Onboarding GCP-WIF application

Prev Next

Perform the following steps for adding a GCP-WIF tenant application to Britive:

Before onboarding the application, ensure that you have completed the prerequisites mentioned in the section Prerequisites for GCP onboarding.

  1. Log in to Britive with administrator privileges.

  2. Click Admin -> Tenant Applications.

  3. Click on Create Application.

  4. On the Add Application page, click the Add (+) sign inline to the GCP WIF application.

  5. In the Application tab, enter the following values:

    1. Enter the Application Name.

    2. Enter the Application Description, if required.

    3. Under Account Mapping, you can choose the username or email mapping to map the username or user email with the GCP account, respectively. You can also choose the default setting, No mapping, as per your requirement.

  6. Click Next. The Settings tab is displayed.

  7. In the Settings tab, enter the following values.

    1. Check the Console in the Credential Type.

    2. (Optional) Select Programmatic Access as the Credential Type if CLI credentials need to be generated during profile checkout.

    3. Check the Display programmatic access keys to allow the user to copy the credentials to the clipboard after they check out programmatic access profiles. Users can only access the keys through CLI or scripts if the option is not selected.

    4. Enter the following details in the Connection Properties:

      1. The Organizations Unique Identifier: Organizations Unique Identifier of your Google domain.

      2. Workload Identity Pool ID: ID of the Workload Identity Pool created in Google Cloud IAM. This identifies the federation pool that allows external identities to authenticate and exchange tokens for Google credentials.

      3. Workload Identity Provider ID: ID of the Workload Identity Provider within the selected pool. This provider defines how external identities (e.g., OIDC, AWS, Azure, and CI/CD systems) authenticate and obtain tokens through Workload Identity Federation.

      4. Connected Service Account Email: Email address of the Google Cloud service account that is connected to the Workload Identity Provider. This service account is impersonated by external identities after successful federation.

      5. Project Number For Connected Service Account: Numeric project number of the Google Cloud project where the connected service account resides. This is used to construct the Workload Identity Federation audience and resource paths. (To get the project number for connected service account, go to IAM & Admin → Settings, and select the project in which the service account was created from the selector on the top.)

      6. (Optional) Project ID for creating Service Accounts: Project ID where temporary service accounts (CLI credentials) need to be created.

    5. Enter the following details in the SSO Settings section:

      1. Check Enable SSO to enable SSO.

      2. Replace {domain} with the primary domain from Google Workspace in the Audience field.

      3. Replace {domain} with the primary domain from Google Workspace in the ACS URL field.

    6. Enter the following details in the Account Mapping section:

      1. Select Use another domain for account mapping if the email domain of Britive users is different from the primary domain in Google Workspace.

      2. Enter the domain of the Britive Users in the Email Domain of Britive Users field.

      3. Enter the domain from Google Workspace in the Primary Domain in Google Workspace field.

    7. Select one of the following from the Scan Options:

      • Scan all folders and projects: Select this option if Britive needs to scan all folders and projects at the Organization level.

      • Scan projects only: Select this option if Britive should scan a subset of projects to which it has been granted access.

        Note: Either option Scan all folders and projects or Scan projects only has to be selected.

      • Exclude projects from scan: Enter comma-separated patterns for project names. For example: project,sheet. All projects containing the pattern are not collected during the scan.

      • Include projects in scan: Enter comma-separated patterns for project names. For example: project,sheet. All projects containing the pattern are collected during the scan. Also, the inclusion filter takes precedence over the exclusion one above.

    8. Profile Settings: Configure the maximum session duration for profiles. You can select the duration between 15 minutes and 7 calendar days. This allows you to set up an expiration duration for each profile while creating/updating the profile up to this configured value. If existing profiles are created with more than 12 hours and the above setting is changed, then it cannot be lowered until all profiles are updated with a lower expiration duration.

  8. Click Save and Test. If the GCP application is configured with the correct values, then a success message is displayed.