Configure GCP Cloud

Last modified on May 15, 2023

This configuration guide explains how to add Google Cloud Platform (GCP) as a cloud resource in StrongDM. After setup is complete, you will be able to manage access to your GCP Cloud environment in the command line via StrongDM.

Limitations

  • There is no SDK, Terraform, Ansible, or other such support for GCP.
  • The GCP driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.
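Because the driver does not limit privilege escalation, it is worth checking what the service account can do before handing its key to StrongDM. The following Python check is an added example (not StrongDM's code): it reads an IAM policy in the shape returned by gcloud projects get-iam-policy PROJECT --format=json and reports the escalation-prone roles bound to a given service account. The role list and the sample policy are constructed assumptions for this example.

```python
import json
from typing import Dict, List

# Roles that let a principal mint new credentials or widen its own access.
# Assumption for this example: adjust the set to your organization's policy.
ESCALATION_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/resourcemanager.projectIamAdmin",
}


def risky_roles_for(policy: Dict, service_account_email: str) -> List[str]:
    """Return the escalation-prone roles bound to one service account.

    `policy` has the shape of `gcloud projects get-iam-policy --format=json`:
    {"bindings": [{"role": "...", "members": ["serviceAccount:...", ...]}]}.
    An empty list means the account cannot create further credentials via
    any of the roles listed above (other paths may still exist).
    """
    member = f"serviceAccount:{service_account_email}"
    found = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []) and binding.get("role") in ESCALATION_ROLES:
            found.append(binding["role"])
    return sorted(found)


# Constructed sample policy; the project and account names are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:sdm-gcp@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountKeyAdmin",
     "members": ["user:admin@example.com",
                 "serviceAccount:sdm-gcp@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")

if __name__ == "__main__":
    risky = risky_roles_for(SAMPLE_POLICY, "sdm-gcp@example-project.iam.gserviceaccount.com")
    print("escalation-prone roles:", risky or "none")
```

Run it against real output by loading the JSON that gcloud prints into `risky_roles_for` in place of `SAMPLE_POLICY`.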

GCP Cloud Properties

  • GCP supports the gcloud command-line tool and gsutil Python application.
  • Port 65112 is used for GCP.

Prerequisites

  • In StrongDM, you must have the Admin permission level.
  • You must have administrator access to your GCP environment and be familiar with gcloud and/or gsutil.

Steps

Generate credentials

  1. In the Google cloud console, create a service account.
  2. Create a service account key (JSON key file) and save it.

CLI setup

To set up the GCP cloud in the CLI, open your terminal. While logged in to StrongDM, use the following command:

sdm admin clouds add gcp

You can view all help text and options by appending --help or -h to the same command:

NAME:
   sdm admin clouds add gcp - create GCP cloud

USAGE:
   sdm admin clouds add gcp [command options] <name>

OPTIONS:
   --egress-filter value       apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --port-override value       port profile override (default: -1)
   --scopes value              Space separated scopes that this login should assume into when authenticating (required)
   --secret-store-id value     secret store id
   --svc-keyfile value         The service account keyfile to authenticate with (required, secret)
   --tags value                tags e.g. 'key=value,...'
   --template, -t              display a JSON template

Admin UI setup

If you would rather set up GCP cloud in the StrongDM Admin UI, go to Infrastructure > Clouds and click the Add cloud button.

Add GCP Cloud Type

Set the following properties:

  • Display Name (Required): Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >).
  • Cloud Type (Required): Select GCP.
  • Secret Store (Optional): Credential store location; defaults to Strong Vault.
  • Service Account Keyfile (Required): Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file.
  • Scopes (Required): Enter the access scope(s) (for example, https://www.googleapis.com/auth/cloud-platform) to allow authentication to Google cloud APIs. If setting multiple scopes, separate them with a space.

Click Create to save the configuration settings.

CLI usage

After you have generated credentials, created the resources in Google cloud, and added GCP as a cloud type in StrongDM, you should be able to call GCP in the CLI via sdm gcp or sdm gcloud.

The cli and gsutil subcommands are also supported; they execute gcloud and gsutil commands respectively (for example, sdm gcp gsutil ls or sdm gcp cli iam service-accounts list).

In addition, the init subcommand creates a gcloud configuration named strongdm, which you can switch to with sdm gcp activate (effectively an alias for gcloud config configurations activate strongdm). While that configuration is active, all gcloud and gsutil commands go through StrongDM until you switch to a different configuration (via gcloud config configurations activate <NAME>).

You can use sdm gcloud --help to view example usage and command options:

NAME:
   sdm gcloud - gcloud commands

USAGE:
   sdm gcloud command [command options] [arguments...]

COMMANDS:
   activate  Enable gcloud's usage of strongdm
   cli       Call gcloud via the SDM proxy
   gsutil    Call gsutil via the SDM proxy
   init      Initialize gcloud to use a SDM proxy

OPTIONS:
   --help, -h  show help

After running sdm gcloud activate, we recommend running the following command to check that the strongdm configuration row shows an account and a project:

sdm gcloud config configurations list

You should see output similar to the following:

NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
strongdm  True       strongdm@strongdm  strongdm
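The check described above can be scripted for user onboarding. This Python example is added here and is not part of the StrongDM documentation: it parses the columnar output of gcloud config configurations list by the header's column offsets (so a strongdm row with no default zone or region, as in the sample above, does not shift later cells) and reports why the strongdm configuration is not ready. The sample output is constructed; the "default" row is made up.

```python
from typing import Dict, List


def parse_config_list(output: str) -> List[Dict[str, str]]:
    """Parse the columnar output of `gcloud config configurations list`.

    Columns are cut at the header's character offsets, so a row that ends
    early (no default zone/region set) yields "" for those cells instead of
    shifting values into the wrong column.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    names, starts, pos = header.split(), [], 0
    for name in names:
        pos = header.index(name, pos)
        starts.append(pos)
        pos += len(name)
    parsed = []
    for row in rows:
        ends = starts[1:] + [len(row)]
        parsed.append({n: row[s:e].strip() for n, s, e in zip(names, starts, ends)})
    return parsed


def strongdm_config_problems(output: str) -> List[str]:
    """Return why the `strongdm` configuration is not usable, or [] if it is."""
    match = [r for r in parse_config_list(output) if r.get("NAME") == "strongdm"]
    if not match:
        return ["no configuration named 'strongdm' (run sdm gcloud init)"]
    cfg, problems = match[0], []
    if cfg.get("IS_ACTIVE") != "True":
        problems.append("strongdm configuration is not active (run sdm gcloud activate)")
    if not cfg.get("ACCOUNT"):
        problems.append("strongdm configuration has no account")
    if not cfg.get("PROJECT"):
        problems.append("strongdm configuration has no project")
    return problems


# Constructed sample output mirroring the guide's example; the "default" row is made up.
SAMPLE_OUTPUT = (
    "NAME      IS_ACTIVE  ACCOUNT            PROJECT   COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION\n"
    "default   False      alice@example.com  my-proj   us-central1-a         us-central1\n"
    "strongdm  True       strongdm@strongdm  strongdm\n"
)

if __name__ == "__main__":
    print(strongdm_config_problems(SAMPLE_OUTPUT) or "strongdm configuration looks good")
```

To use it live, pipe the real output into `strongdm_config_problems` (for example via subprocess) in place of `SAMPLE_OUTPUT`.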

Error Cases

If you attempt to use a cloud resource without a StrongDM listener or the GUI running, you will see an error such as the following:

ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))

Logging

In the Cloud Logs section of the Admin UI, you can find all activity of the users who accessed the GCP resource. Note that StrongDM attempts to strip the Authorization header from logs before displaying them in the Admin UI.

User Setup Steps and Usage

This section describes general installation and usage for users in your organization. You can follow along by logging in with a User permission level.

In order for your organization’s users to access the GCP cloud resource via StrongDM, users need to install the following:

  • The StrongDM Desktop application
  • The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the Upgrade button.
  • The gcloud command-line tool

After installation, users must exit and restart the desktop app, and then select the GCP cloud resource to connect to.

Users can then open a terminal and use gcloud through StrongDM, with the base syntax of sdm gcp or sdm gcloud instead of the usual gcloud.

Connection to Multiple Cloud Resources

If your organization has multiple AWS Console resources and you are connected to more than one at once, you may pass a --name value to indicate which resource the command should run against. For example, sdm aws --name <YOUR_RESOURCE_NAME> cli. The flag must come before the cli portion of the command so that the command still works as usual when only a single AWS Console resource is connected.