Advanced Integration with GCP (Installing on an existing cluster)

Integrate GCP with Apono to manage access within Buckets, GKE clusters, BigQuery, CloudSQL databases and many more

Overview

  • Reduce Over-Privileges - Discover the privileges already granted to GCP roles, groups and services and convert them into on-demand access flows that reduce over-privileging.
  • Self-Service Access - Let your developers request access to GCP services, buckets, instances and more on their own, from Slack.
  • Automated Approval Workflows - Create approval workflows for specific sensitive resources.
  • Restricted Third-Party Access - Grant third parties (customers or vendors) time-limited access to specific buckets, databases or instances, with MFA verification.
  • Review Access - View a detailed access audit of who was granted access to which instances, buckets or other resources in GCP.

Prerequisites

  • A GCP user with owner permissions for the organization
  • Google project to connect to Apono
  • Google Cloud CLI

How to integrate GCP

📘

Option: install on a new cluster (Easy)

This guide installs Apono on an existing cluster. You can follow this guide to install on a new cluster instead.

In Apono

  1. Click on Integrations Catalog
  2. Click on Connect your GCP Account
  3. Copy and save your token

In your local gcloud CLI

Verify that you are already logged in to gcloud.

Install on an existing GKE cluster

Open the gcloud CLI.
Prepare the parameters for the Apono installation.
Fill in and set the values for the following variables (each value goes directly after the = sign):

export APONO_TOKEN=  # The token from your Apono account
export PROJECT_ID=  # Your GCP project ID
export CLUSTER_ENDPOINT=  # The endpoint of the existing GKE cluster
export APONO_CONNECTOR_ID=apono-google-integration  # The connector identifier

Derive the following variables from the project (the organization ID is the first column of the "organization" row in the ancestor list):

export ORGANIZATION_ID=$(gcloud projects get-ancestors "$PROJECT_ID" | grep organization | awk '{print $1}')
export PROJECT_NUMBER=$(gcloud projects list --filter="$PROJECT_ID" --format="value(PROJECT_NUMBER)")

Add permission for Deployment Manager to install Apono
Add the role iam.securityAdmin to your Google APIs Service Agent ([email protected], the account Deployment Manager uses to create resources on your behalf). Because the binding is made at the organization level, the agent can change IAM policy on every project in the organization until the binding is removed:

gcloud organizations add-iam-policy-binding "$ORGANIZATION_ID" --member="serviceAccount:$PROJECT_NUMBER@cloudservices.gserviceaccount.com" --role=roles/iam.securityAdmin

Install

# -f makes curl fail on an HTTP error instead of saving the error page as the template
curl -fsSL https://apono-public.s3.amazonaws.com/gcp/apono-connector-deployment-manager.py --output /tmp/apono-connector-deployment-manager.py && \
gcloud deployment-manager deployments create apono-connector-deployment --template=/tmp/apono-connector-deployment-manager.py --properties=APONO_CONNECTOR_ID:$APONO_CONNECTOR_ID,APONO_TOKEN:$APONO_TOKEN,ORGANIZATION_ID:$ORGANIZATION_ID,CLUSTER_ENDPOINT:$CLUSTER_ENDPOINT --project "$PROJECT_ID"
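Before running the install command, it is worth checking that every variable it interpolates is actually set and well-formed; an empty token or a missed organization ID otherwise surfaces only as a failed deployment. The following pre-flight script is an added example, not part of the Apono documentation or installer; it assumes the same variable names as above and the hypothetical function name apono_build_properties.

```shell
#!/bin/sh
# Added example (not from the Apono docs): validate the variables the
# install step passes to Deployment Manager and print the --properties value.

# Fail if a variable is unset or empty. $1 = name, $2 = value.
require_nonempty() {
  if [ -z "$2" ]; then
    echo "preflight: $1 is empty; set it before installing" >&2
    return 1
  fi
}

# --properties is a comma-separated list of KEY:VALUE pairs, so a comma
# inside a value would be parsed as the start of another pair.
reject_comma() {
  case "$2" in
    *,*) echo "preflight: $1 must not contain a comma" >&2; return 1 ;;
  esac
}

# Organization and project numbers are numeric; this catches a grep/awk
# miss (e.g. a project with no organization ancestor) before the bind step.
require_numeric() {
  case "$2" in
    ''|*[!0-9]*) echo "preflight: $1 must be numeric, got '$2'" >&2; return 1 ;;
  esac
}

# Run every check; on success print the exact --properties value used above.
apono_build_properties() {
  require_nonempty APONO_TOKEN "$APONO_TOKEN" || return 1
  require_nonempty PROJECT_ID "$PROJECT_ID" || return 1
  require_nonempty CLUSTER_ENDPOINT "$CLUSTER_ENDPOINT" || return 1
  require_nonempty APONO_CONNECTOR_ID "$APONO_CONNECTOR_ID" || return 1
  require_numeric ORGANIZATION_ID "$ORGANIZATION_ID" || return 1
  require_numeric PROJECT_NUMBER "$PROJECT_NUMBER" || return 1
  for name in APONO_TOKEN CLUSTER_ENDPOINT APONO_CONNECTOR_ID; do
    eval "val=\$$name"
    reject_comma "$name" "$val" || return 1
  done
  printf 'APONO_CONNECTOR_ID:%s,APONO_TOKEN:%s,ORGANIZATION_ID:%s,CLUSTER_ENDPOINT:%s\n' \
    "$APONO_CONNECTOR_ID" "$APONO_TOKEN" "$ORGANIZATION_ID" "$CLUSTER_ENDPOINT"
}
```

Source the script after setting the exports, then use `--properties="$(apono_build_properties)"` in the deployment command so a failed check stops the install before anything is created.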

The installation process will do the following:

  • Create a service account for the Apono Connector
  • Bind roles to the Apono Connector service account (Security Admin, Secret Accessor)
  • Create a GKE cluster for the connector, if needed
  • Create a Kubernetes deployment for the Apono Connector in the cluster
  • Create a Kubernetes secret for the Apono Connector containing the Docker registry credentials
  • Create a Kubernetes service account for the connector

📘

Advanced (with Helm)

You can choose to install Apono using Helm directly instead. Follow this advanced guide.

👍

Hurray!

You have successfully integrated GCP with Apono. If you would like to use Apono to create Access Flows for resources such as BigQuery, Cloud Storage, CloudSQL and other GCP services, you can connect them to Apono as well: just select them from the Integrations Catalog.