma-delimited Scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly
For improved readability, the same scopes are listed without commas and separated by spaces:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
🎉 You have just successfully set up proper read-only access for Drata! 🎉
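As an added check (example code, not Drata's or Google's), the script below audits the artifacts produced by the procedure above: it compares a custom role, as printed by `gcloud iam roles describe --format=json`, against the permission lists documented in this article (flagging anything missing or in excess of read-only), and it extracts from the downloaded key file the two identifiers you were told to save, the service account email for the organization binding and the numeric Unique ID for domain-wide delegation. The role and key JSON inputs are constructed samples.

```python
import json
import re

# Permission sets exactly as documented in this article, keyed by role ID.
EXPECTED = {
    "DrataReadOnlyProjectRole": {"storage.buckets.get", "storage.buckets.getIamPolicy"},
    "DrataReadOnlyOrganizationalRole": {
        "cloudasset.assets.searchAllResources", "resourcemanager.folders.get",
        "resourcemanager.organizations.get", "resourcemanager.organizations.getIamPolicy",
        "storage.buckets.get", "storage.buckets.getIamPolicy"},
}

def audit_role(role_json):
    # Input: one role as printed by `gcloud iam roles describe ... --format=json`.
    role = json.loads(role_json)
    role_id = role["name"].rsplit("/", 1)[-1]  # ".../roles/<ID>" -> "<ID>"
    granted = set(role.get("includedPermissions", []))
    expected = EXPECTED[role_id]
    return {"role": role_id,
            "missing": sorted(expected - granted),  # tests will lack data
            "excess": sorted(granted - expected),   # more than read-only needs
            "ga": role.get("stage") == "GA"}        # "General Availability"

def key_file_identities(key_json):
    # Input: the JSON key downloaded in step 6. Returns the email (org IAM
    # binding) and the numeric Unique ID (domain-wide delegation client ID).
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    if not re.fullmatch(r"\d+", key.get("client_id", "")):
        raise ValueError("client_id must be the numeric unique ID")
    return {"email": key["client_email"], "client_id": key["client_id"]}

# Constructed sample inputs, not real GCP output.
SAMPLE_ROLE = json.dumps({
    "name": "organizations/000000000000/roles/DrataReadOnlyOrganizationalRole",
    "stage": "GA",
    "includedPermissions": [
        "cloudasset.assets.searchAllResources", "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy", "storage.buckets.get",
        "storage.buckets.getIamPolicy",
        "storage.objects.get",  # excess: would let the key read bucket contents
    ],
})
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "client_email": "drata-service-account@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})
```

Run `audit_role(SAMPLE_ROLE)` and `key_file_identities(SAMPLE_KEY)` against your own gcloud output and key file; a non-empty "excess" list means the role grants more than this article requires.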
Additional Resources