Installing a GCP Connector with Helm (Organization Wide)

This guide is intended for admins managing a Connector in the environment.


Integrating a cloud account with Apono syncs your resources, so you can use Apono to discover existing privileges and identities and to manage employee and application provisioning to cloud assets and data repositories, with delegated approval workflows and granular permissions to customer-sensitive data.


You have chosen the advanced installation method

You can also connect GCP in Apono by following the UI guide.

Deploy in a new GKE cluster


  • A Google project to connect to Apono
  • Google Cloud CLI
  • A GCP user with project Owner permissions
  • Kubernetes command-line tool (kubectl)

Optional - run the installation from the GCP Console

Install Apono

1. Prepare parameters for Apono installation

Fill in and set the values for the following variables:

# Your GCP Project ID
export PROJECT_ID=
# The token from your Apono Account
export APONO_TOKEN=
# Your Organization Id (gcloud projects get-ancestors $PROJECT_ID)
export ORGANIZATION_ID=
# The connector identifier
export APONO_CONNECTOR_ID=apono-google-integration
# The namespace to deploy the cluster on
export NAMESPACE=apono-connector-namespace


Set the following variable:


2. Enable Cloud Resource Manager API

gcloud services enable cloudresourcemanager.googleapis.com --project $PROJECT_ID

3. Create IAM Service Account and grant it the roles: Security Admin, Secret Accessor for the entire organization.

gcloud iam service-accounts create apono-connector-iam-sa --project $PROJECT_ID

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \

gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:$GCP_SERVICE_ACCOUNT_EMAIL" \

4. Verifying default GKE cluster for installation

  • Open the Kubernetes command-line tool
  • Run kubectl config get-contexts to see the GKE clusters list
  • Set the desired cluster to be the default - kubectl config use-context #the name of the cluster
  • Run kubectl config get-contexts again and verify that the "*" indicates the correct cluster.

5. Bind the IAM Service Account to the K8S Service Account

gcloud iam service-accounts add-iam-policy-binding $GCP_SERVICE_ACCOUNT_EMAIL \
    --member="serviceAccount:$PROJECT_ID.svc.id.goog[$NAMESPACE/apono-connector-service-account]" \
    --role="roles/iam.workloadIdentityUser" \
    --project $PROJECT_ID

6. Install Helm Chart

The helm chart installs the following:

  • Kubernetes Deployment containing the Apono-Connector image container
  • Kubernetes Service Account annotated with GCP IAM Service Account
  • Kubernetes Secret containing Docker Registry credentials

helm install apono-connector apono-connector --repo \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$GCP_SERVICE_ACCOUNT_EMAIL \
    --namespace $NAMESPACE \

Verify the Connector has been successfully installed

You can validate that the Connector is installed on the Connector status page.



You've successfully installed a GCP Connector using Helm!

You can now enable more GCP integrations in the Integrations Catalog.
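
An offline preflight for the variables from step 1, meant to be run before the organization-level role bindings in step 3, since an empty or mistyped value there produces a wrong binding rather than a clear error. This is an added example, not Apono's code: the function names are hypothetical, the sample values are constructed, and it assumes the standard GCP forms NAME@PROJECT_ID.iam.gserviceaccount.com for the service account email and PROJECT_ID.svc.id.goog[NAMESPACE/KSA] for the Workload Identity member.

```shell
#!/bin/sh
# Added example: offline preflight for the variables used in this guide.
# It makes no gcloud, kubectl or helm calls.
LC_ALL=C; export LC_ALL

# Service account names as they appear in the guide's commands.
IAM_SA_NAME=apono-connector-iam-sa
K8S_SA_NAME=apono-connector-service-account

# GCP project ID: 6-30 chars, lowercase letters/digits/hyphens, starts with
# a letter, no trailing hyphen (legacy domain-scoped IDs are not handled).
valid_project_id() {
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  case $1 in [!a-z]* | *[!a-z0-9-]* | *-) return 1 ;; esac
}

# Organization ID is numeric; a display name or domain here is a mistake.
valid_org_id() {
  case $1 in '' | *[!0-9]*) return 1 ;; esac
}

# Kubernetes namespace: RFC 1123 label, at most 63 characters.
valid_namespace() {
  [ -n "$1" ] && [ "${#1}" -le 63 ] || return 1
  case $1 in -* | *- | *[!a-z0-9-]*) return 1 ;; esac
}

# Derived values (assumption: the cluster's workload pool is in $PROJECT_ID).
sa_email()  { printf '%s@%s.iam.gserviceaccount.com' "$IAM_SA_NAME" "$PROJECT_ID"; }
wi_member() { printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$PROJECT_ID" "$NAMESPACE" "$K8S_SA_NAME"; }

# Print one line per problem; return non-zero if any were found.
preflight() {
  rc=0
  valid_project_id "${PROJECT_ID:-}"  || { echo "PROJECT_ID missing or malformed"; rc=1; }
  valid_org_id "${ORGANIZATION_ID:-}" || { echo "ORGANIZATION_ID must be numeric"; rc=1; }
  valid_namespace "${NAMESPACE:-}"    || { echo "NAMESPACE missing or malformed"; rc=1; }
  [ -n "${APONO_TOKEN:-}" ]           || { echo "APONO_TOKEN is empty"; rc=1; }
  [ -n "${APONO_CONNECTOR_ID:-}" ]    || { echo "APONO_CONNECTOR_ID is empty"; rc=1; }
  return "$rc"
}

# Constructed sample values, run in a subshell so nothing leaks into the session.
( PROJECT_ID=example-project-1; ORGANIZATION_ID=123456789012
  NAMESPACE=apono-connector-namespace; APONO_TOKEN=constructed-token
  APONO_CONNECTOR_ID=apono-google-integration
  preflight && printf '%s\n%s\n' "$(sa_email)" "$(wi_member)" )
```

In a real session, source the functions after exporting the step 1 variables and continue only if preflight returns 0.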