Connect the Google SecOps Integration with WIF Auth

This guide explains how to configure your Google SecOps instance for secure communication w/ Bindplane using Workload Identity Federation (WIF). Allowing for authentication without having to share long-lived service account keys.

WIF Authentication for the Google SecOps Integration is only supported in Bindplane Cloud. It is not supported for self-hosted Bindplane instances.

Overview

At a high level, you will:

It is highly recommended to use the gcloud CLI to perform these actions.

Prerequisites

You will need:

A Bindplane Cloud project with support for the Google SecOps Integration
- This requires one of the following Bindplane plans:
  - Enterprise
  - Enterprise (Google Edition)
  - Google Edition
The Bindplane Project ID of the project where you want to setup the Google SecOps Integration
- Find this value on the Support page by clicking the blue question mark button on the bottom right of Bindplane
The GCP Project Number of your Google SecOps instance.
- Find this value in Google SecOps at Settings -> Profile -> Organization Details.
Access to create and modify the following resources in the above GCP Project
- Service Accounts
- Workload Identity Pools
- Workload Identity Providers

Perform all the below commands in the same terminal session in order to persist variables

0. Set Up Variables

Replace the placeholder values below with your Bindplane Project ID and GCP Project Number and run the commands to set up variables to be used later.

BP_PROJECT_ID=<YOUR_BINDPLANE_PROJECT_ID>
GCP_PROJECT_NUMBER=<YOUR_GCP_PROJECT_NUMBER>
GCP_PROJECT_ID=$(gcloud projects describe $GCP_PROJECT_NUMBER --format="value(projectId)")

1. Create a Service Account

This service account will be impersonated using Workload Identity Federation.

Replace <YOUR_SA_NAME> below with a descriptive name for your new service account

SA_EMAIL=$(gcloud iam service-accounts create <YOUR_SA_NAME> \
  --project=$GCP_PROJECT_ID \
  --description="Service account for the Bindplane Google SecOps Integration" \
  --display-name="Bindplane Google SecOps Integration WIF" \
  --format="value(email)")

1a. Configure Service Account Permissions

Per Google's Documentation, the service account must be configured with the proper permissions in order to manage Google SecOps resources. This can be done using a custom role, or with the Chronicle API Admin role.

Below are commands for each approach.

Option 1 (Preferred) - Custom Role

Create Custom Role

Replace <YOUR_ROLE_NAME> in the command below with any descriptive name

CUSTOM_SECOPS_ROLE=$(gcloud iam roles create <YOUR_ROLE_NAME> \
  --project=$GCP_PROJECT_ID \
  --title="Custom Bindplane SecOps Integration Role" \
  --permissions="\
chronicle.logProcessingPipelines.associateStreams,\
chronicle.logProcessingPipelines.create,\
chronicle.logProcessingPipelines.delete,\
chronicle.logProcessingPipelines.dissociateStreams,\
chronicle.logProcessingPipelines.fetchAssociatedPipeline,\
chronicle.logProcessingPipelines.fetchSampleLogsByStreams,\
chronicle.logProcessingPipelines.get,\
chronicle.logProcessingPipelines.list,\
chronicle.logProcessingPipelines.testPipeline,\
chronicle.logProcessingPipelines.update,\
chronicle.logTypes.get,\
chronicle.logTypes.list,\
chronicle.feeds.get,\
chronicle.feeds.list,\
chronicle.logs.list" \
  --stage="GA" \
  --format="value(name)")

Bind Custom Role to Service Account

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="${CUSTOM_SECOPS_ROLE}"

Option 2 - Chronicle Admin Role

gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/chronicle.admin"

2. Create a Workload Identity Pool

The Workload Identity Pool represents a trust boundary for external identities (Auth0).

3. Create a Workload Identity Provider (OIDC)

The provider validates tokens issued by Bindplane’s Auth0 tenant.

The attribute mapping and condition ensure that only tokens issued for your specific Bindplane project are allowed to impersonate the service account.

Read more about WIF Providers, Attribute Mappings, and Attribute Conditions

Replace <YOUR_PROVIDER_ID> with a descriptive name for your pool that fits the constraints set by Google.

WIF_PROVIDER_ID=<YOUR_PROVIDER_ID>
gcloud iam workload-identity-pools providers create-oidc $WIF_PROVIDER_ID \
  --project=$GCP_PROJECT_ID \
  --location="global" \
  --workload-identity-pool=$WIF_POOL_ID \
  --issuer-uri="https://auth0.app.bindplane.com" \
  --allowed-audiences="https://auth0.app.bindplane.com/secops-wif" \
  --attribute-mapping="google.subject=assertion.sub,attribute.project_id=assertion['https://auth0.app.bindplane.com/project_id']" \
  --attribute-condition="attribute.project_id=='${BP_PROJECT_ID}'"

4. Allow Service Account Impersonation

Grant the Workload Identity Pool permission to impersonate the service account.

gcloud iam service-accounts add-iam-policy-binding $SA_EMAIL \
  --project=$GCP_PROJECT_ID \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${WIF_POOL_ID}/attribute.project_id/${BP_PROJECT_ID}"

5. Configure the Google SecOps Integration in Bindplane

Set up the Bindplane Google SecOps Integration to use WIF Authentication

Run the following command to output the values needed to input into Bindplane

echo "\nGCP Project Number: $GCP_PROJECT_NUMBER\nService Account Email: $SA_EMAIL\nWIF Pool ID: $WIF_POOL_ID\nWIF Provider ID: $WIF_PROVIDER_ID"

Ensure you are logged into the same Bindplane project as the Project ID you set in Step 0

Navigate to the Project Settings page in Bindplane using the menu in the top right
Scroll down to find the Integrations section
Press Connect or Edit to configure the integration
Fill out the Region, Customer ID, and Project Number parameters per the instructions in the dialog
Choose Workload Identity Federation (WIF) from the Authentication Method dropdown
Fill out the Service Account Email, WIF Pool ID, and WIF Provider ID with the values in the output from the above command
Press Connect or Save to complete the configuration and connect with Google SecOps.
1. A successful connection means you have correctly completed the setup!
2. In the case of a credentials based error, a descriptive error message will be shown at the bottom of the Google SecOps Integration editor
3. Open the Developer Tools (F12) -> Console to view a raw technical error for further troubleshooting or support

PreviousMigrating from the Deprecated Google Chronicle Forwarder NextKubernetes

Last updated 2 days ago

Was this helpful?

Good afternoon

hashtagOverview

hashtagPrerequisites

hashtag0. Set Up Variables

hashtag1. Create a Service Account

hashtag1a. Configure Service Account Permissions

hashtagOption 1 (Preferred) - Custom Role

hashtagOption 2 - Chronicle Admin Role

hashtag2. Create a Workload Identity Pool

hashtag3. Create a Workload Identity Provider (OIDC)

hashtag4. Allow Service Account Impersonation

hashtag5. Configure the Google SecOps Integration in Bindplane

Overview

Prerequisites

0. Set Up Variables

1. Create a Service Account

1a. Configure Service Account Permissions

Option 1 (Preferred) - Custom Role

Option 2 - Chronicle Admin Role

2. Create a Workload Identity Pool

3. Create a Workload Identity Provider (OIDC)

4. Allow Service Account Impersonation

5. Configure the Google SecOps Integration in Bindplane