Google

Summary

Google is an ownership and cloud resources platform. You can use Google to drive insights into values such as:

  • Authentication
  • Catalog Discovery
  • Service Discovery
  • Ownership

Caution: For SSO, read our Google SSO Guide.

Setup

In order to connect Cortex to your Google instance you’ll need to create a Google Service Account and add it under Settings → Google. Additionally, you'll need to enable the Admin SDK API. For Google Cloud resources, you'll need to enable the Cloud Functions, Cloud SQL Admin, Cloud Storage, and Resource Manager APIs in each project.

The service account should also have the following permissions for each project to enable Google Cloud resources:

  • Cloud Functions → Cloud Functions Viewer
  • Cloud Pub/Sub → Pub/Sub Viewer
  • Cloud Resource Manager → Browser
  • Cloud SQL → Cloud SQL Viewer
  • Cloud Storage → Storage Admin
  • Compute Engine → Compute Viewer
  • Cloud Asset → Cloud Asset Viewer

If you'd like to create a custom role with the minimum permissions required to enable this feature, add the following:

resourcemanager.projects.get
resourcemanager.projects.list

storage.buckets.get
storage.buckets.list

cloudfunctions.functions.get
cloudfunctions.functions.list

cloudsql.instances.get
cloudsql.instances.list

pubsub.topics.get
pubsub.topics.list

compute.urlMaps.list
compute.urlMaps.get

cloudasset.assets.listResource
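
To confirm that a custom role grants exactly the minimum set above and nothing more, the following added example (not part of the original Cortex documentation) compares a role definition and a project IAM policy against that list. It assumes input shaped like the JSON from `gcloud iam roles describe --format=json` and `gcloud projects get-iam-policy --format=json`; the service account name, the role ID and the sample data are constructed for illustration.

```python
# Added example: audit a custom role and IAM policy against this page's list.
# Minimum permissions listed on this page for the custom role.
REQUIRED = {
    "resourcemanager.projects.get", "resourcemanager.projects.list",
    "storage.buckets.get", "storage.buckets.list",
    "cloudfunctions.functions.get", "cloudfunctions.functions.list",
    "cloudsql.instances.get", "cloudsql.instances.list",
    "pubsub.topics.get", "pubsub.topics.list",
    "compute.urlMaps.list", "compute.urlMaps.get",
    "cloudasset.assets.listResource",
}

def audit_role(role):
    """Diff a role's includedPermissions against the page's minimum set."""
    granted = set(role.get("includedPermissions", []))
    return {"missing": sorted(REQUIRED - granted),   # integration would break
            "excess": sorted(granted - REQUIRED)}    # beyond least privilege

def extra_bindings(policy, member, allowed_role):
    """Roles bound to `member` in the policy other than the custom role."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])
                   and b["role"] != allowed_role})

# Constructed sample data (hypothetical service account and role ID).
SA = "serviceAccount:cortex-reader@project1.iam.gserviceaccount.com"
ROLE = "projects/project1/roles/cortexReadOnly"
SAMPLE_ROLE = {
    "name": ROLE,
    # One required permission dropped, one write permission added.
    "includedPermissions": sorted(REQUIRED - {"pubsub.topics.list"})
                           + ["storage.objects.delete"],
}
SAMPLE_POLICY = {"bindings": [
    {"role": ROLE, "members": [SA]},
    {"role": "roles/editor", "members": [SA, "user:admin@example.com"]},
    {"role": "roles/viewer", "members": ["user:admin@example.com"]},
]}

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
    print(extra_bindings(SAMPLE_POLICY, SA, ROLE))
```
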

Caution: If you do not see the Settings page you're looking for in the sidebar, you likely don't have the proper permissions and need to contact your admin.

Ownership

Cortex can use Google Groups as an ownership provider, automatically syncing memberships from any Google Group mailing list.

Registration

Entity descriptor

You can define the following block in your Cortex entity descriptor to add your Google group as an owner.

x-cortex-owners:
  - type: group
    name: my-group-email@getcortexapp.com
    provider: GOOGLE
    description: This is a description for this owner # optional

The value for name should be the full group email as defined in Google Groups.

Cortex uses the resource name and project ID to look up catalog entities in your Google Cloud account. Function resource names should be of the format location/function.

x-cortex-infra:
  Google Cloud:
    resources:
      - resourceName: location/function
        projectId: project1
        resourceType: function
      - resourceName: example-bucket
        projectId: project1
        resourceType: storage

Dependencies

By default, Cortex will try to automatically discover dependencies between your entities and Google Cloud resources with a matching label. The label key that is matched by default is service; you can customize this key in the Google Cloud Settings page. If you'd like to explicitly define these Google Cloud dependencies, the x-cortex-dependency field should be a map, defined as follows:

x-cortex-dependency:
  gcp:
    labels:
      - key: my-key-1
        value: my-value-1
      - key: my-key-2
        value: my-value-2