1 of 1

Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

Set the environment variables.
In your shell environment, log in to Google Cloud and enable the API.
Create the service account.
Assign the following roles to the service account.

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Create the service account.
Assign the following roles to the service account.

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster
Connect the GKE cluster.

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.

Bind the IAM Service Account to the GKE Service Account.

Deploy Apono connector on your GKE cluster using Helm Chart.

Installing a GCP connector on GKE using CLI (Helm)

Deploy the Apono connector with Helm

Integrating a cloud account with Apono allows you to sync and manage your resources:

Discover existing privileges and identities
Manage employee and application provisioning to cloud assets and data repositories with delegated approval workflows
Provide granular permissions to customer-sensitive data

This article explains how to set up an Apono connector for Google Cloud with Helm.

Prerequisites

Item

Description

Create an IAM service account

Use the following sections to create an IAM service account user for either your or .

Project

Follow these steps to create a service account for a Google Project:

Set the environment variables.
In your shell environment, log in to Google Cloud and enable the API.
Create the service account.
Assign the following roles to the service account.

Organization

Follow these steps to create a service account for a Google Organization:

In your shell environment, log in to Google Cloud and enable the API.
Set the environment variables.
Create the service account.
Assign the following roles to the service account.

Deploy the connector

Follow these steps to deploy the Apono connector:

Deploy the Apono connector on a GKE cluster.

Create a new GKE cluster
Connect the GKE cluster.

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.

Bind the IAM Service Account to the GKE Service Account.

Deploy Apono connector on your GKE cluster using Helm Chart.

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

Role

Permissions Granted

role/secretmanager.secretAccessor

Access secret versions
Read the secret data

roles/iam.securityAdmin

Manage IAM policies, roles, and service accounts
Set and update IAM policies
Grant, modify, and revoke IAM roles for users and service accounts

roles/browser

List resources within the organization
View metadata

Connect the GKE cluster.

gcloud container clusters get-credentials CLUSTER_NAME --region REGION --project $GCP_PROJECT_ID

Verify the GKE cluster is selected as the default cluster. The default cluster is denoted with \*.
```
kubectl get-contexts
```

Account-specific Apono authentication value Use the following steps to obtain your token:

On the Connectors page, click Install Connector. The Install Connector page appears.
Click Cloud installation.
Click Cloud installation > GCP > Install and Connect GCP Project > CLI (Cloud Run).
Copy the token listed on the page in step 1.

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=2Gi \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=2Gi \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

helm install apono-connector apono-connector --repo https://apono-io.github.io/apono-helm-charts \
    --set resources.limits.cpu=1 \
    --set resources.limits.memory=2Gi \
    --set resources.requests.cpu=1 \
    --set resources.requests.memory=2Gi \
    --set-string apono.token=$APONO_TOKEN \
    --set-string apono.connectorId=$APONO_CONNECTOR_ID \
    --set-string serviceAccount.gcpServiceAccountEmail=$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com \
    --namespace $NAMESPACE \
    --create-namespace

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor" \
    --project $GCP_PROJECT_ID

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin" \
    --project $GCP_PROJECT_ID

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/secretmanager.secretAccessor"

gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/iam.securityAdmin"
    
gcloud organizations add-iam-policy-binding $GCP_ORGANIZATION_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT_NAME@$GCP_PROJECT_ID.iam.gserviceaccount.com" \
    --role="roles/browser"

Installing a GCP connector on GKE using CLI (Helm)

hashtagPrerequisites

hashtagCreate an IAM service account

hashtagProject

hashtagOrganization

hashtagDeploy the connector

Installing a GCP connector on GKE using CLI (Helm)

hashtagPrerequisites

hashtagCreate an IAM service account

hashtagProject

hashtagOrganization

hashtagDeploy the connector

Prerequisites

Create an IAM service account

Project

Organization

Deploy the connector

Prerequisites

Create an IAM service account

Project

Organization

Deploy the connector