Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

PreviousInstalling a GCP connector on Cloud Run using CLI NextInstalling a GCP connector on GKE using Terraform

Last updated 8 months ago

Was this helpful?

Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Apono Token

Account-specific Apono authentication value Use the following steps to obtain your token:

Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.

Kubernetes Command Line Tool (kubectl)

Google Cloud Command Line Interface (Google Cloud CLI)

Google Cloud Information

Information for your Google Cloud instance:

GKE Cluster Namespace
Service Account Name

Owner Role

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.
Role
Permissions Granted
role/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
roles/browser
List resources within the organization
View metadata

```shell
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"
```

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster

gcloud container clusters create CLUSTER_NAME

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Bind the IAM Service Account to the GKE Service Account.

gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $GCP_PROJECT_ID

Deploy Apono connector on your GKE cluster using Helm Chart.

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace

PreviousInstalling a GCP connector on Cloud Run using CLI NextInstalling a GCP connector on GKE using Terraform

Last updated 8 months ago

Was this helpful?

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Apono Token

Account-specific Apono authentication value Use the following steps to obtain your token:

On the page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.

Kubernetes Command Line Tool (kubectl)

used for communicating with a Kubernetes cluster's control plane

Google Cloud Command Line Interface (Google Cloud CLI)

used to manage Google Cloud resources

Google Cloud Information

Information for your Google Cloud instance:

(Organization)
GKE Cluster Namespace
Service Account Name

Owner Role

that provides Owner permissions for the project or organization

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

In your shell environment, log in to Google Cloud and enable the API.

gcloud auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.

gcloud alpha auth login
gcloud services enable cloudresourcemanager.googleapis.com

Set the environment variables.

export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
export APONO_TOKEN=<YOUR_APONO_TOKEN>
export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>

Create the service account.

gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID

Assign the following roles to the service account.
Role
Permissions Granted
role/secretmanager.secretAccessor
Access secret versions
Read the secret data
roles/iam.securityAdmin
Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts
roles/browser
List resources within the organization
View metadata

```shell
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"
```

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster

gcloud container clusters create CLUSTER_NAME

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Bind the IAM Service Account to the GKE Service Account.

gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $GCP_PROJECT_ID

Deploy Apono connector on your GKE cluster using Helm Chart.

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace