Google Workspace

About this document


This document gives you the step-by-step procedure to configure Google Workspace in SAFE.

Introduction


SAFE allows you to onboard your Google Workspace account and assess its configuration. SAFE admins configure the Google Workspace integration from the Google Workspace card on the SAFE Hooks page.

Prerequisites


To onboard a Google Workspace account in SAFE, you need the following privileges:

  • The SAFE Admin role in SAFE.

  • The Admin role in the GCP console.

Generate Connection Details


1. Create a new project in the GCP console

  1. Login to the GCP console.

  2. Click the dropdown menu on the top left of the page, located between the Google Cloud Platform label and the search bar.

  3. The subsequent pop-up lists the hierarchical structure of the organization and all the existing folders and projects within it.

  4. Click the New Project button.

  5. Enter a name for the Project.

  6. Click the Create button.


2. Enable API services on the project

  1. On the Project’s dashboard, click the options menu at the top left corner to open the navigation bar.

  2. Scroll down and click the APIs & Services option.

  3. On the APIs and Services page, click Enable APIs and Services to go to the APIs Library page.

  4. Search for Admin SDK API in the API Library search bar.

  5. Click on the link of the Admin SDK API in the search results.

  6. Click the Enable button. Once the process is complete, revisit the page to verify it: the page now shows an API enabled label.

  7. Repeat the previous two steps to enable the following APIs:

    1. Resource Manager API

    2. Security Token Service API

    3. IAM Service Account Credentials API

  8. To verify that all the required APIs have been enabled, go back to the APIs & Services dashboard and check the table at the bottom of the page for the names of these four APIs.


3. Create a custom role for the Service Account

We need to create a custom IAM role at the organization level that can be assigned to the SAFE Project’s service account to enable SAFE to fetch misconfigurations.

  1. On the Project’s dashboard, click the left navigation, scroll down, and click IAM & Admin.

  2. On the IAM & Admin page, click the drop-down at the top left and select the parent Organization’s name. This will open the organization-level IAM view and its principal users.

  3. Click Roles in the left navigation bar. All the roles currently assigned to users in the organization will be listed on this page.

  4. Click the Create Role button. 

  5. Enter a title for the new custom role.

  6. Scroll down and click the Add Permissions button.

  7. In the add permissions pop-up, search and select the permission resourcemanager.organizations.get, and click the Add button.

  8. Similarly, search and add the permission resourcemanager.projects.get.

  9. Once both permissions are added, click the Create button.

  10. The new role should now be visible on the IAM Roles page at https://console.cloud.google.com/iam-admin/roles for the Organization’s view.

4. Creating a Service Account

Please note:

Switch to the project created for SAFE (see section 1) using the drop-down at the top. The goal of this step is to create a service account under SAFE’s project and link it back to the role created at the organization level in section 3.

  1. On the Project’s dashboard, click the left navigation, scroll down, and click IAM & Admin.

  2. Click on Service Accounts.

  3. Click the Create Service Account button.

  4. Enter a name for the service account, and click the Create and Continue buttons.

  5. Under "Grant this service account access to the project", select the custom role created earlier from the drop-down menu and click the Continue button.

  6. Click the Done button to complete the process of service account creation.
    The new service account should be present under the list of service accounts for the project at https://console.cloud.google.com/iam-admin/serviceaccounts.

  7. Now the custom role has to be assigned at the Organization level, so that the service account can use this role's permissions for all the organization's projects through inheritance.

  8. Click on IAM in the left navigation bar to go to the IAM principals table, then select the Organization view from the drop-down menu.


    Please note:

    Change the organization to the parent organization for the next steps.

  9. Click on Add, enter the service account’s complete address in the New principal's field, and select it. Subsequently, select the custom role created earlier in the Role drop-down.

  10. Click the Save button. The system displays an entry for the new service account in the table of IAM principals for the Organization at https://console.cloud.google.com/iam-admin/iam.

5. Grant domain-wide access to the Service Account

  1. Sign in to the Google Workspace Admin portal.

  2. From the left navigation, go to Account > Admin Roles.

  3. Click the Create new role button.

  4. Enter the name and description, and click the Continue button.

  5. Scroll down to the Admin API privileges section.

  6. Select the checkboxes of the following permissions in the section:

    1. Organization Units: Read

    2. Users: Read

    3. Groups: Read

    4. User Security Management

  7. Review the role permissions and then click the Create Role button.

  8. On the next page, click the Assign service accounts option.

  9. Enter the ID belonging to the service account created in the previous step, and then click the Add button and then the Assign Role button.


6. Creating a WIF (Workload Identity Federation) Pool and Identity Provider

  1. Click the left navigation on the project’s dashboard and go to IAM & Admin.

  2. Click Workload Identity Federation.

  3. If no identity pools have been configured yet, the system shows a getting-started page.

  4. Click the Get Started button. 

  5. Enter a name and ID for the new Identity Pool and click the Continue button.

  6. Information about the Identity Provider (AWS in this example) must be provided. This includes a user-provided name and the Account ID of the AWS account which will host the external application.
    The AWS Account ID of SAFE's production account needs to be entered here. Contact the SAFE support team to get the AWS Account ID of SAFE's production account.

  7. Click the Continue button.

  8. Under Configure provider attributes, alter the default attribute mapping so that the google.subject field is set to the value safe.

  9. Once this is done, click the Save button to finish the identity pool creation process.

  10. The system creates a new identity pool with the configured identity provider. On the following page, click the Grant access to service account button. In the window that opens, select the service account created earlier, choose subject as the attribute name, enter safe as the attribute value, and click Save.

  11. Click the Save button. The system opens a window asking the user to download a Config file.

  12. Click the Download Config button. A config file with all the connection details required to configure Google Workspace in SAFE is downloaded to your system. A sample file is shown below.

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<project-id>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
  "token_url": "https://sts.googleapis.com/v1/token",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-id>:generateAccessToken",
  "credential_source": {
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "environment_id": "aws1",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}

7. Get the organization ID of the project

As part of the config object, you also need to supply the ID of the organization whose assets will be pulled into SAFE and assessed. Refer to the Google Cloud documentation for how to find your organization ID.

Configuring Google Workspace


  1. Navigate to SAFE Hooks and click the Google Workspace card.

  2. Enter the following required fields by referring to the config file downloaded:

    1. Type

    2. Audience

    3. Token URL

    4. Organization Ids

    5. Region URL

    6. Environment Id

    7. Verification URL

    8. Subject Token Type

  3. Enter the Auto-Sync Frequency.

  4. Click the Test Connection button.

  5. Once the connection is verified, click the Save button to save the configuration.

  6. Once the configuration is saved, click the Sync Now button to trigger the on-demand sync outside the scheduled auto sync.
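As an added example (not part of the original article or of the SAFE product), the following Python script reads a downloaded WIF config file of the shape shown in section 6, checks that it is an external-account (federation) config rather than a service-account key and that its AWS credential source fields are the expected ones, and maps its values onto the SAFE hook fields listed in step 2 above. The embedded sample is constructed from the placeholders in the sample file; the Organization Ids field comes from section 7, not from the file.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample mirroring the downloaded WIF config; the angle-bracket
# placeholders stand in for the real project, pool, provider and account IDs.
SAMPLE_CONFIG = """{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<project-id>/locations/global/workloadIdentityPools/<pool-name>/providers/<provider-name>",
  "token_url": "https://sts.googleapis.com/v1/token",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<service-account-id>:generateAccessToken",
  "credential_source": {
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "environment_id": "aws1",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}"""

# Shape of a Workload Identity Federation provider resource path.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/[^/]+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$"
)

def check_wif_config(text):
    """Validate the downloaded WIF config; return (SAFE hook field values, list of problems)."""
    cfg = json.loads(text)
    src = cfg.get("credential_source", {})
    verify = src.get("regional_cred_verification_url", "")
    checks = [
        (cfg.get("type") == "external_account", "type must be external_account (a WIF config, not a service-account key)"),
        (AUDIENCE_RE.match(cfg.get("audience", "")) is not None, "audience is not a workloadIdentityPools provider path"),
        (cfg.get("token_url") == "https://sts.googleapis.com/v1/token", "token_url is not the Google STS endpoint"),
        (cfg.get("subject_token_type") == "urn:ietf:params:aws:token-type:aws4_request", "subject_token_type is not the AWS aws4_request type"),
        (src.get("environment_id") == "aws1", "credential_source.environment_id must be aws1"),
        (urlparse(src.get("url", "")).hostname == "169.254.169.254", "credential_source.url must point at the EC2 instance metadata service"),
        (verify.startswith("https://sts.{region}.amazonaws.com"), "regional_cred_verification_url is not the regional AWS STS URL"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    # Keys are the field names on the SAFE hook form; Organization Ids is entered separately (section 7).
    fields = {"Type": cfg.get("type"), "Audience": cfg.get("audience"),
              "Token URL": cfg.get("token_url"), "Region URL": src.get("region_url"),
              "Environment Id": src.get("environment_id"), "Verification URL": verify,
              "Subject Token Type": cfg.get("subject_token_type")}
    return fields, problems
```

Run it against the real downloaded file before filling in the SAFE form; an empty problems list means the file has the expected federation shape.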

View Result


After a successful sync, the Google Workspace assets are automatically imported into SAFE.

To view the assets pulled from Google Workspace:

  1. Navigate to Technology > Assets.

  2. Filter the asset list by source security.safe.saas.googleworkspace. The system displays the Google Workspace asset.

  3. Click any asset from the list. The system displays the controls and their status for Google Workspace assets.
