Integrate Google Cloud Platform

Use these steps to integrate the Google Cloud Platform.

  1. Launch a Windows Google Compute Instance in GCP and note the Service Account associated with the instance.

  2. Create a new IAM Role for ALM Provisioning. The role needs to be created at the organization level if multiple projects will be used for provisioning accounts. If not, then the role can be created in a single project.
    Define the following permissions on the Permissions tab:

    • iam.roles.list
    • iam.serviceAccountKeys.create
    • iam.serviceAccountKeys.delete
    • iam.serviceAccountKeys.get
    • iam.serviceAccountKeys.list
    • iam.serviceAccounts.create
    • iam.serviceAccounts.delete
    • iam.serviceAccounts.disable
    • iam.serviceAccounts.enable
    • iam.serviceAccounts.get
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.list
    • iam.serviceAccounts.setIamPolicy
    • iam.serviceAccounts.undelete
    • iam.serviceAccounts.update
    • resourcemanager.organizations.get
    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.organizations.setIamPolicy
    • resourcemanager.projects.get
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.list
    • resourcemanager.projects.setIamPolicy

  3. At the Organization or Project level, assign the Google Compute Instance Service Account to the ALM Provisioning role created.

    ALM will sync all Service Accounts, Roles, Organizations, and Projects that it has access to. To exclude certain Organizations and Projects from sync, explicitly deny the ALM Role access to them.

  4. Install a certificate on the Windows Google Compute Instance for the Service Account.

    1. Find the Service Account for the engine machine and generate a PK12 access key.
    2. Install the access key on the Windows Google Compute Instance in the Trusted Root Certificate folder.
    3. The Service Account (Active Directory Account or Network Service) used to run the ALM Engine Service needs to be able to access the certificate locally.

  5. Enable Domain Wide Delegation for the Service Account used by the ALM Engine to perform requests:

    1. The scopes required are:

      https://www.googleapis.com/auth/admin.directory.domain.readonly

      https://www.googleapis.com/auth/admin.directory.group.readonly

      https://www.googleapis.com/auth/admin.directory.user.readonly
    2. Enable Admin SDK API (https://developers.google.com/admin-sdk/?hl=en_US).
    3. When creating the GCP IAM Domain in the ALM UI, specify the email of the GCP Admin user to impersonate. The Admin user must have logged into GCP at least one time and accepted the terms and conditions.

  6. Install the ALM Engine on the Google Compute Instance.

  7. Assign the ALM Engine to a Google Cloud Domain and pool in ALM.

  8. Set the Admin email account on the ALM Domain.

  9. Sync the ALM Domain.