GCP Directory Support
This page has moved
For up-to-date information about GCP Configuration options, go to GCP Additional Configuration.
InsightCloudSec includes support for GCP Directory, which harvests and displays expanded IAM data via GCP's Domain-wide Delegation functionality. By enabling Domain-wide Delegation in the GCP Console and configuring the delegated account's email address within InsightCloudSec, you gain access to additional data from GCP, including MFA status, group associations, and last login, for two existing InsightCloudSec resource types: Cloud Domain User and Cloud Domain Group.
The scopes that must be granted to the service account's Client ID for this data are as follows:
- https://www.googleapis.com/auth/admin.directory.user
- https://www.googleapis.com/auth/admin.directory.group
- https://www.googleapis.com/auth/admin.directory.group.member
Configuring Domain-wide Delegation for Existing GCP Accounts in GCP
Within your GCP Console (e.g., https://console.cloud.google.com), locate the service account associated with your InsightCloudSec installation and enable the Domain-wide Delegation feature for it.
- Copy the Service Account Client ID.
  - Go to IAM & Admin > Service Accounts and select the newly configured service account.
  - In the Advanced Settings section, under Domain-wide Delegation, copy the Client ID for your service account.
  - Under Client ID, click View Google Workspace Admin Console.
- Validate and enable Domain-wide Delegation.
  - In the Google Workspace Admin Console, go to Security > Overview and expand API Controls.
  - Under Domain-wide Delegation, click Manage Domain Wide Delegation.
  - Then do one of the following:
    - Search for and confirm that the Client ID you copied from your service account already exists, and verify that it has the three scopes listed above.
    - Click Add new and enter the Client ID to specify the service account you want to configure for Domain-wide Delegation, then add the three scopes listed above.
- Specify an email address for Domain-wide Delegation.
  - Go to Directory > Users.
  - Filter for Admin Role and select Super Admin to narrow the list of user accounts.
  - Identify the email address of the account you want to use for Domain-wide Delegation. The address must belong to an appropriately configured GCP Super Admin in the correct Service Organization so that the data can pass from the GCP Console to InsightCloudSec.
  - Save this email address in a safe place; you will use it in the setup steps within InsightCloudSec.
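The procedure above leaves two things a practitioner usually wants to confirm before moving on: that the Client ID carries exactly the three scopes the page lists (no fewer, so harvesting works; no more, so the delegated identity is not granted access the integration never uses), and that impersonating the chosen Super Admin actually succeeds against the Directory API. The following script is an added example written for this page, not InsightCloudSec documentation or product code. The scope check is pure and runs offline on text pasted from the Workspace Admin Console; the live probe assumes the `google-auth` package, a service account key file path and a delegate address that are placeholders, and the Admin SDK Directory `users.list` endpoint.

```python
"""Offline check of a Domain-wide Delegation scope list, plus an optional
live probe of the Directory API using the delegated Super Admin identity.

Added example; not part of the InsightCloudSec documentation or product.
The key file path and delegate address used at the bottom are placeholders.
"""
from __future__ import annotations

import sys

# The three scopes the page lists for the InsightCloudSec Client ID.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.group.member",
})


def parse_scope_field(field: str) -> list[str]:
    """Split the scope text as pasted from the Workspace Admin Console.

    The console stores a comma-separated list, but operators also paste one
    scope per line or with stray spaces, so commas, newlines and blanks are
    all treated as separators.
    """
    return [s for s in field.replace(",", " ").split() if s]


def check_delegation_scopes(configured: list[str]) -> dict[str, list[str]]:
    """Compare the configured scopes against REQUIRED_SCOPES.

    'missing' lists scopes still absent (harvesting of that data will fail);
    'extra' lists scopes granted beyond the page's list (access the
    integration does not need and that should be removed).
    """
    present = set(configured)
    return {
        "missing": sorted(REQUIRED_SCOPES - present),
        "extra": sorted(present - REQUIRED_SCOPES),
    }


def probe_directory_api(key_file: str, delegate_email: str) -> int:
    """Live check that delegation works: impersonate the Super Admin and
    list a single user. Needs the google-auth package and network access,
    so the imports are lazy and nothing here runs on import. Returns the
    HTTP status code (200 means the delegation is usable)."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=sorted(REQUIRED_SCOPES)
    ).with_subject(delegate_email)  # the "Email Delegation" address
    session = AuthorizedSession(creds)
    resp = session.get(
        "https://admin.googleapis.com/admin/directory/v1/users",
        params={"customer": "my_customer", "maxResults": 1},
    )
    return resp.status_code


if __name__ == "__main__":
    # Constructed sample: an entry that is both incomplete and over-scoped.
    pasted = """https://www.googleapis.com/auth/admin.directory.user,
    https://www.googleapis.com/auth/admin.directory.group,
    https://www.googleapis.com/auth/cloud-platform"""
    report = check_delegation_scopes(parse_scope_field(pasted))
    print("missing:", report["missing"])
    print("extra:  ", report["extra"])
    # Optional live probe: python check_dwd.py <key.json> <superadmin@example.com>
    if len(sys.argv) == 3:
        print("Directory API status:", probe_directory_api(sys.argv[1], sys.argv[2]))
```

Because the delegated subject is a Super Admin, the service account key used by the probe is as sensitive as that admin's own credentials; keep it wherever the InsightCloudSec harvesting credentials already live and treat any additional scope the check reports as something to remove rather than tolerate.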
Configuring delegation for GCP accounts in InsightCloudSec
You can configure delegation for existing or new GCP accounts in InsightCloudSec.
- In InsightCloudSec, go to Cloud > Clouds and open the Organizations tab.
- Select Edit for the GCP Organization you want to modify.
- Click the unlock button next to Credentials for harvesting Organization data to make the form editable.
- Scroll to the Email Delegation (Optional) field and enter the email address of your desired account. The address must belong to an appropriately configured GCP Super Admin in the correct Service Organization so that the data can pass from the GCP Console to InsightCloudSec.
- Click Update to finalize the changes.
Viewing GCP Directory Data
Once configured and harvested, the additional GCP Directory data available through Domain-wide Delegation is visible under Inventory > Resources on the Identity and Management tab for both Cloud Domain Group and Cloud Domain User.