Google Cloud Platform (GCP) - Service Account
This topic describes the Google Cloud Platform (GCP) Service account plugin.
Prerequisites
This plugin requires .NET Framework 4.8. If you are using an older version of the CPM, .NET Framework 4.8 must be installed on the CPM machine as well.
Support
Target devices
The CPM supports remote account management for Google Cloud Platform (GCP) service account keys on the following target devices:
- Google Cloud Platform (GCP)
Accounts
The CPM supports account management for the following accounts:
- Service Account Keys
Platforms
In the PVWA Platform Management page, make sure that the following target account platform is displayed:
- Google Cloud Platform (GCP) - Service Account
Connection methods
This plugin supports the following connection methods to the remote machine:
- Rest API
Actions
The following table lists the supported password/SSH key management actions for this platform.
Action | Supported | Permissions
---|---|---
Verify | Yes | N/A
Change | Yes | List, Create, Delete keys
Reconcile | Yes | List, Create, Delete keys
Delete | No | N/A
Change account
Action | Supported | Required | Platform | Permissions
---|---|---|---|---
Change | Yes | No | Google Cloud Platform (GCP) - Service Account | List, create, delete keys
Reconcile account
Action | Supported | Required | Platform | Permissions
---|---|---|---|---
Reconcile | Yes | Yes | Google Cloud Platform (GCP) - Service Account | List, create, delete keys
Create a Service account and set the account's password in the GCP console
- In the GCP console, with the relevant project selected, search for and select IAM & Admin.
- In the IAM & Admin page, from the Navigation pane, select Service Accounts.
- On the Service Accounts page, click Create Service Account, enter a name and description for the Service account, and then click Create.
- In the Grant this service account access to project section, search for and select the Service Account Key Admin role, and then click Continue.
  This role specifically allows the Service account to manage credentials in its environment, which is a best practice.
- Click Done.
- On the Service Accounts page, select the new Service account that you just created.
- Select the Keys tab, click the Add Key drop-down, and then select Create new key.
- In the Create private key for <service account name> pop-up, select JSON, and then click Create.
  The JSON file containing the private key is downloaded.
- Save the JSON key file in a secure location, and open it in Notepad++.
  This file is used to grant the Service account Domain-Wide Delegation in the next step.
Add the GCP Service account in the PVWA
Make sure that you have created the GCP Service account, and have the JSON file available with the Service account key content. For more information, see Create a Service account and set the account's password in the GCP console.
- In the PVWA Account page, click Add account, and select the system type, platform, and Safe.
- In the Define account properties page, set the following parameters:

Parameter | Definition
---|---
Client Email | Use the value of the client_email property from the JSON key file.
Password | Copy and paste the entire contents of the JSON key file. Make sure to include the opening and closing braces { }.
Key ID | Use the value of the private_key_id property from the JSON key file.
Populate key | Select Yes.
Impersonate User | Enter the username of the Google account for Logon and Reconcile accounts. For more information, see Google Cloud Platform (GCP) - Service Account.

For more information about the above parameters, see GCP Service account parameters.
- Click Add.
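The Client Email, Key ID and Password properties above are taken directly from the downloaded JSON key file, and the Change and Reconcile actions in the Actions table are a list, create and delete sequence over the account's keys. The following Python is an added example, not CyberArk's plugin code: it validates a key file and derives those PVWA properties from it, then works out which keys a rotation would retire from an IAM keys.list response. The SAMPLE_KEY_JSON contents, the SAMPLE_KEY_LIST entries and the "retire every other user-managed key" rule are assumptions for illustration.

```python
import json
# Fields a GCP service account key file must carry for onboarding.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")
# Constructed sample key file (placeholder private key, not a real credential).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cpm-rotator@example-project.iam.gserviceaccount.com",
})

def pvwa_properties(key_file_text: str) -> dict:
    """Validate the key file and map it onto the PVWA account properties."""
    data = json.loads(key_file_text)  # a truncated paste (missing braces) fails here
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if data["type"] != "service_account":
        raise ValueError("type is not service_account")
    if not data["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM block")
    return {"Client Email": data["client_email"],  # PVWA Username
            "Key ID": data["private_key_id"],      # PVWA KeyID
            "Password": key_file_text,             # whole JSON, braces included
            "Populate key": "Yes"}

def is_complete_paste(key_file_text: str) -> bool:
    """True when the Password value is a whole, well-formed key file."""
    try:
        pvwa_properties(key_file_text)
        return True
    except ValueError:
        return False

# Constructed entries in the shape of an IAM serviceAccounts.keys.list response.
SA = "projects/-/serviceAccounts/cpm-rotator@example-project.iam.gserviceaccount.com"
SAMPLE_KEY_LIST = [
    {"name": f"{SA}/keys/oldkey1", "keyType": "USER_MANAGED"},
    {"name": f"{SA}/keys/sysmanaged", "keyType": "SYSTEM_MANAGED"},
    {"name": f"{SA}/keys/newkey", "keyType": "USER_MANAGED"},
]

def keys_to_delete(listed_keys: list, new_key_id: str) -> list:
    """Key ids a rotation retires once the new key is in place. Assumed policy:
    every other USER_MANAGED key; SYSTEM_MANAGED keys cannot be deleted."""
    return [k["name"].rsplit("/keys/", 1)[1] for k in listed_keys
            if k.get("keyType") == "USER_MANAGED"
            and k["name"].rsplit("/keys/", 1)[1] != new_key_id]
```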
Import platform
This procedure is relevant if the platform is not included in the installation.
- Add the following file categories, if they do not already exist:

Parameter | Description
---|---
KeyID | Type: Text. Required: No. Valid value: None
PopulateKey | Type: Text. Required: No. Valid value: None
GCP Service account parameters
Platform parameters
Parameter | Description
---|---
PopulateKey | Indicates whether to populate the key if it does not exist on reconcile. Required: Yes. Valid values: Yes/No. Default value: Yes
ImpersonateUser | The name of the user with user management permissions that the plugin uses for connecting and managing account passwords for the GCP Account Management plugin. Default value: None
Account parameters
Parameter | Description
---|---
Username | The Client Email identifying the service account. Required: Yes. Valid value: Valid email address
KeyID | The ID of the key. Required: Yes. Valid value: Alphanumeric string
Key | The JSON value of the key generated in GCP. Required: Yes. Valid value: Valid JSON service account key
PopulateKey | Indicates whether to populate the key if it does not exist on reconcile. Required: No. Valid values: Yes/No. Default value: PopulateKey as set in the platform. If no value is set, the default is Yes.
Password | The GCP Service account key with permissions to authenticate and manage Google users. Valid values: Yes/No. Default value: No
ImpersonateUser | The name of the user with user management permissions that the plugin uses for connecting and managing account passwords for the GCP Account Management plugin. Default value: None