Connect Sym with Google Cloud

Sym integrates with Google Cloud using Workload Identity Federation, allowing Sym to access Google Cloud resources and make API calls without a service account key.

Declare a gcp_connector module, which will create the resources necessary for the Sym Runtime to impersonate a service account in your Google Cloud environment.

module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "~> 1.0"

  environment = local.environment_name

  # Google recommends using a dedicated project for your Workload Identity Pools. Specify that project's ID here.
  # https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project
  identity_pool_project_id = "my-identity-pools"
  gcp_org_id               = "123456789"

  # For the Sym Integration to manage Google Groups, the Admin SDK API must be enabled.
  # Note: This only enables the API, and there are still manual steps required to assign the
  # generated service account a custom Admin Role in the Google Workspace Admin Console!
  enable_google_group_management = true
}

Allow Sym to Manage Google Group Memberships

If you wish to integrate with Google Groups, there are some additional manual steps that must be taken after applying the gcp_connector module above.

Create a Custom Google Workspace Admin Role

For the service account created by the gcp_connector module to manage Google Group memberships, it must be granted an Admin Role in Google Workspace that carries exactly the following Admin API privileges (limit the role to these rather than reusing a pre-built role such as Groups Admin, which grants more than Sym needs):

  • Organization Units > Read
  • Users > Read
  • Groups > Read
  • Groups > Update

In the Google Workspace Admin Console, create a new Custom Role with the above privileges. Then select "Assign service accounts" and enter the email of the service account created by the gcp_connector module.
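Because "Groups > Update" applies to every group in the customer, it is worth verifying after the console steps that the custom role carries only the four privileges above and is assigned to nothing but the gcp_connector service account. The following script is an added example, not code from the Sym docs or the gcp_connector module. It audits role and role-assignment records in the shape returned by the Admin SDK Directory API (rolePrivileges[].privilegeName, roleId, assignedTo, scopeType); the privilegeName strings mapped from the console labels, the service account's unique ID, and all sample records are assumptions constructed inline so the script runs offline.

```python
"""Least-privilege audit of the Google Workspace custom admin role granted to
the gcp_connector service account.

Added example; not part of the Sym docs or the gcp_connector module. The role
and roleAssignment dicts mirror Admin SDK Directory API field names; the
privilegeName values and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Console privilege label (as listed in the docs) -> Directory API
# privilegeName. The API names are an assumption for this example.
REQUIRED_PRIVILEGES = {
    "Organization Units > Read": "ORGANIZATION_UNITS_RETRIEVE",
    "Users > Read": "USERS_RETRIEVE",
    "Groups > Read": "GROUPS_RETRIEVE",
    "Groups > Update": "GROUPS_UPDATE",
}


@dataclass
class RoleAudit:
    role_name: str
    missing: list[str] = field(default_factory=list)      # required, not granted
    excess: list[str] = field(default_factory=list)       # granted, not required
    unexpected_assignees: list[str] = field(default_factory=list)
    is_super_admin: bool = False

    @property
    def ok(self) -> bool:
        return not (self.missing or self.excess
                    or self.unexpected_assignees or self.is_super_admin)


def audit_role(role: dict, assignments: list[dict], expected_assignee: str,
               required: dict[str, str] = REQUIRED_PRIVILEGES) -> RoleAudit:
    """Compare the role's privileges with the required set and confirm the
    role is assigned only to the expected principal."""
    granted = {p["privilegeName"] for p in role.get("rolePrivileges", [])}
    needed = set(required.values())
    audit = RoleAudit(role_name=role.get("roleName", "?"))
    audit.missing = sorted(needed - granted)
    audit.excess = sorted(granted - needed)
    # A super admin role grants everything regardless of rolePrivileges.
    audit.is_super_admin = bool(role.get("isSuperAdminRole"))
    for a in assignments:
        if a.get("roleId") == role.get("roleId") and a.get("assignedTo") != expected_assignee:
            audit.unexpected_assignees.append(a.get("assignedTo", "?"))
    return audit


# ---- Constructed sample data (assumed; not real API output) -----------------
SA_ID = "112233445566778899001"          # unique ID of the gcp_connector service account
HUMAN_ADMIN_ID = "998877665544332211000"  # some other admin principal

GOOD_ROLE = {
    "roleId": "1001", "roleName": "Sym Group Manager", "isSuperAdminRole": False,
    "rolePrivileges": [{"privilegeName": n} for n in REQUIRED_PRIVILEGES.values()],
}

# Missing the OU read privilege and carrying delete/update rights Sym does not need.
OVERBROAD_ROLE = {
    "roleId": "1002", "roleName": "Sym Group Manager (wrong)", "isSuperAdminRole": False,
    "rolePrivileges": [{"privilegeName": n} for n in (
        "USERS_RETRIEVE", "GROUPS_RETRIEVE", "GROUPS_UPDATE",
        "GROUPS_DELETE", "USERS_UPDATE")],
}

ASSIGNMENTS = [
    {"roleAssignmentId": "1", "roleId": "1001", "assignedTo": SA_ID, "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "2", "roleId": "1002", "assignedTo": SA_ID, "scopeType": "CUSTOMER"},
    {"roleAssignmentId": "3", "roleId": "1002", "assignedTo": HUMAN_ADMIN_ID, "scopeType": "CUSTOMER"},
]


def main() -> None:
    for role in (GOOD_ROLE, OVERBROAD_ROLE):
        result = audit_role(role, ASSIGNMENTS, SA_ID)
        status = "OK" if result.ok else "FINDINGS"
        print(f"{result.role_name}: {status}")
        if result.missing:
            print("  missing privileges:", ", ".join(result.missing))
        if result.excess:
            print("  excess privileges: ", ", ".join(result.excess))
        if result.unexpected_assignees:
            print("  also assigned to:  ", ", ".join(result.unexpected_assignees))
        if result.is_super_admin:
            print("  role is a super admin role")


if __name__ == "__main__":
    main()
```

In practice the role and assignment records would come from the Directory API (customer roles and roleAssignments listings, read with a separate auditing identity, not the Sym service account) and be fed to audit_role unchanged; the check is deliberately strict, treating any privilege beyond the four as a finding rather than a warning.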

The privileges to assign to the custom role

Select "Assign service accounts" to assign the role to the service account created by the gcp_connector module