Skip to main content

Capabilities

ResourceSyncProvision
Accounts
Groups
Folders
Roles
Projects
Organizations
Workforce Identity pools*
Workforce Identity pool providers*
Secrets - API keys
Secrets - Service account keys
*Workforce Identity Federation support is optional and must be configured when you set up the connector. This connector can sync secrets and display them on the Inventory page.

Gather Google Cloud Platform with Google Workspace credentials

Configuring the connector requires you to pass in credentials generated in Google Cloud Platform with Google Workspace. Gather these credentials before you move on.
A user with the Super Admin role in Google Cloud Platform with Google Workspace must perform this task.

Create a new project

1
As a Google Cloud Platform with Google Workspace Super Admin, sign in to https://console.cloud.google.com.
2
In the toolbar, click the project select dropdown, and click NEW PROJECT.
3
Create a new project for your organization:
  • Project Name: Choose a names, such as “ConductorOne Integration”
  • Organization/Location: Choose the appropriate Organization/Location
4
After the project is created, make sure the correct project is selected in the dropdown at the top.

Enable the API

1
In the navigation menu, navigate to > APIs & Services > Library.
2
Search for and select the Admin SDK API.
3
Click Enable.

Create a service account

1
In the navigation menu, navigate to > APIs & Services > Credentials.
2
Select CREATE CREDENTIALS > Service Account.
3
Under Service account details, fill in the following:
  • Service account name: ConductorOne Integration
  • Service account description: for example, “Service account for ConductorOne Google Cloud Platform with Google Workspace Integration”
Click CREATE AND CONTINUE.
4
Under Grant this service account access to a project, grant the following permissions to either the Editor role or a custom role on the org level, and assign that role to the service account:
5
You’ll need these permissions to give ConductorOne READ access (syncing access data):
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
You’ll need these permissions to give ConductorOne READ/WRITE access (syncing access data and provisioning access):
cloudasset.assets.analyzeIamPolicy
cloudasset.assets.searchAllIamPolicies
cloudasset.assets.searchAllResources
iam.roles.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
6
Leave Grant users access to this service account blank.
7
Click DONE.

Get credentials

1
Navigate back to APIs & Services > Credentials and select the service account you just created.
2
Click the service account’s email address. Locate and save the Unique ID.
3
On the Service Account Details Page, click KEYS.
4
Click ADD KEY > Create new key.
5
Choose JSON and click CREATE. The new key is created and downloaded to your computer.
6
Keep the downloaded file safe, you’ll use it to set up the connector.

Add the service account to Google Cloud Platform with Google Workspace

1
Go to https://admin.google.com as a SUPER ADMIN.
2
In the navigation menu, select Security > Access and data control > API Controls.
3
Click MANAGE DOMAIN WIDE DELEGATION.
4
Click Add new and fill out the form:
  • Client ID: The saved ID
  • OAuth Scopes: Copy and paste in the relevant scopes
    • Use the following scopes to give ConductorOne READ access (syncing access data): 
      https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
    • Use the following scopes to give ConductorOne READ/WRITE access (syncing access data and provisioning access): 
      https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
5
Click AUTHORIZE.
6
In the navigation menu, select Account > Account Settings.
7
Copy and save the Customer ID from this page.

Locate your primary domain

1
In the navigation panel on the left, click Account > Domains.
2
Click Manage Domains. Locate and copy the domain labeled as the Primary Domain in the Type column.
That’s it! Next, move on to the connector configuration instructions.

Configure the Google Cloud Platform with Google Workspace connector

To complete this task, you’ll need:
  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Google Cloud Platform with Google Workspace credentials generated by following the instructions above
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.
1
In ConductorOne, navigate to Admin > Connectors and click Add connector.
2
Search for Google Cloud Platform with Google Workspace and click Add.
3
Choose how to set up the new Google Cloud Platform with Google Workspace connector:
  • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
  • Add the connector to a managed app (select from the list of existing managed apps)
  • Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
In the Customer ID field, enter the customer ID.
8
In the Domain field, enter the primary domain.
9
In the Administrator email field, enter the email address associated with your domain or a super admin.
10
In the Credentials (JSON) area, click Choose file and upload the file.
11
Optional. Check the box if you want to skip syncing Google Cloud Platform system accounts.
12
Optional. Uncheck the box (which is checked by default) if you want to sync Google Cloud Platform default projects.
13
Optional. In the Project IDs field, enter a list of project IDs to limit the connector’s sync to only those projects. Be sure to enter project IDs, not project names.
14
Optional. Check the box to Enable Workforce Identity Federation, which allows the connector to sync Workforce Identity pools and pool providers.
  • If you want the connector to provision Workforce Identity pools, enter the relevant Workforce Identity Pool ID and Workforce Identity Pool Provider ID in the relevant fields.
15
By default, the connector only syncs roles that are assigned to an IAM policy. These settings allow you to configure the connector to sync roles regardless of their IAM policy status.
  1. Optional. Check the box to Always sync custom roles.
  2. Optional. In the List of role IDs to always sync field, enter a list of role IDs that should be synced. Be sure to enter role IDs, not role names.
16
Click Save.
17
If enabling Workforce Identity Federation, complete these additional steps:
  1. In the Shared identity source area of the page, click Edit.
  2. Select the connector from which you want to pull identities.
  3. Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
  4. Click Save.
18
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your Google Cloud Platform with Google Workspace connector is now pulling access data into ConductorOne.