Configure GCP Cloud
Last modified on May 15, 2023
This configuration guide explains how to add Google Cloud Platform (GCP) as a cloud resource in StrongDM. After setup is complete, you will be able to manage access to your GCP Cloud environment in the command line via StrongDM.
- There is no SDK, Terraform, Ansible, or other such support for GCP.
- The GCP driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.
GCP Cloud Properties
- GCP supports the `gcloud` command-line tool and `gsutil`.
- Port 65112 is used for GCP.
- In StrongDM, you must have the Admin permission level.
- You must have administrator access to your GCP environment and be familiar with
- In the Google cloud console, create a service account.
- Create a service account key (JSON key file) and save it.
To set up the GCP cloud in the CLI, open your terminal. While logged in to StrongDM, use the following command:
sdm admin clouds add gcp
You can view all help text and options by appending `-h` to the same command:
NAME:
   sdm admin clouds add gcp - create GCP cloud

USAGE:
   sdm admin clouds add gcp [command options] <name>

OPTIONS:
   --egress-filter value    apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --port-override value    port profile override (default: -1)
   --scopes value           Space separated scopes that this login should assume into when authenticating (required)
   --secret-store-id value  secret store id
   --svc-keyfile value      The service account keyfile to authenticate with (required, secret)
   --tags value             tags e.g. 'key=value,...'
   --template, -t           display a JSON template
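The guide's warning that the GCP driver does nothing to limit privilege escalation puts the burden on whoever registers the key. The following pre-flight check is an added example (not StrongDM's or Google's code): it validates that a file is a service-account key, looks up the roles bound to that account in a project IAM policy, refuses if any of them can mint further credentials, and otherwise assembles the `sdm admin clouds add gcp` command from the flags documented above. The IAM policy is assumed to have been fetched separately (for example with `gcloud projects get-iam-policy PROJECT --format=json`, whose `bindings` shape this code expects); the role list and all sample data are constructed and should be adjusted for your environment.

```python
"""Pre-flight check for a GCP service-account key before registering it
with `sdm admin clouds add gcp` (added example, not StrongDM's code)."""
import json
import shlex

# Roles that let the holder create further credentials (keys, tokens, or
# new IAM bindings). A key bound to one of these contradicts the guide's
# "don't provide credentials that can create more credentials" rule.
# Hand-picked list; extend it for your environment.
CREDENTIAL_MINTING_ROLES = {
    "roles/owner",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.securityAdmin",
}


def load_service_account_key(text):
    """Parse a key file and confirm it is a service-account key."""
    key = json.loads(text)
    required = ("type", "project_id", "client_email", "private_key")
    missing = [f for f in required if f not in key]
    if missing:
        raise ValueError(f"key file missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"not a service-account key: type={key['type']!r}")
    return key


def risky_roles_for(member_email, iam_policy):
    """Return the credential-minting roles bound to serviceAccount:<email>
    in a policy of the shape {"bindings": [{"role": ..., "members": [...]}]}."""
    member = f"serviceAccount:{member_email}"
    found = set()
    for binding in iam_policy.get("bindings", []):
        if member in binding.get("members", []):
            if binding["role"] in CREDENTIAL_MINTING_ROLES:
                found.add(binding["role"])
    return sorted(found)


def build_sdm_command(name, keyfile_path, scopes):
    """Assemble the registration command from the guide's documented flags."""
    argv = ["sdm", "admin", "clouds", "add", "gcp",
            "--svc-keyfile", keyfile_path,
            "--scopes", " ".join(scopes),
            name]
    return shlex.join(argv)


def preflight(key_text, iam_policy, name, keyfile_path, scopes):
    """Return (True, command) when the key is safe to register, or
    (False, [risky roles]) when it should be refused."""
    key = load_service_account_key(key_text)
    risky = risky_roles_for(key["client_email"], iam_policy)
    if risky:
        return False, risky
    return True, build_sdm_command(name, keyfile_path, scopes)


# Constructed sample data: not a real key, project or policy.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "sdm-gcp@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
})
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:sdm-gcp@example-project.iam.gserviceaccount.com"]},
        # This binding is the problem: the account could issue itself new keys.
        {"role": "roles/iam.serviceAccountKeyAdmin",
         "members": ["user:admin@example.com",
                     "serviceAccount:sdm-gcp@example-project.iam.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    ok, detail = preflight(SAMPLE_KEY, SAMPLE_POLICY, "gcp-prod",
                           "/path/to/key.json",
                           ["https://www.googleapis.com/auth/cloud-platform"])
    print("OK, run:" if ok else "REFUSE, roles can mint credentials:", detail)
```

With the constructed policy the check refuses because of `roles/iam.serviceAccountKeyAdmin`; remove that binding and it returns the exact `sdm admin clouds add gcp` invocation to run. The scope value in the `__main__` block is Google's broad `cloud-platform` scope, used here only as a placeholder for whatever scopes you actually need.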
Admin UI setup
If you would rather set up GCP cloud in the StrongDM Admin UI, go to Infrastructure > Clouds and click the Add cloud button.
If you intend to connect to a specific Google-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.
Set the following properties:

| Property | Required | Description |
|---|---|---|
| Display Name | Required | Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >). |
| Cloud Type | Required | Select GCP. |
| Secret Store | Optional | Credential store location; defaults to Strong Vault. |
| Service Account Keyfile | Required | Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file. |
| Scopes | Required | Enter the access scope(s) (for example, …) |
Click Create to save the configuration settings.
After you have generated credentials, created the resources in Google Cloud, and added GCP as a cloud type in StrongDM, you should be able to call GCP in the CLI via `sdm gcp` or `sdm gcloud`. GCP also supports this via `cli` and `gsutil`, which will respectively execute `gcloud` and `gsutil` commands (for example, `sdm gcp gsutil ls` or `sdm gcp cli iam service-accounts list`).
In addition, GCP supports `init`, which will create a StrongDM configuration that you can change into via `sdm gcp activate`, which is effectively an alias for `gcloud config configurations activate strongdm`. In this state, all `gcloud` and `gsutil` commands will go through StrongDM until you revert to a different configuration (via `gcloud config configurations activate <NAME>`).
You can use `sdm gcloud --help` to view example usage and command options:
NAME:
   sdm gcloud - gcloud commands

USAGE:
   sdm gcloud command [command options] [arguments...]

COMMANDS:
   activate  Enable gcloud's usage of strongdm
   cli       Call gcloud via the SDM proxy
   gsutil    Call gsutil via the SDM proxy
   init      Initialize gcloud to use a SDM proxy

OPTIONS:
   --help, -h  show help
After running `sdm gcloud activate`, we recommend that you run the following command to check that the line with StrongDM has an account and a project:
sdm gcloud config configurations list
You should see output similar to the following:
NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
strongdm  True       strongdm@strongdm  strongdm
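The check above is easy to do by eye but awkward to script, because `gcloud` prints a space-aligned table in which unset trailing columns (the strongdm row has no default zone or region) are simply absent. The following parser is an added example, not part of the guide or of `gcloud`: it derives column boundaries from the header line, tolerates short rows, and then confirms that the `strongdm` configuration is active and has both an account and a project. The sample output is constructed to match the layout shown above.

```python
"""Parse `gcloud config configurations list` output and verify the strongdm
configuration (added example, not StrongDM's or Google's code)."""

# Constructed sample output in the layout the guide shows: the strongdm row
# has no COMPUTE_DEFAULT_ZONE / COMPUTE_DEFAULT_REGION cells at all.
SAMPLE_OUTPUT = "\n".join([
    "NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION",
    "default   False      me@example.com     my-proj   us-central1-a         us-central1",
    "strongdm  True       strongdm@strongdm  strongdm",
])

# Constructed failure case: `sdm gcloud init` ran but no account/project was set.
BROKEN_OUTPUT = "\n".join([
    "NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION",
    "strongdm  True",
])


def parse_config_table(text):
    """Return one dict per row, keyed by header name.

    Column starts are taken from where each header name begins; every row is
    sliced at those offsets, so a row shorter than the header yields "" for
    the missing trailing cells instead of shifting values left."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    names, starts, pos = [], [], 0
    for name in header.split():
        idx = header.index(name, pos)
        names.append(name)
        starts.append(idx)
        pos = idx + len(name)
    parsed = []
    for row in rows:
        cells = {}
        for i, name in enumerate(names):
            end = starts[i + 1] if i + 1 < len(starts) else len(row)
            cells[name] = row[starts[i]:end].strip()
        parsed.append(cells)
    return parsed


def check_strongdm_config(text, name="strongdm"):
    """Return a list of problems; an empty list means the check passed."""
    rows = {r["NAME"]: r for r in parse_config_table(text)}
    cfg = rows.get(name)
    if cfg is None:
        return [f"no configuration named {name!r}"]
    problems = []
    for field in ("ACCOUNT", "PROJECT"):
        if not cfg[field]:
            problems.append(f"{name}: {field} is unset")
    if cfg["IS_ACTIVE"] != "True":
        problems.append(f"{name}: not the active configuration")
    return problems


if __name__ == "__main__":
    # In practice feed this the real output:
    #   subprocess.run(["sdm", "gcloud", "config", "configurations", "list"],
    #                  capture_output=True, text=True).stdout
    for label, output in (("sample", SAMPLE_OUTPUT), ("broken", BROKEN_OUTPUT)):
        print(label, check_strongdm_config(output) or "OK")
```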
Should you attempt to use a cloud resource without a listener/GUI running, you will see an error such as the following:
ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))
`sdm gcp activate` or by setting environment variables in your terminal). In these cases, you will likely see SSL errors, and nothing will happen when you run commands.
In the Cloud Logs section of the Admin UI, you can find all of the activities of the users who accessed the GCP resource. Note that StrongDM attempts to drop the Authorization header from logs before displaying them in the Admin UI.
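If you export or mirror those activity logs elsewhere, the same header-dropping is worth doing on your own copies, and worth verifying. The following is an added example, not StrongDM's implementation: it removes credential-bearing headers from a request record, scrubs any Google OAuth access token (these begin with `ya29.`) that leaked into the URL or body, and provides a check that reports whether anything credential-like survived. The record layout (a dict with `method`, `url`, `headers`, `body`) and all sample values are constructed.

```python
"""Redact credentials from copies of GCP activity log records
(added example, not StrongDM's code)."""
import re

# Header names whose values are credentials; compared case-insensitively.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "x-goog-api-key"}

# Google OAuth access tokens start with "ya29."; the character class is kept
# broad so a token pasted into a URL or body is still caught.
TOKEN_RE = re.compile(r"ya29\.[A-Za-z0-9._-]+")


def redact_record(record):
    """Return a copy of `record` with credential headers removed (their names
    listed under "dropped_headers") and ya29. tokens elsewhere replaced."""
    headers = record.get("headers", {})
    clean = dict(record)
    clean["headers"] = {k: v for k, v in headers.items()
                        if k.lower() not in SENSITIVE_HEADERS}
    clean["dropped_headers"] = sorted(k for k in headers
                                      if k.lower() in SENSITIVE_HEADERS)
    for field in ("url", "body"):
        if isinstance(clean.get(field), str):
            clean[field] = TOKEN_RE.sub("[REDACTED_TOKEN]", clean[field])
    return clean


def leaks_credentials(record):
    """True if a credential header or a ya29. token is still present.
    Run this over exported logs to confirm redaction actually happened."""
    if any(k.lower() in SENSITIVE_HEADERS for k in record.get("headers", {})):
        return True
    text = " ".join(str(record.get(f, "")) for f in ("url", "body"))
    return TOKEN_RE.search(text) is not None


# Constructed sample record; the token is a fake value.
SAMPLE_RECORD = {
    "method": "GET",
    "url": "https://storage.googleapis.com/storage/v1/b?project=example"
           "&access_token=ya29.FAKE-token-value",
    "headers": {"Authorization": "Bearer ya29.FAKE-token-value",
                "User-Agent": "gcloud/1.0"},
    "body": "",
}

if __name__ == "__main__":
    cleaned = redact_record(SAMPLE_RECORD)
    print("before:", leaks_credentials(SAMPLE_RECORD), "after:", leaks_credentials(cleaned))
    print(cleaned)
```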
User Setup Steps and Usage
This section describes general installation and usage for users in your organization. You can follow along by logging in with a User permission level.
In order for your organization’s users to access the GCP cloud resource via StrongDM, users need to install the following:
- The StrongDM Desktop application
- The latest version of the StrongDM CLI. If the CLI is already installed, you can run `sdm update` in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the Upgrade button.
After installation, users must exit and restart the desktop app, and then select the GCP cloud resource to connect to.
Users can then open a terminal and use `gcloud` through StrongDM, with the base syntax of `sdm gcp` or `sdm gcloud` instead of the usual `gcloud`.
Connection to Multiple Cloud Resources
If your organization has multiple AWS Console resources, and you are connected to both at once, you may specify a `--name` value in commands in order to specify which you intend to execute the command on. For example, `sdm aws --name <YOUR_RESOURCE_NAME> cli`. The flag must come before the `cli` portion of the command in order to preserve the ability to use the command as normal with a single AWS Console resource connected.