GCP Directory Support
Beginning with 22.4.2, InsightCloudSec has expanded our support for GCP Directory to harvest and display expanded IAM data via GCP's Domain-wide Delegation functionality.
By enabling Domain-wide Delegation in the GCP Console and configuring the service account ID email within InsightCloudSec, you can gain access to additional data from GCP including MFA Status, Group associations, last login, etc., for two existing InsightCloudSec resource types:
Scopes that are included with this data are as follows:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.member
Configuring Domain-wide Delegation for Existing GCP Accounts (Steps in GCP)
Within your GCP Console (e.g., https://console.cloud.google.com) you will need to locate the service account associated with your InsightCloudSec installation and ensure that you enable the Domain-wide Delegation feature. Steps to validate/enable this capability within GCP's console are as follows:
Locate Your Service Account Client ID
1. Search for and open the "IAM & Admin" portion of the GCP Console.
2. Locate and open the "Service Accounts" section on the IAM page navigation.
3. Open to view the details of your InsightCloudSec configured service account.
4. Scroll to advanced settings and locate "Domain-wide Delegation".
5. Click to copy the "Client ID" for your Service account.
Sample Service Account - Domain-wide Delegation Client ID
- Under Client ID, click on the "View Google Workspace Admin Console" and move to the next section of steps.
Validate/Enable Domain-wide Delegation
From the Google Workspace Admin view (which you can launch from the IAM & Admin page referenced in the previous steps):
1. Navigate to "Security --> Overview".
2. Scroll to "API Controls" and click to expand.
3. Under API Controls scroll to locate "Domain-wide Delegation" and click "Manage Domain Wide Delegation".
4-a. Now you will either need to search for and confirm that the Client ID you copied from your service account already exists, or:
4-b. Click "Add new" and add the Client ID to specify the service account you want to configure for Domain-wide delegation.
Note: If you are adding a new Client ID you will also need to specify the following scopes:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.member
Validate/Copy Email for Domain-wide Delegation Configuration
From the Google Workspace Admin view:
1. Navigate to "Directory --> Users".
2. Filter for Admin Role and select "Super Admin" to narrow the list of user accounts.
3. Identify the email for the account you want to use to specify for Domain-wide Delegation.
- Save this email in a safe place, you will be using this address in the setup steps within InsightCloudSec.
Configuring Delegation for GCP Accounts (Steps in InsightCloudSec)
Adding Domain-Wide Delegation for an Existing GCP Account
Enable Domain-wide delegation for customers with existing GCP Cloud Accounts with the following steps.
1. Navigate to "Cloud --> Clouds" and open the Organizations tab.
- Alternatively you can identify and select an individual GCP Cloud Account from the Listings tab and edit the settings for each individual GCP Cloud account (the field is the same "Email Delegation").
2. Select "Edit" for the GCP Organization you want to modify.
3. Click the "unlock" button next to "Credentials for harvesting Organization data" to make the form editable.
4. Scroll to the "Email Delegation (Optional)" field and update with the email address of your desired account.
- Note that the email address provided must be from an appropriately configured GCP Super-Admin from the correct Service Organization to ensure that the data can pass from the GCP Console to InsightCloudSec
Example GCP Organization - Email Delegation option
5. Click "Update" to finalize the changes.
Adding Domain-Wide Delegation for a New GCP Account
Adding Domain-Wide Delegation for a New GCP Cloud Account follows the currently documented steps for onboarding. Users will simply need to populate the Email Delegation field with an appropriately permissioned GCP administrator as identified above.
Email Delegation field
Check out our Projects (GCP) or Organizations (GCP) GCP documentation for detailed instructions for onboarding new GCP Cloud Accounts.
Viewing GCP Directory Data
Once configured and harvested the additional GCP Directory Data available through Domain-wide Delegation will be visible under "Resource --> Resources" on the Identity Management tab for both Cloud Domain Group and Cloud Domain User (shown below).
GCP Directory Enhanced Data Example - Cloud Domain User
Updated 10 days ago