Google Cloud IAM
Integration version: 12.0
Use Cases
Manage permissions and service accounts in Google Cloud.
Product Permission
Create a Service Account:
- Open your Google Cloud Project portal and, on the left pane, click IAM & Admin > Roles.
- Click Create Role to create a custom role that will hold the permissions the integration needs.
- On the opened page, provide the role Title, Description and ID, and set Role Launch Stage to General Availability.
Add the following permissions to the created role:
- iam.serviceAccounts.list
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.setIamPolicy
- iam.serviceAccounts.disable
- iam.serviceAccounts.enable
- iam.serviceAccounts.delete
- iam.roles.list
- iam.roles.get
- iam.roles.create
- iam.roles.delete
Click Create to create a new custom role.
Next, go to the Google documentation and follow the procedure in the Creating a Service Account section. After you create a service account, a Service Account Private Key file is downloaded.
Grant the role you previously created to the service account so that it has the permissions the integration needs.
Configure the Google Cloud IAM integration with the JSON contents of the file you downloaded in step 1.
Configure Google Cloud IAM integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Account Type | String | service_account | No | Type of the Google Cloud account. Located at the "type" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Project ID | String | N/A | No | Project ID of the Google Cloud account. Located at the "project_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Private Key ID | Password | N/A | No | Private Key ID of the Google Cloud account. Located at the "private_key_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Private Key | Password | N/A | No | Private Key of the Google Cloud account. Located at the "private_key" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client Email | String | N/A | No | Client Email of the Google Cloud account. Located at the "client_email" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client ID | String | N/A | No | Client ID of the Google Cloud account. Located at the "client_id" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Auth URI | String | https://accounts.google.com/o/oauth2/auth | No | Auth URI of the Google Cloud account. Located at the "auth_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Token URI | String | https://oauth2.googleapis.com/token | No | Token URI of the Google Cloud account. Located at the "token_uri" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Auth Provider X509 URL | String | https://www.googleapis.com/oauth2/v1/certs | No | Auth Provider X509 URL of the Google Cloud account. Located at the "auth_provider_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Client X509 URL | String | N/A | No | Client X509 URL of the Google Cloud account. Located at the "client_x509_cert_url" parameter in the authentication JSON file. You need to copy the value and put it in this integration configuration parameter. |
Service Account Json File Content | String | N/A | No | Optional: Instead of specifying Private Key ID, Private Key and other parameters, specify here the full JSON content of the service account file. Other connection parameters are ignored if this parameter is provided. |
Verify SSL | Checkbox | Checked | No | If enabled, the integration verifies that the SSL certificate for the connection to the Google Cloud service is valid. |
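As an added example (not code from the integration itself), the Python helper below applies the precedence rule the table states: when Service Account Json File Content is set, the per-field parameters are ignored; otherwise the same credential object is assembled from them. The PEM and e-mail checks and the sample key file are my assumptions, constructed for illustration.

```python
import json

# Key-file fields the integration maps to its per-field parameters (see the table above).
PARAM_TO_FIELD = {
    "Account Type": "type",
    "Project ID": "project_id",
    "Private Key ID": "private_key_id",
    "Private Key": "private_key",
    "Client Email": "client_email",
    "Client ID": "client_id",
    "Auth URI": "auth_uri",
    "Token URI": "token_uri",
    "Auth Provider X509 URL": "auth_provider_x509_cert_url",
    "Client X509 URL": "client_x509_cert_url",
}

# Constructed sample key file (not a real key); the private_key value is a placeholder.
SAMPLE_KEY_FILE = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "soar-iam@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/soar-iam%40example-project.iam.gserviceaccount.com",
}
SAMPLE_KEY_FILE_JSON = json.dumps(SAMPLE_KEY_FILE)  # what an operator would paste into the JSON parameter


def validate_credentials(creds):
    """Reject key material that would otherwise only fail later, at token exchange time."""
    missing = [f for f in PARAM_TO_FIELD.values() if not creds.get(f)]
    if missing:
        raise ValueError("missing key-file fields: " + ", ".join(missing))
    if creds["type"] != "service_account":
        raise ValueError(f"unexpected account type {creds['type']!r}")
    # A hand-pasted Private Key often keeps the JSON escape "\n" instead of real newlines.
    key = creds["private_key"].replace("\\n", "\n")
    if not (key.startswith("-----BEGIN PRIVATE KEY-----") and "-----END PRIVATE KEY-----" in key):
        raise ValueError("private_key is not a PEM PKCS#8 block")
    creds["private_key"] = key
    if not creds["client_email"].endswith(".gserviceaccount.com"):
        raise ValueError("client_email is not a service account address")
    return creds


def resolve_credentials(params):
    """Build the credential dict from integration parameters, honouring the rule that
    'Service Account Json File Content' overrides every other connection parameter."""
    raw = params.get("Service Account Json File Content")
    if raw:
        try:
            creds = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Service Account Json File Content is not valid JSON: {exc}") from None
    else:
        creds = {field: params.get(name) for name, field in PARAM_TO_FIELD.items()}
    return validate_credentials(creds)
```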
Actions
Ping
Description
Test connectivity to the Identity and Access Management service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: | General |
Enrich Entities
Description
Enrich Google Security Operations SOAR User entities with service account information from Identity and Access Management. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"projectId": "silver-shift-275007",
"uniqueId": "104627053409757134782",
"email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"displayName": "dmitrys Test SA displayName",
"etag": "MDEwMjE5MjA=",
"description": "Service account description",
"oauth2ClientId": "104627053409757134782"
}
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Google_IAM_name | |
Google_IAM_project_id | |
Google_IAM_unique_id | |
Google_IAM_email | |
Google_IAM_display_name | |
Google_IAM_description | |
Google_IAM_oauth2_client_id | |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) | General |
Table (Enrichment) | Table Name: {entity} Enrichment. Table Columns: Key, Value | Entity |
List Service Accounts
Description
List Identity and Access Management service accounts based on the specified search criteria. Note that this action does not run on Google Security Operations SOAR entities.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Service Account Display Name | String | N/A | No | Specify the service account display names to return. The parameter accepts multiple values as a comma-separated string. |
Service Account Email | String | N/A | No | Specify the service account emails to return. The parameter accepts multiple values as a comma-separated string. |
Max Rows to Return | Integer | 50 | No | Specify how many service accounts the action should return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"accounts": [
{
"name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"projectId": "silver-shift-275007",
"uniqueId": "104627053409757134782",
"email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"displayName": "dmitrys Test SA displayName",
"etag": "MDEwMjE5MjA=",
"description": "Service account description",
"oauth2ClientId": "104627053409757134782"
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Service Accounts". Reason: {0}''.format(error.Stacktrace) | General |
Table | Table Name: Google Cloud Service Accounts. Table Columns: Service Account Name, Service Account Unique ID, Service Account Email, Service Account Display Name, Service Account Description, Service Account Oauth2 Client ID | General |
Create Service Account
Description
Create an Identity and Access Management Service Account.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Service Account ID | String | N/A | Yes | Specify the ID of the service account to create. |
Service Account Display Name | String | N/A | No | Specify the display name of the service account to create. |
Service Account Description | String | N/A | No | Specify the description of the service account to create. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"name": "projects/silver-shift-275007/serviceAccounts/dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"projectId": "silver-shift-275007",
"uniqueId": "104627053409757134782",
"email": "dmitrystestsa@silver-shift-275007.iam.gserviceaccount.com",
"displayName": "dmitrys Test SA displayName",
"etag": "MDEwMjE5MjA=",
"description": "Service account description",
"oauth2ClientId": "104627053409757134782"
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Service Account". Reason: {0}''.format(error.Stacktrace) | General |
Get Service Account IAM Policy
Description
Get the access control policy of a service account. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR User entity. Note that the policy may be empty if none is assigned to the service account.
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"version": 1,
"etag": "BwXBuNg8cMA=",
"bindings": [
{
"role": "roles/iam.securityReviewer",
"members": [
"user:dmitrys@siemplify.co"
]
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Get Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace) | General |
Set Service Account IAM Policy
Description
Set the access control policy on the specified service account. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR Account entity. Note that the policy provided to the action replaces any existing policy.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Policy | String | N/A | Yes | Specify JSON policy document to set for service account. |
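Because the Policy parameter replaces the whole policy, the safe pattern is read-modify-write: start from the document returned by Get Service Account IAM Policy, change one binding, keep the etag so a stale write is rejected, and review the result before it is written. The Python below is an added example, not part of the integration; the accepted member prefixes, the list of impersonation-capable roles and the sample policy are my assumptions.

```python
import copy

# Assumed member prefixes accepted in IAM bindings, and principals that must never be granted.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:", "principal:", "principalSet:")
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles on a service account that let the grantee act as it or mint credentials for it.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountKeyAdmin", "roles/owner"}

# Constructed current policy, in the shape the Get Service Account IAM Policy action returns.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXBuNg8cMA=",
    "bindings": [{"role": "roles/iam.securityReviewer", "members": ["user:analyst@example.com"]}],
}


def add_member(policy, role, member):
    """Return a new policy with `member` added to `role`. Existing bindings and the etag are
    kept, so the Set action neither drops other grants nor overwrites a concurrent change."""
    if member in PUBLIC_PRINCIPALS:
        raise ValueError(f"refusing to grant {role} to {member} on a service account")
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"malformed member {member!r}")
    if "etag" not in policy:
        raise ValueError("policy has no etag; re-read it with Get Service Account IAM Policy")
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_member(policy, member):
    """Return a new policy with `member` removed from every binding; emptied bindings are dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def review_policy(policy):
    """Findings an analyst should see before the policy is written (or after it is read)."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{binding['role']} granted to public principal {member}")
            elif binding["role"] in IMPERSONATION_ROLES:
                findings.append(f"{member} can act as the service account via {binding['role']}")
    return findings
```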
Run On
This action runs on the Account entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"version": 1,
"etag": "BwXBuNg8cMA=",
"bindings": [
{
"role": "roles/iam.securityReviewer",
"members": [
"user:dmitrys@siemplify.co"
]
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Set Service Account IAM Policy". Reason: {0}''.format(error.Stacktrace) | General |
Disable Service Account
Description
Disable a service account. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Disable Service Account". Reason: {0}''.format(error.Stacktrace) | General |
Enable Service Account
Description
Enable a service account. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Enable Service Account". Reason: {0}''.format(error.Stacktrace) | General |
Delete Service Account
Description
Delete a service account. The action expects the Identity and Access Management service account email as a Google Security Operations SOAR User entity.
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Service Account". Reason: {0}''.format(error.Stacktrace) | General |
List Roles
Description
List Identity and Access Management roles based on the specified search criteria. Note that this action does not run on Google Security Operations SOAR entities.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
View | DDL | Basic | No | Specify which view should be used to return role information. |
Max Rows to Return | Integer | 50 | No | Specify how many roles the action should return. |
List Project Custom Roles Only? | Checkbox | Unchecked | No | If enabled, the action returns only the custom roles defined for the current project ID. |
Show Deleted | Checkbox | Unchecked | No | If enabled, the action also returns deleted roles. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"roles": [
{
"name": "roles/accessapproval.approver",
"title": "Access Approval Approver",
"description": "Ability to view or act on access approval requests and view configuration",
"stage": "BETA",
"etag": "AA=="
},
{
"name": "roles/accessapproval.configEditor",
"title": "Access Approval Config Editor",
"description": "Ability update the Access Approval configuration",
"stage": "BETA",
"etag": "AA=="
}
]
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, invalid zone, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Roles". Reason: {0}''.format(error.Stacktrace) | General |
Table | Table Name: Google Cloud IAM Roles. Table Columns: Role Name, Role Title, Role Description, Role Stage, Role Etag, Role Permissions | General |
Create Role
Description
Create an Identity and Access Management Role.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Role ID | String | N/A | Yes | Specify the role ID for the newly created Identity and Access Management role. |
Role Definition | String | N/A | Yes | Specify the JSON policy document to use as the role definition. |
Run On
This action doesn't run on entities.
Example For Role Policy JSON
{
"name": "projects/silver-shift-275007/roles/iam_test_role_api",
"title": "iam_test_role_api",
"description": "test role",
"includedPermissions": [
"storagetransfer.projects.getServiceAccount"
],
"stage": "GA",
"etag": "BwXBu1RHiPw="
}
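As an added example that is not part of the integration, the Python below builds a Role Definition document in the shape shown above for the permissions listed in the Product Permission section, and checks a role fetched later (for instance from the List Roles result) for permissions added beyond that set or required ones that went missing. The role-ID, permission-name and stage constraints are my assumptions about IAM custom roles.

```python
import re

# Permissions the Product Permission section lists for the integration's custom role.
INTEGRATION_PERMISSIONS = [
    "iam.serviceAccounts.list", "iam.serviceAccounts.create", "iam.serviceAccounts.get",
    "iam.serviceAccounts.getIamPolicy", "iam.serviceAccounts.setIamPolicy",
    "iam.serviceAccounts.disable", "iam.serviceAccounts.enable", "iam.serviceAccounts.delete",
    "iam.roles.list", "iam.roles.get", "iam.roles.create", "iam.roles.delete",
]

# Assumed constraints: custom role IDs are 3-64 characters of letters, digits, underscores and
# periods; permissions are dot-separated service.resource.verb names; stages follow the IAM
# RoleLaunchStage values.
ROLE_ID_RE = re.compile(r"^[A-Za-z0-9_.]{3,64}$")
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*(\.[A-Za-z0-9]+){2,}$")
STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}


def build_role_definition(project_id, role_id, title, description, permissions, stage="GA"):
    """Produce the JSON document for the Role Definition parameter. No etag is set here:
    the server assigns one on creation, as the action's JSON Result shows."""
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid role id {role_id!r}")
    if stage not in STAGES:
        raise ValueError(f"invalid stage {stage!r}")
    perms = sorted(set(permissions))
    if not perms:
        raise ValueError("a role must include at least one permission")
    bad = [p for p in perms if not PERMISSION_RE.match(p)]
    if bad:
        raise ValueError("malformed permissions: " + ", ".join(bad))
    return {
        "name": f"projects/{project_id}/roles/{role_id}",
        "title": title,
        "description": description,
        "includedPermissions": perms,
        "stage": stage,
    }


def extra_permissions(role, allowed):
    """Permissions a role grants beyond `allowed`; run this over a fetched role to confirm
    it is still least-privilege after someone edited it in the console."""
    return set(role.get("includedPermissions", [])) - set(allowed)


def missing_permissions(role, required):
    """Required permissions the role lacks; the integration's actions would fail on these."""
    return set(required) - set(role.get("includedPermissions", []))
```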
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"name": "projects/silver-shift-275007/roles/iam_test_role_api",
"title": "iam_test_role_api",
"description": "test role",
"includedPermissions": [
"storagetransfer.projects.getServiceAccount"
],
"stage": "GA",
"etag": "BwXBu1RHiPw="
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Role". Reason: {0}''.format(error.Stacktrace) | General |
Delete Role
Description
Delete an Identity and Access Management Role.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Role ID | String | N/A | Yes | Specify the ID of the Identity and Access Management role to delete. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
"name": "projects/silver-shift-275007/roles/iam_test_role_api",
"title": "iam_test_role_api",
"description": "test role",
"includedPermissions": [
"storagetransfer.projects.getServiceAccount"
],
"stage": "GA",
"etag": "BwXDDgKFx7M=",
"deleted": true
}
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Delete Role". Reason: {0}''.format(error.Stacktrace) | General |