Google Cloud Platform (GCP)
Connect your GCP infrastructure to use Opal to manage and review access.
Opal can quickly get your team up and running with temporary access to Google Cloud. We currently support the following services:
- Organizations
- Projects
- Folders
- Cloud Storage buckets
- Cloud SQL instances
- Compute Engine Instances
- Google Kubernetes Engine
Getting Started
Create a service account
We'll need to create a service account with the proper permission scopes.
- Open the Service accounts page. If prompted, select a project.
- Ensure that the selected project has the Cloud Resource Manager API and the IAM API enabled.
- At the top of the page, click "+ Create Service Account". Enter a name and description for the service account. When done, click Create.
- The Service account permissions section that follows is not required. Click Continue.
- On the Grant users access to this service account screen, click Done.
- Select the new service account.
- Click the Keys tab.
- Click the Add key drop-down menu, then select Create new key.
- Select JSON as the Key type and click Create.
- Your new public/private key pair is generated and downloaded to your machine.
- Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.
- Make a copy of the full email of the service account.
Let's now create a custom role in IAM.
- Select the organization level at the top:
- Click + Create Role.
- Give it a title, ID and set the launch stage to General Availability.
- Click + Add Permissions.
- Add the following permissions:
iam.roles.get
iam.roles.list
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.list
cloudsql.instances.get
cloudsql.instances.list
compute.instances.get
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
bigquery.datasets.get
bigquery.datasets.update
bigquery.datasets.getIamPolicy
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
- Click Create.
Then open the Resource Manager page.
- Select the top level organization:
- On the right side "Info Panel", click Add Principal:
- Enter the service account email, and select the new custom role. Then click Save.
Your service account now has organization wide access to the Google IAM API.
Updating Your Service Account Custom Role
When updating your custom role permissions (e.g. adding organization resource manager permissions), we have noticed a delay before these changes take effect. This is a known GCP issue that you can read about in the note here.
You can wait for the updates to take effect, which may take around a day or more. Alternatively, if your permissions are taking a long time to update or you want to have the new permissions immediately, you can workaround this issue by creating a new custom role from scratch that includes all your desired permissions and assigning it to your service account at the organization level.
Updated about 1 month ago