
# Set up a Google Cloud Platform with Google Workspace connector

> C1 provides identity governance and just-in-time provisioning for Google Cloud Platform with Google Workspace. Integrate your Google Cloud Platform with Google Workspace instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Capabilities

| Resource                            | Sync                                                          | Provision                                                     |
| :---------------------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts                            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Groups                              | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Folders                             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles                               | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Projects                            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Organizations                       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Workforce Identity pools\*          | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Workforce Identity pool providers\* | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Secrets - API keys                  | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Secrets - Service account keys      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Secrets - Secret Manager secrets    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Buckets                             | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

\*Workforce Identity Federation support is optional and must be configured when you set up the connector.

[This connector can sync secrets](/product/admin/inventory) and display them on the **Inventory** page.

## Gather Google Cloud Platform with Google Workspace credentials

Configuring the connector requires credentials from both Google Cloud Platform and the Google Workspace Admin console. You'll complete the following steps:

1. Create a dedicated GCP project for the C1 integration
2. Enable the required APIs
3. Create a service account and assign it the necessary permissions
4. Download the service account's JSON key
5. Grant the service account domain-wide delegation in the Google Workspace Admin console
6. Locate your primary domain and Customer ID

<Warning>
  A user with the **Super Admin** role in Google Cloud Platform with Google
  Workspace must perform this task.
</Warning>

### Create a new project

We recommend creating a dedicated GCP project for the C1 integration. This keeps the integration's permissions and audit logs isolated from your other projects.

<Steps>
  <Step>
    As a Google Cloud Platform with Google Workspace Super Admin, sign in to [https://console.cloud.google.com](https://console.cloud.google.com/).
  </Step>

  <Step>
    In the toolbar, click the project select dropdown, and click **NEW PROJECT**.
  </Step>

  <Step>
    Create a new project for your organization:

    * **Project Name**: Choose a name, such as "C1 Integration"
    * **Organization/Location**: Choose the appropriate Organization/Location
  </Step>

  <Step>
    After the project is created, make sure the correct project is selected in the dropdown at the top.
  </Step>
</Steps>

### Enable the APIs

<Steps>
  <Step>
    In the navigation menu, navigate to **APIs & Services** > **Library**.
  </Step>

  <Step>
    Search for each of the following APIs and click **Enable**:

    * **Cloud Asset API**
    * **Cloud Resource Manager API**
    * **Identity and Access Management API**
    * **Admin SDK API**
  </Step>
</Steps>

### Optional: Sync secrets and buckets

Complete this section only if you want the connector to sync secrets (API keys, service account keys, Secret Manager secrets) or Cloud Storage buckets.

<Warning>
  Secrets and bucket permissions are configured per project in GCP. If the connector is not filtering by project and the service account doesn't have permissions across all projects, the sync will fail. We recommend using the **Project IDs** filter to explicitly specify which projects to sync.
</Warning>

**Required organization-level role:**

Grant the service account the `roles/cloudasset.viewer` role at the organization level. This allows it to search resources across projects.

**Additional APIs to enable:**

Enable these APIs for each project you want to sync (or only for the projects specified in the **Project IDs** filter):

* Secrets - API Keys: **API Keys API**
* Secrets - Service account keys: **IAM API**
* Secrets - Secret Manager secrets: **Secret Manager API**
* Buckets: **Cloud Storage API**

### Create a service account

<Steps>
  <Step>
    In the navigation menu, navigate to **APIs & Services** > **Credentials**.
  </Step>

  <Step>
    Select **CREATE CREDENTIALS** > **Service Account**.
  </Step>

  <Step>
    Under **Service account details**, fill in the following:

    * **Service account name:** C1 Integration
    * **Service account description:** for example, "Service account for C1 Google Cloud Platform with Google Workspace Integration"

    Click **CREATE AND CONTINUE**.
  </Step>

  <Step>
    Under **Grant this service account access to a project**, assign the service account a role at the organization level. You can use the predefined **Editor** role, or create a custom role that includes only the permissions listed below.

    For **READ** access (syncing access data only), the role needs these permissions:

    ```text
    cloudasset.assets.analyzeIamPolicy
    cloudasset.assets.searchAllIamPolicies
    cloudasset.assets.searchAllResources
    iam.roles.get
    iam.roles.list
    resourcemanager.folders.getIamPolicy
    resourcemanager.folders.list
    resourcemanager.organizations.get
    resourcemanager.organizations.getIamPolicy
    resourcemanager.projects.get
    resourcemanager.projects.getIamPolicy
    resourcemanager.projects.list
    apikeys.keys.list
    iam.serviceAccounts.list
    iam.serviceAccountKeys.list
    secretmanager.secrets.get
    secretmanager.secrets.list
    secretmanager.secrets.getIamPolicy
    storage.buckets.list
    storage.buckets.getIamPolicy
    ```

    To also provision access (READ/WRITE), add these permissions to the role:

    ```text
    resourcemanager.folders.setIamPolicy
    resourcemanager.organizations.setIamPolicy
    resourcemanager.projects.setIamPolicy
    secretmanager.secrets.setIamPolicy
    storage.buckets.setIamPolicy
    ```
  </Step>

  <Step>
    Leave **Grant users access to this service account** blank.
  </Step>

  <Step>
    Click **DONE**.
  </Step>
</Steps>

### Get credentials

<Steps>
  <Step>
    Navigate back to **APIs & Services** > **Credentials**. Under **Service Accounts**, locate and click the service account you just created.
  </Step>

  <Step>
    Click the service account's email address. Locate and save the **Unique ID** — you'll need it when configuring domain-wide delegation in the next section.
  </Step>

  <Step>
    On the **Service Account Details Page**, click **KEYS**.
  </Step>

  <Step>
    Click **ADD KEY** > **Create new key**.
  </Step>

  <Step>
    Choose **JSON** and click **CREATE**. The new key is created and downloaded to your computer.
  </Step>

  <Step>
    Keep the downloaded file safe — you'll upload it when configuring the connector in C1.
  </Step>
</Steps>

### Add the service account to Google Workspace

Domain-wide delegation allows the GCP service account to access Google Workspace data — directory users, groups, roles, and audit logs — on behalf of your organization. You configure this in the Google Workspace Admin console at [https://admin.google.com](https://admin.google.com), which is separate from the Google Cloud console.

<Steps>
  <Step>
    Go to [https://admin.google.com](https://admin.google.com) as a **SUPER ADMIN**.
  </Step>

  <Step>
    In the navigation menu, select **Security** > **Access and data control** > **API Controls**.
  </Step>

  <Step>
    Click **MANAGE DOMAIN WIDE DELEGATION**.
  </Step>

  <Step>
    Click **Add new** and fill out the form:

    * **Client ID**: The **Unique ID** you saved from the service account details page
    * **OAuth Scopes**: Copy and paste in the relevant scopes

      * Use the following scopes to give C1 **READ** access (syncing access data):

        ```text
        https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
        ```

      * Use the following scopes to give C1 **READ/WRITE** access (syncing access data and provisioning access):

        ```text
        https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.rolemanagement,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.domain.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly
        ```
  </Step>

  <Step>
    Click **AUTHORIZE**.
  </Step>

  <Step>
    In the navigation menu, select **Account** > **Account Settings**.
  </Step>

  <Step>
    Copy and save the **Customer ID** from this page.
  </Step>
</Steps>

### Locate your primary domain

<Steps>
  <Step>
    In the navigation panel on the left, click **Account** > **Domains**.
  </Step>

  <Step>
    Click **Manage Domains**. Locate and copy the domain labeled as the **Primary Domain** in the **Type** column.
  </Step>
</Steps>

Before moving on, confirm you have the following ready for the connector configuration:

* **Customer ID** (from Account Settings)
* **Primary domain** (from Manage Domains)
* **Administrator email** — the email address of a super admin for your domain
* **JSON credentials file** — the service account key downloaded in the Get credentials section
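Before clicking **AUTHORIZE** it is worth checking exactly what you are pasting into the delegation form. The following is an added Python example (not part of this page or the connector) that reads the Client ID from the downloaded key file and compares a pasted scope list against the READ and READ/WRITE sets documented above; the key file contents are a constructed placeholder.

```python
import json

# Scope sets copied from the domain-wide delegation step above.
READ_SCOPES = {
    "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
    "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.domain.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
}
# READ/WRITE swaps three read-only scopes for their writable forms; the rest are unchanged.
WRITABLE = {
    "https://www.googleapis.com/auth/admin.directory.rolemanagement",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.group",
}
READ_WRITE_SCOPES = (READ_SCOPES - {s + ".readonly" for s in WRITABLE}) | WRITABLE

# Constructed sample key file; the private key is a placeholder, not real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "c1-integration-example",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "c1-integration@c1-integration-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def delegation_client_id(key_file_json: str) -> str:
    """Return the service account's unique ID: the 'client_id' field of the JSON key,
    which is the value to enter as Client ID under MANAGE DOMAIN WIDE DELEGATION."""
    key = json.loads(key_file_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    return key["client_id"]


def audit_scopes(pasted: str, provisioning: bool) -> dict:
    """Compare the comma-separated scope list pasted into the Admin console with the
    documented set for the chosen mode. 'excess' lists anything broader than needed."""
    expected = READ_WRITE_SCOPES if provisioning else READ_SCOPES
    granted = {s.strip() for s in pasted.split(",") if s.strip()}
    return {
        "missing": sorted(expected - granted),
        "excess": sorted(granted - expected),
        "ok": granted == expected,
    }


if __name__ == "__main__":
    print("Client ID for delegation:", delegation_client_id(SAMPLE_KEY_FILE))
    # A read-only setup that accidentally pasted the writable rolemanagement scope.
    rolemgmt_ro = "https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly"
    pasted = ",".join((READ_SCOPES - {rolemgmt_ro}) | {rolemgmt_ro[: -len(".readonly")]})
    print(audit_scopes(pasted, provisioning=False))
```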

## Configure the Google Cloud Platform with Google Workspace connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Google Cloud Platform with Google Workspace credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Google Cloud Platform with Google Workspace** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Google Cloud Platform with Google Workspace connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        In the **Customer ID** field, enter the customer ID.
      </Step>

      <Step>
        In the **Domain** field, enter the primary domain.
      </Step>

      <Step>
        In the **Administrator email** field, enter the email address of a super admin for your domain.
      </Step>

      <Step>
        In the **Credentials (JSON)** area, click **Choose file** and upload the JSON key file.
      </Step>

      <Step>
        **Optional.** Check the box if you want to skip syncing Google Cloud Platform system accounts.
      </Step>

      <Step>
        **Optional.** Uncheck the box (which is checked by default) if you want to sync Google Cloud Platform default projects.
      </Step>

      <Step>
        **Optional.** In the **Project IDs** field, enter a list of project IDs to limit the connector's sync to only those projects. Be sure to enter project IDs, not project names.
      </Step>

      <Step>
        **Optional.** Check the box to **Enable Workforce Identity Federation**, which allows the connector to sync Workforce Identity pools and pool providers.

        * If you want the connector to provision Workforce Identity pools, enter the relevant **Workforce Identity Pool ID** and **Workforce Identity Pool Provider ID** in the relevant fields.

        <Tip>
          If you enable Workforce Identity Federation, complete the **Shared identity source** configuration in the next step before finishing.
        </Tip>
      </Step>

      <Step>
        By default, the connector only syncs roles that are assigned to an IAM policy. These settings allow you to configure the connector to sync roles regardless of their IAM policy status.

        1. **Optional.** Check the box to **Always sync custom roles**.

        2. **Optional.** In the **List of role IDs to always sync** field, enter a list of role IDs that should be synced. Be sure to enter role IDs, not role names.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        **If you enabled Workforce Identity Federation**, complete this additional configuration:

        1. In the **Shared identity source** area of the page, click **Edit**.

        2. Select the connector from which you want to pull identities.

        3. **Optional.** Limit the identities pulled from the connector you selected to only those with a certain entitlement by setting the entitlement.

        4. Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Google Cloud Platform with Google Workspace connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Google Cloud Platform with Google Workspace connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-google-cloud-platform): For stable binaries (Windows/Linux/macOS) and container images.

    ### Step 1: Set up a new Google Cloud Platform with Google Workspace connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Google Cloud Platform with Google Workspace connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Google Cloud Platform with Google Workspace connector deployment:

    #### Secrets configuration

    ```yaml expandable
    # baton-google-cloud-platform-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-google-cloud-platform-secrets
    type: Opaque
    # Every stringData value must be a YAML string; the API server rejects bare booleans here.
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Google Cloud Platform with Google Workspace credentials
      BATON_CUSTOMER_ID: <customer ID>
      BATON_DOMAIN: <domain>
      BATON_ADMIN_EMAIL: <admin email>
      # The full contents of the downloaded key file as a single quoted string
      BATON_CREDENTIALS_JSON: <service account credentials JSON>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"

      # Optional: include to skip Google-managed system accounts
      BATON_SKIP_SYSTEM_ACCOUNTS: "true"

      # Optional: include to sync Cloud Storage buckets (requires the storage.buckets.list permission)
      BATON_SYNC_BUCKETS: "true"

      # Optional: include to sync API keys and service account keys
      BATON_SYNC_SECRETS: "true"

      # Optional: include to sync Secret Manager secrets (requires the Secret Manager API)
      BATON_SYNC_SECRET_MANAGER_SECRETS: "true"

      # Optional: include to always sync custom roles, even without assignments
      BATON_ALWAYS_SYNC_CUSTOM_ROLES: "true"

      # Optional: include to enable workforce identity federation support
      BATON_ENABLE_WORKFORCE_IDENTITY_FEDERATION: "true"
      BATON_WORKFORCE_IDENTITY_POOL_ID: <workforce identity pool ID>
      BATON_WORKFORCE_IDENTITY_POOL_PROVIDER_ID: <workforce identity pool provider ID>

      # Optional: include to limit sync to specific projects (enter project IDs, not names)
      BATON_PROJECT_FILTER: <comma-separated list of project IDs>

      # Optional: include to always sync specific roles (enter role IDs, not names)
      BATON_ALWAYS_SYNC_ROLES_FILTER: <comma-separated list of role IDs>
    ```

    See the connector's README or run the connector binary with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-google-cloud-platform.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-google-cloud-platform
      labels:
        app: baton-google-cloud-platform
    spec:
      selector:
        matchLabels:
          app: baton-google-cloud-platform
      template:
        metadata:
          labels:
            app: baton-google-cloud-platform
            # Label values must be strings, so the boolean is quoted
            baton: "true"
            baton-app: google-cloud-platform
        spec:
          containers:
          - name: baton-google-cloud-platform
            image: ghcr.io/conductorone/baton-google-cloud-platform:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-google-cloud-platform
            # Pull every BATON_* variable from the Secret created above
            envFrom:
            - secretRef:
                name: baton-google-cloud-platform-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Google Cloud Platform with Google Workspace connector to. Data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Google Cloud Platform with Google Workspace connector is now pulling access data into C1.
  </Tab>
</Tabs>
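For the self-hosted Secret manifest in the tab above, here is an added Python example (not part of this page or the connector) that builds the same `baton-google-cloud-platform-secrets` object programmatically, keeps every `stringData` value a string, and rejects project names passed where `BATON_PROJECT_FILTER` expects project IDs; the credentials and customer ID are constructed placeholders.

```python
import json
import re

# GCP project IDs are 6-30 chars of lowercase letters, digits and hyphens, starting with
# a letter and not ending with a hyphen. Display names such as "C1 Integration" never match.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed placeholder for the key file contents (not a real key).
SAMPLE_CREDENTIALS_JSON = json.dumps({
    "type": "service_account",
    "client_email": "c1-integration@c1-integration-example.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})


def build_secret_manifest(c1_client_id, c1_client_secret, customer_id, domain, admin_email,
                          credentials_json, *, provisioning=False, skip_system_accounts=False,
                          project_ids=(), always_sync_role_ids=()):
    """Build the Secret as a Kubernetes object. Every stringData value is a string (a bare
    YAML true is rejected by the API server) and the key file is embedded as one string."""
    json.loads(credentials_json)  # fail early if the key file is not valid JSON
    bad = [p for p in project_ids if not PROJECT_ID_RE.match(p)]
    if bad:
        raise ValueError(f"BATON_PROJECT_FILTER needs project IDs, not names: {bad}")
    data = {
        "BATON_CLIENT_ID": c1_client_id,
        "BATON_CLIENT_SECRET": c1_client_secret,
        "BATON_CUSTOMER_ID": customer_id,
        "BATON_DOMAIN": domain,
        "BATON_ADMIN_EMAIL": admin_email,
        "BATON_CREDENTIALS_JSON": credentials_json,
    }
    # Optional flags are emitted only when enabled, and as the string "true".
    if provisioning:
        data["BATON_PROVISIONING"] = "true"
    if skip_system_accounts:
        data["BATON_SKIP_SYSTEM_ACCOUNTS"] = "true"
    if project_ids:
        data["BATON_PROJECT_FILTER"] = ",".join(project_ids)
    if always_sync_role_ids:
        data["BATON_ALWAYS_SYNC_ROLES_FILTER"] = ",".join(always_sync_role_ids)
    if not all(isinstance(v, str) for v in data.values()):
        raise TypeError("all stringData values must be strings")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "baton-google-cloud-platform-secrets"},
        "type": "Opaque",
        "stringData": data,
    }


if __name__ == "__main__":
    manifest = build_secret_manifest(
        "C1_CLIENT_ID_PLACEHOLDER", "C1_CLIENT_SECRET_PLACEHOLDER", "C0123abcd",
        "example.com", "admin@example.com", SAMPLE_CREDENTIALS_JSON,
        provisioning=True, project_ids=["c1-integration-example", "prod-data-platform"],
    )
    # kubectl apply -f accepts a JSON manifest as well as YAML.
    print(json.dumps(manifest, indent=2))
```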
