PingOne Privilege

Onboarding GCP accounts

An admin can onboard an entire organization or a selected folder or project on the PingOne Privilege platform. When an organization is onboarded, all the resources within that organization, including folders and projects, become available on the PingOne Privilege platform for Just-In-Time (JIT) access.

At a high level, there are two steps to onboard a Google Cloud Platform (GCP) account: create a service account in GCP with the required roles and a JSON key, then add that account in the PingOne Privilege admin console using the key.

Creating a service account

To create a service account:

  1. In the GCP console, create a service account and generate a key for it in JSON format. This key is the credential you later upload in the Add Account Wizard, and it is a long-lived secret, so store it securely.

    The roles to grant depend on whether an organization, folder, or project is being onboarded. Grant them to the service account on that organization, folder, or project.

    All three levels require: Browser, Cloud SQL Admin, Cloud SQL Client, Security Admin, Viewer, Service Account Key Admin, Service Account Admin, Service Account Token Creator, Kubernetes Engine Admin, Deployment Manager Editor, Cloud AlloyDB Admin, and BigQuery Data Owner.

    In addition:

    Organization: Organization Role Administrator.

    Folder: Role Administrator on each project in the folder, or instead grant Owner at the folder level. (GCP custom roles exist only at organization and project level, so there is no folder-level equivalent of Role Administrator.)

    Project: Role Administrator.

  2. Enable the Cloud Resource Manager API in the service account’s project.
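The console steps above can also be scripted with the gcloud CLI. The script below is an added example and is not part of the PingOne Privilege documentation or product: it maps the role names listed above to their GCP predefined role IDs, binds them at the chosen scope, enables the Cloud Resource Manager API in the service account's project, and creates the JSON key. The default service-account name, the DRY_RUN, FOLDER_PROJECTS and ONBOARD_RUN variables, and the dry-run-by-default behaviour are this example's own choices. For folder onboarding it takes the first of the two options given above (Role Administrator on each project in the folder) rather than granting Owner on the folder.

```shell
#!/usr/bin/env sh
# Added example (not PingOne's code): script the service-account setup with gcloud.
# Assumed by this example, not by the docs: the SA_NAME default, the DRY_RUN,
# FOLDER_PROJECTS and ONBOARD_RUN variables, and dry-run-by-default behaviour.
set -eu

# Roles required at every onboarding level, as GCP predefined role IDs.
COMMON_ROLES="roles/browser roles/cloudsql.admin roles/cloudsql.client
roles/iam.securityAdmin roles/viewer roles/iam.serviceAccountKeyAdmin
roles/iam.serviceAccountAdmin roles/iam.serviceAccountTokenCreator
roles/container.admin roles/deploymentmanager.editor roles/alloydb.admin
roles/bigquery.dataOwner"

# roles_for LEVEL: one role ID per line to bind at the onboarding scope.
# Organization adds Organization Role Administrator, project adds Role
# Administrator; folder gets Role Administrator per project instead (see onboard).
roles_for() {
  case "$1" in
    organization) printf '%s\n' $COMMON_ROLES roles/iam.organizationRoleAdmin ;;
    folder)       printf '%s\n' $COMMON_ROLES ;;
    project)      printf '%s\n' $COMMON_ROLES roles/iam.roleAdmin ;;
    *) echo "unknown level: $1 (use organization|folder|project)" >&2; return 1 ;;
  esac
}

# binding_cmd LEVEL ID: the gcloud command that adds an IAM binding on that resource.
binding_cmd() {
  case "$1" in
    organization) echo "gcloud organizations add-iam-policy-binding $2" ;;
    folder)       echo "gcloud resource-manager folders add-iam-policy-binding $2" ;;
    project)      echo "gcloud projects add-iam-policy-binding $2" ;;
    *) echo "unknown level: $1 (use organization|folder|project)" >&2; return 1 ;;
  esac
}

# run CMD...: print the command; execute it only when DRY_RUN is not 1.
run() {
  echo "+ $*"
  if [ "${DRY_RUN:-1}" != 1 ]; then "$@"; fi
}

# onboard LEVEL TARGET_ID SA_PROJECT, e.g. onboard organization 123456789012 my-tooling-project
onboard() {
  level="$1"; target="$2"; sa_project="$3"
  roles_for "$level" >/dev/null   # validate the level early (aborts under set -e)
  sa_name="${SA_NAME:-pingone-privilege}"
  sa_email="$sa_name@$sa_project.iam.gserviceaccount.com"
  key_file="$sa_name-key.json"

  # Step 1: the service account lives in its own project.
  run gcloud iam service-accounts create "$sa_name" --project="$sa_project" \
    --display-name="PingOne Privilege onboarding"

  # Grant the roles for this level on the organization, folder or project itself.
  for role in $(roles_for "$level"); do
    run $(binding_cmd "$level" "$target") \
      --member="serviceAccount:$sa_email" --role="$role"
  done

  # Folder onboarding: Role Administrator on each project in the folder, rather
  # than the broader alternative of Owner on the folder. FOLDER_PROJECTS lets a
  # dry run skip the gcloud lookup.
  if [ "$level" = folder ]; then
    projects="${FOLDER_PROJECTS:-}"
    if [ -z "$projects" ]; then
      projects="$(gcloud projects list --filter="parent.id=$target" --format='value(projectId)')"
    fi
    for p in $projects; do
      run gcloud projects add-iam-policy-binding "$p" \
        --member="serviceAccount:$sa_email" --role=roles/iam.roleAdmin
    done
  fi

  # Step 2: Cloud Resource Manager API in the service account's project.
  run gcloud services enable cloudresourcemanager.googleapis.com --project="$sa_project"

  # Finally the JSON key the wizard ingests; it is a long-lived credential, so lock it down.
  run gcloud iam service-accounts keys create "$key_file" --iam-account="$sa_email"
  run chmod 600 "$key_file"
}

# Only act when invoked with ONBOARD_RUN=1; otherwise just define the functions.
if [ "${ONBOARD_RUN:-0}" = 1 ]; then onboard "$@"; fi
```

Run it as `ONBOARD_RUN=1 DRY_RUN=1 ./onboard.sh folder 123456789 my-tooling-project` to review the exact commands first, then with `DRY_RUN=0` to apply them. Note what the resulting key represents: Service Account Key Admin and Service Account Token Creator let whoever holds it mint credentials for other service accounts in scope, so treat the JSON file as a privileged secret (the `chmod 600` is the minimum), and delete the local copy once the wizard has accepted it.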

Adding a GCP account

To add a GCP account:

  1. In PingOne Privilege admin console, go to Cloud > Clouds.

  2. Click Add Account Wizard.

  3. Click the GCP icon in the list at the bottom of the modal window.

  4. Select the account type from the provided list. Click Next.

  5. Verify the required permissions. Click Next.

  6. Upload or paste the service account key file into the wizard. Click Next.

  7. Verify the account details are correct. Click Verify And Add.