Capabilities
*Workforce Identity Federation support is optional and must be configured when you set up the connector.
**IAM Role Assignments use the Sparse ACL (RBAC) model. This resource type is opt-in and requires enabling the Use RBAC option when configuring the connector. When enabled, IAM role assignments are synced as scope binding resources instead of flat grants on projects, folders, and organizations.
This connector can sync secrets and display them on the Inventory page.
Gather Google Cloud Platform with Google Workspace credentials
Configuring the connector requires credentials from both Google Cloud Platform and the Google Workspace Admin console. You’ll complete the following steps:- Create a dedicated GCP project for the C1 integration
- Enable the required APIs
- Create a service account and assign it the necessary permissions
- Download the service account’s JSON key
- Grant the service account domain-wide delegation in the Google Workspace Admin console
- Locate your primary domain and Customer ID
Create a new project
We recommend creating a dedicated GCP project for the C1 integration. This keeps the integration’s permissions and audit logs isolated from your other projects.1
As a Google Cloud Platform with Google Workspace Super Admin, sign in to https://console.cloud.google.com.
2
In the toolbar, click the project select dropdown, and click NEW PROJECT.
3
Create a new project for your organization:
- Project Name: Choose a name, such as “C1 Integration”
- Organization/Location: Choose the appropriate Organization/Location
4
After the project is created, make sure the correct project is selected in the dropdown at the top.
Enable the APIs
1
In the navigation menu, navigate to APIs & Services > Library.
2
Search for each of the following APIs and click Enable:
- Cloud Asset API
- Cloud Resource Manager API
- Identity and Access Management API
- Admin SDK API
Optional: Sync secrets and buckets
Complete this section only if you want the connector to sync secrets (API keys, service account keys, Secret Manager secrets) or Cloud Storage buckets. Required organization-level role: Grant the service account theroles/cloudasset.viewer role at the organization level. This allows it to search resources across projects.
Additional APIs to enable:
Enable these APIs for each project you want to sync (or only for the projects specified in the Project IDs filter):
- Secrets - API Keys: API Keys API
- Secrets - Service account keys: IAM API
- Secrets - Secret Manager secrets: Secret Manager API
- Buckets: Cloud Storage API
Create a service account
1
In the navigation menu, navigate to APIs & Services > Credentials.
2
Select CREATE CREDENTIALS > Service Account.
3
Under Service account details, fill in the following:
- Service account name: C1 Integration
- Service account description: for example, “Service account for C1 Google Cloud Platform with Google Workspace Integration”
4
Under Grant this service account access to a project, assign the service account a role at the organization level. You can use the predefined Editor role, or create a custom role that includes only the permissions listed below.For READ access (syncing access data only), the role needs these permissions:To also provision access (READ/WRITE), add these permissions to the role:
5
Leave Grant users access to this service account blank.
6
Click DONE.
Get credentials
1
Navigate back to APIs & Services > Credentials. Under Service Accounts, locate and click the service account you just created.
2
Click the service account’s email address. Locate and save the Unique ID — you’ll need it when configuring domain-wide delegation in the next section.
3
On the Service Account Details Page, click KEYS.
4
Click ADD KEY > Create new key.
5
Choose JSON and click CREATE. The new key is created and downloaded to your computer.
6
Keep the downloaded file safe — you’ll upload it when configuring the connector in C1.
Add the service account to Google Workspace
Domain-wide delegation allows the GCP service account to access Google Workspace data — directory users, groups, roles, and audit logs — on behalf of your organization. You configure this in the Google Workspace Admin console at https://admin.google.com, which is separate from the Google Cloud console.1
Go to https://admin.google.com as a SUPER ADMIN.
2
In the navigation menu, select Security > Access and data control > API Controls.
3
Click MANAGE DOMAIN WIDE DELEGATION.
4
Click Add new and fill out the form:
- Client ID: The Unique ID you saved from the service account details page
-
OAuth Scopes: Copy and paste in the relevant scopes
-
Use the following scopes to give C1 READ access (syncing access data):
-
Use the following scopes to give C1 READ/WRITE access (syncing access data and provisioning access):
-
Use the following scopes to give C1 READ access (syncing access data):
5
Click AUTHORIZE.
6
In the navigation menu, select Account > Account Settings.
7
Copy and save the Customer ID from this page.
Locate your primary domain
1
In the navigation panel on the left, click Account > Domains.
2
Click Manage Domains. Locate and copy the domain labeled as the Primary Domain in the Type column.
- Customer ID (from Account Settings)
- Primary domain (from Manage Domains)
- Administrator email — the email address of a super admin for your domain
- JSON credentials file — the service account key downloaded in the Get credentials section
Configure the Google Cloud Platform with Google Workspace connector
- Cloud-hosted
- Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.Done. Your Google Cloud Platform with Google Workspace connector is now pulling access data into C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Google Cloud Platform with Google Workspace and click Add.
3
Choose how to set up the new Google Cloud Platform with Google Workspace connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
In the Customer ID field, enter the customer ID.
8
In the Domain field, enter the primary domain.
9
In the Administrator email field, enter the email address of a super admin for your domain.
10
In the Credentials (JSON) area, click Choose file and upload the JSON key file.
11
Optional. Check the box if you want to skip syncing Google Cloud Platform system accounts.
12
Optional. Uncheck the box (which is checked by default) if you want to sync Google Cloud Platform default projects.
13
Optional. In the Project IDs field, enter a list of project IDs to limit the connector’s sync to only those projects. Be sure to enter project IDs, not project names.
14
Optional. Check the box to Enable Workforce Identity Federation, which allows the connector to sync Workforce Identity pools and pool providers.
- If you want the connector to provision Workforce Identity pools, enter the relevant Workforce Identity Pool ID and Workforce Identity Pool Provider ID in the relevant fields.
15
By default, the connector only syncs roles that are assigned to an IAM policy. These settings allow you to configure the connector to sync roles regardless of their IAM policy status.
- Optional. Check the box to Always sync custom roles.
- Optional. In the List of role IDs to always sync field, enter a list of role IDs that should be synced. Be sure to enter role IDs, not role names.
16
Optional. Check the box to Use RBAC (Sparse ACL) to enable the RBAC model for IAM role assignments. When enabled, role assignments are synced as scope binding resources (IAM Role Assignments) instead of flat grants on projects, folders, and organizations. This also enables provisioning of IAM role assignments via the scope binding model.
Enabling this option changes how IAM access data is represented in C1. Flat grants on projects, folders, and organizations will no longer be synced — only the IAM Role Assignment resources will carry that data. Enable this only if your C1 configuration is set up to use the Sparse ACL model.
17
Click Save.
18
If you enabled Workforce Identity Federation, complete this additional configuration:
- In the Shared identity source area of the page, click Edit.
- Select the connector from which you want to pull identities.
- Optional. Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.
- Click Save.
19
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.