Configure GCP Cloud
Last modified on September 16, 2024
This configuration guide explains how to add Google Cloud Platform (GCP) as a cloud resource in StrongDM. After setup is complete, you will be able to manage access to your GCP Cloud environment in the command line via StrongDM.
Limitations
- There is no SDK, Terraform, Ansible, or other such support for GCP.
- The GCP driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.
GCP Cloud Properties
- GCP supports the
gcloud
command-line tool andgsutil
Python application. - Port 65112 is used for GCP.
Prerequisites
- In StrongDM, you must have the Admin permission level.
- You must have administrator access to your GCP environment and be familiar with
gcloud
and/orgsutil
.
Steps
Generate credentials
- In the Google cloud console, create a service account.
- Create a service account key (JSON key file) and save it.
CLI setup
To set up the GCP cloud in the CLI, open your terminal. While logged in to StrongDM, use the following command:
sdm admin clouds add gcp
You can view all help text and options by appending --help
or -h
to the same command:
NAME:
sdm admin clouds add gcp - create GCP cloud
USAGE:
sdm admin clouds add gcp [command options] <name>
OPTIONS:
--egress-filter value apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
--port-override value port profile override (default: -1)
--scopes value Space separated scopes that this login should assume into when authenticating (required)
--secret-store-id value secret store id
--svc-keyfile value The service account keyfile to authenticate with (required, secret)
--tags value tags e.g. 'key=value,...'
--template, -t display a JSON template
Admin UI setup
If you would rather set up GCP cloud in the StrongDM Admin UI, go to Resources > Clouds and click the Add cloud button.
gcloud
or gsutil
. If you intend to connect to a specific Google-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.Set the following properties:
Property | Requirement | Description |
---|---|---|
Display Name | Required | Enter a meaningful name for this resource. This name displays throughout StrongDM. Do not include special characters like quotes (") or angle brackets (< or >). |
Cloud Type | Required | Select GCP. |
Secret Store | Optional | Credential store location; defaults to Strong Vault |
Service Account Keyfile | Required | Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file. |
Scopes | Required | Enter the access scope(s) (for example, https://www.googleapis.com/auth/cloud-platform ) to allow authentication to Google cloud APIs. If setting multiple scopes, separate them with a space. |
Click Create to save the configuration settings.
CLI usage
After you have generated credentials, created the resources in Google cloud, and added GCP as a cloud type in StrongDM, you should be able to call GCP in the CLI via sdm gcp
or sdm gcloud
.
GCP also supports this via cli
or gsutil
, which will respectively execute gcloud
or gsutil
commands (for example, sdm gcp gsutil ls
or sdm gcp cli iam service-accounts list
).
In addition, GCP supports init
, which will create a StrongDM configuration that you can change into via sdm gcp activate
, which is effectively an alias for gcloud config configurations activate strongdm
. In this state, all gcloud
and gsutil
commands will go through StrongDM until you revert to a different configuration (via gcloud config configurations activate <NAME>
).
You can use sdm gcloud --help
to view example usage and command options:
NAME:
sdm gcloud - gcloud commands
USAGE:
sdm gcloud command [command options] [arguments...]
COMMANDS:
activate Enable gcloud\'s usage of strongdm
cli Call gcloud via the SDM proxy
gsutil Call gsutil via the SDM proxy
init Initialize gcloud to use a SDM proxy
OPTIONS:
--help, -h show help
After running sdm gcloud activate
, we recommend that you run the following command to check that the line with StrongDM has an account and a project:
sdm gcloud config configurations list
You should see output similar to the following:
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION
strongdm True strongdm@strongdm strongdm
Error Cases
Should you attempt to use a cloud resource without a listener/GUI running, you will see an error such as the following:
ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))
sdm gcp activate
or by setting environment variables in your terminal). In these cases, you will likely see SSL errors, and nothing will happen when you run commands.Logging
In the Cloud Logs section of the Admin UI, you can find all of the activities of the users who accessed the GCP resource. Note that StrongDM makes an attempt to drop the Authorization header of logs for display in the Admin UI.
User Setup Steps and Usage
This section describes general installation and usage for users in your organization. You can follow along by logging in with a User permission level.
In order for your organization’s users to access the GCP cloud resource via StrongDM, users need to install the following:
- The StrongDM Desktop application
- The latest version of the StrongDM CLI. If the CLI is already installed, you can run
sdm update
in the CLI to update it. Alternatively, if any updates are available, you can open the GUI and click the Upgrade button. - The
gcloud
command-line tool
After installation, users must exit and restart the desktop app, and then select the GCP cloud resource to connect to.
Users can then open a terminal and use gcloud
through StrongDM, with the base syntax of sdm gcp
or sdm gcloud
instead of the usual gcloud
.
Connection to Multiple Cloud Resources
If your organization has multiple GCP cloud resources, and you are connected to more than one at once, you may specify a --name
value in commands in order to specify which you intend to execute the command on. For example, sdm gcp --name <RESOURCE_NAME> cli
. The flag must come before the cli
portion of the command in order to preserve the ability to use the command as normal with a single GCP cloud resource connected.