Overview
This guide explains how to integrate Google Cloud Platform (GCP) with Axiom Security.
Prerequisites
Before proceeding, ensure the Axiom - Google Workspace integration is completed. Refer to the guide here.
Make sure to have 'Owner' access.
Supported Capabilities
Capability type | Access level | What | For who |
Assign (Provision) | Role | Folder -> Project |
|
Unassign (Deprovision) | Role | Project -> Folder |
|
Scopes
The integration supports the following scopes:
Organization
Project
Folder
Integration Setup
1. Configure a Service Account in GCP
1.1 Create a Service Account
Create a new service account or use the one configured for the Google Workspace integration. Follow this guide.
Note: make sure to enable the following APIs (in the API Controls section):
Cloud Resource Manager API
Identity and Access Management (IAM) API
How to verify this step:
Go to the GCP console and ensure the project is created and selected:
In the left-side navigation menu, select Go to APIs & Services > Enabled APIs & Services -> 'Enabled APIs and services':
Verify that the required APIs are listed:
Ensure that the service account is created: In the left-side navigation menu, select 'IAM and Admin' > 'Service accounts':
1.2 Downloaded the service account private key file (json) - you will use it in the Axiom console to complete the integration (section 4.4 below).
1.2 Download the Service Account Private Key
Download the private key file (JSON format), which is required for Axiom setup.
2. Create a Custom Role
Option 1: Create a Custom Role using the GCP console:
Important! Make sure to create the custom role on the organization level (and not the project level)
1. Go to 'IAM and admin' > 'Roles'
2. Click on 'Create Role':
3. Define the following:
Title: e.g. Axiom integration role
Description: e.g. Axiom integration role
4. Click on 'Add Permissions' and assign the following permissions:
[
"iam.roles.list",
"iam.roles.get",
"resourcemanager.organizations.get", "resourcemanager.organizations.getIamPolicy", "resourcemanager.organizations.setIamPolicy", "iam.serviceAccounts.list",
"iam.serviceAccounts.get",
"iam.serviceAccounts.getIamPolicy",
"resourcemanager.folders.list",
"resourcemanager.folders.get",
"resourcemanager.folders.getIamPolicy", "resourcemanager.folders.setIamPolicy",
"resourcemanager.projects.list",
"resourcemanager.projects.get",
"resourcemanager.projects.getIamPolicy", "resourcemanager.projects.setIamPolicy"
]
Option 2: Creating a Custom Role using the GCP CLI:
Note: replace <organization-id> with your Organization ID
gcloud iam roles create AxiomRole --organization=<organization-id> --title=AxiomRole --permissions=iam.roles.list,iam.roles.get,resourcemanager.organizations.get,resourcemanager.organizations.getIamPolicy,resourcemanager.organizations.setIamPolicy,iam.serviceAccounts.list,iam.serviceAccounts.get,iam.serviceAccounts.getIamPolicy,resourcemanager.folders.list,resourcemanager.folders.get,resourcemanager.folders.getIamPolicy,resourcemanager.folders.setIamPolicy,resourcemanager.projects.list,resourcemanager.projects.get,resourcemanager.projects.getIamPolicy,resourcemanager.projects.setIamPolicy
3. Grant Access to the Service Account
Assign the Custom Role:
3.1. Navigate to 'IAM and Admin' > 'Service Accounts'
3.2. Copy the Service Account email:
3.3. Navigate to 'IAM and admin' > 'IAM'
3.4 Make sure to select your organization and not your GCP project
3.5. Click on 'Grant Access'
3.6. In the 'New Principals' field, paste the Service Account email you copied in section 3.2:
3.7. Assign the Custom Role created in Section 2.
3.8. Click 'Save'
3.9. Navigate to 'Managed resources' and copy the Organization ID:
4. Configure GCP Integration in Axiom Security Console
4.1. In the Axiom platform, open the 'Integration Page' from the left-side navigation menu:
4.2 Click on '+Add' in the GCP card:
4.3 Provide the following:
Name (integration name)
Organization ID (the Organization ID copied in Section 3.9)
4.4. Click on 'Continue'
4.5. Upload the Service Account Key File (JSON file downloaded in Section 1.2)
4.6. Click on 'Integrate'