# Apono Connector for GCP

To [integrate with GCP](/docs/gcp-environment/gcp-integrations/integrate-a-gcp-organization-or-project.md) and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster, either from the CLI or with GCP Deployment Manager in the GCP Portal. The Apono connector requires permissions on the organization or on a specific project, depending on the scope at which you want Apono to manage access.

* To manage access to a single GCP Project, install a connector in a GKE cluster on that project and grant the connector the appropriate roles on the project. Follow [this guide](#gcp-project-connector).
* To manage access to a GCP Organization, install a connector in a GKE cluster on any project and grant the connector the appropriate roles on the organization. Follow [this guide](#gcp-organization-connector).

{% hint style="info" %}
What's a connector? What makes it so secure?

The Apono Connector is an on-premises component that connects your resources to Apono while keeping the Apono web app separated from your environment, for maximal [security](/docs/about-apono/security-and-architecture.md).

Read more about the recommended [GCP Installation Architecture](/docs/about-apono/security-and-architecture.md#apono-and-gcp).
{% endhint %}

## How to install

### GCP Organization Connector

#### Using Helm

**Prerequisites**

* [A GCP user with *owner* permissions for the organization](https://support.google.com/cloud/answer/7284057?hl=en)
* A GKE cluster on any GCP Project of your choosing
* [Google CLI](https://cloud.google.com/sdk/docs/install)
* [Kubernetes CLI](https://kubernetes.io/docs/reference/kubectl/) (`kubectl`)
* The Apono GCP token generated in the Apono UI:

<figure><img src="/files/7t5KolZ3mEMJwC1uxinY" alt="" width="563"><figcaption></figcaption></figure>

* [Organization ID](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id)
* [Project ID](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)
* Make sure `Cloud Asset API` is [turned on](https://console.developers.google.com/apis/api/cloudasset.googleapis.com/overview?project=\[CONNECTOR_PROJECT]) in the Project where the connector is installed.

{% hint style="info" %}
Learn more about the [Cloud Asset API](https://cloud.google.com/asset-inventory/docs/reference/rest).
{% endhint %}

**Step-by-step guide**

1. **Prepare parameters for Apono installation**

Fill and set the values for the following variables:

```shell
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"
```

Set the connector service account variable:

{% code overflow="wrap" %}

```shell
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
```

{% endcode %}

2. **Make sure Cloud Resource Manager API is enabled**

```shell
gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID
```

3. **Create IAM Service Account and grant it the roles: Browser, Security Admin and Tag Viewer for the entire organization.**

```shell
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"
```

4. **Verify the default GKE cluster for installation**

* Open the Kubernetes command-line tool
* Run `kubectl config get-contexts` to see the list of GKE clusters
* Set the desired cluster as the default with `kubectl config use-context <context-name>`
* Run `kubectl config get-contexts` again and verify that the `*` marks the correct cluster

5. **Bind the IAM Service Account to the K8S Service Account**

```shell
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
```

6. **Install Helm Chart**

The Helm chart installs the following:

* Kubernetes Deployment containing the Apono-Connector image container
* Kubernetes Service Account annotated with GCP IAM Service Account
* Kubernetes Secret containing Docker Registry credentials

{% code overflow="wrap" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}

{% hint style="info" %}
Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

`--set-string replicaCount=<number_of_replicas>`

Read more [here](/docs/connectors-and-secrets/high-availability-for-connectors.md).
{% endhint %}

### GCP Project Connector

#### Using Helm

**Prerequisites**

* [A GCP user with *owner* permissions for the organization](https://support.google.com/cloud/answer/7284057?hl=en)
* A GKE cluster on the GCP Project you'd like to integrate with Apono
* [Google CLI](https://cloud.google.com/sdk/docs/install)
* [Kubernetes CLI](https://kubernetes.io/docs/reference/kubectl/) (`kubectl`)
* The Apono GCP token generated in the Apono UI:

<figure><img src="/files/7t5KolZ3mEMJwC1uxinY" alt="" width="563"><figcaption></figcaption></figure>

* [Project ID](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)
* Make sure `Cloud Asset API` is [turned on](https://console.developers.google.com/apis/api/cloudasset.googleapis.com/overview?project=\[CONNECTOR_PROJECT]) in the Project where the connector is installed.

{% hint style="info" %}
Learn more about the [Cloud Asset API](https://cloud.google.com/asset-inventory/docs/reference/rest).
{% endhint %}

**Step-by-step guide**

1. **Prepare parameters for Apono installation**

Fill and set the values for the following variables:

```sh
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
```

Set the following variable:

{% code overflow="wrap" %}

```shell
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
```

{% endcode %}

2. **Enable Cloud Resource Manager API**

{% code overflow="wrap" %}

```shell
gcloud services enable cloudresourcemanager.googleapis.com  --project $PROJECT_ID
```

{% endcode %}

3. **Create IAM Service Account and grant it the roles: Browser, Security Admin and Tag Viewer for the project.**

```shell
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID
    
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID
```

4. **Verify the default GKE cluster for installation**

* Open the Kubernetes command-line tool
* Run `kubectl config get-contexts` to see the list of GKE clusters
* Set the desired cluster as the default with `kubectl config use-context <context-name>`
* Run `kubectl config get-contexts` again and verify that the `*` marks the correct cluster

5. **Bind the IAM Service Account to the K8S Service Account**

```shell
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
```

6. **Install Helm Chart**

The Helm chart installs the following:

* Kubernetes Deployment containing the Apono-Connector image container
* Kubernetes Service Account annotated with GCP IAM Service Account
* Kubernetes Secret containing Docker Registry credentials

{% code overflow="wrap" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}

{% hint style="success" %}
Interested in HA for the connector?

Add this variable to the Helm chart to create one or more replicas of the Apono connector instance:

`--set-string replicaCount=<number_of_replicas>`

Read more [here](/docs/connectors-and-secrets/high-availability-for-connectors.md).
{% endhint %}
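The two guides above consume the same handful of values (project ID, namespace, organization ID) and grant the connector service account exactly three roles. A typo in one of those variables surfaces late, as an empty `--project` or a Workload Identity binding for a non-existent namespace, and a connector service account that quietly accumulates roles beyond the three listed is a least-privilege regression worth catching. The script below is an added example, not part of the Apono documentation or Helm chart: it validates the guide's variables offline, derives the service-account email and Workload Identity member string exactly as the guide's commands build them, and audits a captured role listing against the expected set. The function names, the constructed sample listings, and the sample identifiers are all assumptions made here; the `gcloud` command in the comment is only the standard way to produce the listing and is not run.

```shell
#!/usr/bin/env bash
# Added example (not from the Apono docs): offline preflight and post-install
# role audit for the connector installation steps above.
export LC_ALL=C   # make [a-z] character ranges mean ASCII regardless of locale

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() {
  case "$1" in
    [a-z]*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!a-z0-9-]*|*-) return 1 ;;
  esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
}

# Organization IDs are purely numeric (what `gcloud projects get-ancestors` prints).
valid_org_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  return 0
}

# Kubernetes namespaces are DNS labels: lowercase alphanumerics and hyphens,
# at most 63 chars, starting and ending with an alphanumeric.
valid_namespace() {
  case "$1" in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# Derived names, built exactly as the guide's commands build them.
sa_email()  { printf '%s' "apono-connector-iam-sa@$1.iam.gserviceaccount.com"; }
wi_member() { printf '%s' "serviceAccount:$1.svc.id.goog[$2/apono-connector-service-account]"; }

# preflight PROJECT_ID NAMESPACE [ORGANIZATION_ID]
# Returns 0 only when every value the gcloud/helm commands will consume is well-formed.
preflight() {
  rc=0
  valid_project_id "$1" || { echo "PROJECT_ID '$1' is not a valid GCP project ID" >&2; rc=1; }
  valid_namespace "$2"  || { echo "NAMESPACE '$2' is not a valid Kubernetes namespace" >&2; rc=1; }
  if [ -n "${3:-}" ]; then
    valid_org_id "$3" || { echo "ORGANIZATION_ID '$3' must be numeric" >&2; rc=1; }
  fi
  return $rc
}

# The only roles the guide grants to the connector service account.
EXPECTED_ROLES="roles/browser
roles/iam.securityAdmin
roles/resourcemanager.tagViewer"

# has_role ROLE LIST  (LIST is whitespace/newline separated)
has_role() {
  for x in $2; do [ "$x" = "$1" ] && return 0; done
  return 1
}

# audit_roles ROLE_LISTING
# ROLE_LISTING is one role per line for the connector SA, e.g. from:
#   gcloud organizations get-iam-policy "$ORGANIZATION_ID" \
#     --flatten='bindings[].members' \
#     --filter="bindings.members:serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
#     --format='value(bindings.role)'
# Returns 1 if any role outside the expected set is present (privilege creep)
# or any expected role is missing (connector will not function).
audit_roles() {
  rc=0
  for r in $1; do
    has_role "$r" "$EXPECTED_ROLES" || { echo "UNEXPECTED role on connector SA: $r"; rc=1; }
  done
  for e in $EXPECTED_ROLES; do
    has_role "$e" "$1" || { echo "MISSING role on connector SA: $e"; rc=1; }
  done
  return $rc
}

# Constructed sample listings (not real gcloud output).
SAMPLE_OK="roles/browser
roles/iam.securityAdmin
roles/resourcemanager.tagViewer"
SAMPLE_EXTRA="$SAMPLE_OK
roles/owner"

# Demo run with constructed identifiers.
preflight "my-project-123" "apono-connector-namespace" "123456789012" && echo "preflight: ok"
echo "SA email: $(sa_email my-project-123)"
echo "WI member: $(wi_member my-project-123 apono-connector-namespace)"
audit_roles "$SAMPLE_OK" && echo "audit (expected set): ok"
audit_roles "$SAMPLE_EXTRA" || echo "audit (extra role present): flagged, as intended"
```

Run `preflight "$PROJECT_ID" "$NAMESPACE" "$ORGANIZATION_ID"` right after step 1 (omit the third argument for the project connector), and feed `audit_roles` the live role listing after step 3 and periodically afterwards; the pure-shell validators avoid any dependency on `gcloud` so the check also works in a CI job that has no cloud credentials.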

### Results

You can validate that the connector is installed on the [Connector status page](https://app.apono.io/connectors).

In the Apono app, the connector then appears as found, with a green checkmark.

{% hint style="success" %}
Hurray!

You now have a GCP connector installed in your GCP environment with permissions to the Project.

You can now integrate Apono with a [GCP Project](/docs/gcp-environment/gcp-integrations/integrate-a-gcp-organization-or-project.md#integrate-a-gcp-project) or [GCP Organization](/docs/gcp-environment/gcp-integrations/integrate-a-gcp-organization-or-project.md#integrate-a-gcp-organization).
{% endhint %}
