Apono Connector for GCP
How to install the Apono connector on a GKE cluster with Helm, to integrate a GCP Organization or a single GCP Project with Apono.
To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.
The GCP connector runs on a GKE cluster. You can install it from the CLI (this guide) or with GCP Deployment Manager in the GCP console. The connector's service account needs IAM roles on the organization or on a specific project, depending on the scope you want Apono to manage.
To manage access to a single GCP Project, install the connector in a GKE cluster on that project and grant its service account the required roles on the project. Follow the GCP Project Connector section below.
To manage access to a GCP Organization, install the connector in a GKE cluster on any project and grant its service account the required roles on the organization. Follow the GCP Organization Connector section below.
How to install
GCP Organization Connector
Using Helm
Prerequisites
A GKE cluster on any GCP Project of your choosing, with Workload Identity enabled (the binding below uses the cluster's PROJECT_ID.svc.id.goog identity pool)
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Step-by-step guide
Prepare parameters for Apono installation
Fill in and export the following variables. The Apono token is a credential that lets a connector register with your Apono account: treat it as a secret and keep it out of shell history, CI logs and screenshots (the echo below only confirms it is set rather than printing it).
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace
echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: ${APONO_TOKEN:+(set)}"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"
Set the connector service account variable:
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com &&
echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
Make sure the Cloud Resource Manager API is enabled:
gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
Create the IAM Service Account and grant it the roles Browser, Security Admin and Tag Viewer on the entire organization. Note that roles/iam.securityAdmin lets the connector read and modify IAM policies on every resource under the organization, which is what JIT grants and revocations require; treat this service account, and the GKE cluster that can impersonate it, as privileged infrastructure.
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/browser"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/resourcemanager.tagViewer"
Verify the default GKE cluster for installation
The helm command below installs into whatever cluster is the current kubectl context, so check it first. List the available contexts:
kubectl config get-contexts
Set the target cluster as the current context:
kubectl config use-context <cluster-context-name>
Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.
Bind the IAM Service Account to the K8S Service Account
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
--member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
--role="roles/iam.workloadIdentityUser" \
--project $PROJECT_ID
Install Helm Chart
The helm chart installs the following:
Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--set-string apono.token=$APONO_TOKEN \
--set-string apono.connectorId=$APONO_CONNECTOR_ID \
--set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
--namespace $NAMESPACE \
--create-namespace
GCP Project Connector
Using Helm
Prerequisites
A GKE cluster on the GCP Project you'd like to integrate with Apono, with Workload Identity enabled (the binding below uses the cluster's PROJECT_ID.svc.id.goog identity pool)
Kubernetes command-line tool (kubectl)
The Apono GCP token generated in the Apono UI:

Step-by-step guide
Prepare parameters for Apono installation
Fill in and export the following variables. The Apono token is a credential that lets a connector register with your Apono account: treat it as a secret and keep it out of shell history, CI logs and screenshots (the echo below only confirms it is set rather than printing it).
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace
echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: ${APONO_TOKEN:+(set)}"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
Set the following variable:
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
Make sure the Cloud Resource Manager API is enabled:
gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
Create the IAM Service Account and grant it the roles Browser, Security Admin and Tag Viewer on the project. Note that roles/iam.securityAdmin lets the connector read and modify IAM policies on every resource in the project, which is what JIT grants and revocations require; treat this service account, and the GKE cluster that can impersonate it, as privileged infrastructure.
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/browser"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/iam.securityAdmin"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
--role="roles/resourcemanager.tagViewer"
Verify the default GKE cluster for installation
The helm command below installs into whatever cluster is the current kubectl context, so check it first. List the available contexts:
kubectl config get-contexts
Set the target cluster as the current context:
kubectl config use-context <cluster-context-name>
Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.
Bind the IAM Service Account to the K8S Service Account
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
--member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
--role="roles/iam.workloadIdentityUser" \
--project $PROJECT_ID
Install Helm Chart
The helm chart installs the following:
Kubernetes Deployment containing the Apono-Connector image container
Kubernetes Service Account annotated with GCP IAM Service Account
Kubernetes Secret containing Docker Registry credentials
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
--set-string apono.token=$APONO_TOKEN \
--set-string apono.connectorId=$APONO_CONNECTOR_ID \
--set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
--namespace $NAMESPACE \
--create-namespace
Interested in HA for the connector?
Add this value to the helm install command to run more than one replica of the Apono connector (replicaCount is numeric, so pass it with --set rather than --set-string):
--set replicaCount=<number_of_replicas>
Read more here.
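The two procedures above (organization-scoped and project-scoped) share the same failure modes: a mistyped variable, a role binding that never landed, a Workload Identity binding that names the wrong namespace, or a Kubernetes service account that ended up without the GSA annotation. The script below is an added example, not part of the Apono docs or Helm chart, that checks all of these before and after helm install. It assumes the service account name apono-connector-iam-sa and the Kubernetes service account name apono-connector-service-account exactly as used in the guide; the gcloud --flatten/--filter/--format calls and the iam.gke.io/gcp-service-account annotation are the standard ways to read IAM bindings and the Workload Identity mapping. Without --live it only runs the offline validation on a constructed role list.

```shell
#!/bin/sh
# Added pre-flight/post-install checks for the Apono connector (example code, not
# part of the Apono docs or Helm chart). Export the guide's variables first, then:
#   sh apono-preflight.sh --live    # query gcloud/kubectl
#   sh apono-preflight.sh           # offline demo on constructed data
# Assumption: service account and KSA names exactly as used in the guide.

REQUIRED_ROLES="roles/browser roles/iam.securityAdmin roles/resourcemanager.tagViewer"
KSA_NAME="apono-connector-service-account"   # Kubernetes SA created by the chart

# Validate the exported inputs before any gcloud call. Prints each problem to
# stderr and returns 1 if anything is wrong. ORGANIZATION_ID may be empty
# (project-scoped connector).
validate_inputs() {
  project=$1; token=$2; namespace=$3; org=${4:-}; rc=0
  # Project IDs: 6-30 chars, lowercase letters, digits, hyphens; start with a letter
  printf '%s' "$project" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$' \
    || { echo "PROJECT_ID '$project' is not a valid project ID" >&2; rc=1; }
  [ -n "$token" ] || { echo "APONO_TOKEN is empty" >&2; rc=1; }
  # Namespaces are DNS labels: lowercase alphanumerics and hyphens, max 63 chars
  printf '%s' "$namespace" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$' \
    || { echo "NAMESPACE '$namespace' is not a valid DNS label" >&2; rc=1; }
  if [ -n "$org" ]; then
    printf '%s' "$org" | grep -Eq '^[0-9]+$' \
      || { echo "ORGANIZATION_ID '$org' must be numeric" >&2; rc=1; }
  fi
  return $rc
}

# The Workload Identity member that the roles/iam.workloadIdentityUser binding
# on the IAM service account must name: PROJECT.svc.id.goog[NAMESPACE/KSA].
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$KSA_NAME"; }

# Read the roles granted to the SA (one per line) on stdin and print the
# required roles that are absent. Returns 1 if any is missing.
missing_roles() {
  granted=$(cat); missing=""
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$granted" | grep -qxF "$role" || missing="$missing $role"
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' $missing; return 1
}

# Live checks: roles at the chosen scope, the Workload Identity binding on the
# SA, and (after helm install) the annotation that ties the KSA to the SA.
live_checks() {
  sa="apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com"
  if [ -n "${ORGANIZATION_ID:-}" ]; then scope="organizations $ORGANIZATION_ID"
  else scope="projects $PROJECT_ID"; fi
  gcloud $scope get-iam-policy --flatten='bindings[].members' \
      --filter="bindings.members:serviceAccount:$sa" --format='value(bindings.role)' \
    | missing_roles || { echo "^ required roles missing for $sa on $scope" >&2; return 1; }
  want=$(wi_member "$PROJECT_ID" "$NAMESPACE")
  gcloud iam service-accounts get-iam-policy "$sa" --project "$PROJECT_ID" \
      --flatten='bindings[].members' --filter='bindings.role=roles/iam.workloadIdentityUser' \
      --format='value(bindings.members)' | grep -qxF "$want" \
    || { echo "no roles/iam.workloadIdentityUser binding for $want" >&2; return 1; }
  # Only meaningful once the chart is installed: this annotation is what GKE
  # Workload Identity uses to map the KSA to the IAM service account.
  got=$(kubectl -n "$NAMESPACE" get serviceaccount "$KSA_NAME" \
        -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}' 2>/dev/null)
  [ "$got" = "$sa" ] || echo "note: KSA annotation is '$got' (expected $sa after helm install)" >&2
  echo "pre-flight checks passed for $sa"
}

if [ "${1:-}" = "--live" ]; then
  validate_inputs "${PROJECT_ID:-}" "${APONO_TOKEN:-}" "${NAMESPACE:-}" "${ORGANIZATION_ID:-}" \
    && live_checks || exit 1
else
  # Offline demo on a constructed (not real) role list that lacks Security Admin.
  printf 'roles/browser\nroles/resourcemanager.tagViewer\n' | missing_roles \
    || echo "^ would be reported as missing"
fi
```

Run it with --live once after the IAM steps (expect only the annotation note) and again after helm install (expect a clean pass). A missing role at the wrong scope is the most common mistake: the organization connector needs the bindings on the organization, not on the project hosting the cluster, and the script checks whichever scope ORGANIZATION_ID selects.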
Results
You can validate the Connector is installed in the Connector status page.
Then, In the Apono app, you will see the connector was found and a green checkmark indication.
Hurray!
You now have a GCP connector installed in your GCP environment with permissions on the Project or Organization you chose.
You can now integrate Apono with a GCP Project or GCP Organization.