GCP CLI/SDK (Service Account)

Configure and manage Google Cloud (GCP) resources in StrongDM, including service account key, workload identity federation, and console access workflows.

Overview

This guide explains what capabilities StrongDM can provide for managing access to the Google Cloud Platform (GCP) Cloud Console via a service account. It also provides setup and configuration instructions to add GCP as a resource in StrongDM and begin using StrongDM to control access for users who wish to access your GCP console via a CLI application such as gcloud. StrongDM users are authenticated with GCP and granted the level of access that you configure on the GCP side.

In addition to access control and auditing, GCP access through StrongDM can be a part of a variety of use cases and access control methodologies:

Least Privilege: For GCP CLI/SDK (Service Account) clouds, least privilege can be accomplished by setting up multiple instances of the console as StrongDM resources. Each resource would connect to GCP using a different service account with different permissions granted to it.
Just-in-Time Access: StrongDM users are able to use any access workflows you set up to request access to GCP, allowing you the choice between granting Just-in-Time (JIT) access with requests, or providing standing access to particular users or roles within your StrongDM organization. For more details, see the Access Workflows section.

To avoid confusion during access requests, if there are multiple GCP cloud resources in StrongDM, it may be useful to name them in such a way that indicates the level of access, so that users know the name of the resource to request.

Context-Based Policy: StrongDM policies that restrict or enable users' ability to connect to GCP resources based on their context can be used to limit availability of your GCP console to users in particular geographic locations or with good device trust scores. Policies can also be used to provide an MFA challenge prior to connection, and help solve for many more use cases. For more details, see the Policies section.

Note that this is a method by which to set up your GCP cloud, and manage it with gcloud. If you intend to connect to a specific Google-hosted resource, that resource needs to be set up separately in the appropriate areas of the Admin UI.

Limitations

There is no SDK, Terraform, Ansible, or other such support for GCP.
The GCP driver does nothing to limit privilege escalation. It is the responsibility of the resource creator not to provide credentials that can be used to create more credentials.

GCP Cloud Properties

GCP supports the gcloud command-line tool.

Prerequisites

In StrongDM, you must have the Admin permission level.
You must have administrator access to your GCP environment and be familiar with gcloud.

Resource Configuration in Google

Generate credentials

In the Google cloud console, create a service account.
Create a service account key (JSON key file) and save it.

Resource Configuration in StrongDM

This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

Set up and Manage With the Admin UI

If using the Admin UI to add the resource to StrongDM, use the following steps.

Log in to the Admin UI and go to Resources > Clouds.
Click Add cloud. Note that there are two types and they have different properties.
For Cloud Type, set GCP CLI/SDK (Service Account).
Set all other required resource properties.
Click create to save the resource.
Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Set up and Manage With the CLI

This section provides general steps on how to configure and manage the resource using the StrongDM CLI. For more information and examples, please see the CLI Reference documentation.

In your terminal or Command Prompt, log in to StrongDM:
```
sdm login
```

Run sdm admin clouds add gcp --help to view the help text for the command, which shows you how to use the command and what options (properties) are available. Note which properties are required and collect the values for them.\

NAME:
   sdm admin clouds add gcp - create GCP CLI/SDK (Service Account) cloud

USAGE:
   sdm admin clouds add gcp [command options] <name>

OPTIONS:
   --bind-interface value                     IP address on which to listen for connections to this resource on clients. Specify "default", "loopback", or "vnm" to automatically allocate an available address from the corresponding IP range configured in the organization. (default: "default")
   --egress-filter value                      apply filter to select egress nodes e.g. 'field:name tag:key=value ...'
   --port-override value                      Port on which to listen for connections to this resource on clients. Specify "-1" to automatically allocate an available port. (default: -1)
   --proxy-cluster-id value                   proxy cluster id
   --scopes value                             Space separated scopes that this login should assume into when authenticating (required)
   --secret-store-id value                    secret store id
   --subdomain value, --bind-subdomain value  DNS subdomain through which this resource may be accessed on clients (e.g. "app-prod" allows the resource to be accessed as "app-prod.<your-org-name>.<sdm-proxy-domain>"). Only applicable to HTTP-based resources or resources using virtual networking mode.
   --svc-keyfile value                        The service account keyfile to authenticate with (required, secret)
   --tags value                               tags e.g. 'key=value,...'
   --template, -t                             display a JSON template
   --timeout value                            set time limit for command

Then run sdm admin clouds add gcp <RESOURCE_NAME> and set all required properties with their values. For example:

$ sdm admin clouds add gcp "gcp-cli-sdk-prod"
  --svc-keyfile "/etc/strongdm/keys/gcp-service-account.json"
  --scopes "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email"
  --bind-interface "default"
  --port-override -1
  --egress-filter 'field:name tag:env=prod tag:region=us-central'
  --proxy-cluster-id "plc_0123456789abcdef"
  --secret-store-id "ss_abcdef0123456789"
  --subdomain "gcp-cli-prod01"
  --tags "env=prod,cloud=gcp,auth=service-account,team=platform"
  --timeout 30

Check that the resource has been added. The output of the following command should show the resource's name:
```
sdm admin clouds list
```

Set up and Manage With Terraform

This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the Terraform provider documentation.

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from the Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create GCP CLI/SDK (Service Account) cloud
resource "sdm_resource" "gcp_cli_sdk_prod" {
  gcp {
    # Required
    name         = "gcp-cli-sdk-prod"                            # <name>
    svc_keyfile  = file("/etc/strongdm/keys/gcp-service-account.json")  # --svc-keyfile (use secret store in production)
    scopes       = "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email"  # --scopes

    # Common networking options
    bind_interface = "default"                                   # --bind-interface ("default" | "loopback" | "vnm")
    port_override  = -1                                          # --port-override (-1 = auto-allocate)
    egress_filter  = "field:name tag:env=prod tag:region=us-central"  # --egress-filter
    subdomain      = "gcp-cli-prod01"                            # --subdomain / --bind-subdomain (optional, VN access)

    # Optional integrations
    proxy_cluster_id = "plc_0123456789abcdef"                    # --proxy-cluster-id
    secret_store_id  = "ss_abcdef0123456789"                     # --secret-store-id (recommended for keyfiles)

    # Tags
    tags = {                                                     # --tags
      env   = "prod"
      cloud = "gcp"
      auth  = "service-account"
      team  = "platform"
    }
  }
}

Resource Properties

The GCP CLI/SDK (Service Account) cloud type has the following properties.

Property

Requirement

Description

Display Name

Required

Enter a meaningful name for this resource; this name displays throughout StrongDM; do not include special characters like quotes (") or angle brackets (< or >)

Cloud Type

Required

GCP CLI/SDK (Service Account)

Proxy Cluster

Required

Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource

Connectivity Mode

Required

Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization; this field is shown if Virtual Networking Mode enabled for your organization

IP Address

Optional

If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization

Port Override

Optional

If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings

DNS

Optional

If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)

Secret Store

Optional

Credential store location; defaults to none (credentials are stored in StrongDM resource configuration)

Service Account Keyfile (JSON)

Required

Either paste the contents of the service account key file (JSON) that you saved when you created the Google Cloud service account, or import the key file

Scopes

Required

Enter the access scope(s) (for example, https://www.googleapis.com/auth/cloud-platform) to allow authentication to Google cloud APIs. If setting multiple scopes, separate them with a space

Resource Tags

Optional

Enter Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

Logs

In the Cloud logs section of the Admin UI (Logs > Cloud), you can find all of the activities of the users who accessed the GCP resource. Note that StrongDM makes an attempt to drop the Authorization header of logs for display in the Admin UI. Note that any secrets displayed in the cloud logs are placeholder values. No actual keys or secrets are ever exposed in plaintext in the Admin UI.

CLI Usage

When the resource is created and configured, you are ready for users to connect to the resource. In order for your organization's users to access the GCP cloud resource via StrongDM, users need to install the following:

The StrongDM Desktop application
The latest version of the StrongDM CLI. If the CLI is already installed, you can run sdm update in the CLI to update it. Alternatively, if any updates are available, you can open the desktop app and click the Upgrade button.
The gcloud command-line tool

After installation, users must exit and restart the desktop app, and then select the GCP cloud resource to connect to.

Click to connect to the resource in the desktop app, or run sdm connect <RESOURCE> in the CLI. Once connected, users can use gcloud through StrongDM at their terminal, with the base syntax of sdm gcp or sdm gcloud instead of the usual gcloud.

You can use sdm gcp --help (or sdm gcloud --help) to view example usage and command options:

NAME:
   sdm gcp - gcp commands

USAGE:
   sdm gcp command [command options] [arguments...]

COMMANDS:
   cli  Execute a gcloud CLI command against a GCP resource.
   env  Print environment variables required to access a GCP resource.
   run  Execute an external command with environment variables configured to access a GCP resource.

OPTIONS:
   --name value     The name of the GCP resource to access. By default if there is only one connected GCP resource, that resource is used. [$SDM_GCP_NAME]
   --project value  The ID of the GCP project to access for project commands. By default, the project configured in the GCP resource is used. (default: "strongdm") [$SDM_GCP_PROJECT]
   --help, -h       show help

gcp cli

The gcp cli command is followed by a gcloud CLI command that you wish to run against your connected GCP resource. For more information about gcloud CLI commands, see the Google Cloud CLI documentation.

gcp env

The gcp env command outputs the environment variables that are required in order to access a GCP resource. This output is a similar format of the output of the standard env command, but only contains the relevant environment variables for connecting to GCP.

gcp run

The gcp run command is followed by a command that you wish to run against the connected resource, which is sent along with the necessary environment variables. An example of a use for gcp run would be if you have a pre-existing script for managing GCP resources that uses gcloud commands. Instead of altering the script to work with StrongDM, you could use gcp run shellscript.sh and run the script.

--name

If your organization has multiple GCP cloud resources, and you are connected to more than one at once, you may specify a --name value in commands in order to specify which you intend to execute the command on. For example, sdm gcp --name <RESOURCE_NAME> cli. The flag must come before the cli portion of the command in order to preserve the ability to use the command as normal with a single GCP cloud resource connected.

--project

As a convenience to users, administrators can set a GCP Project ID on a resource during configuration. This enables users to skip the --project flag when running commands against a GCP CLI/SDK (Workforce Identity Federation) resource. If the Project ID field is not filled out during resource configuration, users still need to specify a project in the situations that they normally would when running GCP commands. Either the project number (95464132584) or an actual Project ID (example-favorite-project-1411) can be used, but Google recommends the Project ID for most cases as the best practice.

Error Cases

Should you attempt to use a cloud resource without the client running, you encounter an error such as the following:

ERROR: gcloud crashed (TransportError): HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x10c7c9d30>: Failed to establish a new connection: [Errno 61] Connection refused')))

Should you attempt to use a cloud resource when you are not connected to it, StrongDM's CLI commands warn you. You can get around this warning in some contexts (for example, by setting environment variables in your terminal). In these cases, you may encounter SSL errors, and nothing happens when you run commands.

Last updated 18 days ago

Was this helpful?

Overview

Limitations

GCP Cloud Properties

Prerequisites

Resource Configuration in Google

Generate credentials

Resource Configuration in StrongDM

Set up and Manage With the Admin UI

Set up and Manage With the CLI

Set up and Manage With Terraform

Set up and Manage With SDKs

Resource Properties

Logs

CLI Usage

gcp cli

gcp env

gcp run

--name

--project

Error Cases