Google Cloud Identity

Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You can configure Cloud Identity to federate identities between Google and other identity providers, such as Active Directory and Microsoft Entra ID (formerly Azure AD). For more information refer to Google Cloud Identity official documentation.

Integration Method: API

Tables: Device Inventory Info (5001)

This integration supports the following events.

This integration supports the following versions.

Note:

Google Cloud Identity doesn’t follow a traditional versioning system. As of this document preparation, latest release was on September 25, 2024.

Prerequisites

• The user should have a Google Cloud Platform (GCP) project created in their deployment.

• The user should have a Google Cloud Service Account created from the Google Developers Console.

• The user should have granted Domain-Wide Delegation and added the necessary scopes for the service account.

• The user should have access to the DataBee console.

Configuration Overview

1. Generate a service account with the required scopes and its private key.

2. Add the Google Cloud Identity data feed in the DataBee console with the following parameters.

   DataBee Parameter	Google Cloud Identity Parameter
   Client Email	Service account email id
   Admin Email	Domain admin email id
   Private Key	Private Key

Google Cloud Identity Configuration

Setting Up the New Project

1. Login to your Google Cloud Platform console.

2. On your console, click on your organization name in the Navigation bar.
    

3. On “Select a resource” window click on NEW PROJECT.
    

4. On the “New Project” window, enter your ‘Project name’ and click on Create.
    

Setting Up the service account

Perform the following steps to set up Google Workspace credentials on your Google console:

1. Navigate to console.cloud.google.com, and log into the Google account where you want to set up your Google Workspace credentials.
    
   

2. Navigate to IAM & Admin > Service Accounts.
    

3. In the Service Accounts, select CREATE SERVICE ACCOUNT > Service Accounts.
    

4. In “Create service account” page, perform the following steps:

   1. Name your service account and select CREATE AND CONTINUE.

   2. Grant your service account access to a project.

   3. Select Continue.

   4. Grant users access to your service account.

   5. Select DONE.

   

Getting Client ID and Private Key

1. In Credentials, navigate to your new service account name, and select your new service account name.

2. In the “Service account details” page for your new service account, perform the following steps:

   1. Navigate to the Unique ID, and copy the contents of the Unique ID.

   2. This is also your Client ID.
       

   3. Navigate to the KEYS tab.

   4. Select ADD KEY > Create new key.
       

   5. Select the JSON key type and click CREATE.
       

   6. Save the key type as JSON file to your selected directory. Below is the sample private key.
       
      

      Note:

      Your new public/private key pair is generated and downloaded to your machine, and it serves as the only copy of this key. Please/Kindly store it in a secure place.

Setting Up Domain Wide Delegation

1. Navigate to admin.google.com.

2. Log in to your administrator Google account.

3. On the Google Admin Home Page, navigate to Security > Access and data control > API controls.
    

4. In “API Controls” page, navigate to Domain wide delegation, and select MANAGE DOMAIN WIDE DELEGATION.
    

5. In “Domain-wide Delegation” page, select Add new to add a new client ID.
    

6. In the “Add a new client ID” window, perform the following steps:

   1. In the ‘Client ID’ field, paste the Unique ID that you copied from the Service account details page.

   2. In the ‘OAuth scopes (comma-delimited)’ field, add the following read-only scope to fetch users, deleted users, roles, and mobile devices data:

      1. https://www.googleapis.com/auth/cloud-identity.devices.readonly

   3. Select AUTHORIZE.
       

   

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    

2. Search for the Google Cloud Identity option using the search bar in the “Add new data feed” page.

    

3. Click on the API Ingest option for the collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration details dialog, enter the following:

   • Authorization Method: Google OAuth2

   • API Base URL: replace the <instance> placeholder with value based on the location of your GCP account as listed below.

     • global: securitycenter

     • me-central-2: securitycenter.me-central2.rep

   • Token URL: enter https://oauth2.googleapis.com/token.

   • Private Key: paste the private key inside the Service Account JSON file downloaded earlier.

   • Client Email: enter the email address during the service account creation process

     Example:

     • Correct Format: MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA

     • Incorrect Format: -----BEGIN PRIVATE KEY----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAA\n-----END PRIVATE KEY-----\n

   • Admin Email: enter the email address of the user for which the application is requesting delegated access. If there is no domain-wide authority delegated to the service account, enter the same email as entered in the Client Email field.

   

6. Click Submit.

Troubleshooting Tips

• If you’re facing invalid_client or unauthorized_client issues, this might be due to incorrect service account credentials. Ensure the private key is pasted correctly. Since you cannot view the key after the first time, re-create the service account key, paste it into a text editor to verify there are no spaces or unexpected characters, and reconfigure the Google Cloud Identity integration.

• If you are facing a response code 403, this might be due to missing permissions. Ensure that the service account has the required Cloud Identity roles and permissions as per the steps mentioned above.