Configure GCP Cloud

Last modified on August 10, 2022

This configuration guide explains how to add Google Cloud Platform (GCP) as a Cloud resource in strongDM. After setup is complete, you can manage access to your GCP environment from the command line through strongDM.

Limitations

  • There is no SDK, Terraform, Ansible, or other such support for GCP.
  • The GCP driver does nothing to limit privilege escalation: whatever the service account behind the resource can do in GCP, a strongDM user granted that resource can do. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials (for example, a service account holding roles/owner, roles/iam.serviceAccountKeyAdmin, or roles/iam.serviceAccountTokenCreator).

GCP Cloud Properties

  • GCP supports the gcloud command-line tool and gsutil Python application.
  • Port 65112 is the port used for GCP.

Prerequisites

  • In strongDM, you must have the Account Administrator Permission Level.
  • You must have administrator access to your GCP environment and be familiar with gcloud and/or gsutil.

Steps

Generate credentials

  1. In the Google Cloud Console, create a service account and grant it only the roles your users need (see Limitations above).
  2. Create a service account key (JSON key file) and save it. The key does not expire by default, so store the file with restrictive permissions and keep it out of version control.

CLI setup

To set up the GCP Cloud in the CLI, open your terminal. While logged in to strongDM, use the following command:

sdm admin clouds add gcp

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add gcp - create GCP cloud

USAGE:
   sdm admin clouds add gcp [command options] <name>

OPTIONS:
   --egress-filter value       apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --port-override value       port profile override (default: -1)
   --scopes value              Space separated scopes that this login should assume into when authenticating (required)
   --secret-store-id value     secret store id
   --svc-keyfile value         The service account keyfile to authenticate with (required, secret)
   --tags value                tags e.g. 'key=value,...'
   --template, -t              display a JSON template
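The credential and CLI setup steps above, with the checks a practitioner would run first, as an added example that is not part of the original page and not strongDM's or Google's own tooling. It verifies that the file really is a service account key (a user credential or a short-lived token will not work), that the scopes are full URLs, and that the service account's project-level roles do not include the credential-creating roles the Limitations section warns about, before calling sdm admin clouds add gcp. The resource name, key file path, project ID, and the role deny list are hypothetical, and --svc-keyfile is assumed to accept the key file path.

```shell
#!/usr/bin/env bash
# Added example, not strongDM's or Google's own tooling: pre-flight checks for
# the service-account key and scopes, a look at the roles bound to that service
# account, and then the `sdm admin clouds add gcp` call shown above.
# Assumptions (hypothetical): resource name, key file path, project ID, and the
# role list below; --svc-keyfile is assumed to accept the key file path.
set -eu

# Roles that let a principal mint new credentials or grant itself more power.
# A starting point for the "no credentials that create credentials" rule in
# Limitations, not an exhaustive list.
ESCALATION_ROLES='roles/owner
roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountTokenCreator
roles/iam.serviceAccountAdmin
roles/iam.securityAdmin
roles/resourcemanager.projectIamAdmin'

# check_sa_keyfile FILE: succeed only if FILE is a GCP service-account key
# (type service_account, a PEM private_key and a client_email). Warn when the
# file is readable by other local users, since the key does not expire.
check_sa_keyfile() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  grep -q '"type" *: *"service_account"' "$f" \
    || { echo "$f is not a service_account key (user credentials will not work)" >&2; return 1; }
  grep -q '"private_key" *: *"-----BEGIN PRIVATE KEY-----' "$f" \
    || { echo "$f has no PEM private_key" >&2; return 1; }
  grep -q '"client_email" *: *"[^"]*@[^"]*"' "$f" \
    || { echo "$f has no client_email" >&2; return 1; }
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "warning: $f is readable by other users; chmod 600 it" >&2
  fi
}

# check_scopes "SCOPE SCOPE ...": --scopes takes a space-separated list; every
# entry must be a full https URL such as the cloud-platform scope.
check_scopes() {
  for s in $1; do
    case "$s" in
      https://*) ;;
      *) echo "scope is not a URL: $s" >&2; return 1 ;;
    esac
  done
}

# flag_escalation_roles < roles: read one role per line and print every role
# that can be used to create further credentials; fail if any were found.
flag_escalation_roles() {
  found=0
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if printf '%s\n' "$ESCALATION_ROLES" | grep -qxF "$role"; then
      echo "escalation-capable role on service account: $role"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# register_gcp_cloud NAME KEYFILE PROJECT "SCOPES": run the checks, then add
# the Cloud resource. Not called at load time, so the checks above can be run
# on a machine without sdm or gcloud installed.
register_gcp_cloud() {
  name="$1"; keyfile="$2"; project="$3"; scopes="$4"
  check_sa_keyfile "$keyfile"
  check_scopes "$scopes"
  email=$(sed -n 's/.*"client_email" *: *"\([^"]*\)".*/\1/p' "$keyfile" | head -n 1)
  # Project-level roles bound to the key's service account, one per line.
  roles=$(gcloud projects get-iam-policy "$project" \
            --flatten="bindings[].members" \
            --filter="bindings.members:serviceAccount:$email" \
            --format="value(bindings.role)")
  printf '%s\n' "$roles" | flag_escalation_roles
  sdm admin clouds add gcp --svc-keyfile "$keyfile" --scopes "$scopes" "$name"
}

# Usage with hypothetical values:
# register_gcp_cloud gcp-prod ./sa-key.json my-project \
#   "https://www.googleapis.com/auth/cloud-platform"
```

The role query only looks at project-level bindings; roles granted at folder or organization level, or through group membership, would need the same check against those policies. Treat the deny list as a starting point and extend it for your organization.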

Admin UI setup

If you would rather set up GCP Cloud in the strongDM Admin UI, go to Infrastructure > Clouds and click the add cloud button.

In the configuration dialog, set the following properties:

  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Cloud Type (Required): Select GCP.
  • Secret Store (Optional): If a secret store integration is configured, select where the credentials for this resource will be stored.
  • Service Account Keyfile (JSON): Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file.
  • Scopes: Enter the access scope(s) (e.g., https://www.googleapis.com/auth/cloud-platform) to allow authentication to Google Cloud APIs. If setting multiple scopes, separate them with a space.

Click create when done.

CLI usage

After you have generated credentials, created the resources themselves in Google Cloud, and added GCP as a Cloud type in strongDM, you should be able to call GCP in the CLI via sdm gcp or sdm gcloud.

The resource exposes two subcommands, cli and gsutil, which run gcloud and gsutil commands respectively through the strongDM proxy (e.g., sdm gcp gsutil ls or sdm gcp cli iam service-accounts list).

In addition, init creates a gcloud configuration named strongdm that you can switch to with sdm gcp activate, which is effectively an alias for gcloud config configurations activate strongdm. While that configuration is active, all gcloud and gsutil commands go through strongDM until you switch to a different configuration (via gcloud config configurations activate <NAME>).

You can use sdm gcloud --help to view example usage and command options:

NAME:
   sdm gcloud - gcloud commands

USAGE:
   sdm gcloud command [command options] [arguments...]

COMMANDS:
   activate  Enable gcloud's usage of strongdm
   cli       Call gcloud via the SDM proxy
   gsutil    Call gsutil via the SDM proxy
   init      Initialize gcloud to use a SDM proxy

OPTIONS:
   --help, -h  show help

After running sdm gcloud activate, we recommend that you run the following command to check that the strongdm line shows both an account and a project: sdm gcloud config configurations list

You should see output similar to the following:

NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
strongdm  True       strongdm@strongdm  strongdm

Error Cases

If you attempt to use the Cloud resource without the strongDM client (the GUI or a listener) running, gcloud cannot reach the local proxy and you will see an error such as the following:

ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))
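A post-activation check that covers both the configurations-list test above and the proxy error in this section, as an added example that is not strongDM's own code. It assumes that the strongdm gcloud configuration proxies through a local strongDM listener on 127.0.0.1:65112 (the port listed under GCP Cloud Properties) and that, as described under CLI usage, a plain gcloud invocation is routed through strongDM once that configuration is active.

```shell
#!/usr/bin/env bash
# Added example, not strongDM's own tooling: after `sdm gcloud activate`,
# confirm that the strongdm gcloud configuration is active with an account and
# a project, and that the local strongDM listener it proxies through accepts
# connections. Assumed: listener on 127.0.0.1:65112 (the GCP port on this page)
# and a configuration named strongdm.
set -eu

LISTENER_HOST=127.0.0.1
LISTENER_PORT=65112

# check_strongdm_config < output: read the table printed by
# `gcloud config configurations list` and succeed only if a row named strongdm
# exists, IS_ACTIVE is True, and ACCOUNT and PROJECT are both filled in.
# The table is whitespace-separated, so an empty ACCOUNT or PROJECT column
# simply disappears; checking the field count catches that.
check_strongdm_config() {
  awk '
    NR == 1 { next }                       # header row
    $1 == "strongdm" {
      seen = 1
      if ($2 != "True") { print "strongdm configuration is not active; run: sdm gcloud activate"; bad = 1 }
      if (NF < 4)       { print "strongdm configuration is missing ACCOUNT or PROJECT; run: sdm gcloud init"; bad = 1 }
    }
    END {
      if (!seen) { print "no strongdm configuration; run: sdm gcloud init"; exit 1 }
      exit (bad ? 1 : 0)
    }'
}

# listener_up HOST PORT: succeed if something accepts TCP connections there.
# Uses bash's /dev/tcp so no extra tools are needed; a refused connection is
# exactly what the gcloud "Cannot connect to proxy" error above reports.
listener_up() {
  bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# preflight: run both checks against the live system (not run at load time).
preflight() {
  if ! listener_up "$LISTENER_HOST" "$LISTENER_PORT"; then
    echo "nothing listening on $LISTENER_HOST:$LISTENER_PORT: start the strongDM GUI or listener and connect to the GCP resource" >&2
    return 1
  fi
  gcloud config configurations list | check_strongdm_config
}

# Usage: preflight && sdm gcloud cli projects list
```

Running preflight before a batch of gcloud commands turns the TransportError stack trace above into a one-line message that names the missing piece (listener, configuration, or account/project).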

Logging

In the Cloud Logs section of the Admin UI, you can find all of the activities of the Users who accessed the GCP resource. Note that strongDM attempts to strip the Authorization header from logged requests before displaying them in the Admin UI.

User Setup Steps and Usage

This section describes general installation and usage for the Users in your organization. You can follow along by logging in with a User Permission Level.

In order for your organization’s Users to access the GCP Cloud resource via strongDM, Users will need to install the following:

  • The strongDM GUI
  • The latest version of the strongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the upgrade button.
  • The gcloud command-line tool

After installation, Users must exit and restart the GUI, and then select the GCP Cloud resource to connect to.

Then, Users can open a terminal and use gcloud through strongDM, using the base syntax of sdm gcp or sdm gcloud instead of the usual gcloud.
