PingOne Privilege

Onboarding GCP accounts

You can onboard a Google Cloud Platform (GCP) organization, folder, or project to manage its resources in PingOne Privilege with Just-In-Time (JIT) access. The process involves creating a service account with the necessary permissions in GCP, and then adding the account to PingOne Privilege.

Step 1: Create a service account in GCP

  1. In the GCP console, create a new service account.

  2. Grant the service account the required IAM permissions.

    These permissions allow PingOne Privilege to discover resources and manage access. The necessary permissions depend on whether you are onboarding an organization, folder, or project:

    Onboarding level Required Permissions

    Organization

    • Browser

    • Cloud SQL Admin

    • Cloud SQL Client

    • Role Administrator

    • Security Admin

    • Viewer

    • Service Account Key Admin

    • Service Account Admin

    • Service Account Token Creator

    • Kubernetes Engine Admin

    • IAM Recommender Admin

    • AlloyDB Admin

    • BigQuery Data Owner

    Folder

    • Browser

    • Cloud SQL Admin

    • Cloud SQL Client

    • Security Admin

    • Viewer

    • Service Account Key Admin

    • Service Account Admin

    • Service Account Token Creator

    • Kubernetes Engine Admin

    • IAM Recommender Admin

    • AlloyDB Admin

    • BigQuery Data Owner

    For each project in the folder, include "Role Administrator" or include "owner" permission at the top folder level.

    Project

    • Browser

    • Cloud SQL Admin

    • Cloud SQL Client

    • Role Administrator

    • Security Admin

    • Viewer

    • Service Account Key Admin

    • Service Account Admin

    • Service Account Token Creator

    • Kubernetes Engine Admin

    • IAM Recommender Admin

    • AlloyDB Admin

    • BigQuery Data Owner

  3. Create a service account key for the service account and download it in JSON format. You will need this file later.

  4. Enable the Cloud Resource Manager API in the project that contains the service account.

Step 2: Add the GCP account to PingOne Privilege

  1. In the PingOne Privilege admin console, go to Cloud > Clouds.

  2. Click Add Account Wizard.

  3. Click the GCP icon.

  4. Select whether you are onboarding an Organization, Folder, or Project. Click Next.

  5. Enter the Provider ID (this is your Organization ID, Folder ID, or Project ID). Click Next.

  6. Upload or paste the content of the JSON service account key file you downloaded earlier. Click Next.

  7. Verify the account details are correct and click Verify And Add.

Validation

After adding the account, go to the Cloud > Clouds page in the PingOne Privilege admin console. Your new GCP account should be listed with a Verified status. You can click on the account to see the discovered resources.