# Set up a Google Cloud Platform connector

> C1 provides identity governance and just-in-time provisioning for Google Cloud Platform. Integrate your Google Cloud Platform instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

<Tip>
  **A newer version of this connector is available.** If you're setting up a Google Cloud connector with C1 for the first time, use [Google Cloud Platform with Google Workspace](/baton/google-cloud-platform).
</Tip>

<Tip>
  **Which Google connector should I use?**
  Each of the Google connectors offered by C1 varies in what it can sync and what it can provision. Selecting the right connector for you will depend on which Google services your organization uses, and how you want to manage Google resources within C1.

  * [Google Cloud Platform](/baton/v1/google-cloud-platform) can sync accounts, projects, roles, and orgs. It can provision projects.

  * [Google Workspace](/baton/google-workspace) can sync accounts, groups, and roles. It can provision groups and roles.

  * [Google Cloud Platform with Google Workspace](/baton/google-cloud-platform) can do all of the above, and it combines all of the resources and entitlements of the two connectors into a single app within C1.

  Running separate connectors can simplify management and make the apps easier to understand and work with, while the combined app unifies resource management and allows Google Cloud to leverage existing Google Workspace groups for authorization.
</Tip>

## Capabilities

| Resource      | Sync                                                          | Provision                                                     |
| :------------ | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Projects      | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Organizations | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Secrets       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |

<Tip>
  The GCP connector does not sync roles that do not have any grants. As each GCP project contains roughly 1,000 roles by default, removing empty roles from the sync significantly improves the performance of the connector and the usability of the entitlement data it pulls into C1. If you want to include an empty GCP role in your access review, assign a service account to the role before creating the campaign.
</Tip>

## Gather Google Cloud Platform credentials

Configuring the connector requires you to pass in credentials generated in Google Cloud Platform. Gather these credentials before you move on.

<Warning>
  A user with the permission to make a service account in Google Cloud Platform must perform this task.
</Warning>

### Create a new project

<Steps>
  <Step>
    In the Google Cloud console, click the project select dropdown, then click **NEW PROJECT**.
  </Step>

  <Step>
    Create a new project for your organization:

    * **Project Name**: Choose a name such as "C1 Integration"
    * **Organization/Location**: Choose any organization and location

    After the project is created, make sure the correct project is selected in the dropdown at the top.
  </Step>
</Steps>

### Enable APIs

<Steps>
  <Step>
    In the navigation menu, go to **APIs & Services** > **Library**.
  </Step>

  <Step>
    Search for and select the following APIs:

    * Identity and Access Management (IAM) API
    * Cloud Resource Manager API
    * Cloud Asset API
    * Admin SDK API
  </Step>

  <Step>
    Click **Enable**.
  </Step>
</Steps>

### Create a service account

<Steps>
  <Step>
    In the navigation menu, go to **APIs & Services** > **Credentials**.
  </Step>

  <Step>
    Select **CREATE CREDENTIALS** > **Service Account**.
  </Step>

  <Step>
    Under **Service account details**, fill in the following:

    * **Service account name:** C1 Integration
    * **Service account description:** for example, "Service account for C1 Google Cloud Platform Integration"
  </Step>

  <Step>
    Click **CREATE AND CONTINUE**.
  </Step>

  <Step>
    Under **Grant this service account access to a project**, grant the appropriate permission level:

    * **Viewer** to run access reviews on your Google Cloud Platform users
    * **Editor** to provision access via C1 and run access reviews

    Alternatively, you can create and assign a custom role at the org level.

    You'll need these permissions to give C1 **READ** access (for syncing access data):

    ```text
    cloudasset.assets.analyzeIamPolicy
    cloudasset.assets.searchAllIamPolicies
    cloudasset.assets.searchAllResources
    iam.roles.get
    resourcemanager.folders.getIamPolicy
    resourcemanager.folders.list
    resourcemanager.organizations.get
    resourcemanager.organizations.getIamPolicy
    resourcemanager.projects.get
    resourcemanager.projects.getIamPolicy
    resourcemanager.projects.list
    ```

    You'll need these permissions to give C1 **READ/WRITE** access (for syncing access data and provisioning access):

    ```text
    cloudasset.assets.analyzeIamPolicy
    cloudasset.assets.searchAllIamPolicies
    cloudasset.assets.searchAllResources
    iam.roles.get
    resourcemanager.folders.getIamPolicy
    resourcemanager.folders.list
    resourcemanager.folders.setIamPolicy
    resourcemanager.organizations.get
    resourcemanager.organizations.getIamPolicy
    resourcemanager.projects.get
    resourcemanager.projects.getIamPolicy
    resourcemanager.projects.list
    resourcemanager.projects.setIamPolicy
    ```
  </Step>

  <Step>
    Leave **Grant users access to this service account** blank.
  </Step>

  <Step>
    Click **DONE**.
  </Step>
</Steps>

Before moving on, carefully copy and save the service account ID that Google generated for the service account.
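
If you use the custom-role option above, you can confirm the role holds exactly the permissions listed on this page and nothing more. The following is an added example, not part of C1's or Google's tooling: it diffs a role definition in the JSON shape printed by `gcloud iam roles describe --format=json` against the two lists above. The function name, the sample role and its placeholder role name are assumptions made for illustration.

```python
import json

# Permission lists copied from this page.
READ = frozenset({
    "cloudasset.assets.analyzeIamPolicy",
    "cloudasset.assets.searchAllIamPolicies",
    "cloudasset.assets.searchAllResources",
    "iam.roles.get",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.projects.list",
})
# The two permissions the READ/WRITE list adds on top of READ.
WRITE_ONLY = frozenset({
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
})


def audit_role(role_json: str, mode: str) -> dict:
    """Diff a role's includedPermissions against the page's list for mode."""
    if mode not in ("read", "read_write"):
        raise ValueError("mode must be 'read' or 'read_write'")
    expected = READ if mode == "read" else READ | WRITE_ONLY
    actual = set(json.loads(role_json).get("includedPermissions", []))
    return {
        "ok": actual == expected,
        "missing": sorted(expected - actual),      # on the page's list, absent here
        "unexpected": sorted(actual - expected),   # present here, not on the page's list
        "write_on_read_role": sorted(actual & WRITE_ONLY) if mode == "read" else [],
    }


# Constructed sample: a "read" role that lost iam.roles.get and gained a
# setIamPolicy permission. The role name is a placeholder.
SAMPLE_ROLE = json.dumps({
    "name": "organizations/000000000000/roles/c1ConnectorRead",
    "includedPermissions": sorted(
        (READ - {"iam.roles.get"}) | {"resourcemanager.projects.setIamPolicy"}
    ),
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE, "read"), indent=2))
```

A non-empty `write_on_read_role` means a connector intended only for access reviews can change IAM policy on projects or folders.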

### Grant your service account access to your organization

<Steps>
  <Step>
    Navigate to your organization by selecting your organization from the dropdown.
  </Step>

  <Step>
    Navigate to the **IAM** tab in the left nav and click the **ADD** button located at the top of the page.
  </Step>

  <Step>
    For the principal, use the service account ID for the service account you created earlier.
  </Step>

  <Step>
    Select the appropriate roles:

    * **Organization Viewer** and **Viewer** to give C1 **READ** access

    * **Organization Administrator** and **Editor** to give C1 **READ/WRITE** access
  </Step>

  <Step>
    Click **Save**.
  </Step>
</Steps>

### Optional: Enable API token information syncing

If you want to sync information about the API tokens and service account keys created in your Google Cloud Platform instance, follow the instructions below. Otherwise, skip ahead to the **Get credentials** section.

<Steps>
  <Step>
    In the C1 project, search for "API keys" and enable it.
  </Step>

  <Step>
    Next, grant the API Keys Viewer Role to the service account you created for C1. Navigate to **IAM & Admin** > **IAM**.
  </Step>

  <Step>
    On the IAM page, find your Service Account in the list on the Principals tab.
  </Step>

  <Step>
    Click the icon to edit the Service Account, then click **Add another role**.
  </Step>

  <Step>
    Search for and select **API Keys Viewer**.
  </Step>

  <Step>
    Click **Save**.
  </Step>
</Steps>

Next, we'll return to the C1 integration project you created earlier to generate the necessary credentials.

### Get credentials

<Steps>
  <Step>
    Navigate back to **APIs & Services** > **Credentials** and select the service account you just created.
  </Step>

  <Step>
    Click the service account's email address.
  </Step>

  <Step>
    On the **Service Account Details Page**, click **KEYS**.
  </Step>

  <Step>
    Click **ADD KEY** > **Create new key**.
  </Step>

  <Step>
    Choose **JSON** and click **CREATE**. The new key is created and downloaded to your computer.
  </Step>

  <Step>
    Keep the downloaded file safe. You'll use it to set up the connector.
  </Step>
</Steps>

**Done.** Next, move on to the instructions for your chosen setup method.
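
Before uploading the key, you can check that the downloaded file is the one you expect and is not readable by other local accounts. This is an added example, not part of C1's tooling: it assumes a POSIX file system and that the service account ID you saved is the account's email address. The function name and the sample key (all placeholder values) are constructed for illustration.

```python
import json
import os
import stat

# Constructed sample with the fields a Google service account key file carries.
# Every value is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "client_email": "c1-integration@example-project.iam.gserviceaccount.com",
}


def check_key_file(path: str, expected_email: str) -> list:
    """Return the problems found with a downloaded key file (empty if none)."""
    problems = []
    mode = os.stat(path).st_mode
    # POSIX only: any group/other bit lets other local accounts touch the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {stat.S_IMODE(mode):04o} grants access beyond the owner")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return problems + ["file is not valid JSON"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if key.get("client_email") != expected_email:
        problems.append("client_email does not match the expected service account")
    for field in ("project_id", "private_key_id", "private_key"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    return problems


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_KEY, fh)
        os.chmod(path, 0o644)   # a common default mode for a new file
        print(check_key_file(path, SAMPLE_KEY["client_email"]))
        os.chmod(path, 0o600)   # owner-only
        print(check_key_file(path, SAMPLE_KEY["client_email"]))
```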

## Configure the Google Cloud Platform connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Google Cloud Platform credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Google Cloud Platform** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Google Cloud Platform connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Upload the JSON file in the **Credentials (JSON)** field.
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Google Cloud Platform connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use a connector hosted and run in your own environment.**

    *Self-hosted connector not currently available.*
  </Tab>
</Tabs>
