# Apono Connector for GCP

To [integrate with GCP](https://docs.apono.io/docs/gcp-environment/gcp-integrations/integrate-a-gcp-organization-or-project) and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster, either from the command line (the Helm procedure documented below) or with GCP Deployment Manager in the GCP console. The connector requires IAM roles on either the organization or a specific project, depending on the scope of access you want Apono to manage.

* To manage access to a single GCP project, install the connector in a GKE cluster in that project and grant its service account the required roles on that project. Follow [this guide](#gcp-project-connector).
* To manage access to a whole GCP organization, install the connector in a GKE cluster in any project of that organization and grant its service account the required roles on the organization. Follow [this guide](#gcp-organization-connector).

{% hint style="info" %}
What's a connector? What makes it so secure?

The Apono Connector is a component that runs inside your own environment. It connects your resources to Apono while keeping the Apono web app separate from that environment, for maximal [security](https://docs.apono.io/docs/about-apono/security-and-architecture).

Read more about the recommended [GCP Installation Architecture](https://docs.apono.io/docs/about-apono/security-and-architecture#apono-and-gcp).
{% endhint %}

## How to install

### GCP Organization Connector

#### Using Helm

**Prerequisites**

* [A GCP user with *owner* permissions for the organization](https://support.google.com/cloud/answer/7284057?hl=en)
* A GKE cluster on any GCP project of your choosing, with Workload Identity enabled (the service account binding in step 5 depends on it)
* [Google CLI](https://cloud.google.com/sdk/docs/install)
* [Kubernetes CLI](https://kubernetes.io/docs/reference/kubectl/) (`kubectl`)
* The Apono GCP token generated in the Apono UI:

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-117dbf28ce5c6ccb1f6a79b0b74dab3c98dd79f8%2FGCP-Apono-Connector-1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

* [Organization ID](https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id)
* [Project ID](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)
* Make sure the `Cloud Asset API` is [turned on](https://console.developers.google.com/apis/api/cloudasset.googleapis.com/overview?project=\[CONNECTOR_PROJECT]) in the project where the connector is installed.

{% hint style="info" %}
Learn more about the [Cloud Asset API](https://cloud.google.com/asset-inventory/docs/reference/rest).
{% endhint %}

**Step-by-step guide**

1. **Prepare parameters for Apono installation**

Fill and set the values for the following variables:

```shell
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account (treat it as a secret)
export APONO_TOKEN=
# Your organization ID (find it with: gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace the connector is deployed into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
# Do not print the token itself; confirm only that it is set
echo "APONO_TOKEN: set (${#APONO_TOKEN} characters)"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"
```

Set the connector service account variable:

{% code overflow="wrap" %}

```shell
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com
echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
```

{% endcode %}

2. **Make sure Cloud Resource Manager API is enabled**

```shell
gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
```

3. **Create the IAM service account and grant it the Browser, Security Admin and Tag Viewer roles on the entire organization.**

`roles/iam.securityAdmin` lets the connector read and modify IAM policies on every resource under the organization. That is what allows it to grant and revoke access, so treat the cluster and namespace that host the connector as privileged.

```shell
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"
```

4. **Verify the default GKE cluster for installation**

* Open a terminal where `kubectl` is configured for your clusters
* Run `kubectl config get-contexts` to list the available GKE clusters
* Set the desired cluster as the current context: `kubectl config use-context <context-name>`
* Run `kubectl config get-contexts` again and verify that the `*` marks the correct cluster.

5. **Bind the IAM service account to the Kubernetes service account (Workload Identity)**

```shell
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
```

6. **Install Helm Chart**

The Helm chart installs the following:

* A Kubernetes Deployment running the Apono connector container image
* A Kubernetes Service Account annotated with the GCP IAM service account
* A Kubernetes Secret containing the Docker registry credentials

{% code overflow="wrap" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}

{% hint style="info" %}
Interested in HA for the connector?

Add this value to the `helm install` command to run more than one replica of the Apono connector:

`--set-string replicaCount=<number_of_replicas>`

Read more [here](https://docs.apono.io/docs/connectors-and-secrets/high-availability-for-connectors).
{% endhint %}

### GCP Project Connector

#### Using Helm

**Prerequisites**

* [A GCP user with *owner* permissions on the project](https://support.google.com/cloud/answer/7284057?hl=en)
* A GKE cluster on the GCP project you'd like to integrate with Apono, with Workload Identity enabled (the service account binding in step 5 depends on it)
* [Google CLI](https://cloud.google.com/sdk/docs/install)
* [Kubernetes CLI](https://kubernetes.io/docs/reference/kubectl/) (`kubectl`)
* The Apono GCP token generated in the Apono UI:

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-117dbf28ce5c6ccb1f6a79b0b74dab3c98dd79f8%2FGCP-Apono-Connector-1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

* [Project ID](https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects)
* Make sure the `Cloud Asset API` is [turned on](https://console.developers.google.com/apis/api/cloudasset.googleapis.com/overview?project=\[CONNECTOR_PROJECT]) in the project where the connector is installed.

{% hint style="info" %}
Learn more about the [Cloud Asset API](https://cloud.google.com/asset-inventory/docs/reference/rest).
{% endhint %}

**Step-by-step guide**

1. **Prepare parameters for Apono installation**

Fill and set the values for the following variables:

```shell
# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account (treat it as a secret)
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The Kubernetes namespace the connector is deployed into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
# Do not print the token itself; confirm only that it is set
echo "APONO_TOKEN: set (${#APONO_TOKEN} characters)"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
```

Set the connector service account variable:

{% code overflow="wrap" %}

```shell
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
```

{% endcode %}

2. **Enable Cloud Resource Manager API**

{% code overflow="wrap" %}

```shell
gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
```

{% endcode %}

3. **Create the IAM service account and grant it the Browser, Security Admin and Tag Viewer roles on the project.**

`roles/iam.securityAdmin` lets the connector read and modify IAM policies on every resource in the project. That is what allows it to grant and revoke access, so treat the cluster and namespace that host the connector as privileged.

```shell
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"
```

4. **Verify the default GKE cluster for installation**

* Open a terminal where `kubectl` is configured for your clusters
* Run `kubectl config get-contexts` to list the available GKE clusters
* Set the desired cluster as the current context: `kubectl config use-context <context-name>`
* Run `kubectl config get-contexts` again and verify that the `*` marks the correct cluster.

5. **Bind the IAM service account to the Kubernetes service account (Workload Identity)**

```shell
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
```

6. **Install Helm Chart**

The Helm chart installs the following:

* A Kubernetes Deployment running the Apono connector container image
* A Kubernetes Service Account annotated with the GCP IAM service account
* A Kubernetes Secret containing the Docker registry credentials

{% code overflow="wrap" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}

{% hint style="success" %}
Interested in HA for the connector?

Add this value to the `helm install` command to run more than one replica of the Apono connector:

`--set-string replicaCount=<number_of_replicas>`

Read more [here](https://docs.apono.io/docs/connectors-and-secrets/high-availability-for-connectors).
{% endhint %}
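Before moving on to the results, it is worth confirming that the IAM footprint created in steps 3 and 5 of either guide above is exactly what the connector needs and nothing more. The script below is an added example written for this page; it is not part of Apono's documentation or Helm chart. It assumes the step 1 variables are exported (`PROJECT_ID`, `NAMESPACE`, `GCP_SERVICE_ACCOUNT_EMAIL`, and `ORGANIZATION_ID` only for an organization connector), that the Kubernetes service account is the `apono-connector-service-account` named in step 5, and that the chart annotates it with the standard GKE Workload Identity key `iam.gke.io/gcp-service-account`. The `gcloud --flatten/--filter` idiom used to list bindings is the one from the GCP IAM documentation; the page itself does not show it. The live `gcloud`/`kubectl` calls only run when the script is invoked with the `verify` argument, so the checking functions can be exercised offline on their own.

```shell
#!/usr/bin/env sh
# Added example (not Apono's code): verify the connector's IAM footprint
# after steps 3 and 5. Assumes PROJECT_ID, NAMESPACE, GCP_SERVICE_ACCOUNT_EMAIL
# (and ORGANIZATION_ID for an organization connector) are exported.

REQUIRED_ROLES="roles/browser roles/iam.securityAdmin roles/resourcemanager.tagViewer"
KSA_NAME="apono-connector-service-account"   # Kubernetes SA bound in step 5

# list_sa_roles SA_EMAIL: print, one per line, every role SA_EMAIL holds on the
# organization (when ORGANIZATION_ID is set) or otherwise on the project.
list_sa_roles() {
  if [ -n "${ORGANIZATION_ID:-}" ]; then
    gcloud organizations get-iam-policy "$ORGANIZATION_ID" \
      --flatten="bindings[].members" --filter="bindings.members:$1" \
      --format="value(bindings.role)"
  else
    gcloud projects get-iam-policy "$PROJECT_ID" \
      --flatten="bindings[].members" --filter="bindings.members:$1" \
      --format="value(bindings.role)"
  fi
}

# check_roles: read roles (one per line) from stdin. Returns 0 when the set is
# exactly REQUIRED_ROLES, 1 when a required role is missing, 2 when the account
# holds a role the connector does not need (least privilege violated).
check_roles() {
  roles=$(cat)
  status=0
  for r in $REQUIRED_ROLES; do
    if ! printf '%s\n' "$roles" | grep -qxF "$r"; then
      echo "MISSING: $r"
      status=1
    fi
  done
  for r in $roles; do
    case " $REQUIRED_ROLES " in
      *" $r "*) ;;
      *) echo "EXTRA: $r"
         if [ "$status" -eq 0 ]; then status=2; fi ;;
    esac
  done
  return $status
}

# expected_wi_member: the Workload Identity principal that step 5 binds.
expected_wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$PROJECT_ID" "$NAMESPACE" "$KSA_NAME"
}

# list_wi_members: principals allowed to impersonate the connector's IAM SA.
list_wi_members() {
  gcloud iam service-accounts get-iam-policy "$GCP_SERVICE_ACCOUNT_EMAIL" \
    --project "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role=roles/iam.workloadIdentityUser" \
    --format="value(bindings.members)"
}

# check_wi_binding: read members (one per line) from stdin; 0 only if the
# expected Workload Identity member is among them (exact, fixed-string match).
check_wi_binding() {
  grep -qxF "$(expected_wi_member)"
}

# ksa_annotation: the GCP SA the Kubernetes SA is annotated with (set by the
# Helm chart); it must equal GCP_SERVICE_ACCOUNT_EMAIL for Workload Identity.
ksa_annotation() {
  kubectl -n "$NAMESPACE" get serviceaccount "$KSA_NAME" \
    -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}'
}

# verify_connector_iam: run the three live checks; non-zero on any failure.
verify_connector_iam() {
  rc=0
  echo "Roles held by $GCP_SERVICE_ACCOUNT_EMAIL:"
  list_sa_roles "$GCP_SERVICE_ACCOUNT_EMAIL" | check_roles || rc=1
  echo "Workload Identity binding:"
  list_wi_members | check_wi_binding || { echo "MISSING: $(expected_wi_member)"; rc=1; }
  echo "Kubernetes service account annotation:"
  [ "$(ksa_annotation)" = "$GCP_SERVICE_ACCOUNT_EMAIL" ] \
    || { echo "WRONG OR MISSING annotation on $NAMESPACE/$KSA_NAME"; rc=1; }
  return $rc
}

# Live checks run only on request, e.g.: sh verify-apono-connector.sh verify
if [ "${1:-}" = "verify" ]; then
  verify_connector_iam
fi
```

An `EXTRA:` line is the one to act on if someone has granted the connector's service account a broader role (such as `roles/owner`) to "make it work"; the three roles above are all the connector needs, and anything beyond them widens what a compromise of the cluster could do.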

### Results

You can validate the Connector is installed in the [Connector status page](https://app.apono.io/connectors).

Then, in the Apono app, the connector appears as found, with a green checkmark.

{% hint style="success" %}
Hurray!

You now have a GCP connector installed in your GCP environment with permissions on the project or organization you chose.

You can now integrate Apono with a [GCP Project](https://docs.apono.io/docs/gcp-integrations/integrate-a-gcp-organization-or-project#integrate-a-gcp-project) or [GCP Organization](https://docs.apono.io/docs/gcp-integrations/integrate-a-gcp-organization-or-project#integrate-a-gcp-organization).
{% endhint %}
