Google Cloud IAM

Integration version: 12.0

Use Cases

Manage permissions and service accounts in Google Cloud.

Product Permission

Create a Service Account:

  1. Open your Google Cloud Project portal, on the left pane click IAM & Admin > Roles.
  2. Click Create Role to create a custom role that will have permissions needed for the integration.
  3. On the opened page provide role Title, Description, ID, Role Launch Stage to General Availability.
  4. Add the following permissions to the created role:

    • iam.serviceAccounts.list
    • iam.serviceAccounts.create
    • iam.serviceAccounts.get
    • iam.serviceAccounts.getIamPolicy
    • iam.serviceAccounts.setIamPolicy
    • iam.serviceAccounts.disable
    • iam.serviceAccounts.enable
    • iam.serviceAccounts.delete
    • iam.roles.list
    • iam.roles.get
    • iam.roles.create
    • iam.roles.delete
  5. Click Create to create a new custom role.

  6. Next go to the Google documentation and follow the procedure in the Creating a Service Account section. After you create a service account, a Service Account Private Key file is downloaded.

  7. Grant the role you previously created to the Service Account so Service Account will have needed permissions for the integration.

  8. Configure Google Cloud IAM integration with the JSON contents of the file you downloaded in step 1.

Configure Google Cloud IAM integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Account Type String service_account No Type of the Google Cloud account. Located at the "type" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Project ID String N/A No Project ID of the Google Cloud account. Located at the "project_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Private Key ID Password N/A No Private Key ID of the Google Cloud account. Located at the "private_key_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Private Key Password N/A No Private Key of the Google Cloud account. Located at the "private_key" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client Email String N/A No Client Email of the Google Cloud account. Located at the "client_email" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client ID String N/A No Client ID of the Google Cloud account. Located at the "client_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Auth URI String https://accounts.google.com/o/oauth2/auth No Auth URI of the Google Cloud account. Located at the "auth_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Token URI String

https://oauth2.googleapis.com/token

No Token URI of the Google Cloud account. Located at the "token_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Auth Provider X509 URL String

https://www.googleapis.com/oauth2/v1/certs

No Auth Provider X509 URL of the Google Cloud account. Located at the "auth_provider_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Client X509 URL String N/A No Client X509 URL of the Google Cloud account. Located at the "client_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter.
Service Account Json File Content String N/A No Optional: Instead of specifying Private Key ID, Private Key and other parameters, specify here the full JSON content of the service account file. Other connection parameters are ignored if this parameter is provided.
Verify SSL Checkbox Checked No If enabled, the integration verifies that the SSL certificate for the connection to the Google Cloud service is valid.

Actions

Ping

Description

Test connectivity to the Identity and Access Management service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful: "Successfully connected to the Identity and Access Management service with the provided connection parameters!"

The action should fail and stop a playbook execution:

  • if critical error, like wrong credentials or lost connectivity: "Failed to connect to the Identity and Access Management service! Error is {0}".format(exception.stacktrace)
General

Enrich Entities

Description

Enrich Google Security Operations SOAR User entities with service accounts information from Identity and Access Management. Action expects Identity and Access Management service account email as a Google Security Operations SOAR User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
           "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "projectId": "silver-shift-275007",
           "uniqueId": "104627053409757134782",
           "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "displayName": "dmitrys Test SA displayName",
           "etag": "MDEwMjE5MjA=",
           "description": "Service account description",
           "oauth2ClientId": "104627053409757134782"
}
Entity Enrichment
Enrichment Field Name Logic - When to apply
Google_IAM_name
Google_IAM_project_id ..
Google_IAM_unique_id
Google_IAM_email
Google_IAM_display_name
Google_IAM_description
Google_IAM_oauth2_client_id
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful and at least one of the provided entities were enriched: "Successfully enriched entities: {0}".format([entity.Identifier]).
  • If fail to enrich all of the provided entities: "No entities were enriched."
  • If fail to find data in Identity and Access Management to enrich specific entities: "Action was not able to find a match in Identity and Access Management to enrich provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

General
Table (Enrichment)

Table Name: {entity} Enrichment Table

Columns: Key, Value

Entity

List Service Accounts

Description

List Identity and Access Management service accounts based on the specified search criteria. Note that action is not working on Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Service Account Display Name String N/A No Specify service account display name to return. Parameter accepts multiple values as a comma separated string.
Service Account Email String N/A No Specify service account email to return. Parameter accepts multiple values as a comma separated string.
Max Rows to Return Integer 50 No Specify how many roles action should return.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "accounts": [
       {
           "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "projectId": "silver-shift-275007",
           "uniqueId": "104627053409757134782",
           "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
           "displayName": "dmitrys Test SA displayName",
           "etag": "MDEwMjE5MjA=",
           "description": "Service account description",
           "oauth2ClientId": "104627053409757134782"
       }
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If successfully listed service accounts (is_success = true):
    "Successfully fetched Google Cloud service accounts."
  • If no available values(is_success = false): "No service accounts were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Service Accounts". Reason: {0}''.format(error.Stacktrace)

General
Table

Table Name: Google Cloud Service Accounts

Table Columns:

Service Account Name

Service Account Unique ID

Service Account Email

Service Account Display Name

Service Account Description

Service Account Oauth2 Client ID

General

Create Service Account

Description

Create an Identity and Access Management Service Account.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Service Account ID String String Yes Specify service account id to create.
Service Account Display Name String String No Specify service account display name to create.
Service Account Description String String No Specify service account description to create.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
   "projectId": "silver-shift-275007",
   "uniqueId": "104627053409757134782",
   "email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
   "displayName": "dmitrys Test SA displayName",
   "etag": "MDEwMjE5MjA=",
   "description": "Service account description",
   "oauth2ClientId": "104627053409757134782"
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Google Cloud Service Account was created successfully <unique id>.
  • If action failed to run because provided service account already exists(is_success =false)

    • Provided service account <unique id> already exists.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Service Account". Reason: {0}''.format(error.Stacktrace)

General

Get Service Account IAM Policy

Description

Gets the access control policy for the service account. Action expects Identity and Access Management service account email as a Google Security Operations SOAR User entity. Note that policy may be empty if no policy is assigned to the service account.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "version": 1,
   "etag": "BwXBuNg8cMA=",
   "bindings": [
       {
           "role": "roles/iam.securityReviewer",
           "members": [
               "user:dmitrys@siemplify.co"
           ]
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • "Successfully fetched Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, email id 2...>
  • If action didnt find info for the entity (for example non existent in Google Identity and Access Management email provided:

    • Action was not able to fetch Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, email id2 ..>
  • If fail to find Identity and Access Management policy for all of the provided entities: "Identity and Access Management policy was not found for any of the provided entities."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

General

Set Service Account IAM Policy

Description

Sets the access control policy on the specified service account. Action expects Identity and Access Management service account email as a Google Security Operations SOAR account entity. Note that policy provided in action replaces any existing policy.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Policy String N/A Yes Specify JSON policy document to set for service account.

Run On

This action runs on the Account entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "version": 1,
   "etag": "BwXBuNg8cMA=",
   "bindings": [
       {
           "role": "roles/iam.securityReviewer",
           "members": [
               "user:dmitrys@siemplify.co"
           ]
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If some are successful (is_success=True):

    • Successfully set Identity and Access Management policy for the following Google Cloud Service Accounts: <email id1, ...>

  • If some failed:

    • Action was not able to set Identity and Access Management policy the following Google Cloud Service Accounts: <email id1, ....>

  • If all failed:

    • No Service Account Identity and Access Management policies were set.

  • If provided policy JSON is not valid (is_success =false)

    • Provided policy JSON document <policy> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Set Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace)

General

Disable Service Account

Description

Disable service account. Action expects Identity and Access Management service account email as a Google Security Operations SOAR User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully disabled the following service accounts: {0}".format([entity.Identifier]).

  • If fail to disable all of the provided entities: "No service accounts were disabled."

  • If fail to find data in Google Cloud Identity and Access Management to disable specific entities: "Action was not able to find a match in Google Cloud Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Disable Service Account". Reason: {0}''.format(error.Stacktrace)

General

Enable Service Account

Description

Enable service account. Action expects Identity and Access Management service account email as a Google Security Operations SOAR User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully enabled the following service accounts: {0}".format([entity.Identifier]).

  • If fail to enable all of the provided entities: "No service accounts were enabled."

  • If fail to find data in Identity and Access Management to enable specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enable Service Account". Reason: {0}''.format(error.Stacktrace)

General

Delete Service Account

Description

Delete service account. Action expects Identity and Access Management service account email as a Google Security Operations SOAR User entity.

Run On

This action runs on the User entity.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • if successful at least one of the provided entities: "Successfully deleted the following service accounts: {0}".format([entity.Identifier]).

  • If fail to delete all of the provided entities: "No service accounts were deleted."

  • If fail to find data in Identity and Access Management to delete specific entities: "Action was not able to find a match in Identity and Access Management for the provided entities: {0}".format([entity.identifier])

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Service Account". Reason: {0}''.format(error.Stacktrace)

General

List Roles

Description

List Identity and Access Management roles based on the specified search criteria. Note that action is not working on Google Security Operations SOAR entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
View DDL Basic No Specify which view should be used to return role information.
Max Rows to Return Integer 50 No Specify how many roles action should return.
List Project Custom Roles Only? Checkbox Unchecked No If enabled action will return only custom roles defined for the current project id.
Show Deleted Checkbox Unchecked No If enabled action will also return deleted roles.

Run On

The action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "roles": [
       {
           "name": "roles/accessapproval.approver",
           "title": "Access Approval Approver",
           "description": "Ability to view or act on access approval requests and view configuration",
           "stage": "BETA",
           "etag": "AA=="
       },
       {
           "name": "roles/accessapproval.configEditor",
           "title": "Access Approval Config Editor",
           "description": "Ability update the Access Approval configuration",
           "stage": "BETA",
           "etag": "AA=="
       }
   ]
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If successfully listed roles(is_success = true): "Successfully fetched Identity and Access Management roles."

  • If no available values(is_success = false): "No roles were returned for the specified input parameters."

The action should fail and stop a playbook execution:

if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Roles". Reason: {0}''.format(error.Stacktrace)

General
Table

Table Name: Google Cloud IAM Roles

Table Columns:

Role Name

Role Title

Role Description

Role Stage

Role Etag

Role Permissions

General

Create Role

Description

Create an Identity and Access Management Role.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Role ID String N/A Yes Specify role id for newly created Identity and Access Management role.
Role Definition String N/A Yes Specify JSON policy document to use as the role definition.

Run On

The action doesn't run on entities.

Example For Role Policy JSON

{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXBu1RHiPw="
}

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXBu1RHiPw="
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Identity and Access Management <roleid> was created successfully.

  • If provided role_id already exists(is_success =false)

    • Provided role id<role_id> already exists.

  • If provided role JSON is not valid (is_success =false)

    • Provided role definition JSON document <role json> is not valid.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Role". Reason: {0}''.format(error.Stacktrace)

General

Delete Role

Description

Delete an Identity and Access Management Role.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Role ID String N/A Yes Specify role id for newly created Identity and Access Management role.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
   "name": "projects/silver-shift-275007/roles/iam_test_role_api",
   "title": "iam_test_role_api",
   "description": "test role",
   "includedPermissions": [
       "storagetransfer.projects.getServiceAccount"
   ],
   "stage": "GA",
   "etag": "BwXDDgKFx7M=",
   "deleted": true
}
Case Wall
Result type Value/Description Type
Output message*

The action should not fail nor stop a playbook execution:

  • If action run successfully:(is_success=true)

    • Identity and Access Management <roleid> was successfully deleted.

  • If provided role_id not exists(is_success =false)

    • Provided role id<role_id> does not exist.

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Role". Reason: {0}''.format(error.Stacktrace)

General