Google Cloud IAM

Integration version: 12.0

Use Cases

Manage permissions and service accounts in Google Cloud.

Product Permission

Create a Service Account:

Open your Google Cloud Project portal, on the left pane click IAM & Admin > Roles.
Click Create Roleto create a custom role that will have permissions needed for the integration.
On the opened page provide role Title, Description, ID, Role Launch Stage to General Availability.
Add the following permissions to the created role:
- iam.serviceAccounts.list
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.disable
- iam.serviceAccounts.enable
- iam.serviceAccounts.delete
- iam.roles.list
- iam.roles.get
- iam.roles.create
- iam.roles.delete
Click Createto create a new custom role.
Next go to the Google documentation and follow the procedure in the Creating a Service Account section. After you create a service account, a Service Account Private Key file is downloaded.
Grant the role you previously created to the Service Account so Service Account will have needed permissions for the integration.
Configure Google Cloud IAM integration with the JSON contents of the file you downloaded in step 1.

Configure Google Cloud IAM integration in Google Security Operations

For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations .

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Account Type	String	service_account	No	Type of the Google Cloud account. Located at the "type" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Project ID	String	N/A	No	Project ID of the Google Cloud account. Located at the "project_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Private Key ID	Password	N/A	No	Private Key ID of the Google Cloud account. Located at the "private_key_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Private Key	Password	N/A	No	Private Key of the Google Cloud account. Located at the "private_key" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client Email	String	N/A	No	Client Email of the Google Cloud account. Located at the "client_email" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client ID	String	N/A	No	Client ID of the Google Cloud account. Located at the "client_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Auth URI	String	https://accounts.google.com/o/oauth2/auth	No	Auth URI of the Google Cloud account. Located at the "auth_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Token URI	String	https://oauth2.googleapis.com/token	No	Token URI of the Google Cloud account. Located at the "token_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Auth Provider X509 URL	String	https://www.googleapis.com/oauth2/v1/certs	No	Auth Provider X509 URL of the Google Cloud account. Located at the "auth_provider_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client X509 URL	String	N/A	No	Client X509 URL of the Google Cloud account. Located at the "client_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Service Account Json File Content	String	N/A	No	Optional: Instead of specifying Private Key ID, Private Key and other parameters, specify here the full JSON content of the service account file. Other connection parameters are ignored if this parameter is provided.
Verify SSL	Checkbox	Checked	No	If enabled, the integration verifies that the SSL certificate for the connection to the Google Cloud service is valid.

Actions

Ping

Description

Test connectivity to the Identity and Access Management service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful:"Successfully connected to the Identity and Access Management service with the provided connection parameters!"

The action should fail and stop a playbook execution:

if critical error, like wrong credentials or lost connectivity:"Failed to connect to the Identity and Access Management service! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich Google SecOps User entities with service accounts information from Identity and Access Management. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "projectId" 
 : 
  
 "silver-shift-275007" 
 , 
  
 "uniqueId" 
 : 
  
 "104627053409757134782" 
 , 
  
 "email" 
 : 
  
 "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "displayName" 
 : 
  
 "dmitrys Test SA displayName" 
 , 
  
 "etag" 
 : 
  
 "MDEwMjE5MjA=" 
 , 
  
 "description" 
 : 
  
 "Service account description" 
 , 
  
 "oauth2ClientId" 
 : 
  
 "104627053409757134782" 
 }

Entity Enrichment

Enrichment Field Name	Logic - When to apply
Google_IAM_name
Google_IAM_project_id	..
Google_IAM_unique_id
Google_IAM_email
Google_IAM_display_name
Google_IAM_description
Google_IAM_oauth2_client_id

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided entities were enriched:"Successfully enriched entities: {0}".format([entity.Identifier]).
If fail to enrich all of the provided entities:"No entities were enriched."
If fail to find data in Identity and Access Management to enrich specific entities:"Action was not able to find a match in Identity and Access Management to enrich provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General

Table (Enrichment)

Table Name:{entity} Enrichment Table

Columns:Key, Value

Entity

List Service Accounts

Description

List Identity and Access Management service accounts based on the specified search criteria. Note that action is not working on Google SecOps entities.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Service Account Display Name	String	N/A	No	Specify service account display name to return. Parameter accepts multiple values as a comma separated string.
Service Account Email	String	N/A	No	Specify service account email to return. Parameter accepts multiple values as a comma separated string.
Max Rows to Return	Integer	50	No	Specify how many roles action should return.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "accounts" 
 : 
  
 [ 
  
 { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "projectId" 
 : 
  
 "silver-shift-275007" 
 , 
  
 "uniqueId" 
 : 
  
 "104627053409757134782" 
 , 
  
 "email" 
 : 
  
 "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "displayName" 
 : 
  
 "dmitrys Test SA displayName" 
 , 
  
 "etag" 
 : 
  
 "MDEwMjE5MjA=" 
 , 
  
 "description" 
 : 
  
 "Service account description" 
 , 
  
 "oauth2ClientId" 
 : 
  
 "104627053409757134782" 
  
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed service accounts (is_success = true):
"Successfully fetched Google Cloud service accounts."
If no available values(is_success = false):"No service accounts were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other:"Error executing action "List Service Accounts". Reason: {0}''.format(error.Stacktrace)

General

Table

Table Name:Google Cloud Service Accounts

Table Columns:

Service Account Name

Service Account Unique ID

Service Account Email

Service Account Display Name

Service Account Description

Service Account Oauth2 Client ID

General

Create Service Account

Description

Create an Identity and Access Management Service Account.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Service Account ID	String	String	Yes	Specify service account id to create.
Service Account Display Name	String	String	No	Specify service account display name to create.
Service Account Description	String	String	No	Specify service account description to create.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "projectId" 
 : 
  
 "silver-shift-275007" 
 , 
  
 "uniqueId" 
 : 
  
 "104627053409757134782" 
 , 
  
 "email" 
 : 
  
 "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com" 
 , 
  
 "displayName" 
 : 
  
 "dmitrys Test SA displayName" 
 , 
  
 "etag" 
 : 
  
 "MDEwMjE5MjA=" 
 , 
  
 "description" 
 : 
  
 "Service account description" 
 , 
  
 "oauth2ClientId" 
 : 
  
 "104627053409757134782" 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If action run successfully:(is_success=true)
- Google Cloud Service Account was created successfully <unique id>.
If action failed to run because provided service account already exists(is_success =false)
- Provided service account <unique id> already exists.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Create Service Account". Reason: {0}''.format(error.Stacktrace)

General

Get Service Account IAM Policy

Description

Gets the access control policy for the service account. Action expects Identity and Access Management service account email as a Google SecOps User entity. Note that policy may be empty if no policy is assigned to the service account.

Run On

This action runs on the User entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "version" 
 : 
  
 1 
 , 
  
 "etag" 
 : 
  
 "BwXBuNg8cMA=" 
 , 
  
 "bindings" 
 : 
  
 [ 
  
 { 
  
 "role" 
 : 
  
 "roles/iam.securityReviewer" 
 , 
  
 "members" 
 : 
  
 [ 
  
 "user:dmitrys@siemplify.co" 
  
 ] 
  
 } 
  
 ] 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If action run successfully:(is_success=true)
- "Successfully fetched Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, email id 2...>
If action didnt find info for the entity (for example non existent in Google Identity and Access Management email provided:
- Action was not able to fetch Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, email id2 ..>
If fail to find Identity and Access Management policy for all of the provided entities:"Identity and Access Management policy was not found for any of the provided entities."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Get Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

General

Set Service Account IAM Policy

Description

Sets the access control policy on the specified service account. Action expects Identity and Access Management service account email as a Google SecOps account entity. Note that policy provided in action replaces any existing policy.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Policy	String	N/A	Yes	Specify JSON policy document to set for service account.

Run On

This action runs on the Account entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "version" 
 : 
  
 1 
 , 
  
 "etag" 
 : 
  
 "BwXBuNg8cMA=" 
 , 
  
 "bindings" 
 : 
  
 [ 
  
 { 
  
 "role" 
 : 
  
 "roles/iam.securityReviewer" 
 , 
  
 "members" 
 : 
  
 [ 
  
 "user:dmitrys@siemplify.co" 
  
 ] 
  
 } 
  
 ] 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If some are successful (is_success=True):
- Successfully set Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, ...>
If some failed:
- Action was not able to set Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, ....>
If all failed:
- No Service Account Identity and Access Management policies were set.
If provided policy JSON is not valid (is_success =false)
- Provided policy JSON document <policy> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Set Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

General

Disable Service Account

Description

Disable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful at least one of the provided entities:"Successfully disabled the following service accounts: {0}".format([entity.Identifier]).

If fail to disable all of the provided entities:"No service accounts were disabled."

If fail to find data in Google Cloud Identity and Access Management to disable specific entities:"Action was not able to find a match in Google Cloud Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Disable Service Account". Reason: {0}''.format(error.Stacktrace)

General

Enable Service Account

Description

Enable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful at least one of the provided entities:"Successfully enabled the following service accounts: {0}".format([entity.Identifier]).

If fail to enable all of the provided entities:"No service accounts were enabled."

If fail to find data in Identity and Access Management to enable specific entities:"Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Enable Service Account". Reason: {0}''.format(error.Stacktrace)

General

Delete Service Account

Description

Delete service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful at least one of the provided entities:"Successfully deleted the following service accounts: {0}".format([entity.Identifier]).

If fail to delete all of the provided entities:"No service accounts were deleted."

If fail to find data in Identity and Access Management to delete specific entities:"Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Delete Service Account". Reason: {0}''.format(error.Stacktrace)

General

List Roles

Description

List Identity and Access Management roles based on the specified search criteria. Note that action is not working on Google SecOps entities.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
View	DDL	Basic	No	Specify which view should be used to return role information.
Max Rows to Return	Integer	50	No	Specify how many roles action should return.
List Project Custom Roles Only?	Checkbox	Unchecked	No	If enabled action will return only custom roles defined for the current project id.
Show Deleted	Checkbox	Unchecked	No	If enabled action will also return deleted roles.

Run On

The action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "roles" 
 : 
  
 [ 
  
 { 
  
 "name" 
 : 
  
 "roles/accessapproval.approver" 
 , 
  
 "title" 
 : 
  
 "Access Approval Approver" 
 , 
  
 "description" 
 : 
  
 "Ability to view or act on access approval requests and view configuration" 
 , 
  
 "stage" 
 : 
  
 "BETA" 
 , 
  
 "etag" 
 : 
  
 "AA==" 
  
 }, 
  
 { 
  
 "name" 
 : 
  
 "roles/accessapproval.configEditor" 
 , 
  
 "title" 
 : 
  
 "Access Approval Config Editor" 
 , 
  
 "description" 
 : 
  
 "Ability update the Access Approval configuration" 
 , 
  
 "stage" 
 : 
  
 "BETA" 
 , 
  
 "etag" 
 : 
  
 "AA==" 
  
 } 
  
 ] 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed roles(is_success = true):"Successfully fetched Identity and Access Management roles."

If no available values(is_success = false):"No roles were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other:"Error executing action "List Roles". Reason: {0}''.format(error.Stacktrace)

General

Table

Table Name:Google Cloud IAM Roles

Table Columns:

Role Name

Role Title

Role Description

Role Stage

Role Etag

Role Permissions

General

Create Role

Description

Create an Identity and Access Management Role.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Role ID	String	N/A	Yes	Specify role id for newly created Identity and Access Management role.
Role Definition	String	N/A	Yes	Specify JSON policy document to use as the role definition.

Run On

The action doesn't run on entities.

Example For Role Policy JSON

  { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/roles/iam_test_role_api" 
 , 
  
 "title" 
 : 
  
 "iam_test_role_api" 
 , 
  
 "description" 
 : 
  
 "test role" 
 , 
  
 "includedPermissions" 
 : 
  
 [ 
  
 "storagetransfer.projects.getServiceAccount" 
  
 ], 
  
 "stage" 
 : 
  
 "GA" 
 , 
  
 "etag" 
 : 
  
 "BwXBu1RHiPw=" 
 }

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/roles/iam_test_role_api" 
 , 
  
 "title" 
 : 
  
 "iam_test_role_api" 
 , 
  
 "description" 
 : 
  
 "test role" 
 , 
  
 "includedPermissions" 
 : 
  
 [ 
  
 "storagetransfer.projects.getServiceAccount" 
  
 ], 
  
 "stage" 
 : 
  
 "GA" 
 , 
  
 "etag" 
 : 
  
 "BwXBu1RHiPw=" 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If action run successfully:(is_success=true)
- Identity and Access Management <roleid> was created successfully.
If provided role_id already exists(is_success =false)
- Provided role id<role_id> already exists.
If provided role JSON is not valid (is_success =false)
- Provided role definition JSON document <role json> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Create Role". Reason: {0}''.format(error.Stacktrace)

General

Delete Role

Description

Delete an Identity and Access Management Role.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Role ID	String	N/A	Yes	Specify role id for newly created Identity and Access Management role.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  { 
  
 "name" 
 : 
  
 "projects/silver-shift-275007/roles/iam_test_role_api" 
 , 
  
 "title" 
 : 
  
 "iam_test_role_api" 
 , 
  
 "description" 
 : 
  
 "test role" 
 , 
  
 "includedPermissions" 
 : 
  
 [ 
  
 "storagetransfer.projects.getServiceAccount" 
  
 ], 
  
 "stage" 
 : 
  
 "GA" 
 , 
  
 "etag" 
 : 
  
 "BwXDDgKFx7M=" 
 , 
  
 "deleted" 
 : 
  
 true 
 }

Case Wall

Result type

Value/Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If action run successfully:(is_success=true)
- Identity and Access Management <roleid> was successfully deleted.
If provided role_id not exists(is_success =false)
- Provided role id<role_id> does not exist.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "Delete Role". Reason: {0}''.format(error.Stacktrace)

General

Need more help? Get answers from Community members and Google SecOps professionals.