Skip to main content
Use Opal’s Google Cloud integration to quickly grant your team temporary access to your Google Cloud resources. With the integration:
  • Users can request time-bounded access to your GCP resources.
  • Auditors can initiate access reviews that assign managers or group admins to periodically review users with long-lived access to GCP resources.
  • All access changes are tracked as events that you can log to Slack or export to your favorite tools.

Supported resources

ResourceReadGrant and revoke accessIncluded in Risk Center
GCP Organizations✔️✔️✔️
GCP Projects✔️✔️✔️
GCP Folders✔️✔️✔️
GCP Buckets✔️✔️✔️
GCP Cloud SQL instances✔️✔️✔️
GCP Compute Engine Instances✔️✔️✔️
GCP BigQuery Datasets✔️✔️✔️
GCP BigQuery Tables✔️✔️✔️
GCP Service Accounts✔️✔️*✔️
GCP GKE✔️✔️✔️
*You can assign give users access to GCP Service Accounts and grant GCP Service accounts access to resources. You cannot yet add GCP Service Accounts to groups.

Create a service account

To get started, create a service account with the proper permission scopes.
  • Open the Service accounts page. If prompted, select a project.
  • At the top of the page, click ”+ Create Service Account”. Enter a name and description for the service account. When done, click Create.
  • The Service account permissions section that follows is not required. Click Continue.
  • On the Grant users access to this service account screen, click Done.
  • Select the new service account.
  • Click the Keys tab.
  • Click the Add key drop-down menu, then select Create new key.
  • Select JSON as the Key type and click Create.
  • Your new public/private key pair is generated and downloaded to your machine.
  • Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.
  • Make a copy of the full email of the service account.
Let’s now create a custom role in IAM.
  • Select the organization level at the top:
762
  • Click + Create Role.
  • Give it a title, ID and set the launch stage to General Availability.
  • Click + Add Permissions.
1142
  • Add the following permissions. The resourcemanager.organizations.get permission is required, and the rest are optional. Use the Explanation tab to learn which permissions are necessary for your use case.
resourcemanager.organizations.get
iam.roles.get
iam.roles.list
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
cloudsql.users.create
cloudsql.users.delete
cloudsql.users.list
cloudsql.instances.get
cloudsql.instances.list
compute.instances.get
compute.instances.getIamPolicy
compute.instances.list
compute.instances.setIamPolicy
iam.serviceAccounts.get
iam.serviceAccounts.getIamPolicy
iam.serviceAccounts.list
iam.serviceAccounts.setIamPolicy
bigquery.datasets.get
bigquery.datasets.update
bigquery.datasets.getIamPolicy
bigquery.tables.get
bigquery.tables.getIamPolicy
bigquery.tables.list
bigquery.tables.setIamPolicy
logging.privateLogEntries.list
  • Click Create.
Then open the Resource Manager page.
  • Select the top level organization:
  • On the right side “Info Panel”, click Add Principal:
  • Enter the service account email, and select the new custom role. Then click Save.
1090 Your service account now has organization wide access to the Google IAM API.

Connect app to Opal and confirm app validations

In Opal, go to the Inventory and select +App, then find the Google Cloud Platform tile. Fill out the form using the above steps. After you save your app, you can view existing sync issues from the Setup tab on the app detail page. Missing permissions and sync issues show in the App Validations section. Select the refresh icon to rerun validation checks. You can hover over the validation icons to learn why Opal needs a given permission. To correctly sync your app to Opal, ensure you address any sync errors, marked with the red ! icon. Inspect warnings on a case-by-case basis: warnings might impact features you’re not using and may be safely ignored, but this depends on your use case.

Usage data and Risk Center

Opal can ingest usage data from your GCP environment to help identify usage patterns and surface unused access grants in the Risk Center. You’ll need to enable data access audit logs in your environment following the GCP documentation. Opal currently ingests primarily read usage events, so the ADMIN_READ and DATA_READ permission types must be enabled. Enable these audit logs for the following services:
  • Identity and Access Management (IAM) API
  • Google Cloud Storage
  • Compute Engine API
  • Cloud Resource Manager API
  • Cloud SQL

Update your Service Account Custom Role

When you update your custom role permissions (e.g., add organization resource manager permissions), you may notice a delay before changes take effect. This is a known GCP issue that you can read about in the GCP documentation. You can wait for the updates to take effect, which may take around a day or more. Alternatively, if your permissions are taking a long time to update or you want to have the new permissions immediately, you can work around this issue by creating a new custom role from scratch that includes all your desired permissions and assigning it to your service account at the organization level.