Oleria provides identity security and access management teams with visibility and intelligence into who has access to what, where they got that access, how they use it, and whether they should even have it. As part of that promise, we deeply integrate your Google Cloud Platform environment into the Oleria platform. This document provides step-by-step guidance for integrating GCP - at either the organization level or project level - with your Oleria workspace.

Prerequisites

  • GCP Organization Admin or Project Owner role to grant IAM roles to the connector service account
  • Google Workspace Super Admin role to configure domain-wide delegation
Note: Please use a service account (and not an employee account) with the suggested privileges for the integration to ensure continuity

Steps to Integrate GCP with Oleria Workspace

Oleria supports two integration scopes. Follow the one most appropriate for your organization.
  • Organization (Recommended) - Oleria sees all projects, folders, and resources across your entire GCP org, including org-level IAM policies and cross-project bindings. Recommended for full visibility.
  • Project - Oleria is scoped to IAM bindings, resources, and storage within a single project only. Use this if you don’t have org-level access or only want to connect a specific project.

Integrate GCP Organization

Step 1: Create a Connector Service Account

  1. Log in to the Google Cloud Console and navigate to IAM & Admin → Service Accounts
  2. Select Create Service Account. Provide a name such as oleria-connector and click Create and Continue
  3. Skip the optional role grant and user access steps. Click Done

Step 2: Grant IAM Roles to the Connector Service Account at the Organization Level

  1. In the Google Cloud Console, click the project selector at the top of the page and select your Organization from the resource picker
  2. Navigate to IAM & Admin → IAM and click Grant Access
  3. Enter the connector service account email and assign the following roles:
roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
roles/storage.objectViewer
roles/logging.viewer
Note: roles/logging.viewer is required for activity sync via Cloud Audit Logs

Step 3: Generate a Service Account Key

  1. In IAM & Admin → Service Accounts, select the service account you created in Step 1
  2. Navigate to the Keys tab and click Add Key → Create new key
  3. Select JSON format and click Create. The key file will be downloaded to your machine. Keep this file secure - you will provide it to Oleria in Step 6.

Step 4: Configure Domain-Wide Delegation in Google Workspace

Domain-wide delegation allows the connector service account to enumerate Google Workspace users and groups on behalf of a delegated admin.
  1. Log in to the Google Workspace Admin Console and navigate to Security → Access and data control → API controls. Under Domain-wide delegation, click Manage Domain Wide Delegation
  2. Click Add new
  3. Provide the Client ID of the service account (found under IAM & Admin → Service Accounts → select the SA → Details tab → Unique ID) and add the following OAuth scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/cloud-identity.groups.readonly
  4. Click Authorize
Note: The Google Workspace admin email provided as the Workspace Delegate Email in Step 6 must have at least read access to user and group directories

Step 5: Set Up Audit Log Export for Activity Sync

This step enables Oleria to ingest Cloud Audit Logs for user activity insights.
  1. Open Cloud Shell or your local terminal and create a GCS bucket to receive audit logs:
gsutil mb -p YOUR_PROJECT_ID gs://YOUR_AUDIT_BUCKET
  2. Create a Log Sink that exports organization-wide audit logs to the bucket:
gcloud logging sinks create oleria-audit-sink \
  storage.googleapis.com/YOUR_AUDIT_BUCKET \
  --log-filter='logName=~"cloudaudit.googleapis.com"' \
  --include-children \
  --organization=YOUR_ORG_ID
  3. Grant the sink’s writer service account write access to the bucket:
SINK_SA=$(gcloud logging sinks describe oleria-audit-sink \
  --organization=YOUR_ORG_ID --format='value(writerIdentity)')

gsutil iam ch ${SINK_SA}:objectCreator gs://YOUR_AUDIT_BUCKET
  4. Grant the connector service account read access to the bucket:
gsutil iam ch serviceAccount:oleria-connector@YOUR_PROJECT_ID.iam.gserviceaccount.com:objectViewer \
  gs://YOUR_AUDIT_BUCKET
Note: Oleria automatically discovers the audit log bucket by inspecting Log Sinks - no additional configuration is needed in the Oleria workspace

Step 6: Integrate GCP with Your Oleria Workspace

  1. Log in to your Oleria workspace, select Integrations → select Google Cloud Platform. A side panel opens. Select Organization (Recommended) from the Connector Scope dropdown
  2. Provide the following and click Authenticate:
  • Organization ID: Your numeric GCP Organization ID (e.g. 123456789012). To find it, navigate to IAM & Admin → Settings in the Cloud Console and copy the Organization ID.
  • Workspace Delegate Email: Email address of the Google Workspace admin whose permissions will be used to enumerate users and groups
  • Service Account Credentials: Paste the full contents of the JSON key file downloaded in Step 3
  3. Find the newly integrated GCP Organization in your Oleria workspace connected integrations

Integrate GCP Project

Step 1: Create a Connector Service Account

  1. Log in to the Google Cloud Console, select the target project, and navigate to IAM & Admin → Service Accounts
  2. Select Create Service Account. Provide a name such as oleria-connector and click Create and Continue
  3. Skip the optional role grant and user access steps. Click Done

Step 2: Grant IAM Roles to the Connector Service Account at the Project Level

  1. In the Google Cloud Console, navigate to IAM & Admin → IAM for the target project and click Grant Access
  2. Enter the connector service account email and assign the following roles:
roles/iam.securityReviewer
roles/storage.objectViewer
roles/logging.viewer
Note: roles/logging.viewer is required for activity sync via Cloud Audit Logs

Step 3: Generate a Service Account Key

  1. In IAM & Admin → Service Accounts, select the service account you created in Step 1
  2. Navigate to the Keys tab and click Add Key → Create new key
  3. Select JSON format and click Create. The key file will be downloaded to your machine. Keep this file secure - you will provide it to Oleria in Step 6.

Step 4: Configure Domain-Wide Delegation in Google Workspace

Domain-wide delegation allows the connector service account to enumerate Google Workspace users and groups on behalf of a delegated admin.
  1. Log in to the Google Workspace Admin Console and navigate to Security → Access and data control → API controls. Under Domain-wide delegation, click Manage Domain Wide Delegation
  2. Click Add new
  3. Provide the Client ID of the service account (found under IAM & Admin → Service Accounts → select the SA → Details tab → Unique ID) and add the following OAuth scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/cloud-identity.groups.readonly
  4. Click Authorize
Note: The Google Workspace admin email provided as the Workspace Delegate Email in Step 6 must have at least read access to user and group directories
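The Client ID requested in this step (for either scope) is also present in the JSON key file from Step 3, in its client_id field, so it can be read from the file you already have. The script below is an added example and not part of Oleria's documentation: it checks that a key file really is a service-account key for the expected connector account, restricts the file's permissions before it is pasted into Oleria in Step 6, and prints the Client ID. The sample key it can write is a constructed placeholder, and the file paths and the expected email address are assumptions.

```shell
#!/bin/sh
# Added example (not Oleria's tooling): sanity-check a downloaded service
# account key file and extract the Client ID needed for domain-wide delegation.
set -eu

# Read one string field from a Google service-account key file. Google writes
# these files with one field per line, which is all this line-based parser needs.
json_field() {  # $1 = key file, $2 = field name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Verify the key belongs to the connector account and print its Client ID.
check_key_file() {  # $1 = key file, $2 = expected service account email
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
  [ "$(json_field "$1" type)" = "service_account" ] || {
    echo "$1 is not a service account key" >&2; return 1; }
  email=$(json_field "$1" client_email)
  [ "$email" = "$2" ] || { echo "key belongs to $email, expected $2" >&2; return 1; }
  cid=$(json_field "$1" client_id)
  printf '%s' "$cid" | grep -Eq '^[0-9]+$' || { echo "client_id missing in $1" >&2; return 1; }
  # The key is a long-lived credential: make sure only the current user can read it.
  chmod 600 "$1"
  printf '%s\n' "$cid"
}

# Constructed placeholder key (not a real credential) with the shape Google uses,
# so the checks above can be exercised without a real download.
write_sample_key() {  # $1 = output path
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "oleria-connector@my-project.iam.gserviceaccount.com",
  "client_id": "104857600000000000001",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
}

# Usage: sh check_key.sh ./oleria-connector-key.json oleria-connector@my-project.iam.gserviceaccount.com
if [ $# -eq 2 ]; then check_key_file "$1" "$2"; fi
```

The printed value is what goes into the Client ID field of the domain-wide delegation dialog; a mismatch on client_email is the quickest way to notice that a key for the wrong project or account was downloaded.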

Step 5: Set Up Audit Log Export for Activity Sync

This step enables Oleria to ingest Cloud Audit Logs for user activity insights.
  1. Open Cloud Shell or your local terminal and create a GCS bucket to receive audit logs:
gsutil mb -p YOUR_PROJECT_ID gs://YOUR_AUDIT_BUCKET
  2. Create a Log Sink that exports project-level audit logs to the bucket:
gcloud logging sinks create oleria-audit-sink \
  storage.googleapis.com/YOUR_AUDIT_BUCKET \
  --log-filter='logName=~"cloudaudit.googleapis.com"' \
  --project=YOUR_PROJECT_ID
  3. Grant the sink’s writer service account write access to the bucket:
SINK_SA=$(gcloud logging sinks describe oleria-audit-sink \
  --project=YOUR_PROJECT_ID --format='value(writerIdentity)')

gsutil iam ch ${SINK_SA}:objectCreator gs://YOUR_AUDIT_BUCKET
  4. Grant the connector service account read access to the bucket:
gsutil iam ch serviceAccount:oleria-connector@YOUR_PROJECT_ID.iam.gserviceaccount.com:objectViewer \
  gs://YOUR_AUDIT_BUCKET
Note: Oleria automatically discovers the audit log bucket by inspecting Log Sinks - no additional configuration is needed in the Oleria workspace

Step 6: Integrate GCP with Your Oleria Workspace

  1. Log in to your Oleria workspace, select Integrations → select Google Cloud Platform. A side panel opens. Select Project from the Connector Scope dropdown
  2. Provide the following and click Authenticate:
  • Project ID: Your GCP Project ID (e.g. my-project). Found in the Cloud Console project selector at the top of the page.
  • Workspace Delegate Email: Email address of the Google Workspace admin whose permissions will be used to enumerate users and groups
  • Service Account Credentials: Paste the full contents of the JSON key file downloaded in Step 3
  3. Find the newly integrated GCP Project in your Oleria workspace connected integrations
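Steps 1 through 3 and Step 5 of both the Organization and the Project procedures above are Cloud Console and gcloud actions, so they can be run as one script that takes the scope as a parameter; Step 4 (Workspace Admin Console) and Step 6 (Oleria workspace) stay manual. The script below is an added example and not Oleria's own tooling. It assumes gcloud and gsutil are installed and authenticated as an Organization Admin (organization scope) or Project Owner (project scope), and every value it starts from (SCOPE, ORG_ID, PROJECT_ID, SA_NAME, BUCKET, KEY_FILE) is a placeholder to override from the environment. It validates those inputs before creating anything so that a mistyped ID does not grant roles or create a sink in the wrong place.

```shell
#!/bin/sh
# Added example (not Oleria's tooling): scripted Steps 1-3 and 5 for either scope.
# Run as:  SCOPE=organization ORG_ID=123456789012 PROJECT_ID=my-project \
#          BUCKET=my-audit-bucket sh oleria_gcp_setup.sh apply
set -eu

SCOPE="${SCOPE:-organization}"           # organization | project
ORG_ID="${ORG_ID:-123456789012}"         # placeholder numeric org ID (organization scope)
PROJECT_ID="${PROJECT_ID:-my-project}"   # placeholder project hosting the SA and bucket
SA_NAME="${SA_NAME:-oleria-connector}"
BUCKET="${BUCKET:-my-audit-bucket}"      # placeholder audit log bucket name
SINK_NAME="oleria-audit-sink"
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"

# Step 2 roles from the guide; roles/logging.viewer is required for activity sync.
ORG_ROLES="roles/iam.securityReviewer roles/resourcemanager.organizationViewer"
ORG_ROLES="$ORG_ROLES roles/resourcemanager.folderViewer roles/storage.objectViewer roles/logging.viewer"
PROJECT_ROLES="roles/iam.securityReviewer roles/storage.objectViewer roles/logging.viewer"

# Input checks following GCP naming rules (org IDs are numeric, project IDs are
# 6-30 lowercase chars starting with a letter, bucket names 3-63 lowercase chars).
is_org_id()      { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }
is_project_id()  { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; }
is_bucket_name() { printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$'; }
sa_email()       { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

roles_for_scope() {  # $1 = scope; fails for anything but the two supported scopes
  case "$1" in
    organization) printf '%s' "$ORG_ROLES" ;;
    project)      printf '%s' "$PROJECT_ROLES" ;;
    *)            return 1 ;;
  esac
}

grant_roles() {  # $1 = scope, $2 = service account email
  for role in $(roles_for_scope "$1"); do
    if [ "$1" = organization ]; then
      gcloud organizations add-iam-policy-binding "$ORG_ID" \
        --member="serviceAccount:$2" --role="$role" --condition=None
    else
      gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:$2" --role="$role" --condition=None
    fi
  done
}

create_audit_sink() {  # $1 = scope; bucket, sink, and writer-identity grant from Step 5
  gsutil mb -p "$PROJECT_ID" "gs://$BUCKET"
  if [ "$1" = organization ]; then
    gcloud logging sinks create "$SINK_NAME" "storage.googleapis.com/$BUCKET" \
      --log-filter='logName=~"cloudaudit.googleapis.com"' \
      --include-children --organization="$ORG_ID"
    SINK_SA=$(gcloud logging sinks describe "$SINK_NAME" --organization="$ORG_ID" \
      --format='value(writerIdentity)')
  else
    gcloud logging sinks create "$SINK_NAME" "storage.googleapis.com/$BUCKET" \
      --log-filter='logName=~"cloudaudit.googleapis.com"' --project="$PROJECT_ID"
    SINK_SA=$(gcloud logging sinks describe "$SINK_NAME" --project="$PROJECT_ID" \
      --format='value(writerIdentity)')
  fi
  gsutil iam ch "${SINK_SA}:objectCreator" "gs://$BUCKET"
}

setup_connector() {
  is_project_id "$PROJECT_ID" || { echo "invalid PROJECT_ID: $PROJECT_ID" >&2; return 1; }
  is_bucket_name "$BUCKET"    || { echo "invalid BUCKET: $BUCKET" >&2; return 1; }
  roles_for_scope "$SCOPE" >/dev/null || { echo "SCOPE must be organization or project" >&2; return 1; }
  if [ "$SCOPE" = organization ]; then
    is_org_id "$ORG_ID" || { echo "invalid ORG_ID: $ORG_ID" >&2; return 1; }
  fi
  SA_EMAIL=$(sa_email "$SA_NAME" "$PROJECT_ID")

  # Step 1: connector service account, created without any roles
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Oleria connector"
  # Step 2: read-only roles at the chosen scope
  grant_roles "$SCOPE" "$SA_EMAIL"
  # Step 3: JSON key, readable only by the current user; pasted into Oleria in Step 6
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$SA_EMAIL"
  chmod 600 "$KEY_FILE"
  # Step 5: audit log export plus read access for the connector
  create_audit_sink "$SCOPE"
  gsutil iam ch "serviceAccount:${SA_EMAIL}:objectViewer" "gs://$BUCKET"
  echo "done: key written to $KEY_FILE (its client_id field is the Client ID for Step 4)"
}

# Only act when explicitly asked; without "apply" the script just defines the functions.
if [ "${1:-}" = "apply" ]; then setup_connector; fi
```

Running it once per scope gives exactly the resources and bindings the guide describes; the Oleria workspace still discovers the bucket through the Log Sink, so nothing further is needed there.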

Enable Remediations (Optional)

Remediations allow Oleria to take automated or one-click corrective actions - such as revoking an IAM binding, removing a group member, or disabling a service account - directly from the Oleria workspace. To allow Oleria to take remediation actions in your GCP environment, grant the connector service account the following additional roles:
  • To revoke an IAM binding at the project level, grant roles/resourcemanager.projectIamAdmin on the project.
  • To revoke an IAM binding at the organization level, grant roles/resourcemanager.organizationIamAdmin on the organization.
  • To remove a member from a Cloud Identity group, grant roles/cloudidentity.groups.editor.
  • To disable a service account, grant roles/iam.serviceAccountAdmin on the project that owns the service account.

Contact us

For questions about this integration, please contact us at support@oleria.com.