GCP IAM - User Guide

In this article, you will understand step by step how to easily integrate with GCP IAM

Identity and access management (IAM) provides fine-grained access control across all of GCP. Integrating with GCP IAM will allow Scytale to collect users' access information and their access privileges on GCP . This will help to ensure that only authorized users have access to GCP , which is one of the key criteria when testing logical access. Manually collecting this type of evidence can take some time, especially when you need to prove to the auditors that the user listings are complete and accurate.

Automating the collection of user listings and access privileges will streamline the audit's sampling process and provide more assurance over the accuracy and completeness of the evidence collected. By using this integration, human intervention is eliminated, which gives more assurance to the auditors that the evidence can be relied on


All the permissions that are required for the integration with GCP IAM are read-only permissions and do not allow Scytale to perform any actions within your GCP account.

  • iam.roles.get
  • iam.roles.list
  • iam.serviceAccounts.get 
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.list
  • resourcemanager.projects.get
  • resourcemanager.projects.getIamPolicy

How to connect GCP IAM integration?

In order to connect to GCP IAM, you need to complete the following two prerequisites:

  1. Connect to Google Workspace integration.
  2. The following links must be enabled in Google API.
    1. https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview
    2. https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview
    3. https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview


Step 1:
Create a role within the GCP Console

  • Log in to GCP Console
  • Select IAM & Admin
  • Select Roles.
  • Click on "Create Role" - create a custom role for Scytale with the relevant permissions for the integration.

  • Fill in the details:
    Title - IAM Scytale Role
    ID - ScytaleRole
    Role launch stage - you can select all options except Disabled 

  • Select "Add Permissions", click on the specific permissions and add them:

    • iam.roles.get

    • iam.roles.list

    • iam.serviceAccounts.get

    • iam.serviceAccounts.getIamPolicy

    • iam.serviceAccounts.list

    • resourcemanager.projects.get

    • resourcemanager.projects.getIamPolicy

  • As shown in the image below, once all permissions have been added, a list of the assigned permissions will appear.

  • Click on "Create".


Important note:
In the role launch stage section, all options except Disabled are fine. 
If you select the disabled option, we can't collect the data and the connection won't work.

Step 2: Create service account within GCP Console

  • Go to IAM & Admin
  • Select Service Accounts.
  • Click on "Create service account"

  • Fill in the details:

    • Phase 1 - Service account details

      Service account name - Scytale_SA
      Service account ID - scytale-sa (after writing the service account name, this field is automatically filled in)
      Click "Create and continue"

    • Phase 2 - Grant service account access to role 

      Select the role that you created in the previous step above (IAM Scytale Role)
      Click "Continue"

    • Phase 3 - Grant users access to this service account (optional)
      No need to fill

  • Click on "Done"

Step 3: Generate JSON file

  • Go to IAM & Admin, select Service Accounts. You can see the list of all the service accounts that you have.

  • Select the service account that you created in the previous step - Scytale_SA.

  • Go to the "Keys" tab.

  • Click on "Add Key" and select the "Create new key" option.

  • In "Key type", select JSON and "Create".

Copy the following fields from the JSON that was downloaded:

  • client email - Copy without "" 
  • private_key - Verify that you included all key values, including "-----BEGIN PRIVATE KEY-----  n-----END PRIVATE KEY-----\n"
  • project_id - Copy without ""

Step 4: Log in to the Scytale web app

  • Click on the "Integrations" menu screen to the left.
  • Click on the "Connect" button under the GCP IAM icon.
  • Paste the generated keys from the JSON file (see step 3 above) from the GCP Console: Client Email, Private Key, Project ID
  • Connection Name - is used to differentiate between your connections.
    For instance, if you manage multiple accounts or would like to connect multiple times to the integration. It's automatically titled (Connection 1,2,3 etc), but you can change it to a custom name to make it easier to identify.
    For example: scytale-production-env.
  • Click on Connect