# Installing a GCP connector on GKE using CLI (Helm)

Integrating a cloud account with Apono allows you to sync and manage your resources:

* Discover existing privileges and identities
* Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
* Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

***

### Prerequisites

<table><thead><tr><th width="216">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Apono Token</strong></td><td><p>Account-specific Apono authentication value<br><br>Use the following steps to obtain your token:</p><ol><li>On the <a href="https://app.apono.io/connectors"><strong>Connectors</strong></a> page, click <strong>Install Connector</strong>. The <strong>Install Connector</strong> page appears.</li><li>Click <strong>Cloud installation</strong>.</li><li>Click <strong>Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run)</strong>.</li><li>Copy the token listed on the page in step <strong>1</strong>.</li></ol></td></tr><tr><td><strong>Kubernetes Command Line Tool (kubectl)</strong></td><td><a href="https://kubernetes.io/docs/reference/kubectl/">Command-line tool</a> used for communicating with a Kubernetes cluster's control plane</td></tr><tr><td><strong>Google Cloud Command Line Interface (Google Cloud CLI)</strong></td><td><a href="https://cloud.google.com/sdk/gcloud">Command-line interface</a> used to manage Google Cloud resources</td></tr><tr><td><strong>Google Cloud Information</strong></td><td><p>Information for your Google Cloud instance:</p><ul><li>(Organization) <a href="https://cloud.google.com/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id">Organization ID</a></li><li><a href="https://cloud.google.com/resource-manager/docs/creating-managing-projects#identifying_projects">Project ID</a></li><li>GKE Cluster Namespace</li><li>Service Account Name</li></ul></td></tr><tr><td><strong>Owner Role</strong></td><td><a href="https://cloud.google.com/iam/docs/roles-overview?sjid=2603002525407015039-NC#basic">Google Cloud role</a> that provides <strong>Owner</strong> permissions for the project or organization</td></tr></tbody></table>

***

### Create an IAM service account

Use the following sections to create an IAM service account for either your [Google Project](#project) or [Google Organization](#organization).

#### Project

Follow these steps to create a service account for a Google Project:

1. Set the environment variables.

   ```shell
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```
2. In your shell environment, log in to Google Cloud and enable the required APIs.

   ```shell
   gcloud auth login
   gcloud services enable cloudresourcemanager.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudasset.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable cloudidentity.googleapis.com --project $GCP_PROJECT_ID
   gcloud services enable admin.googleapis.com --project $GCP_PROJECT_ID
   ```
3. Create the service account.

   ```shell
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```
4. Assign the following roles to the service account.

   <table><thead><tr><th width="238">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr></tbody></table>

   ```shell
   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor" \
       --project $GCP_PROJECT_ID

   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/iam.securityAdmin" \
       --project $GCP_PROJECT_ID
   ```

#### Organization

Follow these steps to create a service account for a Google Organization:

1. In your shell environment, log in to Google Cloud and enable the required APIs.

   ```shell
   gcloud alpha auth login
   gcloud services enable cloudresourcemanager.googleapis.com
   gcloud services enable cloudasset.googleapis.com
   gcloud services enable cloudidentity.googleapis.com
   gcloud services enable admin.googleapis.com
   ```
2. Set the environment variables.

   ```shell
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```
3. Create the service account.

   ```shell
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```
4. Assign the following roles to the service account.

   <table><thead><tr><th width="253">Role</th><th>Permissions Granted</th></tr></thead><tbody><tr><td><strong>roles/secretmanager.secretAccessor</strong></td><td><ul><li>Access secret versions</li><li>Read the secret data</li></ul></td></tr><tr><td><strong>roles/iam.securityAdmin</strong></td><td><ul><li>Manage IAM policies, roles, and service accounts</li><li>Set and update IAM policies</li><li>Grant, modify, and revoke IAM roles for users and service accounts</li></ul></td></tr><tr><td><strong>roles/browser</strong></td><td><ul><li>List resources within the organization</li><li>View metadata</li></ul></td></tr></tbody></table>

   ```shell
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/secretmanager.secretAccessor"

   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/iam.securityAdmin"

   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
       --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
       --role="roles/browser"
   ```

***

### Deploy the connector

Follow these steps to deploy the Apono connector:

1. Deploy the Apono connector on a GKE cluster.

{% tabs %}
{% tab title="New GKE Cluster" %}

1. Create a new GKE cluster.

   ```shell
   gcloud container clusters create CLUSTER_NAME
   ```
2. Connect the GKE cluster.

{% code overflow="wrap" %}

```shell
gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
```

{% endcode %}

3. Verify that the GKE cluster is the current kubectl context. The current context is marked with `*` in the `CURRENT` column.

   ```shell
   kubectl config get-contexts
   ```

{% endtab %}

{% tab title="Existing GKE Cluster" %}

1. Connect the GKE cluster.

{% code overflow="wrap" %}

```shell
gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
```

{% endcode %}

2. Verify that the GKE cluster is the current kubectl context. The current context is marked with `*` in the `CURRENT` column.

   ```shell
   kubectl config get-contexts
   ```

{% endtab %}
{% endtabs %}

2. Bind the IAM Service Account to the GKE Service Account.

{% code overflow="wrap" lineNumbers="true" fullWidth="false" %}

```shell
gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $GCP_PROJECT_ID
```

{% endcode %}

3. Deploy the Apono connector on your GKE cluster using the Helm chart.

{% code overflow="wrap" lineNumbers="true" %}

```shell
helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=2Gi \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=2Gi \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace
```

{% endcode %}
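As an added post-install check (example code, not part of Apono's chart or documentation), the two helpers below verify that the service account holds exactly the roles granted above and nothing more (`roles/iam.securityAdmin` is already powerful, so an extra `roles/owner` or `roles/editor` binding is worth catching), and build the Workload Identity member string that the binding in step 2 and the chart's Kubernetes service account must agree on. They assume the variables exported earlier; the live `gcloud` command that produces the role list is shown in a comment, and `check_roles` runs on any captured copy of that output.

```shell
#!/bin/sh
# Post-install verification helpers for the Apono connector's GCP service account.
# Added example, not Apono's own tooling. Assumes GCP_PROJECT_ID,
# SERVICE_ACCOUNT_NAME and NAMESPACE are exported as in the steps above.

PROJECT_ROLES="roles/secretmanager.secretAccessor roles/iam.securityAdmin"
ORG_ROLES="$PROJECT_ROLES roles/browser"

# check_roles <granted roles, one per line> [<expected roles, space-separated>]
# Prints one line per missing or unexpected role and returns 1 on any drift
# from the expected set. Defaults to the project-scoped role set.
check_roles() {
    granted="$1"
    expected="${2:-$PROJECT_ROLES}"
    rc=0
    for role in $expected; do
        printf '%s\n' "$granted" | grep -qxF "$role" \
            || { echo "MISSING: $role"; rc=1; }
    done
    for role in $granted; do
        case " $expected " in
            *" $role "*) ;;
            *) echo "UNEXPECTED: $role"; rc=1 ;;
        esac
    done
    return "$rc"
}

# wi_member <project-id> <namespace> <ksa-name>
# Workload Identity principal for a Kubernetes service account. It must equal
# the --member used in the add-iam-policy-binding step, otherwise the connector
# pod cannot impersonate the GCP service account.
wi_member() {
    printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# Live usage (needs gcloud and the exported variables):
#   GSA="$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com"
#   granted=$(gcloud projects get-iam-policy "$GCP_PROJECT_ID" \
#       --flatten="bindings[].members" \
#       --filter="bindings.members:serviceAccount:$GSA" \
#       --format="value(bindings.role)")
#   check_roles "$granted" && echo "role set OK"
#   wi_member "$GCP_PROJECT_ID" "$NAMESPACE" apono-connector-service-account
```

For an organization-scoped install, query `gcloud organizations get-iam-policy "$GCP_ORGANIZATION_ID"` with the same flags and pass `"$ORG_ROLES"` as the second argument.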
