Documentation

Google Cloud Platform (GCP)

Connect your GCP infrastructure to use Opal to manage and review access.

Suggest Edits

Opal can quickly get your team up and running with temporary access to Google Cloud. We currently support the following services:

  • Organizations
  • Projects
  • Folders
  • Cloud Storage buckets
  • Cloud SQL instances
  • Compute Engine Instances
  • Google Kubernetes Engine

Create a service account

To get started, create a service account with the proper permission scopes.

  • Open the Service accounts page. If prompted, select a project.
  • At the top of the page, click "+ Create Service Account". Enter a name and description for the service account. When done, click Create.
  • The Service account permissions section that follows is not required. Click Continue.
  • On the Grant users access to this service account screen, click Done.
  • Select the new service account.
  • Click the Keys tab.
  • Click the Add key drop-down menu, then select Create new key.
  • Select JSON as the Key type and click Create.
  • Your new public/private key pair is generated and downloaded to your machine.
  • Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.
  • Make a copy of the full email of the service account.

Let's now create a custom role in IAM.

  • Select the organization level at the top:
762
  • Click + Create Role.
  • Give it a title, ID and set the launch stage to General Availability.
  • Click + Add Permissions.
1142
  • Add the following permissions:
iam.roles.get
iam.roles.list
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.list
cloudsql.instances.get
cloudsql.instances.list
compute.instances.get
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
bigquery.datasets.get
bigquery.datasets.update
bigquery.datasets.getIamPolicy
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
  • Click Create.

Then open the Resource Manager page.

  • Select the top level organization:

  • On the right side "Info Panel", click Add Principal:

  • Enter the service account email, and select the new custom role. Then click Save.
1090

Your service account now has organization wide access to the Google IAM API.

Connect app to Opal and confirm app validations

In Opal, go to the Inventory and select +App, then find the Google Cloud Platform tile. Fill out the form using the above steps.

After you save your app, you can view existing sync issues from the Setup tab on the app detail page. Missing permissions and sync issues show in the App Validations section. Select the refresh icon to rerun validation checks.

You can hover over the validation icons to learn why Opal needs a given permission. To correctly sync your app to Opal, ensure you address any sync errors, marked with the red ! icon. Inspect warnings on a case-by-case basis: warnings might impact features you’re not using and may be safely ignored, but this depends on your use case.

Update your Service Account Custom Role

When you update your custom role permissions (e.g., add organization resource manager permissions), you may notice a delay before changes take effect. This is a known GCP issue that you can read about in the GCP documentation.

You can wait for the updates to take effect, which may take around a day or more. Alternatively, if your permissions are taking a long time to update or you want to have the new permissions immediately, you can work around this issue by creating a new custom role from scratch that includes all your desired permissions and assigning it to your service account at the organization level.

Updated about 1 month ago