By following this integration guide, you can add Google Cloud Platform (GCP) as a host directory in PrivX. This allows providing access to your GCP instances via PrivX.

Disclaimers

This document includes instructions regarding third-party products by Google. These instructions are provided for general guidance only.

Documentation involving third-party products includes configuring roles and service accounts in GCP. The instructions in this manual were verified against the Google products current in April 2020. These instructions will need to be adapted when using other versions of Google products.

SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, or guarantee that the content related to third-party products is up to date.

SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as GCP, nor provide any support or other services for third-party products.

For instructions about setting up and operating Google products, we always recommend that you consult the official Google documentation intended for the specific version(s) of Google products in your use, and/or directly contact Google representatives or support.

Prerequisites

Check and ensure the following before performing the procedures in this document:

  • Your G Suite domain must include a project with instances that are to be added to PrivX.

  • You will need administrative access to the project in GCP.

  • You will need superuser access to PrivX.

  • Optional: Use GCP host tags to specify access rules. Otherwise you will need to manually define access rules after import.

Integration Steps

The high-level workflow for importing GCP instances to PrivX:

  1. Set up a service account with permissions for viewing your GCP instances.

  2. Set up PrivX to use the service account for importing hosts from GCP.

These steps are described in more detail in the following sections.

Service-Account Setup

PrivX needs a GCP service account for fetching host data from GCP.

First, create a GCP Role for providing the required permissions:

  1. Sign into the GCP console at https://console.cloud.google.com.
    Ensure that you have selected the GCP project containing the hosts you want to import. Also note your project ID, required later for configuring PrivX.

  2. On the IAM & Admin → Roles page, click Create Role.
    Provide the required information for the role.

    To add the required permissions, click Add Permissions and add at least the following permissions:
      • compute.instances.list
      • compute.zones.list
    Tip: To locate the permissions more easily, you may use the filter Compute Instance viewer.

    You have now created a role for granting the required permissions.

Next, create a service account:

  1. On the IAM & Admin → Service Accounts page, click Create Role.

  2. Provide the required information. When prompted for roles, add the previously created role.

    Also create a key for the service account. The key must be created in JSON format.
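The same role, service account, role binding and JSON key can be created from the gcloud CLI instead of the console. The script below is an added example, not part of the PrivX guide or product; it assumes gcloud is installed and authenticated as a project administrator, and the role and service-account names are hypothetical placeholders.

```shell
#!/usr/bin/env sh
# Added example: the console steps above expressed as gcloud CLI calls.
# Assumes gcloud is installed and authenticated with administrative access
# to the project. Set DRY_RUN=1 to print the commands instead of running them.

# Hypothetical names; adjust to your environment.
ROLE_ID="${ROLE_ID:-privxHostImport}"
SA_NAME="${SA_NAME:-privx-host-import}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: custom role carrying only the two permissions the guide requires,
# so the account PrivX uses can list instances and zones and nothing else.
create_privx_role() {
    project="$1"
    run gcloud iam roles create "$ROLE_ID" --project="$project" \
        --title="PrivX host import" \
        --description="Read-only listing of instances and zones for PrivX" \
        --permissions=compute.instances.list,compute.zones.list \
        --stage=GA
}

# Step 2: service account bound to that role at project level, plus a JSON key
# for PrivX to authenticate with.
create_privx_service_account() {
    project="$1"
    key_file="$2"
    sa_email="${SA_NAME}@${project}.iam.gserviceaccount.com"
    run gcloud iam service-accounts create "$SA_NAME" --project="$project" \
        --display-name="PrivX host import"
    run gcloud projects add-iam-policy-binding "$project" \
        --member="serviceAccount:${sa_email}" \
        --role="projects/${project}/roles/${ROLE_ID}"
    # The key is a long-lived credential: keep the file readable only by the
    # operator, upload it to PrivX, then remove the local copy.
    run gcloud iam service-accounts keys create "$key_file" \
        --iam-account="$sa_email" --key-file-type=json
    [ "${DRY_RUN:-0}" = "1" ] || chmod 600 "$key_file"
}
```

Run `create_privx_role <project-id>` followed by `create_privx_service_account <project-id> privx-key.json`, using the project ID noted in step 1 of the console procedure.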