Apono Connector for GCP

How to install a Connector on a GCP Project to integrate a GCP Organization or Project with Apono

Overview

To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster. You can do this with CLI or with GCP Deployment Manager in the GCP Portal. The Apono connector will require permissions to the organization or to a specific project, depending on the level of access management you want to achieve with Apono.

  • To manage access to a single GCP Project, install a connector in a GKE cluster on that project and give the connector the appropriate role to the project. Follow this guide.
  • To manage access to a GCP Organization, install a connector in a GKE cluster on any project and give the connector the appropriate role to the organization. Follow this guide.

πŸ“˜

What's a connector? What makes it so secure?

The Apono Connector is an on-prem connection that can be used to connect resources to Apono and separate the Apono web app from the environment for maximal security.

Read more about the recommended GCP Installation Architecture.

How to install

GCP Organization Connector

Using Helm

Prerequisites

  • Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.

Step-by-step guide

  1. Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"

Set the connector service account variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && 

echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
  1. Make sure Cloud Resource Manager API is enabled
gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID
  1. Create IAM Service Account and grant it the roles: Browser, Security Admin and Tag Viewer for the entire organization.
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"
  1. Verifying default GKE cluster for installation
  • Open the Kubernetes command-line tool
  • Run kubectl config get-contexts to see the GKE clusters list
  • Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
  • Run kubectl get-contexts - verify the "*" indicates the correct cluster.
  1. Bind the IAM Service Account to the K8S Service Account
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
  1. Install Helm Chart

The helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container
  • Kubernetes Service Account annotated with GCP IAM Service Account
  • Kubernetes Secret containing Docker Registry credentials
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

GCP Project Connector

Using Helm

Prerequisites

  • Make sure Cloud Asset API is turned on in the Project where the connector is installed using this link.

Step-by-step guide

  1. Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the following variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
  1. Enable Cloud Resource Manager API
gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID
  1. Create IAM Service Account and grant it with the roles: Browser, Security Admin and Tag Viewer for the project.
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID
    
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID
  1. Verifying default GKE cluster for installation
  • Open the Kubernetes command-line tool
  • Run kubectl config get-contexts to see the GKE clusters list
  • Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
  • Run kubectl get-contexts - verify the "*" indicates the correct cluster.
  1. Bind the IAM Service Account to the K8S Service Account
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
  1. Install Helm Chart

The helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container
  • Kubernetes Service Account annotated with GCP IAM Service Account
  • Kubernetes Secret containing Docker Registry credentials
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Results

You can validate the Connector is installed in the Connector status page.

Then, In the Apono app, you will see the connector was found and a green checkmark indication.

πŸ‘

Hurray!

You now have a GCP connector installed in your GCP environment with permissions to the Project.

You can now integrate Apono with a GCP Project or GCP Organization.