Installing a GCP connector with Helm
Deploy the Apono connector with Helm
Integrating a cloud account with Apono allows you to sync and manage your resources:
- Discover existing privileges and identities
- Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
- Provide granular permissions to customer-sensitive data
This article explains how to set up an Apono connector for Google Cloud with Helm.
Prerequisites
Item | Description |
---|---|
Apono Token | Account-specific Apono authentication value. Use the following steps to obtain your token: |
Kubernetes Command Line Tool (kubectl) | Command-line tool used for communicating with a Kubernetes cluster's control plane |
Google Cloud Command Line Interface (Google Cloud CLI) | Command-line interface used to manage Google Cloud resources |
Google Cloud Information | Information for your Google Cloud instance: |
Owner Role | Google Cloud role that provides Owner permissions for the project or organization |
Create an IAM service account
Use the following sections to create an IAM service account user for either your Google Project or Google Organization.
Project
Follow these steps to create a service account for a Google Project:
1. In your shell environment, log in to Google Cloud and enable the Cloud Resource Manager API.

   ```bash
   gcloud auth login
   gcloud services enable cloudresourcemanager.googleapis.com
   ```

2. Set the environment variables.

   ```bash
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```

3. Create the service account.

   ```bash
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```

4. Assign the following roles to the service account.

   Role | Permissions Granted |
   ---|---|
   roles/secretmanager.secretAccessor | Access secret versions; read the secret data |
   roles/iam.securityAdmin | Manage IAM policies, roles, and service accounts; set and update IAM policies; grant, modify, and revoke IAM roles for users and service accounts |

   ```bash
   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/secretmanager.secretAccessor" \
     --project $GCP_PROJECT_ID
   gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/iam.securityAdmin" \
     --project $GCP_PROJECT_ID
   ```
Organization
Follow these steps to create a service account for a Google Organization:
1. In your shell environment, log in to Google Cloud and enable the Cloud Resource Manager API.

   ```bash
   gcloud alpha auth login
   gcloud services enable cloudresourcemanager.googleapis.com
   ```

2. Set the environment variables.

   ```bash
   export GCP_PROJECT_ID=<GOOGLE_PROJECT_ID>
   export GCP_ORGANIZATION_ID=<GOOGLE_ORGANIZATION_ID>
   export APONO_TOKEN=<YOUR_APONO_TOKEN>
   export APONO_CONNECTOR_ID=<A_UNIQUE_CONNECTOR_NAME>
   export NAMESPACE=<GKE_CLUSTER_NAMESPACE>
   export SERVICE_ACCOUNT_NAME=<SERVICE_ACCOUNT_NAME>
   ```

3. Create the service account.

   ```bash
   gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --project $GCP_PROJECT_ID
   ```

4. Assign the following roles to the service account at the organization level.

   Role | Permissions Granted |
   ---|---|
   roles/secretmanager.secretAccessor | Access secret versions; read the secret data |
   roles/iam.securityAdmin | Manage IAM policies, roles, and service accounts; set and update IAM policies; grant, modify, and revoke IAM roles for users and service accounts |
   roles/browser | List resources within the organization; view metadata |

   ```bash
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/secretmanager.secretAccessor"
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/iam.securityAdmin"
   gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
     --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
     --role="roles/browser"
   ```
Deploy the connector
Follow these steps to deploy the Apono connector:
1. Connect kubectl to the GKE cluster that will host the Apono connector, using either a new or an existing cluster.

   New GKE Cluster

   - Create a new GKE cluster.

     ```bash
     gcloud container clusters create CLUSTER_NAME
     ```

   - Connect to the GKE cluster.

     ```bash
     gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
     ```

   - Verify the GKE cluster is selected as the current context. The current context is marked with `*`.

     ```bash
     kubectl config get-contexts
     ```

   Existing GKE Cluster

   - Connect to the GKE cluster.

     ```bash
     gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID
     ```

   - Verify the GKE cluster is selected as the current context. The current context is marked with `*`.

     ```bash
     kubectl config get-contexts
     ```

2. Bind the IAM service account to the connector's Kubernetes service account through Workload Identity. The Kubernetes service account is `apono-connector-service-account` in the namespace set in `$NAMESPACE`.

   ```bash
   gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
     --member="serviceAccount:$GCP_PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
     --role="roles/iam.workloadIdentityUser" \
     --project $GCP_PROJECT_ID
   ```

3. Deploy the Apono connector on your GKE cluster using the Helm chart.

   ```bash
   helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
     --set-string apono.token=$APONO_TOKEN \
     --set-string apono.connectorId=$APONO_CONNECTOR_ID \
     --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
     --namespace $NAMESPACE \
     --create-namespace
   ```
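The connector service account ends up holding `roles/iam.securityAdmin`, which can rewrite IAM policy across the project or organization, so it is worth confirming after installation that the account holds exactly the roles listed in the tables above and nothing more, and that the Workload Identity binding names the right project, namespace and Kubernetes service account. The following script is an added example, not part of the Apono guide or its Helm chart. It takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` (or `gcloud organizations get-iam-policy ORG --format=json`) prints and compares the roles bound to the connector's service account with the set prescribed for each scope; it also checks the `serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]` member string, which is where an empty shell variable would otherwise slip through unnoticed. The project id `my-project`, the service account name `apono-connector` and the embedded policy are constructed sample values.

```python
"""Post-install check of the IAM bindings created for the Apono connector.

Added example, not part of the Apono guide or its Helm chart. Input is the
JSON that `gcloud projects get-iam-policy PROJECT --format=json` (or the
`gcloud organizations get-iam-policy` equivalent) prints.
"""
import json
import re

# Roles the guide binds at project scope and at organization scope.
PROJECT_ROLES = {"roles/secretmanager.secretAccessor", "roles/iam.securityAdmin"}
ORG_ROLES = PROJECT_ROLES | {"roles/browser"}

# Predefined role names always start with "roles/"; "role/..." is a typo.
ROLE_RE = re.compile(r"^roles/[A-Za-z0-9_.]+$")

# serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]; a GCP project id is
# 6-30 chars of lowercase letters, digits and hyphens, starting with a letter.
WI_MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])\.svc\.id\.goog"
    r"\[(?P<ns>[a-z0-9-]+)/(?P<ksa>[a-z0-9-]+)\]$"
)


def sa_member(sa_name: str, project_id: str) -> str:
    """Build the IAM member string for a service account."""
    return f"serviceAccount:{sa_name}@{project_id}.iam.gserviceaccount.com"


def invalid_role_names(roles) -> list:
    """Return the role names that are not of the form roles/<name>."""
    return sorted(r for r in roles if not ROLE_RE.match(r))


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role the policy binds to `member`."""
    return {
        b.get("role", "")
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def audit(policy: dict, member: str, expected: set) -> dict:
    """Compare the roles bound to `member` with the expected set."""
    actual = roles_for_member(policy, member)
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}


def check_wi_member(member: str, project_id: str, namespace: str,
                    ksa: str = "apono-connector-service-account") -> bool:
    """True if `member` is a well-formed Workload Identity principal naming
    the expected project, namespace and Kubernetes service account."""
    m = WI_MEMBER_RE.match(member)
    return bool(m) and (m["project"], m["ns"], m["ksa"]) == (project_id, namespace, ksa)


# Constructed sample: project id, service account name and policy are made up.
# The policy is missing secretAccessor and carries an unexpected roles/owner.
SAMPLE_PROJECT_ID = "my-project"
SAMPLE_MEMBER = sa_member("apono-connector", SAMPLE_PROJECT_ID)
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.securityAdmin",
     "members": ["serviceAccount:apono-connector@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:apono-connector@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz123abc=",
  "version": 1
}
""")

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_MEMBER, PROJECT_ROLES))
    print(invalid_role_names(["role/secretmanager.secretAccessor", "roles/browser"]))
    wi = f"serviceAccount:{SAMPLE_PROJECT_ID}.svc.id.goog[apono/apono-connector-service-account]"
    print(check_wi_member(wi, SAMPLE_PROJECT_ID, "apono"))
```

Run it against real output by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))` after `gcloud projects get-iam-policy $GCP_PROJECT_ID --format=json > policy.json`; for the organization setup use `ORG_ROLES` as the expected set. Any entry under `extra` is a role the guide did not ask for and should be explained or removed.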