# Installing a GCP connector on GKE using CLI (Helm)

Integrating a cloud account with Apono allows you to sync and manage your resources:

* Discover existing privileges and identities
* Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
* Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

***

### Prerequisites

<table><thead><tr><th width="216">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value<br><br>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run)</strong>.</li><li>Copy the token listed in step <strong>1</strong> of the instructions on that page. Treat it as a credential: it authenticates the connector to your Apono account.</li></ol></td></tr><tr><td><strong>Kubernetes Command Line Tool (kubectl)</strong></td><td><a href="https://kubernetes.io/docs/reference/kubectl/">Command-line tool</a> used for communicating with a Kubernetes cluster's control plane</td></tr><tr><td><strong>Google Cloud Command Line Interface (Google Cloud CLI)</strong></td><td><a href="https://cloud.google.com/sdk/gcloud">Command-line interface</a> used to manage Google Cloud resources</td></tr><tr><td><strong>Google Cloud Information</strong></td><td><p>Information for your Google Cloud environment:</p><ul><li>(Organization) <a href="https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id">Organization ID</a></li><li><a href="https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects">Project ID</a></li><li>GKE cluster namespace in which the connector will run</li><li>Name for the IAM service account the connector will run as</li></ul></td></tr><tr><td><strong>Owner Role</strong></td><td><a href="https://cloud.google.com/iam/docs/roles-overview#basic">Google Cloud role</a> that provides <strong>Owner</strong> permissions on the project or organization; required for the IAM commands below</td></tr></tbody></table>

***

### Create an IAM service account

Use the following sections to create an IAM service account for either your [Google Project](#project) or [Google Organization](#organization). The connector runs as this service account, so the roles granted to it define what the connector can read and change.

#### Project

Follow these steps to create a service account for a Google Project:

1. Set the environment variables.

   ```shell
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```
2. In your shell environment, log in to Google Cloud and enable the required APIs in the project.

   <pre class="language-shell" data-overflow="wrap"><code class="lang-shell">gcloud auth login 
   gcloud services enable cloudresourcemanager.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudasset.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudidentity.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable admin.googleapis.com --project $GCP_PROJECT_ID
   </code></pre>
3. Create the service account.

   <pre class="language-shell" data-overflow="wrap"><code class="lang-shell">gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   </code></pre>
4. Assign the following roles to the service account.

   <table><thead><tr><th width="238">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr></tbody></table>

   ```shell
   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor" \
       --project $GCP_PROJECT_ID

   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/iam.securityAdmin" \
       --project $GCP_PROJECT_ID
   ```

#### Organization

Follow these steps to create a service account for a Google Organization:

1. Set the environment variables.

   ```shell
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```
2. In your shell environment, log in to Google Cloud and enable the required APIs in the project that will host the service account.

   ```shell
   gcloud auth login
   gcloud services enable cloudresourcemanager.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudasset.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudidentity.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable admin.googleapis.com --project $GCP_PROJECT_ID
   ```
3. Create the service account.

   <pre class="language-shell" data-overflow="wrap"><code class="lang-shell">gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   </code></pre>
4. Assign the following roles to the service account at the organization level. Roles bound on the organization are inherited by every project under it, so `roles/secretmanager.secretAccessor` granted here lets the connector read every secret in the organization; bind it on individual projects instead if the connector only needs specific secrets.

   <table><thead><tr><th width="253">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr><tr><td><strong>roles/browser</strong></td><td><ul><li>List resources within the organization</li><li>View metadata</li></ul></td></tr></tbody></table>

   <pre class="language-shell" data-overflow="wrap"><code class="lang-shell">gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor"

   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/iam.securityAdmin"
       
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/browser"
   </code></pre>

***

### Deploy the connector

Follow these steps to deploy the Apono connector:

1. Connect `kubectl` to the GKE cluster that will run the connector.

{% tabs %}
{% tab title="New GKE Cluster" %}

1. Create a new GKE cluster with Workload Identity Federation for GKE enabled. The service-account binding below relies on the cluster's workload pool being `$GCP_PROJECT_ID.svc.id.goog`.

   ```shell
   gcloud container clusters create CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID \
       --workload-pool=$GCP_PROJECT_ID.svc.id.goog
   ```
2. Connect the GKE cluster.

{% code overflow="wrap" %}

```shell
gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
```

{% endcode %}

3. Verify that the new cluster is the current `kubectl` context. The current context is marked with `*` in the `CURRENT` column.

   ```shell
   kubectl config get-contexts
   ```

{% endtab %}

{% tab title="Existing GKE Cluster" %}

1. Connect to the GKE cluster. The cluster must have Workload Identity Federation for GKE enabled (workload pool `$GCP_PROJECT_ID.svc.id.goog`), because the service-account binding below depends on it. If it is not enabled, turn it on with the `--workload-pool` flag of `gcloud container clusters update` and set existing node pools to `--workload-metadata=GKE_METADATA` before continuing.

{% code overflow="wrap" %}

```shell
gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
```

{% endcode %}

2. Verify that the cluster is the current `kubectl` context. The current context is marked with `*` in the `CURRENT` column.

   ```shell
   kubectl config get-contexts
   ```

{% endtab %}
{% endtabs %}

2. Bind the IAM service account to the Kubernetes service account. This grants `roles/iam.workloadIdentityUser` on the IAM service account to the Kubernetes service account `apono-connector-service-account` in `$NAMESPACE`, the account the Helm chart runs the connector as, so that the connector pod obtains the IAM service account's credentials through Workload Identity rather than through a downloaded key file.

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```shell
gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $GCP_PROJECT_ID
```

{% endcode %}

3. Deploy the Apono connector on your GKE cluster using the Helm chart. `serviceAccount.gcpServiceAccountEmail` must be the same IAM service account bound in the previous step; it is what maps the Kubernetes service account to that IAM identity. `apono.token` is passed as a chart value and is therefore stored in the Helm release Secret in `$NAMESPACE`, so restrict who can read Secrets in that namespace.

{% code overflow="wrap" lineNumbers="true" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=2Gi \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=2Gi \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}
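Each link in the chain above (workload pool on the cluster, `workloadIdentityUser` binding on the IAM service account, annotation on the Kubernetes service account, a running pod using it) can be missing without Helm reporting an error; the connector then simply fails to authenticate or, worse, runs with whatever identity the node offers. The following verification script is an added example, not Apono's code. It assumes the environment variables set earlier in this article (`GCP_PROJECT_ID`, `NAMESPACE`, `SERVICE_ACCOUNT_NAME`), an authenticated `gcloud` and `kubectl`, the Kubernetes service account name `apono-connector-service-account` used in the binding step, and that the chart annotates that account with `iam.gke.io/gcp-service-account` set from `serviceAccount.gcpServiceAccountEmail`. The cluster name and region are passed as arguments.

```shell
#!/bin/sh
# Post-install verification of the Workload Identity chain behind the Apono connector.
# Added example, not Apono's code. Assumes the article's variables (GCP_PROJECT_ID,
# NAMESPACE, SERVICE_ACCOUNT_NAME), an authenticated gcloud/kubectl, and the
# Kubernetes service account name used in the binding step.
set -eu

KSA_NAME="${KSA_NAME:-apono-connector-service-account}"   # KSA name from the binding step

# The two identities the binding step ties together.
gsa_email() { # $1=project  $2=IAM service account name
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}
wi_member() { # $1=project  $2=namespace  $3=KSA name
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$1" "$2" "$3"
}

# 1. Workload Identity Federation for GKE must be enabled on the cluster; without a
#    workload pool the pod never receives the IAM service account's credentials.
check_workload_pool() { # $1=cluster  $2=region  $3=project
  pool=$(gcloud container clusters describe "$1" --region "$2" --project "$3" \
           --format='value(workloadIdentityConfig.workloadPool)')
  [ "$pool" = "$3.svc.id.goog" ]
}

# 2. The IAM service account's policy must grant roles/iam.workloadIdentityUser to
#    exactly the namespace/KSA pair the connector runs as (role and member are checked
#    together, so a binding for a different namespace does not pass).
check_gsa_binding() { # $1=GSA email  $2=expected member  $3=project
  gcloud iam service-accounts get-iam-policy "$1" --project "$3" \
      --flatten='bindings[].members' \
      --format='csv[no-heading](bindings.role,bindings.members)' \
    | grep -qxF "roles/iam.workloadIdentityUser,$2"
}

# 3. The KSA must carry the annotation GKE uses to map it to the IAM service account
#    (assumed to be set by the chart from serviceAccount.gcpServiceAccountEmail).
check_ksa_annotation() { # $1=namespace  $2=KSA name  $3=expected GSA email
  ann=$(kubectl -n "$1" get serviceaccount "$2" \
          -o jsonpath='{.metadata.annotations.iam\.gke\.io/gcp-service-account}')
  [ "$ann" = "$3" ]
}

# 4. At least one pod running as that KSA must be in the Running phase.
check_connector_pod() { # $1=namespace  $2=KSA name
  kubectl -n "$1" get pods \
      -o jsonpath='{range .items[?(@.spec.serviceAccountName=="'"$2"'")]}{.metadata.name}={.status.phase}{"\n"}{end}' \
    | grep -q '=Running$'
}

verify_connector() { # $1=cluster  $2=region
  gsa=$(gsa_email "$GCP_PROJECT_ID" "$SERVICE_ACCOUNT_NAME")
  member=$(wi_member "$GCP_PROJECT_ID" "$NAMESPACE" "$KSA_NAME")
  check_workload_pool "$1" "$2" "$GCP_PROJECT_ID" \
    || { echo "FAIL: cluster $1 has no workload pool $GCP_PROJECT_ID.svc.id.goog" >&2; return 1; }
  check_gsa_binding "$gsa" "$member" "$GCP_PROJECT_ID" \
    || { echo "FAIL: $member lacks roles/iam.workloadIdentityUser on $gsa" >&2; return 1; }
  check_ksa_annotation "$NAMESPACE" "$KSA_NAME" "$gsa" \
    || { echo "FAIL: $NAMESPACE/$KSA_NAME is not annotated with $gsa" >&2; return 1; }
  check_connector_pod "$NAMESPACE" "$KSA_NAME" \
    || { echo "FAIL: no Running pod in $NAMESPACE uses $KSA_NAME" >&2; return 1; }
  echo "OK: $NAMESPACE/$KSA_NAME -> $gsa via Workload Identity on cluster $1"
}

# Usage: sh verify-apono-connector.sh CLUSTER_NAME REGION
if [ "$#" -eq 2 ]; then
  verify_connector "$1" "$2"
else
  echo "usage: $0 CLUSTER_NAME REGION" >&2
fi
```

Run it after `helm install` completes; each check prints a specific failure so you know which of the four links to repair. The binding check matches role and member on one line, which is why a `workloadIdentityUser` grant to a different namespace or service account is reported as missing rather than passing.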
