Docs
Configuration
Discover
How to Configure a Google Data Source

How to Configure a Google Data Source

The Hydden Google collectors integrate with the Google Cloud Platform and the Workspace modules.

GCP ModuleGoogle Workspace Module
Data collected:
Service AccountsUser Accounts
RolesRoles
GroupsGroups
APIs to enable:
Cloud Resource Manager APIAdmin SDK API
Identity and Access Management (IAM) API

Setting Up Google Service Account Credential

  1. Navigate to https://console.cloud.google.com/iam-admin
  2. Setup a new service account in your project for Hydden.
  3. Add a key and save the json file that is generated.

Grant Directory Admin Role in Google Admin Console

  1. Navigate to admin.google.com and sign in with a super administrator account
  2. Navigate to Roles and Privileges, click Account | Admin Roles.
  3. Create or Edit a Role.
    • If a custom role for the service account does NOT exist:
      • Click Create New Role.
      • Name the role (e.g., Directory Admin API).
    • If a role already exists, select it.
  4. Assign Privileges under role settings, check the boxes for:
    • User Management
    • Group Management
    • Organization Units
    • Any additional privileges required for your use case.
  5. Assign the Role, under Admins | Role Settings.
  6. Click Assign Admins and enter the service account email.

Verify Domain-wide Delegation

If the service account is assigned via Admin Console, ensure domain-wide delegation is properly set up.

  1. Navigate to Security | API Controls | Manage Domain-wide Delegation.
  2. Add the Client ID of the service account and the necessary scopes.

Grant Roles in Google Cloud Console

If needed, grant the Directory Admin role in the Google Cloud Console.

  1. Navigate to the IAM & Admin Page.
  2. Select your service account’s project.
  3. At the top of the IAM table, click Add.
  4. Enter the service account email.
  5. Assign the role Directory Admin.

Roles Required

https://www.googleapis.com/auth/admin.directory.customer, https://www.googleapis.com/auth/admin.directory.domain, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.member, https://www.googleapis.com/auth/admin.directory.orgunit, https://www.googleapis.com/auth/admin.directory.rolemanagement, https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.user.alias, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/cloud-platform

Configuring the Data Source

  1. Navigate to Configuration | Discover and select the Data Sources tab.

  2. Click + Add Data Source.

    img
    Add Data Source modal

  3. On the Add Data Source modal, from the Data Source drop-down select the Google collector you wish to configure. The options are:

    • Google Cloud
    • Google Workspace

    Depending on your data collection needs, one or the other or both might be required for your organization. Repeat the steps in this procedure for both collectors if needed.

  4. Enter a Name for your data source.

  5. Depending on the collector selected you have to provide either detail:

    • a Provider ID for the Google Cloud collector.
    • a Domain for the Google Workspace collector.

  6. You may ignore Preset and Schedule for now. The first time you will use a manual run action to use the collector.

  7. To the right of Credentials, click +.

    1. The Add credential modal opens and the drop-down selection should shows JSON Credential credential, if not, change it to JSON Credential.
    2. Enter a name for your Google credential.
    3. Copy and paste your JSON Object as previously saved/vaulted.
    4. Click Add.

  8. A Site entry is not needed for the Google Data Sources.

  9. Under the Select Account Mapping Rule Set drop-down, select from the following options:

    • Default Rules Only
    • Add All Rules
    • Add All Default Rules
    • Add All Custom Rules
    • Manual Selection: Rules need to be selected from a drop-down menu.

    Any rules added, can be removed by clicking on the x on the rule name label.

    NOTE: Rules need to be set to enabled on the rule add/edit modal to work in your tenant, refer to Account Mapping.

  10. To enable account mapping or identity creation, select the Enable Automatic Account Mapping and Enable Automatic Identity Creation checkboxes respectively. Both options can be enabled at the same time.

  11. In the Automatic Mapping Rules (Match Account to Identity using) field, rules are either automatically populated based on your selection under the Automatic Account Mapping Rules step or you have to manually add rules from the drop-down menu. Any rules added, can be removed by clicking on the x on the rule name label.

  12. From the Automatic Identity Creation Rules (Create New Identity when) drop-down, select which rules you want to use in your environment. Custom rules are listed first. Any rules added, can be removed by clicking on the x on the rule name label.

  13. Click Add to save the data source. You have an option to manually run the data collection via the Run Now button.

At this point, you can run a collection from the Data Sources page and shortly after, you will see your Google data listed on the Identity Posture dashboard, in Global Search and the Search Library.

How to Configure a GitHub Data SourceHow to Configure an Okta Data Source