Google Cloud Platform (GCP) - Account management plugin

This topic describes the Google Cloud Platform (GCP) Account management plugin and how to set up and configure the plugin.

Prerequisites

  • .NET Framework 4.8 must be installed on the CPM machine.

  • This plugin requires version 12.2 or later of the Google Cloud Platform (GCP) - Service Account platform. That version introduced the optional ImpersonateUser parameter; if the parameter is not displayed, reimport the latest version of the platform.

Support

Target devices

The CPM supports remote account management on the following target devices:

  • Google Cloud Platform (GCP)

Accounts

The CPM supports account management with MFA for the following accounts:

  • Google user accounts in any role, managed in the Google Admin console

Platforms

In the Privilege Cloud Portal Platform Management page, make sure that the following target account platform is displayed:

  • Google Cloud Platform (GCP) - Google Account

Actions

The following table lists the supported password management actions for this platform:

  Action     Supported  Permissions
  Verify     No         N/A
  Change     Yes        The account that performs this action is the Logon account. See Logon account permissions below.
  Reconcile  Yes        The account that performs this action is the Reconcile account. See Reconcile account permissions below.
  Delete     No         N/A

Logon account

  Action   Supported  Required  Platform
  Change   Yes        Yes       Google Cloud Platform (GCP) - Service Account

Permissions: The Impersonate User is a property of the Logon account. The user defined as the Impersonate User must hold an admin role that matches the target account:

  • If the target account holds no admin role, the Logon account's Impersonate User must hold the User Management Admin role or higher, for example, Super Admin.

  • If the target account itself holds an admin role, the Logon account's Impersonate User must hold the Super Admin role. A User Management Admin cannot change the password of another admin.

Reconcile account

  Action     Supported  Required  Platform
  Reconcile  Yes        Yes       Google Cloud Platform (GCP) - Service Account

Permissions: The Impersonate User is a property of the Reconcile account. The user defined as the Impersonate User must hold an admin role that matches the target account:

  • If the target account holds no admin role, the Reconcile account's Impersonate User must hold the User Management Admin role or higher, for example, Super Admin.

  • If the target account itself holds an admin role, the Reconcile account's Impersonate User must hold the Super Admin role. A User Management Admin cannot change the password of another admin.

Set up the GCP accounts in the Google Cloud Console

Step 1: Enable Google Admin SDK API functionality

  1. In the GCP console, select the relevant project.

  2. Select APIs & Services > Library.

  3. Search for and select the Admin SDK API, and then click Enable.

    The Admin SDK API (Directory API) is the interface the plugin calls, acting as the delegated administrative user, to set the passwords of the managed Google accounts. If it is not enabled in the project that owns the Service account, every Change and Reconcile fails.

Step 2: Create a Service account and set the account's password in the GCP console

  1. In the GCP console, with the relevant project selected, search for and select IAM & Admin.

  2. In the IAM & Admin page, from the Navigation pane, select Service Accounts.

  3. On the Service Accounts page, click Create Service Account, enter a name and description for the Service account, and then click Create.

  4. In the Grant this service account access to project section, search for and select the Service Account Key Admin role, and then click Continue.

    This role is limited to managing service account keys in the project. Granting only this role, rather than a broad project role such as Editor or Owner, keeps the Service account's GCP permissions minimal. The permission to manage Google Workspace users does not come from this role; it comes from the domain-wide delegation granted in Step 3.

  5. Click Done.

  6. On the Service Accounts page, select the new Service account that you just created.

  7. Select the Keys tab, click the Add Key drop-down, and then select Create new key.

  8. In the Create private key for <service account name> pop-up, select JSON, and then click Create.

    The JSON file containing the private key is downloaded.

  9. Save the JSON key file in a secure location, and open it in a text editor such as Notepad++.

    This file is used to grant the Service account domain-wide delegation in the next step, and later it is stored in Privilege Cloud as the Service account's password. It contains the Service account's private key: together with the Impersonate User's name, it is sufficient to act as that admin against the Directory API, so restrict access to it and remove local copies once the account is onboarded.

Step 3: Grant the GCP Service account Domain-wide delegation to use the Google Cloud API

  1. In the Google Admin console, from the Navigation pane, select Security > API controls.

  2. On the API controls page, in the Domain wide delegation section, click Manage Domain Wide Delegation, and then click Add new.

  3. In the Add a new client ID pop-up, enter the following information:

    Client ID     Use the value of the client_id property from the JSON key file that was generated and downloaded in the previous step (the numeric ID, not the client_email).

    OAuth scopes  https://www.googleapis.com/auth/admin.directory.user

    This is the only scope the plugin needs; do not grant additional scopes to this client ID.

  4. Click Authorize.

    The Service account's Client ID and scope appear in the Domain-wide Delegation list.

Step 4: Create the Google account for Logon and Reconcile account functionality

This account is used as the ImpersonateUser property of the Logon or Reconcile account. For more information, see Platform parameter - GCP Service account (Logon and Reconcile account).

  1. In the Google Admin console, from the Navigation pane, select Directory > Users.

  2. On the Users page, do one of the following:

    • Create a new user to serve as the Impersonate User

      1. Click Add new user, and enter the information for the account.

      2. Click Add New User.

      3. Click Done, and then assign the new user the User Management Admin or Super Admin role, as described in the next option. Without one of these roles the Change and Reconcile actions fail, because the impersonated user is not allowed to update other users.

    • Assign the User Management Admin or Super Admin role to an existing user

      1. Select the relevant user.

      2. Expand the Admin roles and privileges area, and click Assign Roles.

      3. For the Super Admin role or the User Management Admin role, click Assigned, and then click Save.

Step 5: Create the Google account user for the GCP target account

  1. In the Google Admin console, from the Navigation pane, select Directory > Users.

  2. On the Users page, click Add new user, and enter the information for the target account.

  3. Click Add New User, and then click Done.

Set up the GCP Account management plugin in the Privilege Cloud Portal

Step 1: Import and install the GCP Account management platform


The GCP Account management platform is included in the CPM installation and should already appear in the Privilege Cloud Portal.

Perform this step only if you downloaded the GCP Account management plugin from the CyberArk Marketplace.

The GCPGoogleAccount.zip file contains the following two packages:

  Package                            Contents
  Plugin.GCPGoogleAccountConfigOnly  Platform policy files
  Plugin.GCPGoogleAccount            Plugin .dll file

To import and install the GCP Account management platform:

  1. Unzip GCPGoogleAccount.zip, and then unzip the two zip files it contains.

  2. In the Privilege Cloud Portal, import the GCP Account management platform. For more information, see Import a platform.

  3. On the CPM server, go to the CPM bin folder, and create a new folder called GCPGoogleAccount.

  4. Copy the following .dll file from the GCPGoogleAccount zip folder to the new folder that you created on the CPM server, GCPGoogleAccount:

    • CyberArk.Extensions.Plugin.GCPGoogleAccount.dll

    The platform is imported and installed.

Step 2: Add the GCP Service account in the Privilege Cloud Portal

Make sure that you have created the GCP Service account, and have the JSON file available with the Service account key content. For more information, see Create a Service account and set the account's password in the GCP console.

  1. In the Privilege Cloud Portal Account page, click Add account, and select the system type, platform, and Safe.

  2. In the Define account properties page, set the following parameters:

    Client Email      Use the value of the client_email property from the JSON key file.

    Password          Paste the entire contents of the JSON key file, including the opening and closing braces { }.

    Key ID            Use the value of the private_key_id property from the JSON key file.

    Populate key      Select Yes.

    Impersonate User  Enter the username (email address) of the Google account for Logon and Reconcile accounts that you created in Step 4, Create the Google account for Logon and Reconcile account functionality.

    For more information about the above parameters, see GCP Service account parameters.

  3. Click Add.

Step 3: Add the GCP target account in the Privilege Cloud Portal

  1. In the Privilege Cloud Portal Account page, click Add account, and select the system type, platform, and Safe.

  2. In the Define account properties page, enter the email and password of the GCP target account user that you created in Step 5 Create the Google account user for the GCP target account above.

  3. Click Add.
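The following script is an added example, not CyberArk's plugin code (the plugin itself is a .NET assembly). It shows what the settings entered in the steps above do at the protocol level: the JSON key pasted into the Password field is validated, its client_id is the value authorized under domain-wide delegation, and the ImpersonateUser becomes the `sub` claim of the OAuth 2.0 JWT-bearer assertion that Google exchanges for an access token scoped to admin.directory.user; the password change itself is a Directory API users.update call. The key file, user names and password are constructed samples with a placeholder private key, so nothing is sent to Google and the signing step is only performed on a real key.

```python
"""Walk-through of the domain-wide-delegation flow the GCP plugin depends on.

Added example, not CyberArk's plugin code. Standard library only; the key file
below is a constructed sample with a placeholder private key, so no request is
ever sent and the RS256 signing step is only performed on a real key.
"""
import base64
import json
import time

ADMIN_USER_SCOPE = "https://www.googleapis.com/auth/admin.directory.user"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DIRECTORY_USERS = "https://admin.googleapis.com/admin/directory/v1/users"
REQUIRED_FIELDS = ("type", "private_key_id", "private_key", "client_email", "client_id")

# Constructed sample in the layout Google downloads in Step 2 (all values are fake).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cpm-gcp@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": TOKEN_ENDPOINT,
})


def load_key_file(text):
    """Validate the key JSON as it is pasted into the Password field: it must be the
    whole object (braces included) and carry the fields the form and the flow use."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("paste the entire JSON key file, including the { } braces")
    key = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("not a service account key file")
    return key


def privilege_cloud_fields(key):
    """Key-file properties that are copied into the Privilege Cloud account properties."""
    return {"Client Email": key["client_email"], "Key ID": key["private_key_id"]}


def delegation_client_id(key):
    """The numeric client_id is what gets authorized under Domain-wide Delegation."""
    return key["client_id"]


def assertion_claims(key, impersonate_user, now=None, lifetime=3600):
    """Claim set of the JWT-bearer assertion. `iss` is the service account, `sub` is
    the ImpersonateUser. Google honours `sub` only if the client_id is delegated for
    the requested scope, and the Directory API then applies the impersonated admin's
    role (User Management Admin or Super Admin) to the target user."""
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],
        "sub": impersonate_user,
        "scope": ADMIN_USER_SCOPE,
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def signing_input(claims):
    """The header.payload segments; the RS256 signature over this string, made with
    the key file's private_key, becomes the third segment of the JWT."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )


def sign_assertion(key, claims):
    """Produce the signed JWT. Needs the `cryptography` package and a real private
    key, so it is not exercised with the placeholder sample above."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    private_key = serialization.load_pem_private_key(key["private_key"].encode(), password=None)
    unsigned = signing_input(claims)
    signature = private_key.sign(unsigned.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return unsigned + "." + _b64url(signature)


def token_request(signed_jwt):
    """Form body POSTed to the token endpoint; the response carries the access token."""
    return {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": signed_jwt}


def change_password_request(target_user, new_password):
    """Directory API call behind a Change/Reconcile on the target Google account."""
    return {
        "method": "PUT",
        "url": f"{DIRECTORY_USERS}/{target_user}",
        "body": {"password": new_password, "changePasswordAtNextLogin": False},
    }


if __name__ == "__main__":
    key = load_key_file(SAMPLE_KEY_JSON)
    print("Domain-wide delegation client ID:", delegation_client_id(key))
    print("Privilege Cloud fields:", privilege_cloud_fields(key))
    claims = assertion_claims(key, "cpm-admin@example.com")
    print("Assertion claims:", json.dumps(claims, indent=2))
    print("Change request:", change_password_request("target@example.com", "<new password>"))
```

Running it against a real key file (calling sign_assertion, posting token_request to the token endpoint, and then issuing change_password_request with the returned bearer token) is a quick way to confirm, outside the CPM, that the delegation, scope and Impersonate User role are correct: a missing delegation entry or wrong scope fails at the token exchange, while an Impersonate User with insufficient role fails at the Directory API call.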

Platform settings

Platform parameters - GCP Account Management target account

Parameter

Description

ProxyAddress

The address of the web proxy through which the plugin sends API requests to Google APIs.

When this parameter is defined, all requests are directed through that web proxy; otherwise, the API requests are sent directly to Google APIs.

Default value: None

BypassProxyOnLocal

Controls whether or not requests to local Internet resources use the proxy server.

When this parameter is set to Yes, requests to local Internet resources do not use the proxy server.

When this parameter is set to No, all Internet requests are made through the proxy server.

Valid values: Yes/No

Default value: No

Platform parameter - GCP Service account (Logon and Reconcile account)

Parameter

Description

ImpersonateUser

The name of the user with user management permissions that the plugin uses for connecting and managing account passwords for the GCP Account Management plugin.

Required: Yes - must be defined in either the platform level or the account level

Default value: None

Account settings

Account parameter - GCP target account

Parameter

Description

Username

The user name for the GCP target account.

Required: Yes

Default value: None

Account parameters - GCP Service (Logon/Reconcile) account

Parameter

Description

Password

The GCP Service account key with permissions to authenticate and manage Google users.

Required: Yes

Default value: None

ImpersonateUser

The name of the user with user management permissions that the plugin uses for connecting and managing account passwords for the GCP Account Management plugin.

Required: Yes - must be defined in either the platform level or the account level

Default value: None

