Google Cloud Platform as a Host Directory

By following this integration guide, you can add Google Cloud Platform (GCP) as a host directory in PrivX. This lets you provide access to your GCP instances via PrivX.

Disclaimers

This document includes instructions regarding third-party products by Google. These instructions are provided for general guidance only.

Documentation involving third-party products includes configuring roles and service accounts in GCP. The instructions in this manual were verified against the Google products current in April 2020. These instructions will need to be adapted when using other versions of Google products.

SSH Communications Security Corporation does not make any warranties as to the accuracy, reliability, or usefulness of these instructions, or guarantee that the content related to third-party products is up to date.

SSH Communications Security Corporation does not provide any warranties regarding third-party products, such as GCP, nor provide any support or other services for third-party products.

For instructions about setting up and operating Google products, we always recommend that you consult the official Google documentation intended for the specific version(s) of Google products in your use, and/or directly contact Google representatives or support.

Prerequisites

Check and ensure the following before performing the procedures in this document:

  • Your Google Domain must include a project with instances that are to be added to PrivX.
  • You will need administrative access to the project in GCP.
  • You will need superuser access to PrivX.
  • Optional: Use GCP host tags to specify access rules. Otherwise you will need to manually define access rules after import.

Integration Steps

The high-level workflow for importing GCP instances to PrivX:

  1. Set up a service account with permissions for viewing your GCP instances.
  2. Set up PrivX to use the service account for importing hosts from GCP.

These steps are described in more detail in the following sections.

Service account setup

PrivX needs a GCP service account for fetching host data from GCP.

First, create a GCP Role for providing the required permissions:

  1. Sign in to the GCP console at https://console.cloud.google.com.
    Ensure that you have selected the GCP project containing the hosts you want to import. Also note your project ID, which is required later for configuring PrivX.
  2. On the IAM & Admin→Roles page, click Create Role.
    Provide the required information for the role.

To add the required permissions, click Add Permissions and add at least the following permissions:
  • compute.instances.list
  • compute.zones.list

Tip: To locate permissions more easily, you may use the filter Compute Instance viewer.

You have now created a role for granting the required permissions.

Next, create a service account:

  1. On the IAM & Admin→Service Accounts page, click Create Service Account.
  2. Provide the required information. When prompted for roles, add the previously-created role.

Also create a key for the service account. The key must be created in JSON format.

Add GCP host directory to PrivX

  1. Access the PrivX GUI. On the Administration→Directories page, click Add Directory.
  2. Provide the required information for the directory, with the following points in mind:
  • The directory Type must be Google Cloud Platform.
  • Set Project IDs to the project ID of your GCP project.
  • Set Config JSON to the service-account key created earlier.
  • Optional: If you have set host tags to your GCP instances, also select Import host instance tags from the directory under Advanced directory settings.
  3. Click Save to create the directory. The directory should now be visible back on the Administration→Directories page. Once PrivX finishes importing hosts, the status of the directory should be OK.
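As an added example that is not part of this guide or of PrivX, the following Python script ties together the custom-role permissions from the service account setup and the Config JSON field above: it produces a minimal custom-role definition with only the two list permissions, and checks a service-account key file against the Project IDs before it is pasted into PrivX (a key from a different project or a non-service-account credential is a common reason for the directory status not reaching OK). The sample key and project ID are constructed placeholders; the key-file field names are those of a standard GCP service-account key.

```python
import json

# Permissions this guide lists for the custom PrivX import role.
REQUIRED_PERMISSIONS = ("compute.instances.list", "compute.zones.list")

# Fields present in every GCP service-account key file (JSON format).
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key",
              "client_email", "client_id", "token_uri")


def role_definition(title="PrivX host import"):
    """Custom-role definition holding only the two list permissions,
    in the shape accepted by `gcloud iam roles create --file=`."""
    return {"title": title, "stage": "GA",
            "includedPermissions": list(REQUIRED_PERMISSIONS)}


def check_key_json(raw, project_ids):
    """Return a list of problems found in a service-account key before it
    goes into the PrivX directory's Config JSON field; empty list = OK."""
    problems = []
    try:
        key = json.loads(raw)
    except ValueError as exc:
        return [f"Config JSON is not valid JSON: {exc}"]
    if key.get("type") != "service_account":
        problems.append("key type is not 'service_account'")
    for field in KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    project = key.get("project_id", "")
    email = key.get("client_email", "")
    if project and not email.endswith(f"@{project}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to the key's project")
    if project and project not in project_ids:
        problems.append(f"key project '{project}' is not among Project IDs {project_ids}")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


# Constructed sample key with fake values; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project-123",
    "private_key_id": "abc123",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
    "client_email": "privx-import@example-project-123.iam.gserviceaccount.com",
    "client_id": "1234567890", "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(role_definition())
    print(check_key_json(SAMPLE_KEY, ["example-project-123"]) or "key OK")
```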

Post integration actions

Unless you have already imported access definitions using host tags, you will need to specify the services and the accounts for accessing the GCP instances.

For more information about setting up connection targets on a host, see the articles under Connection Management.


Did this page help you?