Integrate with Google Cloud Platform (GCP)

Integrate GCP with Apono to manage access within Buckets, GKE clusters, BigQuery, CloudSQL databases and many more.

Overview

  • Reduce Over Privileges - Discover the privileges already granted to GCP roles, groups and services and convert them into on-demand access flows, reducing standing over-privileged access.
  • Self Service Access - Empower your developers to gain self-service access to GCP services, buckets, instances and more using Slack.
  • Automated Approval Workflows - Create approval workflows for specific sensitive resources.
  • Restricted Third Party Access - Grant third-party (customer or vendor) time-based access to specific buckets, databases or instances with MFA verification.
  • Review Access - View a detailed access audit of who was granted access to which specific instances, buckets or other resources in GCP.

Prerequisites

How to integrate GCP

In Apono

  1. Click on Integrations Catalog
  2. Click on Connect your GCP Account
  3. Copy and save your token

In your local gcloud CLI

Open the gcloud CLI
Verify that you are already logged in

Prepare parameters for Apono installation
Fill and set the values for the following variables:

Linux
Set the following variables:

export APONO_TOKEN= #The token from your Apono Account
export PROJECT_ID= #Your GCP Project ID
export NETWORK=default #The network for the new GKE cluster
export SUBNET=default #The subnet for the GKE cluster
export REGION=us-central1 #The region for the GKE cluster
export APONO_CONNECTOR_ID=apono-google-integration #The connector identifier (any meaningful name)
export ORGANIZATION_ID=$(gcloud projects get-ancestors $PROJECT_ID | grep organization | awk '{print $1}') #The organization that contains the project
export PROJECT_NUMBER=$(gcloud projects list --filter="projectId=$PROJECT_ID" --format="value(projectNumber)") #Exact match on the project ID, so only one number is returned

Windows
Set the following variables:

In cmd.exe everything after the = is part of the value (there is no # comment syntax), so the comments below are on their own rem lines:

rem The token from your Apono Account
set APONO_TOKEN=
rem In your GCP account, choose the Organization, click on the ALL tab and look for the Project ID;
rem click on the project and set the Project ID
set PROJECT_ID=
rem Note - when connecting a database (MySQL, PostgreSQL), the connector must be installed on the same network
set NETWORK=default
set SUBNET=default
rem The region where the account is hosted
set REGION=
rem Note - the connector ID can be anything. Best practice - a meaningful name
set APONO_CONNECTOR_ID=apono-google-integration
rem The organization ID and project number (see the Linux section for the gcloud commands that look them up)
set ORGANIZATION_ID=
set PROJECT_NUMBER=

Add Permission to Deployment Manager to install Apono

Linux
Add the role iam.securityAdmin to your Google APIs Service Agent (the Deployment Manager service account, PROJECT_NUMBER@cloudservices.gserviceaccount.com). This binding is at organization scope, so review whether it is still needed once the connector is installed.
Run the following command in the CLI:

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

Windows
Add the role iam.securityAdmin to your Google APIs Service Agent:
Run the following command in the CLI:

gcloud organizations add-iam-policy-binding %ORGANIZATION_ID% --member=serviceAccount:%PROJECT_NUMBER%@cloudservices.gserviceaccount.com --role=roles/iam.securityAdmin

Install Apono (Connector installation using Google Deployment Manager)

Linux

curl https://apono-public.s3.amazonaws.com/gcp/apono-connector-deployment-manager.py --output /tmp/apono-connector-deployment-manager.py && \
gcloud deployment-manager deployments create apono-connector-deployment --template=/tmp/apono-connector-deployment-manager.py --properties=CLUSTER_REGION:$REGION,APONO_CONNECTOR_ID:$APONO_CONNECTOR_ID,APONO_TOKEN:$APONO_TOKEN,NETWORK:$NETWORK,SUBNET:$SUBNET,ORGANIZATION_ID:$ORGANIZATION_ID --project $PROJECT_ID

Note that APONO_TOKEN is passed as a deployment property, so it is visible in the process list while the command runs and is stored with the deployment; restrict who can view the deployment accordingly.

Windows
NOTE - make sure your CLI is in the Temp folder (cd %temp%)

curl https://apono-public.s3.amazonaws.com/gcp/apono-connector-deployment-manager.py --output %temp%\apono-connector-deployment-manager.py

gcloud deployment-manager deployments create apono-connector-deployment --template=%temp%\apono-connector-deployment-manager.py --properties=CLUSTER_REGION:%REGION%,APONO_CONNECTOR_ID:%APONO_CONNECTOR_ID%,APONO_TOKEN:%APONO_TOKEN%,NETWORK:%NETWORK%,SUBNET:%SUBNET%,ORGANIZATION_ID:%ORGANIZATION_ID% --project %PROJECT_ID%

The installation process will do the following:

  • Create a service account for Apono Connector
  • Bind roles to the Apono Connector service account (Security Admin, Secret Accessor)
  • Create a GKE cluster for the connector if needed
  • Create a Kubernetes deployment for Apono Connector in the cluster
  • Create a Kubernetes secret for Apono Connector containing docker registry credentials
  • Create a Kubernetes service account for the connector
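The Linux steps above collected into one checked script, as an added example rather than Apono's own installer. The helper names (require_var, org_id_from_ancestors, properties_string, install_apono_connector) are this example's own, and it assumes an authenticated gcloud on the PATH. It differs from the one-liners above in three practitioner-relevant ways: every variable is checked before anything reaches gcloud, the organization ID is taken from the TYPE column of gcloud projects get-ancestors rather than from a grep over whole lines (so a project or folder whose ID contains the word "organization" cannot be mistaken for the org), and the project number is looked up with gcloud projects describe, which cannot return more than one project.

```shell
#!/bin/sh
# Added example (not Apono's installer): the Linux procedure wrapped in
# checked functions. Assumes gcloud is installed and authenticated.
set -eu

# Fail (return 1) if the named variable is empty, so that an empty
# ORGANIZATION_ID or PROJECT_NUMBER never reaches gcloud as a bad argument.
require_var() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "missing required variable: $name" >&2
        return 1
    fi
    return 0
}

# Read `gcloud projects get-ancestors` table output from stdin and print the
# ID whose TYPE column is exactly "organization" (header line skipped).
org_id_from_ancestors() {
    awk 'NR > 1 && $2 == "organization" { print $1; exit }'
}

# Build the --properties value in the form the deployment template expects.
properties_string() {
    printf 'CLUSTER_REGION:%s,APONO_CONNECTOR_ID:%s,APONO_TOKEN:%s,NETWORK:%s,SUBNET:%s,ORGANIZATION_ID:%s' \
        "$REGION" "$APONO_CONNECTOR_ID" "$APONO_TOKEN" "$NETWORK" "$SUBNET" "$ORGANIZATION_ID"
}

install_apono_connector() {
    for v in APONO_TOKEN PROJECT_ID NETWORK SUBNET REGION APONO_CONNECTOR_ID; do
        require_var "$v"
    done
    ORGANIZATION_ID="$(gcloud projects get-ancestors "$PROJECT_ID" | org_id_from_ancestors)"
    PROJECT_NUMBER="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
    require_var ORGANIZATION_ID
    require_var PROJECT_NUMBER

    # Organization-scoped Security Admin for the Deployment Manager service agent.
    gcloud organizations add-iam-policy-binding "$ORGANIZATION_ID" \
        --member="serviceAccount:${PROJECT_NUMBER}@cloudservices.gserviceaccount.com" \
        --role=roles/iam.securityAdmin

    # Fetch the template into a private temp file (-f makes curl fail on HTTP errors
    # instead of saving an error page as the template).
    template=$(mktemp)
    curl -fsSL https://apono-public.s3.amazonaws.com/gcp/apono-connector-deployment-manager.py --output "$template"
    gcloud deployment-manager deployments create apono-connector-deployment \
        --template="$template" \
        --properties="$(properties_string)" \
        --project "$PROJECT_ID"
}

# Only touch GCP when explicitly asked; sourcing the file for its helpers is harmless.
if [ "${1:-}" = "--install" ]; then
    install_apono_connector
fi
```

Run it as `sh install.sh --install` after exporting the variables from the Linux section (ORGANIZATION_ID and PROJECT_NUMBER are resolved by the script). The token still ends up as a deployment property, exactly as with the manual command, so the same visibility caveat applies.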

Advanced (on an existing Cluster)

You can choose to install Apono on an existing Cluster instead. Follow this advanced guide.

Advanced (with Helm)

You can choose to install Apono using Helm directly instead. Follow this advanced guide.

Hurray!

You've successfully integrated GCP with Apono. If you would like to use Apono to create Access Flows with resources like BigQuery, Cloud Storage, CloudSQL and other GCP services, you can easily connect them to Apono as well. Just select them from the catalog.


What’s Next

Now that you have successfully integrated a GCP project with Apono you can