Apono Connector for GCP

How to install a Connector on a GCP Project to integrate a GCP Organization or Project with Apono with Helm

To integrate with GCP and start managing JIT access to GCP cloud resources, you must first install a connector in your GCP environment.

The GCP connector must be installed on a GKE cluster. You can do this with the CLI or with GCP Deployment Manager in the GCP Portal. The Apono connector requires permissions on the organization or on a specific project, depending on the level of access management you want to achieve with Apono.

  • To manage access to a single GCP Project, install a connector in a GKE cluster on that project and grant the connector the appropriate roles on the project. Follow this guide.

  • To manage access to a GCP Organization, install a connector in a GKE cluster on any project and grant the connector the appropriate roles on the organization. Follow this guide.

How to install

GCP Organization Connector

Using Helm

Prerequisites

  • Make sure the Cloud Asset API is enabled in the project where the connector is installed.

Step-by-step guide

  1. Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization ID (find it with: gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"

Set the connector service account variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com

echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
  2. Make sure the Cloud Resource Manager API is enabled

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
  3. Create an IAM Service Account and grant it the roles Browser, Security Admin and Tag Viewer for the entire organization.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser"

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer"
  4. Verify the default GKE cluster for installation

  • Open the Kubernetes command-line tool (kubectl)

  • Run kubectl config get-contexts to list the available GKE cluster contexts

  • Set the desired cluster as the current context: kubectl config use-context <cluster-context-name>

  • Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.

  5. Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
  6. Install the Helm Chart

The Helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container

  • Kubernetes Service Account annotated with GCP IAM Service Account

  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace

GCP Project Connector

Using Helm

Prerequisites

  • Make sure the Cloud Asset API is enabled in the project where the connector is installed.

Step-by-step guide

  1. Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the connector into
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the connector service account variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"
  2. Enable the Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID
  3. Create an IAM Service Account and grant it the roles Browser, Security Admin and Tag Viewer for the project.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/browser" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/resourcemanager.tagViewer" \
    --project $PROJECT_ID
  4. Verify the default GKE cluster for installation

  • Open the Kubernetes command-line tool (kubectl)

  • Run kubectl config get-contexts to list the available GKE cluster contexts

  • Set the desired cluster as the current context: kubectl config use-context <cluster-context-name>

  • Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.

  5. Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID
  6. Install the Helm Chart

The Helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container

  • Kubernetes Service Account annotated with GCP IAM Service Account

  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
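Once either flow's helm install has run, a check worth adding is to compare the roles actually bound to the connector's service account with the three roles the guide grants, so that nothing broader (for example an accidental Owner grant) is riding along on the identity the connector uses. The script below is an added example, not part of Apono's documentation or chart; it audits a role list captured from gcloud get-iam-policy (the capture command is in the comments), and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of Apono's docs): audit the IAM roles bound to the
# connector's GCP service account against the roles the guide grants.
# Capture the live list with (project flow):
#   gcloud projects get-iam-policy "$PROJECT_ID" \
#     --flatten='bindings[].members' \
#     --filter="bindings.members:serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
#     --format='value(bindings.role)'
# or, for the organization flow, the same flags on:
#   gcloud organizations get-iam-policy "$ORGANIZATION_ID" ...

# The three roles the guide grants; anything else bound is over-privilege.
EXPECTED_ROLES="roles/browser roles/iam.securityAdmin roles/resourcemanager.tagViewer"

# audit_roles "<whitespace/newline-separated roles>"
# Prints "MISSING <role>" for each expected role that is not bound and
# "EXTRA <role>" for each bound role the guide never asked for.
# Returns 0 only when the bound set equals the expected set exactly.
audit_roles() {
  actual="$1"
  status=0
  for role in $EXPECTED_ROLES; do
    # one captured role per line, exact match only
    if ! printf '%s\n' $actual | grep -qx -- "$role"; then
      echo "MISSING $role"
      status=1
    fi
  done
  for role in $actual; do
    case " $EXPECTED_ROLES " in
      *" $role "*) ;;
      *) echo "EXTRA $role"; status=1 ;;
    esac
  done
  return $status
}

# Constructed sample: a policy where Tag Viewer was forgotten and Owner was
# granted by mistake, in the shape the capture command above prints.
SAMPLE_ROLES='roles/browser
roles/iam.securityAdmin
roles/owner'

audit_roles "$SAMPLE_ROLES" || echo "policy drift detected; fix the bindings before relying on the connector"
```

Run the same function against the Workload Identity binding on the service account (roles/iam.workloadIdentityUser, one expected member) to confirm only the chart's Kubernetes service account can impersonate it.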

Interested in HA for the connector?

Add this flag to the helm install command to run one or more replicas of the Apono connector instance:

--set-string replicaCount=<number_of_replicas>

Read more here.

Results

You can validate the Connector is installed in the Connector status page.

Then, in the Apono app, the connector appears as found, with a green checkmark indication.

Hurray!

You now have a GCP connector installed in your GCP environment with permissions on the Project or Organization you chose.

You can now integrate Apono with a GCP Project or GCP Organization.
