Configure GCP Cloud
Last modified on August 10, 2022
This configuration guide explains how to add Google Cloud Platform (GCP) as a Cloud resource in strongDM. After setup is complete, you will be able to manage access to your GCP Cloud environment in the command line via strongDM.
- There is no SDK, Terraform, Ansible, or other such support for GCP.
- The GCP driver does nothing to limit privilege escalation. It is the responsibility of the resource creator to not provide credentials that can be used to create more credentials.
GCP Cloud Properties
- GCP supports the
gcloudcommand-line tool and
- Port 65112 is the port used for GCP.
- In strongDM, you must have the Account Administrator Permission Level.
- You must have administrator access to your GCP environment and be familiar with
- In the Google Cloud Console, create a service account.
- Create a service account key (JSON key file) and save it.
To set up the GCP Cloud in the CLI, open your terminal. While logged in to strongDM, use the following command:
sdm admin clouds add gcp
You can view all help text and options by appending
-h to the same command:
NAME: sdm admin clouds add gcp - create GCP cloud USAGE: sdm admin clouds add gcp [command options] <name> OPTIONS: --egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...' --port-override value port profile override (default: -1) --scopes value Space separated scopes that this login should assume into when authenticating (required) --secret-store-id value secret store id --svc-keyfile value The service account keyfile to authenticate with (required, secret) --tags value tags e.g. 'key=value,...' --template, -t display a JSON template
Admin UI setup
If you would rather set up GCP Cloud in the strongDM Admin UI, go to Infrastructure > Clouds and click the add cloud button.
gsutil. If you intend to connect to a specific Google-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
In the configuration dialog, set the following properties:
- Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
- Cloud Type (Required): Select GCP.
- Secret Store (Optional): If a secret store integration is configured, select where the credentials for this resource will be stored.
- Service Account Keyfile (JSON): Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file.
- Scopes: Enter the access scope(s) (e.g.,
https://www.googleapis.com/auth/cloud-platform) to allow authentication to Google Cloud APIs. If setting multiple scopes, separate them with a space.
Click create when done.
After you have generated credentials, created the resources themselves in Google Cloud, and added GCP as a Cloud type in strongDM, you should be able to call GCP in the CLI via
sdm gcp or
GCP also supports this via
gsutil, which will respectively execute
gsutil commands (e.g.,
sdm gcp gsutil ls or
sdm gcp cli iam service-accounts list).
In addition, GCP supports
init, which will create a strongDM configuration that you can change into via
sdm gcp activate, which is effectively an alias for
gcloud config configurations activate strongdm. In this state, all
gsutil commands will go through strongDM until you revert to a different configuration (via
gcloud config configurations activate <NAME>).
You can use
sdm gcloud --help to view example usage and command options:
NAME: sdm gcloud - gcloud commands USAGE: sdm gcloud command [command options] [arguments...] COMMANDS: activate Enable gcloud's usage of strongdm cli Call gcloud via the SDM proxy gsutil Call gsutil via the SDM proxy init Initialize gcloud to use a SDM proxy OPTIONS: --help, -h show help
sdm gcloud activate, we recommend that you run the following command to check that the line with strongDM has an account and a project:
sdm gcloud config configurations list
You should see output similar to the following:
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION strongdm True strongdm@strongdm strongdm
Should you attempt to use a Cloud resource without a listener/GUI running, you will see an error such as the following:
ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))
sdm gcp activateor by setting environment variables in your terminal). In these cases, you will likely see SSL errors, and nothing will happen when you run commands.
In the Cloud Logs section of the Admin UI, you can find all of the activities of the Users who accessed the GCP resource. Note that strongDM makes an attempt to drop the Authorization header of logs for display in the Admin UI.
User Setup Steps and Usage
This section describes general installation and usage for the Users in your organization. You can follow along by logging in with a User Permission Level.
In order for your organization’s Users to access the GCP Cloud resource via strongDM, Users will need to install the following:
- The strongDM GUI
- The latest version of the strongDM CLI. If the CLI is already installed, you can run
sdm updatein the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the upgrade button.
After installation, Users must exit and restart the GUI, and then select the GCP Cloud resource to connect to.
Then, Users can open a terminal and use
gcloud through strongDM, using the base syntax of
sdm gcp or
sdm gcloud instead of the usual