Overview
Cortex integrates with Google both as an ownership provider (Google Groups) and as a cloud resources platform (Google Cloud). You can use the Google integration for:
- Authentication
- Catalog Discovery
- Service Discovery
- Ownership
For SSO, read our Google SSO Guide.
How to configure Google with Cortex
Prerequisites
Before you connect Cortex to your Google instance, you must do the following:
- Create a Google service account and add it in Cortex under Settings → Google.
- See Configure service account permissions below for the list of required service account permissions.
- Enable the Google Admin SDK API.
- For Google Cloud resources, in each project, enable the following:
- App Engine Admin API
- ArtifactRegistry API
- BigQuery API
- BigQuery Connection API
- Cloud Asset API
- Cloud Composer API
- Cloud Functions
- Cloud Storage
- Cloud SQL Admin
- Compute Engine API
- Memorystore for Memcached API
- Memorystore for Redis API
- OS Config API
- Kubernetes Engine API
- Resource Manager API
- Spanner API
- Serverless VPC Access API
- For each project in Vertex AI, enable the following:
Configure service account permissions
To discover Google Cloud resources, the service account also needs the following roles in each project:
- AI Platform → AI Platform Viewer, Dataform Viewer, Cloud Storage for Firebase Viewer, Data Catalog Viewer, Vision AI Viewer, Notebooks Viewer, Dataflow Viewer
- App Engine → App Engine Viewer
- Artifact Registry → Artifact Registry Reader
- BigQuery → BigQuery Metadata Viewer
- BigQuery Connection → BigQuery Connection User
- Cloud Asset → Cloud Asset Viewer
- Cloud Asset → ListResource
- Note: This permission is necessary to run services and jobs.
- Cloud Functions → Cloud Functions Viewer
- Cloud Pub/Sub → Pub/Sub Viewer
- Cloud Resource Manager → Browser
- Cloud Run → Cloud Run Viewer
- Cloud SQL → Cloud SQL Viewer
- Cloud Storage → Storage Admin
- Composer → Composer User
- Compute Engine, VM Instances → Compute Viewer
- Kubernetes Engine → Kubernetes Engine Viewer
- Memorystore Memcached → Cloud Memorystore Memcached Viewer
- Memorystore Redis → Cloud Memorystore Redis Viewer
- Service Accounts → View Service Accounts
- Spanner → Cloud Spanner Viewer
- VM Instances Vulnerabilities → OS VulnerabilityReport Viewer
- VPC Serverless Connector → Serverless VPC Access Viewer
If you'd prefer a custom role with the minimum permissions required for this feature, include the following permissions:
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.get
storage.buckets.list
cloudfunctions.functions.get
cloudfunctions.functions.list
cloudsql.instances.get
cloudsql.instances.list
pubsub.topics.get
pubsub.topics.list
compute.urlMaps.list
compute.urlMaps.get
compute.instances.list
compute.instances.get
compute.instanceGroups.list
compute.instanceGroups.get
cloudasset.assets.listResource
osconfig.vulnerabilityReports.get
redis.instances.list
redis.instances.get
memcache.instances.list
memcache.instances.get
run.services.list
run.services.get
run.jobs.list
run.jobs.get
bigquery.connections.get
bigquery.connections.list
bigquery.datasets.get
bigquery.routines.get
bigquery.routines.list
aiplatform.datasets.get
aiplatform.datasets.list
aiplatform.endpoints.get
aiplatform.endpoints.list
aiplatform.featurestores.get
aiplatform.featurestores.list
aiplatform.indexEndpoints.get
aiplatform.indexEndpoints.list
aiplatform.batchPredictionJobs.get
aiplatform.batchPredictionJobs.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.trainingPipelines.get
aiplatform.trainingPipelines.list
aiplatform.pipelineJobs.get
aiplatform.pipelineJobs.list
aiplatform.specialistPools.get
aiplatform.specialistPools.list
aiplatform.tensorboardExperiments.get
aiplatform.tensorboardExperiments.list
aiplatform.studies.get
aiplatform.studies.list
aiplatform.apps.get
aiplatform.apps.list
aiplatform.indexes.get
aiplatform.indexes.list
aiplatform.models.get
aiplatform.models.list
aiplatform.tensorboards.get
aiplatform.tensorboards.list
notebooks.instances.get
notebooks.instances.list
visionai.applications.get
visionai.applications.list
visionai.processors.get
visionai.processors.list
visionai.operators.get
visionai.operators.list
visionai.clusters.get
visionai.clusters.list
appengine.services.get
appengine.services.list
container.clusters.get
container.clusters.list
container.operations.get
container.operations.list
composer.environments.get
composer.environments.list
spanner.instances.get
spanner.instances.list
spanner.instanceConfigs.get
spanner.instanceConfigs.list
iam.serviceAccounts.get
iam.serviceAccounts.list
vpcaccess.connectors.get
vpcaccess.connectors.list
artifactregistry.repositories.get
artifactregistry.repositories.list
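The permission list above is the least-privilege alternative to granting the predefined Viewer and Admin roles. As an added example (not Cortex's own code), the script below diffs a custom role definition against that list and flags any granted permission whose verb is something other than get or list, so an over-broad role is caught before the key is handed to the integration. The role dict mirrors the shape `gcloud iam roles describe --format=json` returns, but it is a constructed sample with a placeholder project and role name.

```python
"""Added example, not Cortex's own code: least-privilege check for the
custom IAM role described on this page. The sample role, project and role
name below are constructed placeholders."""
from __future__ import annotations

# The minimum permission set listed on this page for the custom role.
REQUIRED_PERMISSIONS: frozenset[str] = frozenset("""
resourcemanager.projects.get resourcemanager.projects.list
storage.buckets.get storage.buckets.list
cloudfunctions.functions.get cloudfunctions.functions.list
cloudsql.instances.get cloudsql.instances.list
pubsub.topics.get pubsub.topics.list
compute.urlMaps.list compute.urlMaps.get
compute.instances.list compute.instances.get
compute.instanceGroups.list compute.instanceGroups.get
cloudasset.assets.listResource osconfig.vulnerabilityReports.get
redis.instances.list redis.instances.get
memcache.instances.list memcache.instances.get
run.services.list run.services.get run.jobs.list run.jobs.get
bigquery.connections.get bigquery.connections.list
bigquery.datasets.get bigquery.routines.get bigquery.routines.list
aiplatform.datasets.get aiplatform.datasets.list
aiplatform.endpoints.get aiplatform.endpoints.list
aiplatform.featurestores.get aiplatform.featurestores.list
aiplatform.indexEndpoints.get aiplatform.indexEndpoints.list
aiplatform.batchPredictionJobs.get aiplatform.batchPredictionJobs.list
aiplatform.modelDeploymentMonitoringJobs.get
aiplatform.modelDeploymentMonitoringJobs.list
aiplatform.trainingPipelines.get aiplatform.trainingPipelines.list
aiplatform.pipelineJobs.get aiplatform.pipelineJobs.list
aiplatform.specialistPools.get aiplatform.specialistPools.list
aiplatform.tensorboardExperiments.get aiplatform.tensorboardExperiments.list
aiplatform.studies.get aiplatform.studies.list
aiplatform.apps.get aiplatform.apps.list
aiplatform.indexes.get aiplatform.indexes.list
aiplatform.models.get aiplatform.models.list
aiplatform.tensorboards.get aiplatform.tensorboards.list
notebooks.instances.get notebooks.instances.list
visionai.applications.get visionai.applications.list
visionai.processors.get visionai.processors.list
visionai.operators.get visionai.operators.list
visionai.clusters.get visionai.clusters.list
appengine.services.get appengine.services.list
container.clusters.get container.clusters.list
container.operations.get container.operations.list
composer.environments.get composer.environments.list
spanner.instances.get spanner.instances.list
spanner.instanceConfigs.get spanner.instanceConfigs.list
iam.serviceAccounts.get iam.serviceAccounts.list
vpcaccess.connectors.get vpcaccess.connectors.list
artifactregistry.repositories.get artifactregistry.repositories.list
""".split())


def is_read_only(permission: str) -> bool:
    """True when the permission's verb (its last dotted segment) only reads."""
    verb = permission.rsplit(".", 1)[-1]
    return verb.startswith(("get", "list"))


def check_role(role: dict) -> dict[str, list[str]]:
    """Diff a role's includedPermissions against the minimum set and flag
    every granted permission that allows more than reading."""
    granted = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(REQUIRED_PERMISSIONS - granted),
        "extra": sorted(granted - REQUIRED_PERMISSIONS),
        "write_capable": sorted(p for p in granted if not is_read_only(p)),
    }


# Constructed sample role: one required permission left out and one
# unneeded write permission added, so every finding type shows up.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/cortexCatalogReader",  # placeholder
    "title": "Cortex catalog reader",
    "stage": "GA",
    "includedPermissions": sorted(
        (REQUIRED_PERMISSIONS - {"osconfig.vulnerabilityReports.get"})
        | {"storage.objects.delete"}
    ),
}

if __name__ == "__main__":
    for finding, permissions in check_role(SAMPLE_ROLE).items():
        print(f"{finding}: {permissions or 'none'}")
```

Run it against the JSON of your real role and treat a non-empty `write_capable` list as a blocker: nothing on this page requires the integration's service account to create, change or delete anything.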
If you do not see the settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.
Step 1: Configure the integration in Google
- In the G Suite admin console, navigate to Security > API Controls > Manage Domain Wide Delegation. Click Add new.
- Add the client ID you copied during the previous steps, and include the following scopes:
- Navigate to the service account you created for this integration. Click Keys, then generate a key in JSON format.
- Navigate to Admin Roles > Groups Reader and expand the "Admins" panel.
- Click Assign service accounts then enter the email of the service account you created for this integration.
Step 2: Configure the integration in Cortex
- In Cortex, navigate to the Google Cloud & Groups settings page:
- In Cortex, click your avatar in the lower left corner, then click Settings.
- Under "Integrations," click Google Cloud & Groups.
- Configure the Google integration form:
- Domain: Enter your Google domain.
- Service account email: Enter the email address for the service account.
- Credentials JSON: Enter the service account JSON key you created in the previous steps.
- Click Save.
By default, a service depends on any Google Cloud resource whose label key is "service" and whose label value equals the service's Cortex tag. After saving your integration, you can customize the label key by entering a new name in the Custom label key field. Leave it blank to use "service" as the key.
How to connect Cortex entities to Google
Enable automatic discovery of Google entities
You can configure automatic import from Google Cloud:
- In Cortex, navigate to the Entities Settings page.
- Next to Auto import from AWS, Azure, and/or Google Cloud, click the toggle to enable the import.
Automatic ownership of Google entities
Cortex can use Google Groups as an ownership provider, automatically syncing memberships from any Google Group mailing list.
Automatic Google dependency discovery
By default, Cortex will try to automatically discover dependencies between your entities and Google Cloud resources with a matching label. The label key that is matched is service by default; you can customize this key in the Google Cloud Settings page.
If you'd like to explicitly define these Google Cloud dependencies, the x-cortex-dependency field should be a map, defined as follows:
x-cortex-dependency:
  gcp:
    labels:
      - key: my-key-1
        value: my-value-1
      - key: my-key-2
        value: my-value-2
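To make the matching rule concrete, here is an added example (not Cortex's own code) that resolves an entity's Google Cloud dependencies from resource labels: the default rule (label key "service", or a custom key, equal to the entity's Cortex tag) and the explicit x-cortex-dependency form above. The resource inventory is a constructed list with placeholder names, not the Cloud Asset API's real shape; the entity is the dict a YAML loader would produce for a descriptor, with the tag read from x-cortex-tag. Two assumptions the page does not spell out: explicit labels replace the default rule when present, and a resource matching any one listed key/value pair counts as a dependency.

```python
"""Added example, not Cortex's own code: label-based dependency discovery
for one entity. Resource names, projects and labels are constructed."""
from __future__ import annotations

DEFAULT_LABEL_KEY = "service"


def label_pairs(entity: dict, label_key: str = DEFAULT_LABEL_KEY) -> list[tuple[str, str]]:
    """Label key/value pairs that make a resource a dependency of `entity`.

    Assumption: explicit x-cortex-dependency.gcp.labels replace the default
    rule; otherwise the configured key must equal the entity's Cortex tag."""
    explicit = ((entity.get("x-cortex-dependency") or {}).get("gcp") or {}).get("labels") or []
    if explicit:
        return [(label["key"], label["value"]) for label in explicit]
    return [(label_key, entity["x-cortex-tag"])]


def discover_dependencies(entity: dict, resources: list[dict],
                          label_key: str = DEFAULT_LABEL_KEY) -> list[str]:
    """Names of resources carrying any label pair the entity matches on."""
    wanted = set(label_pairs(entity, label_key))
    return sorted(
        resource["name"]
        for resource in resources
        if any((k, v) in wanted for k, v in (resource.get("labels") or {}).items())
    )


# Constructed inventory: what a label sweep over one project might return.
RESOURCES = [
    {"name": "storage/payments-uploads", "project": "example-project",
     "labels": {"service": "payments-api", "env": "prod"}},
    {"name": "sql/payments-db", "project": "example-project",
     "labels": {"owning-service": "payments-api"}},
    {"name": "function/us-central1/send-receipt", "project": "example-project",
     "labels": {"service": "notifications"}},
    {"name": "redis/sessions", "project": "example-project",
     "labels": {"tier": "cache"}},
]

# Entity relying on the default rule only.
PAYMENTS = {"x-cortex-tag": "payments-api"}

# Same entity with explicit dependency labels, as in the block above.
PAYMENTS_EXPLICIT = {
    "x-cortex-tag": "payments-api",
    "x-cortex-dependency": {"gcp": {"labels": [
        {"key": "owning-service", "value": "payments-api"},
        {"key": "tier", "value": "cache"},
    ]}},
}

if __name__ == "__main__":
    print("default key:", discover_dependencies(PAYMENTS, RESOURCES))
    print("custom key: ", discover_dependencies(PAYMENTS, RESOURCES, label_key="owning-service"))
    print("explicit:   ", discover_dependencies(PAYMENTS_EXPLICIT, RESOURCES))
```

The custom-key call shows why the Custom label key setting matters: with the default key the SQL instance is invisible to the entity, and a label typo on the resource side silently drops a dependency rather than raising an error.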
Editing the entity descriptor
You can define the following block in your Cortex entity descriptor to add your Google group as an owner:
x-cortex-owners:
  - type: group
    name: my-group-email@getcortexapp.com
    provider: GOOGLE
    description: This is a description for this owner # optional
The value for name should be the full group email as defined in Google Groups.
Cortex uses the resource name and project ID to look up the resources in your Google Cloud account that belong to a catalog entity. Function resource names should be of the format location/function:
x-cortex-infra:
  Google Cloud:
    resources:
      - resourceName: location/function
        projectId: project1
        resourceType: function
      - resourceName: example-bucket
        projectId: project1
        resourceType: storage
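A descriptor that names an owner by a bare group name or a function without its location is accepted as YAML but will not resolve in Cortex, so it is worth linting before commit. Below is an added example (not Cortex's own code) that checks the two Google-specific blocks above: Google owners must be groups named by a full group email, and function resources must be named location/function with a project ID. Descriptors are given as the dicts a YAML loader would produce; the regexes are this example's own approximations, not Cortex's validation rules.

```python
"""Added example, not Cortex's own code: a lint for the Google owner and
Google Cloud infra blocks of an entity descriptor. The regexes are this
example's approximations of the formats the page describes."""
from __future__ import annotations

import re

# Full group email: something@domain.tld, with no whitespace or slashes.
GROUP_EMAIL = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")
# location/function: exactly one slash and no whitespace on either side.
FUNCTION_NAME = re.compile(r"^[a-z0-9-]+/[^/\s]+$")
REQUIRED_RESOURCE_FIELDS = ("resourceName", "projectId", "resourceType")


def lint_descriptor(descriptor: dict) -> list[str]:
    """Return human-readable problems; an empty list means the blocks are clean."""
    problems: list[str] = []

    for i, owner in enumerate(descriptor.get("x-cortex-owners") or []):
        if owner.get("provider") != "GOOGLE":
            continue  # other ownership providers are out of scope here
        if owner.get("type") != "group":
            problems.append(f"owners[{i}]: Google owners use type 'group'")
        name = owner.get("name", "")
        if not GROUP_EMAIL.match(name):
            problems.append(f"owners[{i}]: name {name!r} is not a full group email")

    infra = (descriptor.get("x-cortex-infra") or {}).get("Google Cloud") or {}
    for i, res in enumerate(infra.get("resources") or []):
        for field in REQUIRED_RESOURCE_FIELDS:
            if not res.get(field):
                problems.append(f"resources[{i}]: missing {field}")
        name = res.get("resourceName", "")
        if res.get("resourceType") == "function" and not FUNCTION_NAME.match(name):
            problems.append(f"resources[{i}]: function resourceName must be location/function, got {name!r}")
    return problems


# Constructed descriptor mirroring the blocks above (region and function are placeholders).
GOOD_DESCRIPTOR = {
    "x-cortex-owners": [
        {"type": "group", "name": "my-group-email@getcortexapp.com", "provider": "GOOGLE"},
    ],
    "x-cortex-infra": {"Google Cloud": {"resources": [
        {"resourceName": "us-central1/send-receipt", "projectId": "project1", "resourceType": "function"},
        {"resourceName": "example-bucket", "projectId": "project1", "resourceType": "storage"},
    ]}},
}

# Constructed descriptor with the three mistakes the lint is meant to catch.
BAD_DESCRIPTOR = {
    "x-cortex-owners": [
        {"type": "group", "name": "my-group", "provider": "GOOGLE"},  # bare name, not an email
    ],
    "x-cortex-infra": {"Google Cloud": {"resources": [
        {"resourceName": "send-receipt", "projectId": "project1", "resourceType": "function"},  # no location
        {"resourceName": "example-bucket", "resourceType": "storage"},  # projectId missing
    ]}},
}

if __name__ == "__main__":
    for problem in lint_descriptor(BAD_DESCRIPTOR) or ["descriptor is clean"]:
        print(problem)
```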