Google Cloud Provisioning Configuration Guide

Last modified on February 2, 2023

This guide explains how to configure Google Cloud as an identity provider (IdP) for user and group provisioning. Configuration involves creating a Google Cloud service account and setting up the StrongDM Admin UI for provisioning. When done, you can use provisioning to securely automate and manage user identity information, such as user account creation, updates, and deactivation between Google Cloud and StrongDM.

Prerequisites

  • You must have a Google super administrator account to complete the service account configuration.
  • You must be familiar with Google group creation.

Create a Service Account

Follow the steps in this section to create a service account. The service account is used to connect to StrongDM. See additional steps in Google documentation.

Create a project

In the Google Cloud console, create a new project. After the project is created, make sure to select your project from the Select from dropdown list on the Dashboard page.

Activate Admin SDK API access

  1. In the Google Cloud console, go to Menu > APIs and Services > Library.
  2. Search the API library for and select the Admin SDK API.
  3. Enable the API for your project.

Create a new service account

  1. In the Google Cloud console, go to Menu > APIs and Services > OAuth consent screen.
  2. Select the Internal user type and click Create.
  3. Configure the remaining OAuth consent screen information, fill out all mandatory fields, and return to the dashboard.
  4. From the APIs and Services menu, select Credentials.
  5. Click Create credentials and select Service account.
  6. Fill out the service account details.
  7. Select the service account’s email address to configure the service account details. The user you are logged in as is the owner of the service account.
  8. From the Keys tab, add and then create a new JSON key; the key downloads to your computer. You may rename the key for easier identification.
  9. From the Details tab, copy the Unique ID; you use this in the following step.

Enable domain delegation

  1. Navigate to admin.google.com.

  2. Go to Menu > Security > Access and data control > API Controls.

  3. Select Manage Domain Wide Delegation.

  4. Click Add new and paste the Unique ID in the Client ID field.

  5. In the OAuth Scopes fields, enter and authorize the following scopes:

    https://www.googleapis.com/auth/admin.directory.user.readonly
    https://www.googleapis.com/auth/admin.directory.group.readonly
    https://www.googleapis.com/auth/admin.directory.group.member.readonly
    

Configure Provisioning in the Admin UI

  1. Log in to the StrongDM Admin UI.

  2. Go to Settings > User Management.

  3. Under Provisioning, select Google as the provider.

  4. Enter the Designated user email. This email address must have appropriate API resource access.

  5. Import or manually enter the Service account keyfile (JSON); this is the service account JSON file that downloaded.

  6. Click Activate provisioning.

    Google Group Provisioning
    Google Group Provisioning
  7. Select groups to import. Information about group creation and management is available in Google documentation.

    Select Groups for Google Cloud Provisioning
    Select Groups for Google Cloud Provisioning

Provisioning setup is now complete.

Provisioning Management in the Admin UI

The Admin UI’s Provisioning section provides important information about your provisioning configuration.

Sync Groups for Google Cloud Provisioning as Needed
Sync Groups for Google Cloud Provisioning as Needed

After you are done configuring Google Cloud provisioning, you can view and manage your setup using the following buttons.

  • Edit configuration lets you make changes to your provisioning configuration.
  • Sync now checks for changes in Google Cloud and synchronizes groups. Organizations configured with Google provisioning automatically sync every 15 minutes. That means that changes in Google group memberships may not be reflected immediately in StrongDM. Please be patient while waiting for the periodic sync to complete.
  • View and manage groups displays all groups selected for provisioning and allows you to change your group selection.
  • Deactivate provisioning disables provisioning and converts every Google Cloud-managed user and role into a StrongDM-managed user and role. Deactivation does not delete or suspend users or roles, and it does not change access. Deactivation simply means that Google Cloud can no longer provision accounts and roles in StrongDM.

Provisioning properties

The following table describes the properties shown in the Provisioning section. All properties are read-only.

PropertyDescription
Designated user emailUser’s Google email address
EstablishedWhen provisioning was activated
Group SelectionNumber of groups currently selected and the last time groups were selected
Last ActivityLast time changes were found in Google Cloud and applied in StrongDM
Last SyncLast time the sync ran to check for changes in Google Cloud
ProviderName of identity provider (in this case, Google)

Information about groups, roles, and users

Google groups correspond to StrongDM roles. When a Google group is selected for provisioning, a role with the same name is provisioned in StrongDM, and all members of that group are provisioned as users assigned to that role.

When configuring provisioning in the Admin UI, you must select groups for provisioning in order to get roles provisioned within StrongDM. If you don’t select groups, they are not provisioned. The same rule applies when a group has member groups within it—you must select every group and member group in order to get those roles provisioned within StrongDM. Examples 1 and 2 illustrate how selected groups are provisioned as roles and how users are assigned to the roles.

Example 1 group and role assignment

In the example shown, the Engineering group is selected for provisioning.

Example Showing Engineering Group Selected for Provisioning
Example Showing Engineering Group Selected for Provisioning

This selection causes only the Engineering role to be created. Only the members of Engineering are provisioned as users assigned to the Engineering role. No one from the Marketing group is provisioned.

Users inHave role(s)
Back EndEngineering
Core TeamEngineering
DataEngineering
EngineeringEngineering
Front EndEngineering
MarketingNone
QAEngineering
UX TeamEngineering

Example 2 group and role assignment

In the example shown, the following groups are selected for provisioning:

  • Engineering group
  • Back End (a member group of Engineering)
  • Core Team (a member group of Back End)
Example Showing Several Groups Selected for Provisioning
Example Showing Several Groups Selected for Provisioning

This selection causes three roles to be provisioned in StrongDM with the following users assigned to them:

Users inHave role(s)
Back EndEngineering, Back End
Core TeamEngineering, Back End, Core Team
DataEngineering
EngineeringEngineering
Front EndEngineering
MarketingNone
QAEngineering, Back End
UX TeamEngineering

Troubleshooting and Tips

This section describes some common sync errors that may occur when Sync now is selected. These errors are expected behaviors. Please see our recommended solutions.

Error: A user email set up for Google provisioning exists in a separate StrongDM organization

Recommended solution: A user email that exists in one StrongDM organization may not be provisioned into another StrongDM organization. If you do not have access to the incorrect organization, you must contact support@strongdm.com to remove the email address from it. We recommend using different Google workspaces to provision multiple organizations within StrongDM.

Error: Google user email is changed to match an existing StrongDM user email

Recommended solution: Keep each user email unique between StrongDM and Google. If you want to provision a new user from Google that already exists in StrongDM, the Google user takes ownership of the existing StrongDM user (that is, manages it and adds additional Google-specific information).

Error: Google user group is updated to match an existing role in StrongDM

Recommended solution: Keep each group/role name unique between StrongDM and Google. If you want to provision a new group/role from Google that already exists in StrongDM, the Google group takes ownership of the existing StrongDM role (that is, manages it and adds additional Google-specific information).

If you have any issues with your implementation, please contact support@strongdm.com.

Top