Apono Connector for GCP

How to install a connector with Helm on a GCP project, to integrate a GCP organization or project with Apono

Last updated 7 months ago

To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster. You can do this with the CLI or with GCP Deployment Manager in the GCP Portal. The Apono connector requires permissions on the organization or on a specific project, depending on the scope of access management you want Apono to cover.

  • To manage access to a single GCP project, install a connector in a GKE cluster on that project and grant the connector the appropriate roles on the project. Follow the GCP Project Connector steps below.

  • To manage access to a GCP organization, install a connector in a GKE cluster on any project and grant the connector the appropriate roles on the organization. Follow the GCP Organization Connector steps below.

What's a connector? What makes it so secure?

The Apono connector is an on-premises component that connects your resources to Apono while keeping the Apono web app separated from your environment, for maximal security.

Read more about the recommended GCP Installation Architecture.

How to install

GCP Organization Connector

Using Helm

Prerequisites

  • A GCP user with owner permissions for the organization

  • Google CLI (gcloud)

  • A GKE cluster on any GCP project of your choosing

  • Kubernetes command-line tool (kubectl)

  • The Apono GCP token generated in the Apono UI

Step-by-step guide

  1. Prepare parameters for the Apono installation

Fill in and export the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono account
export APONO_TOKEN=
# Your Organization ID (find it with: gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
# Caution: this echoes the Apono token in clear text to your terminal session
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"

Set the connector service account variable:

# Email of the IAM service account created in the service-account step below, derived from the project ID
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

  2. Make sure the Cloud Resource Manager API is enabled

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID

  3. Create the IAM service account and grant it the roles Browser, Security Admin and Tag Viewer on the entire organization.

# Create the service account in the project that hosts the connector
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

# Bind the three roles at organization scope
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"

  4. Verify the default GKE cluster for installation

  • Open the Kubernetes command-line tool

  • Run kubectl config get-contexts to list the GKE clusters

  • Set the desired cluster as the current context: kubectl config use-context <cluster-name>

  • Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.

  5. Bind the IAM service account to the Kubernetes service account

# Allow the connector's Kubernetes service account to impersonate the IAM service account via Workload Identity
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

  6. Install the Helm chart

The Helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container

  • Kubernetes Service Account annotated with the GCP IAM service account

  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this flag to the helm install command above to run one or more replicas of the Apono connector:

--set-string replicaCount=<number_of_replicas>
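Two of the steps above are easy to get wrong silently: the ORGANIZATION_ID value (the parameter step only points at gcloud projects get-ancestors) and the active kubectl context (the cluster-verification step), where a wrong context installs the connector on an unrelated cluster. The script below is an added example, not part of Apono's documentation or Helm chart. It derives the organization ID from get-ancestors output, refuses to proceed when required variables are empty or the active context is not the expected cluster, and runs on constructed sample output so it works offline; the two-column ID/TYPE layout of get-ancestors, the sample context names and the function names are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of Apono's documentation or chart: pre-flight checks
# for the parameter and cluster-selection steps above. The gcloud/kubectl
# output used below is CONSTRUCTED sample text so the script runs offline;
# with real tooling, pipe the live command output into the same functions.

# Derive ORGANIZATION_ID from `gcloud projects get-ancestors $PROJECT_ID`
# output (assumed layout: a header row, then two columns, ID and TYPE).
# Prints the ID of the row whose TYPE is "organization"; returns 1 when the
# project has no parent organization, in which case an org-scoped install
# cannot work and the project-scoped steps apply instead.
apono_org_id_from_ancestors() {
    org=$(awk 'NR > 1 && $2 == "organization" { print $1 }')
    [ -n "$org" ] || return 1
    printf '%s\n' "$org"
}

# Fail (and name the culprits) if any variable the install needs is empty, so
# a blank APONO_TOKEN or NAMESPACE is caught before helm runs with it.
apono_check_params() {
    missing=""
    for name in PROJECT_ID APONO_TOKEN ORGANIZATION_ID APONO_CONNECTOR_ID NAMESPACE; do
        eval "val=\${$name:-}"
        [ -n "$val" ] || missing="$missing $name"
    done
    [ -z "$missing" ] || { echo "unset variables:$missing" >&2; return 1; }
}

# Extract the active context (the row marked "*") from
# `kubectl config get-contexts` output read on stdin.
apono_current_context() {
    awk 'NR > 1 && $1 == "*" { print $2 }'
}

# Return 0 only when the active kubectl context is the expected GKE cluster;
# anything else means the Helm install would land on the wrong cluster.
apono_require_context() {
    [ "$(apono_current_context)" = "$1" ]
}

# --- Demonstration on constructed sample output (no cloud access needed) ---
SAMPLE_ANCESTORS='ID              TYPE
my-project      project
123456789012    folder
987654321098    organization'

SAMPLE_CONTEXTS='CURRENT   NAME                               CLUSTER   AUTHINFO   NAMESPACE
*         gke_my-project_us-central1_apono   c1        a1
          gke_my-project_europe-west1_dev    c2        a2'

main() {
    PROJECT_ID=my-project           # constructed values standing in for the
    APONO_TOKEN=placeholder-token   # ones exported in the parameter step
    APONO_CONNECTOR_ID=apono-google-integration
    NAMESPACE=apono-connector-namespace
    ORGANIZATION_ID=$(printf '%s\n' "$SAMPLE_ANCESTORS" | apono_org_id_from_ancestors) \
        || { echo "no parent organization: use the project-scoped install" >&2; return 1; }
    apono_check_params || return 1
    echo "ORGANIZATION_ID: $ORGANIZATION_ID"
    if printf '%s\n' "$SAMPLE_CONTEXTS" | apono_require_context gke_my-project_us-central1_apono; then
        echo "kubectl context is the expected cluster; safe to run helm install"
    else
        echo "refusing to continue: active kubectl context is not the expected cluster"
    fi
}
main
```

With live tooling, replace the two sample strings with `gcloud projects get-ancestors "$PROJECT_ID"` and `kubectl config get-contexts` piped into the same functions, and run the script before the helm install step.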

GCP Project Connector

Using Helm

Prerequisites

  • A GCP user with owner permissions for the organization

  • Google CLI (gcloud)

  • A GKE cluster on the GCP project you'd like to integrate with Apono

  • Kubernetes command-line tool (kubectl)

  • The Apono GCP token generated in the Apono UI

Step-by-step guide

  1. Prepare parameters for the Apono installation

Fill in and export the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
# Caution: this echoes the Apono token in clear text to your terminal session
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the connector service account variable:

# Email of the IAM service account created in the service-account step below, derived from the project ID
export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

  2. Enable the Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID

  3. Create the IAM service account and grant it the roles Browser, Security Admin and Tag Viewer on the project.

# Create the service account in the project that hosts the connector
gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

# Bind the three roles at project scope
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID

  4. Verify the default GKE cluster for installation

  • Open the Kubernetes command-line tool

  • Run kubectl config get-contexts to list the GKE clusters

  • Set the desired cluster as the current context: kubectl config use-context <cluster-name>

  • Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.

  5. Bind the IAM service account to the Kubernetes service account

# Allow the connector's Kubernetes service account to impersonate the IAM service account via Workload Identity
gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

  6. Install the Helm chart

The Helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container

  • Kubernetes Service Account annotated with the GCP IAM service account

  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

Interested in HA for the connector?

Add this flag to the helm install command above to run one or more replicas of the Apono connector:

--set-string replicaCount=<number_of_replicas>

Results

In the Apono app, the connector now appears as found, with a green checkmark.

Hurray!

You now have a GCP connector installed in your GCP environment with permissions to the project.

Make sure the Cloud Asset API is turned on in the project where the connector is installed.

You can validate that the connector is installed in the Connector status page.

You can now integrate Apono with a GCP Project or GCP Organization.
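The green checkmark only says the connector reached Apono; it says nothing about whether the service account still holds exactly the three roles the guide grants, or whether the Workload Identity wiring from the binding step and the chart's annotation agree. The script below is an added example, not Apono's own tooling, for both the organization-scoped and the project-scoped install above. It compares the roles bound to the connector's service account against the expected set and checks the Kubernetes service account annotation against the IAM service account email, using constructed sample input so it runs offline. Assumptions: that the chart's annotation is GKE's standard iam.gke.io/gcp-service-account key (the page only says the service account is annotated with the GCP IAM service account), the gcloud listing command given in the comments, the function names, and the sample role list.

```shell
#!/usr/bin/env sh
# Added example, not Apono's own tooling: a post-install least-privilege
# review of the connector's IAM service account and its Workload Identity
# wiring. The policy listing and annotation value below are CONSTRUCTED
# samples so the script runs offline; the comments give the live commands
# whose output you would pipe in instead.

# The three roles the guide grants the connector (at organization or project
# scope). Anything beyond this set is privilege drift worth investigating.
APONO_EXPECTED_ROLES='roles/browser
roles/iam.securityAdmin
roles/resourcemanager.tagViewer'

# Read the roles currently bound to the service account (one per line on
# stdin) and compare them with the expected set. Prints "extra <role>" and
# "missing <role>" lines; returns 1 on any difference, 0 when they match.
# Live input for an organization-scoped connector (for project scope, use
# `gcloud projects get-iam-policy "$PROJECT_ID"` with the same flags):
#   gcloud organizations get-iam-policy "$ORGANIZATION_ID" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
#     --format="value(bindings.role)"
apono_role_drift() {
    granted=$(sort -u)
    expected=$(printf '%s\n' "$APONO_EXPECTED_ROLES" | sort -u)
    drift=0
    for role in $granted; do
        printf '%s\n' "$expected" | grep -qxF "$role" || { echo "extra $role"; drift=1; }
    done
    for role in $expected; do
        printf '%s\n' "$granted" | grep -qxF "$role" || { echo "missing $role"; drift=1; }
    done
    return $drift
}

# Workload Identity only works when the Kubernetes service account's
# iam.gke.io/gcp-service-account annotation (assumed to be what the chart
# sets) names the same GCP service account that received
# roles/iam.workloadIdentityUser in the binding step. The expected email is
# the argument; the annotation value is read from stdin. Live input:
#   kubectl get serviceaccount apono-connector-service-account -n "$NAMESPACE" \
#     -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}'
apono_check_wi_annotation() {
    [ "$(cat)" = "$1" ]
}

# --- Demonstration on constructed samples ----------------------------------
# A listing where someone later added roles/owner to the connector's account.
SAMPLE_ROLES='roles/browser
roles/iam.securityAdmin
roles/resourcemanager.tagViewer
roles/owner'
SAMPLE_ANNOTATION='apono-connector-iam-sa@my-project.iam.gserviceaccount.com'

main() {
    if printf '%s\n' "$SAMPLE_ROLES" | apono_role_drift; then
        echo "IAM roles match the guide"
    else
        echo "IAM role drift detected; review the bindings listed above"
    fi
    if printf '%s' "$SAMPLE_ANNOTATION" \
        | apono_check_wi_annotation "apono-connector-iam-sa@my-project.iam.gserviceaccount.com"; then
        echo "Workload Identity annotation matches the IAM service account"
    else
        echo "Workload Identity annotation mismatch; connector pods will not obtain GCP credentials"
    fi
}
main
```

Run the two live commands from the comments in place of the samples after every install or upgrade; a non-zero return from apono_role_drift is the signal to go back to the IAM policy and remove whatever was added outside this guide.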
