Installing a GCP Connector with Helm (Project Wide)

This guide is intended for admins managing a Connector in their environment.

Overview

Integrating a cloud account with Apono syncs your resources, so that you can use Apono to discover existing privileges and identities and to manage employee and application provisioning to cloud assets and data repositories, with delegated approval workflows and granular permissions for customer-sensitive data.

📘

You have chosen the advanced installation method

You can also connect GCP in Apono by following the UI guide here.

Deploy in a new GKE cluster

Prerequisites

  • A Google project to connect to Apono
  • Google Cloud CLI
  • A GCP user with project Owner permissions
  • Kubernetes command-line tool (kubectl)

Optional - run the installation from the GCP Console

Install Apono

1. Prepare parameters for Apono installation

Fill and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace

echo "PROJECT_ID: $PROJECT_ID"
echo "APONO_TOKEN: $APONO_TOKEN"
echo "APONO_CONNECTOR_ID: $APONO_CONNECTOR_ID"
echo "NAMESPACE: $NAMESPACE"

Set the following variable:

export GCP_SERVICE_ACCOUNT_EMAIL=apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com && echo "GCP_SERVICE_ACCOUNT_EMAIL: $GCP_SERVICE_ACCOUNT_EMAIL"

2. Enable Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID

3. Create an IAM Service Account and grant it the Security Admin and Secret Accessor roles on the project.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/secretmanager.secretAccessor" \
    --project $PROJECT_ID

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
    --role="roles/iam.securityAdmin" \
    --project $PROJECT_ID

4. Verify the default GKE cluster for installation

  • Open the Kubernetes command-line tool
  • Run kubectl config get-contexts to list the GKE clusters
  • Set the desired cluster as the default: kubectl config use-context <cluster-context-name>
  • Run kubectl config get-contexts again and verify that the "*" marks the correct cluster.

5. Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

6. Install Helm Chart

The Helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container
  • Kubernetes Service Account annotated with the GCP IAM Service Account
  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \
    --create-namespace
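
The bindings created in steps 3, 5 and 6 are what hand the connector its Security Admin rights, so it is worth checking after installation that they match the guide and nothing else can impersonate the service account. The following is an added example, not Apono's code: it inspects the JSON produced by gcloud projects get-iam-policy --format=json, gcloud iam service-accounts get-iam-policy --format=json and kubectl get sa -o json (replaced here by constructed sample documents) and reports drift. The iam.gke.io/gcp-service-account annotation key is assumed from the standard GKE Workload Identity convention; the KSA name apono-connector-service-account is taken from step 5.

```python
# Roles the guide grants to the connector's GSA on the project (step 3).
EXPECTED_PROJECT_ROLES = {"roles/secretmanager.secretAccessor", "roles/iam.securityAdmin"}
KSA_NAME = "apono-connector-service-account"
WI_ANNOTATION = "iam.gke.io/gcp-service-account"  # assumed: standard GKE Workload Identity key

def roles_for_member(policy: dict, member: str) -> set:
    """Roles that a get-iam-policy JSON document grants to `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def members_with_role(policy: dict, role: str) -> set:
    """Every principal that a get-iam-policy JSON document grants `role`."""
    return {m for b in policy.get("bindings", []) if b["role"] == role for m in b.get("members", [])}

def check_wiring(project_id, namespace, sa_email, project_policy, sa_policy, ksa) -> list:
    """Return findings; an empty list means the bindings match the guide's steps 3, 5 and 6."""
    findings = []
    granted = roles_for_member(project_policy, f"serviceAccount:{sa_email}")
    if granted != EXPECTED_PROJECT_ROLES:
        findings.append(f"project roles for {sa_email}: {sorted(granted)}, "
                        f"expected {sorted(EXPECTED_PROJECT_ROLES)}")
    # Step 5: only this namespace/KSA pair may impersonate the GSA through Workload Identity.
    wi_member = f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{KSA_NAME}]"
    impersonators = members_with_role(sa_policy, "roles/iam.workloadIdentityUser")
    if wi_member not in impersonators:
        findings.append(f"workloadIdentityUser not granted to {wi_member}")
    for extra in sorted(impersonators - {wi_member}):
        findings.append(f"unexpected principal may impersonate the GSA: {extra}")
    # Step 6: the chart's KSA must carry the annotation that maps it onto the GSA.
    annotated = ksa.get("metadata", {}).get("annotations", {}).get(WI_ANNOTATION)
    if annotated != sa_email:
        findings.append(f"{WI_ANNOTATION} on {KSA_NAME} is {annotated!r}, expected {sa_email!r}")
    return findings

# Constructed sample documents shaped like the three commands' JSON output (not from a real project).
PROJECT_ID, NAMESPACE = "example-project", "apono-connector-namespace"
SA_EMAIL = f"apono-connector-iam-sa@{PROJECT_ID}.iam.gserviceaccount.com"
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/secretmanager.secretAccessor", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/iam.securityAdmin", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}
SAMPLE_SA_POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    f"serviceAccount:{PROJECT_ID}.svc.id.goog[{NAMESPACE}/{KSA_NAME}]",
    f"serviceAccount:{PROJECT_ID}.svc.id.goog[default/{KSA_NAME}]"]}]}  # second member is drift
SAMPLE_KSA = {"metadata": {"name": KSA_NAME, "annotations": {WI_ANNOTATION: SA_EMAIL}}}

if __name__ == "__main__":
    print(check_wiring(PROJECT_ID, NAMESPACE, SA_EMAIL, SAMPLE_PROJECT_POLICY, SAMPLE_SA_POLICY, SAMPLE_KSA))
```

On a real project, load the three command outputs with json.load in place of the sample documents; the sample run reports the stray default-namespace principal as its only finding.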

Verify the Connector has been successfully installed

You can validate that the Connector is installed on the Connector status page.

👍

Hurray!

You've successfully installed a GCP Connector using Helm!

You can now enable more GCP integrations in the Integrations Catalog.