Google Workspace
  • 6 Minutes to read
  • PDF

Google Workspace

  • PDF

About this document


This document gives you the step-by-step procedure to configure Google Workspace in SAFE.

Introduction


SAFE allows you to onboard and assess your Google Workspace account for its configuration assessment. SAFE admins can configure the Google Workspace integration in SAFE from the Google Workspace card available on the SAFE Hooks page. 

Prerequisites


To onboard a Google Workspace account in SAFE, you need the following privileges:

  • Users must have the SAFE Admin Role.
  • The user must have the Admin Role in the GCP console.

Generate Connection Details


1. Creating a new project in the GCP console

  1. Login to the GCP console.
  2. Click the dropdown menu on the top left of the page, located between the Google Cloud Platform label and the search bar.
    GW1
  3. The subsequent pop-up lists the hierarchical structure of the organization and all the existing folders and projects within it.
    GW2
  4. Click the New Project button.
  5. Enter a name for the Project.
  6. Click the Create button.
    GW3

2. Enable API services on the project

  1. On the Project’s dashboard, click the options menu at the top left corner to open the navigation bar, 
  2. Scroll down and click the APIs & Services option.
    GW4
  3. On the APIs and Services page, click Enable APIs and Services to go to the APIs Library page.
    GW5
  4. Search for Admin SDK API in the API Library search bar.
    GW6
  5. Click on the link of the Admin SDK API in the search results.
    GW7
  6. Click the Enable button. Once the process is complete, it can be verified by revisiting the page again. The API Enabled label will be available on the page.
  7. Repeat the previous two steps to enable the following APIs:
    1. Resource Manager API
    2. Security Token Service API
    3. IAM Service Account Credentials API
  8. To verify that all the required APIs have been enabled, go back to the APIs & Services dashboard and check the table at the bottom of the page for the names of these four APIs.
    GW9

3. Create a custom role for the Service Account

We need to create a custom IAM role at the organization level that can be assigned to the SAFE Project’s service account to enable SAFE to fetch misconfigurations.

  1. On the Project’s dashboard, click the left navigation, scroll down, and click IAM & Admin.
  2. On the IAM & Admin page, click the drop-down at the top left and select the parent Organization’s name. This will open the Organization level IAM view and the principal users on it.
    GW10
  3. Click on Roles in the left navigation bar. All the roles currently assigned to users in the organization will be listed on this page.
    GW11
  4. Click the Create Role button. 
  5. Enter a name to the new custom role and then scroll down to click on Add Permissions.
    GW12
  6. In the add permissions pop-up, enter permission resourcemanager.organizations.get in the filter box, select the checkbox in the search result for the same permission name, and then click the Add button.
    GW13
  7. Once the permission is added, click the Create button.
  8. The new role should now be visible under the list of roles on the IAM Roles page at https://console.cloud.google.com/iam-admin/roles for the Organization’s view.

4. Creating a Service Account

  1. On the Project’s dashboard, click the left navigation, scroll down, and click IAM & Admin.
  2. Click on Service Accounts.
  3. Click the Create Service Account button.
    GW16
  4. Enter a name for the service account, and click the Create and Continue button.
    GW17
  5. Under the "Grant this service account access to the project," select the custom role created earlier from the drop-down menu and then click the Continue button.
  6. Click the Done button to complete the process of service account creation.
    The new service account should be present under the list of service accounts for the project at https://console.cloud.google.com/iam-admin/serviceaccounts
  7. Now, we have to assign the custom role at the Organization level so that the service account can use the permissions of this role for all the projects in the organization through inheritance.
  8. Click on IAM in the left navigation bar to go to the IAM principals table, then select the Organization view from the drop-down menu.
  9. Click on Add, then enter the service account’s complete address in the New principal's field, and then select it. Subsequently, select the custom role created earlier in the Role drop-down.
    GW18
  10. Click the Save button. The system displays an entry for the new service account in the table of IAM principals for the Organization at https://console.cloud.google.com/iam-admin/iam.

5. Grant domain-wide access to the Service Account

  1. Sign in to the Google Workspace Admin portal.
  2. From the left navigation, Go to Account > Admin Roles. 
  3. Click the Create new role button.
    GW19
  4. Enter the name and description, and click the Continue button.
    GW20
  5. Scroll down to the Admin API privileges section.
    GW21
  6. Select the checkboxes of the following permissions in the section:
    1. Organization Units: Read
    2. Users: Read
    3. Groups: Read
    4. User Security Management
  7. Review the Role permissions and then click on Create Role button.
    GW31
  8. On the next page, click the Assign service accounts option.
    GW32
  9. Enter the ID belonging to the service account created in the previous step, and then click the Add button, and then the Assign Role button.
    GW33

6. Creating a WIF (Workload Identity Federation) Pool and Identity Provider

  1. On the project’s dashboard, click the left navigation and, go to IAM & Admin.
  2.  Click on Workload Identity Federation. 
  3. If there are no Identity Pools configured, the below page comes up:
    GW41 
  4. Click the Get Started button. 
  5. Enter a name and ID for the new Identity Pool and click the Continue button.
    GW42
  6. Information about the Identity Provider (AWS in this example) must be provided. This includes a user-provided name and the Account ID of the AWS account which will host the external application.
    Here, the AWS Account ID of SAFE's production account needs to be entered. Contact the SAFE support team to get the AWS Account ID of SAFE's production account.
  7. Click the Continue button.
    GW43(1)

  8. Alter the default attribute mapping under configure provider attributes to change the value of google.subject field to "safe."
  9. Once this is done, click the Save button to finish the identity pool creation process.
    GW44
  10. The system creates a new identity pool with the identity provider configured. On the next page, Click the Grant Access button. It will open a window where the service account which was created earlier should be selected.
    GW45
  11. Click the Save button. The system pops up a window asking the user to download a Config file.
    GW46
  12. Click the Download Config button. A config file will be downloaded to your system with all the connection details required to configure Google Workspace in SAFE. Refer to below sample file.
"type": "external_account",
"audience": "//iam.googleapis.com/projects/<project-id>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
"token_url": "https://sts.googleapis.com/v1/token",
"subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
"service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-id>:generateAccessToken"
"credential_source": {
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "environment_id": "aws1",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
}

7. Get the organization ID of the project

As part of the config object, the user needs to send the organization id of the organization whose assets will get pulled into SAFE and assessed. Refer to Google Documents to get the organization ID.

Configuring Google Workspace


  1. Navigate to SAFE Hooks and click the Google Workspace card.
  2. Enter the following  required fields by referring to the config file downloaded:
    1. Type
    2. Audience
    3. Token URL
    4. Organization Ids
    5. Region URL
    6. Environment Id
    7. Verification URL
    8. Subject Token Type
  3. Enter the Auto-Sync Frequency.
  4. Click the Test Connection button.
  5. Once the connection is verified, click the Save button to save the configuration.
    GW51
  6. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside of the scheduled auto sync.

View Result


After a successful sync, the Google Workspace assets are automatically imported into SAFE.

To view the assets pulled from Google Workspace:

  1. Navigate to Technology > Assets.
  2. Filter the asset list with Asset Type in Google Workspace.
  3. Click on the Asset name.
  4. The system displays all the controls and their status for Google Workspace.

GW52

To view the results for an asset:

  1. Navigate to Technology > Inside-out.
  2. Go to the Cloud - SaaS Applications page
  3. Scroll down to the Asset List and click a Google Workspace asset.
  4. The system displays all the controls and their status for Google Workspace. 

Was this article helpful?

What's Next