Application Integration security guidelines

This document describes the security guidelines and considerations for the Application Integration product. If you are new to Application Integration, we suggest that you start with the Application Integration overview.

Service accounts

A service account is a special kind of account used by an application, rather than a person. A service account is identified by a unique email address. For more information, see Service accounts.

Service accounts let an application access Google Cloud resources securely without sharing your own login credentials. This prevents unauthorized access to your resources.

The following are some of the best practices that you can follow when using a service account:

  • Create a separate service account for each task or application. This lets you better manage access and keep track of which service accounts are being used for which tasks.
  • Grant the service account only the permissions that it needs to perform its intended tasks.
  • Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources.
  • Monitor the usage of your service accounts and review the audit logs to ensure that they are being used as intended. This can help you to detect any unauthorized access or misuse of service accounts.

For more information, see Best practices for working with service accounts.
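One way to carry out the audit-log review described in the last practice above, as an added example that is not part of the original document or Google's code. It flags service account key creation, calls authenticated with a service account key, and a service account calling an API outside the task it was created for. The account names, the per-account allowlist and the log entries are constructed; the field names follow the Cloud Audit Logs `protoPayload` structure.

```python
import json

# Hypothetical allowlist: the API services each service account exists to call.
ORDERS = "orders-integration@example-project.iam.gserviceaccount.com"
REPORTS = "reports-integration@example-project.iam.gserviceaccount.com"
EXPECTED_SERVICES = {ORDERS: {"pubsub.googleapis.com"}, REPORTS: {"storage.googleapis.com"}}
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

def entry(ts, principal, service, method, key_name=None):
    """Build one constructed log entry holding only the fields the checks read."""
    auth = {"principalEmail": principal}
    if key_name:
        auth["serviceAccountKeyName"] = key_name
    return json.dumps({"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method, "authenticationInfo": auth}})

# Constructed sample, shaped like exported Cloud Audit Logs entries (not real log data).
SAMPLE_LOG = [
    entry("2024-01-01T10:00:00Z", ORDERS, "pubsub.googleapis.com",
          "google.pubsub.v1.Publisher.Publish"),
    entry("2024-01-01T10:05:00Z", "alice@example.com", "iam.googleapis.com", KEY_CREATE_METHOD),
    entry("2024-01-01T10:10:00Z", REPORTS, "storage.googleapis.com", "storage.objects.get",
          key_name="//iam.googleapis.com/projects/example-project/serviceAccounts/"
                   + REPORTS + "/keys/CONSTRUCTED_KEY_ID"),
    entry("2024-01-01T10:15:00Z", ORDERS, "secretmanager.googleapis.com",
          "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"),
]

def review(lines):
    """Return (timestamp, principal, finding) tuples for entries that need a look."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        log = json.loads(line)
        payload = log.get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        who, ts = auth.get("principalEmail", ""), log.get("timestamp", "")
        if payload.get("methodName") == KEY_CREATE_METHOD:
            findings.append((ts, who, "KEY_CREATED"))       # a new long-lived credential exists
        if not who.endswith(".gserviceaccount.com"):
            continue                                        # remaining checks are per service account
        if auth.get("serviceAccountKeyName"):
            findings.append((ts, who, "KEY_AUTH"))          # caller used a service account key
        if payload.get("serviceName") not in EXPECTED_SERVICES.get(who, set()):
            findings.append((ts, who, "UNEXPECTED_SERVICE"))  # outside its intended task
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Read calls such as the constructed `storage.objects.get` entry appear in the logs only when Data Access audit logs are enabled for that service.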

Custom roles

Custom roles let you create fine-grained permissions that are tailored to your specific needs. For example, you can create a custom role that lets a service account read and write data in a Cloud Storage bucket, but not delete it. Custom roles are useful for managing access to your Google Cloud resources and ensuring that users and applications have only the permissions required to perform their intended tasks.

You can create custom roles using Identity and Access Management (IAM) and assign the roles to users, groups, or service accounts. For more information, see Creating a custom role.

Authentication profiles

An authentication profile lets you configure and store the authentication details for a connection in an integration. Instead of hard-coding the authentication configuration, you can use the built-in authentication profile configuration, which provides enhanced security. Application Integration supports various authentication types depending on the task. For more information, see Compatibility of authentication types with tasks.

To prevent unauthorized access and provide enhanced security, we recommend using an authentication profile whenever a task supports it.