Application Integration security guidelines
This document describes the security guidelines and considerations for the Application Integration product. If you are new to Application Integration, we suggest that you start with the Application Integration overview.
Service accounts
A service account is a special kind of account used by an application rather than a person.
A service account is identified by a unique email address. For more information, see Service accounts.
Service accounts can be used to provide secure access to Google Cloud resources without sharing your own login credentials. This prevents unauthorized access to your resources.
The following are some of the best practices that you can follow when using a service account:
Create a separate service account for each task or application. This lets you better manage access and keep track of which service accounts are used for which tasks.
Grant the service account only the permissions that it needs to perform its intended tasks.
Monitor the usage of your service accounts and review the audit logs to ensure that they are being used as intended. This can help you detect any unauthorized access or misuse of service accounts.
Custom roles
Custom roles let you create fine-grained permissions that are tailored to your specific needs. For example, you can create a custom role that allows a service account to read and write data in a Cloud Storage bucket, but not delete it.
Custom roles are useful for managing access to your Google Cloud resources and ensuring that users and applications have only the permissions required to perform their intended tasks.
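The least-privilege and custom-role guidance above can be checked mechanically. The following Python sketch is an added example, not Google's code: it scans a project IAM policy for service accounts that hold basic roles and confirms that a custom role carries no delete permission. The project, account and role names and both sample documents are constructed.

```python
import json

# Basic roles are broad, project-wide grants; a service account should not hold them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:orders-sync@example-project.iam.gserviceaccount.com"]},
  {"role": "projects/example-project/roles/bucketReadWriteNoDelete",
   "members": ["serviceAccount:invoice-export@example-project.iam.gserviceaccount.com",
               "serviceAccount:orders-sync@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]}
]}
""")

# Constructed custom role in the shape of `gcloud iam roles describe --format=json`.
# Without storage.objects.delete the account can add objects but not overwrite or remove them.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/bucketReadWriteNoDelete",
    "includedPermissions": ["storage.objects.get", "storage.objects.list",
                            "storage.objects.create"],
}

def roles_by_service_account(policy):
    """Map each service account member to the set of roles bound to it."""
    grants = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                grants.setdefault(member, set()).add(binding["role"])
    return grants

def basic_role_findings(policy):
    """Return sorted (member, role) pairs where a service account holds a basic role."""
    return sorted((m, r) for m, roles in roles_by_service_account(policy).items()
                  for r in roles if r in BASIC_ROLES)

def forbidden_permissions(role, denied_suffixes=(".delete",)):
    """Return the permissions in a custom role that end with a denied suffix."""
    return sorted(p for p in role.get("includedPermissions", [])
                  if p.endswith(denied_suffixes))

if __name__ == "__main__":
    for member, role in basic_role_findings(SAMPLE_POLICY):
        print(f"over-privileged: {member} has {role}")
    print("delete permissions in custom role:", forbidden_permissions(SAMPLE_ROLE))
```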
Authentication profiles
An authentication profile lets you configure and store the authentication details for the connection in an integration. Instead of using a hard-coded authentication configuration, you can use the built-in authentication profile configuration, which provides enhanced security. Application Integration supports various authentication types depending on the task. For more information, see Compatibility of authentication types with tasks.
To prevent unauthorized access and provide enhanced security, it is recommended to use an authentication profile if a task supports it.