Integrate Google Cloud IAM with Google SecOps

This document explains how to integrate Google Cloud Identity and Access Management with Google Security Operations.

Use cases

The Google Cloud IAM integration supports the following use cases:

  • Automated service account lifecycle management: Automatically create, enable, or disable service accounts during onboarding and offboarding processes to ensure access is granted only when necessary.

  • Rapid identity incident response: Immediately delete or disable compromised service accounts and roles during a security incident to prevent unauthorized access to cloud resources.

  • Identity governance and enrichment: Enrich User entities in Google SecOps with detailed service account metadata, such as display names and project IDs, to provide analysts with immediate context during investigations.

  • Policy auditing and enforcement: Retrieve and audit access control policies to ensure they align with the principle of least privilege, and programmatically set new policies to remediate unauthorized changes.

  • Role-based access control (RBAC) management: Create and manage custom IAM roles with specific permission sets across your organization to maintain granular control over cloud environment access.

Before you begin

Before you configure the Google Cloud IAM integration in Google SecOps, complete the following prerequisite steps:

  1. Create a custom IAM role: Define a role with the specific permissions required to manage service accounts and roles.

  2. Create a service account: Create the identity that the integration uses to perform actions.

  3. Select an authentication method: Choose between the recommended Workload Identity or a service account JSON key.

Create and configure a custom IAM role

To maintain the principle of least privilege, complete the following steps to create a custom role containing only the specific permissions necessary for this integration:

  1. In the Google Cloud console, go to IAM & Admin > Roles.

  2. Click Create Role.

  3. Provide a Title, Description, and ID.

  4. Set the Role launch stage to General Availability.

  5. Click Add Permissions and add the following specific permissions:

    • iam.serviceAccounts.list
    • iam.serviceAccounts.create
    • iam.serviceAccounts.get
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.setIamPolicy
    • iam.serviceAccounts.disable
    • iam.serviceAccounts.enable
    • iam.serviceAccounts.delete
    • iam.roles.list
    • iam.roles.get
    • iam.roles.create
    • iam.roles.delete

  6. Click Create.

Create a service account

The integration uses a service account to authenticate and execute IAM actions within your project.

To create a service account, complete the following steps:

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

  2. Click Create Service Account.

  3. Enter a name and description, then click Create and Continue.

  4. In the Grant this service account access to project section, assign the custom role you created in the previous step to this service account. Click Done.

Select an authentication method

Google SecOps supports two authentication paths for this integration:

  • Option 1: Workload Identity (recommended): This method uses short-lived tokens using service account impersonation. It is more secure as it eliminates the need for long-lived JSON keys.

  • Option 2: Service account JSON key: This method uses a static key file. Use this only if a Workload Identity is not available in your environment.

Authenticate using a Workload Identity (recommended)

To use a Workload Identity, you must authorize your Google SecOps instance to impersonate the service account you created.

  1. In Google SecOps, go to Content Hub > Response Integrations.

  2. Select the Google Cloud IAM integration.

  3. Enter your service account email in the Workload Identity Email field.

  4. Click Save and then click Test. The test is expected to fail initially.

  5. Click close_small next to the failed test to view the error message.

  6. Search for the unique email address (formatted as gke-init-python@... or soar-python@...) found near the end of the error message. Copy this address.

Grant impersonation permissions

Once you have retrieved the unique identity for your Google SecOps instance, you must authorize it to access your Google Cloud resources. This step enables service account impersonation, allowing the platform to generate short-lived tokens and act on your behalf without the need for static keys.

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts.

  2. Select the service account you created for this integration.

  3. Go to the Permissions tab and click Grant Access.

  4. Paste the unique email address you copied into the New principals field.

  5. Assign the Service Account Token Creator role (roles/iam.serviceAccountTokenCreator). Click Save.

Authenticate using a JSON key

If using a Workload Identity isn't available in your environment, you can authenticate the integration using a service account JSON key. This method relies on a static, long-lived secret file to establish the connection between the platform and your Google Cloud resources.

  1. In the Google Cloud console, go to IAM & Admin > Service Accounts and select your service account.

  2. Go to the Keys tab.

  3. Click Add Key > Create new key.

  4. Select JSON as the key type and click Create. The file downloads to your computer.

  5. Copy the entire content of the JSON file.

  6. When you configure this integration in the platform, paste the content into the Service Account Json File Content field.

Integration parameters

The Google Cloud IAM integration requires the following parameters:

Parameter Description
API Root

Optional.

The base URL of the Google Cloud IAM instance.

The default value is https://iam.googleapis.com.
Account Type

Optional.

The type of the Google Cloud account.

This value corresponds to the type parameter in the authentication JSON file.

The default value is service_account.
Project ID

Optional.

The project ID of the Google Cloud account.

This value corresponds to the project_id parameter in the authentication JSON file.
Quota Project ID

Optional.

The project ID used for quota and billing purposes when making API requests.
Private Key ID

Optional.

The private key ID of the Google Cloud account.

This value corresponds to the private_key_id parameter in the authentication JSON file.
Private Key

Optional.

The private key of the Google Cloud account.

This value corresponds to the private_key parameter in the authentication JSON file.
Client Email

Optional.

The client email of the Google Cloud account.

This value corresponds to the client_email parameter in the authentication JSON file.
Client ID

Optional.

The client ID of the Google Cloud account.

This value corresponds to the client_id parameter in the authentication JSON file.
Auth URI

Optional.

The authentication URI for the Google Cloud account.

This value corresponds to the auth_uri parameter in the authentication JSON file.

The default value is https://accounts.google.com/o/oauth2/auth.
Token URI

Optional.

The token URI for the Google Cloud account.

This value corresponds to the token_uri parameter in the authentication JSON file.

The default value is https://oauth2.googleapis.com/token.
Auth Provider X509 URL

Optional.

The auth provider X.509 certificate URL.

This value corresponds to the auth_provider_x509_cert_url parameter in the authentication JSON file.

The default value is https://www.googleapis.com/oauth2/v1/certs.
Client X509 URL

Optional.

The client X.509 certificate URL.

This value corresponds to the client_x509_cert_url parameter in the authentication JSON file.
Organization ID

Optional.

The unique identifier for your Google Cloud organization.
Service Account Json File Content

Optional.

The full JSON content of the service account key file.

If this parameter is provided, individual connection parameters (such as Private Key ID and Private Key) are ignored.
Workload Identity Email

Optional.

The email address associated with the Workload Identity service account.
Verify SSL

Optional.

If selected, the integration validates the SSL certificate when connecting to the Google Cloud IAM service.

Enabled by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Ping

Test connectivity to the Identity and Access Management service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: "Successfully connected to the Identity and Access Management service with the provided connection parameters!"

The action should fail and stop a playbook execution:

  • if critical error, like wrong credentials or lost connectivity: "Failed to connect to the Identity and Access Management service! Error is {0}".format(exception.stacktrace)
 General

Enrich Entities

Enrich Google SecOps User entities with service accounts information from Identity and Access Management. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
           "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "projectId": "silver-shift-275007",
           "uniqueId": "104627053409757134782",
           "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "displayName": "dmitrys Test SA displayName",
           "etag": "MDEwMjE5MjA=",
           "description": "Service account description",
           "oauth2ClientId": "104627053409757134782"
}
Entity Enrichment
Enrichment Field Name Logic - When to apply
Google_IAM_name
Google_IAM_project_id ..
Google_IAM_unique_id
Google_IAM_email
Google_IAM_display_name
Google_IAM_description
Google_IAM_oauth2_client_id
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful and at least one of the provided entities were enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).
  • If fail to enrich all of the provided entities: "No entities were enriched."
  • If fail to find data in Identity and Access Management to enrich specific entities: "Action was not able to find a match in Identity and Access Management to enrich provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

 General
Table (Enrichment)

Table Name: {entity} Enrichment Table

Columns: Key, Value

 Entity

List Service Accounts

List Identity and Access Management service accounts based on the specified search criteria. Note that action is not working on Google SecOps entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Service Account Display Name String N/A No Specify service account display name to return. Parameter accepts multiple values as a comma separated string.
Service Account Email String N/A No Specify service account email to return. Parameter accepts multiple values as a comma separated string.
Max Rows to Return Integer 50 No Specify how many roles action should return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "accounts": [
       {
           "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "projectId": "silver-shift-275007",
           "uniqueId": "104627053409757134782",
           "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "displayName": "dmitrys Test SA displayName",
           "etag": "MDEwMjE5MjA=",
           "description": "Service account description",
           "oauth2ClientId": "104627053409757134782"
       }
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If successfully listed service accounts (is_success = true):
    "Successfully fetched Google Cloud service accounts."
  • If no available values(is_success = false): "No service accounts were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Service Accounts". Reason: {0}''.format(error.Stacktrace)

 General
Table

Table Name: Google Cloud Service Accounts

Table Columns:

Service Account Name

Service Account Unique ID

Service Account Email

Service Account Display Name

Service Account Description

Service Account Oauth2 Client ID

 General

Create Service Account

Create an Identity and Access Management Service Account.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Service Account ID String String Yes Specify service account id to create.
Service Account Display Name String String No Specify service account display name to create.
Service Account Description String String No Specify service account description to create.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
   "projectId": "silver-shift-275007",
   "uniqueId": "104627053409757134782",
   "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
   "displayName": "dmitrys Test SA displayName",
   "etag": "MDEwMjE5MjA=",
   "description": "Service account description",
   "oauth2ClientId": "104627053409757134782"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Google Cloud Service Account was created successfully <unique id>.

  • If action failed to run because provided service account already exists(is_success =false)

    • Provided service account <unique id> already exists.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Service Account". Reason: {0}''.format(error.Stacktrace)

 General

Get Service Account IAM Policy

Gets the access control policy for the service account. Action expects Identity and Access Management service account email as a Google SecOps User entity. Note that policy may be empty if no policy is assigned to the service account.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "version": 1,
   "etag": "BwXBuNg8cMA=",
   "bindings": [
       {
           "role": "roles/iam.securityReviewer",
           "members": [
               "user:dmitrys@siemplify.co"
           ]
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • "Successfully fetched Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, email id 2...>

  • If action didnt find info for the entity (for example non existent in Google Identity and Access Management email provided:

    • Action was not able to fetch Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, email id2 ..>
  • If fail to find Identity and Access Management policy for all of the provided entities: "Identity and Access Management policy was not found for any of the provided entities."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

 General

Set Service Account IAM Policy

Sets the access control policy on the specified service account. Action expects Identity and Access Management service account email as a Google SecOps account entity. Note that policy provided in action replaces any existing policy.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Policy String N/A Yes Specify JSON policy document to set for service account.

Run On

This action runs on the Account entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "version": 1,
   "etag": "BwXBuNg8cMA=",
   "bindings": [
       {
           "role": "roles/iam.securityReviewer",
           "members": [
               "user:dmitrys@siemplify.co"
           ]
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If some are successful (is_success=True):

    • Successfully set Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, ...>

  • If some failed:

    • Action was not able to set Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, ....>

  • If all failed:

    • No Service Account Identity and Access Management policies were set.

  • If provided policy JSON is not valid (is_success =false)

    • Provided policy JSON document <policy> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Set Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

 General

Disable Service Account

Disable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully disabled the following service accounts: {0}".format([entity.Identifier]).

  • If fail to disable all of the provided entities: "No service accounts were disabled."

  • If fail to find data in Google Cloud Identity and Access Management to disable specific entities: "Action was not able to find a match in Google Cloud Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Disable Service Account". Reason: {0}''.format(error.Stacktrace)

 General

Enable Service Account

Enable service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully enabled the following service accounts: {0}".format([entity.Identifier]).

  • If fail to enable all of the provided entities: "No service accounts were enabled."

  • If fail to find data in Identity and Access Management to enable specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enable Service Account". Reason: {0}''.format(error.Stacktrace)

 General

Delete Service Account

Delete service account. Action expects Identity and Access Management service account email as a Google SecOps User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully deleted the following service accounts: {0}".format([entity.Identifier]).

  • If fail to delete all of the provided entities: "No service accounts were deleted."

  • If fail to find data in Identity and Access Management to delete specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Service Account". Reason: {0}''.format(error.Stacktrace)

 General

List Roles

List Identity and Access Management roles based on the specified search criteria. Note that action is not working on Google SecOps entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
View DDL Basic No Specify which view should be used to return role information.
Max Rows to Return Integer 50 No Specify how many roles action should return.
List Project Custom Roles Only? Checkbox Unchecked No If enabled action will return only custom roles defined for the current project id.
Show Deleted Checkbox Unchecked No If enabled action will also return deleted roles.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "roles": [
       {
           "name": "roles/accessapproval.approver",
           "title": "Access Approval Approver",
           "description": "Ability to view or act on access approval requests and view configuration",
           "stage": "BETA",
           "etag": "AA=="
       },
       {
           "name": "roles/accessapproval.configEditor",
           "title": "Access Approval Config Editor",
           "description": "Ability update the Access Approval configuration",
           "stage": "BETA",
           "etag": "AA=="
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If successfully listed roles(is_success = true): "Successfully fetched Identity and Access Management roles."

  • If no available values(is_success = false): "No roles were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Roles". Reason: {0}''.format(error.Stacktrace)

 General
Table

Table Name: Google Cloud IAM Roles

Table Columns:

Role Name

Role Title

Role Description

Role Stage

Role Etag

Role Permissions

 General

Create Role

Create an Identity and Access Management Role.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Role ID String N/A Yes Specify role id for newly created Identity and Access Management role.
Role Definition String N/A Yes Specify JSON policy document to use as the role definition.

Run On

The action doesn't run on entities.

Example For Role Policy JSON

{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXBu1RHiPw="
}

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXBu1RHiPw="
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Identity and Access Management <roleid> was created successfully.

  • If provided role_id already exists(is_success =false)

    • Provided role id<role_id> already exists.

  • If provided role JSON is not valid (is_success =false)

    • Provided role definition JSON document <role json> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Role". Reason: {0}''.format(error.Stacktrace)

 General

Delete Role

Delete an Identity and Access Management Role.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Role ID String N/A Yes Specify role id for newly created Identity and Access Management role.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXDDgKFx7M=",
   "deleted": true
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Identity and Access Management <roleid> was successfully deleted.

  • If provided role_id not exists(is_success =false)

    • Provided role id<role_id> does not exist.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Role". Reason: {0}''.format(error.Stacktrace)

 General

Need more help? Get answers from Community members and Google SecOps professionals.