Connect the Google SecOps Integration with WIF Auth
This guide explains how to configure your Google SecOps instance for secure communication with Bindplane using Workload Identity Federation (WIF), which allows authentication without sharing long-lived service account keys.
Read more about Workload Identity Federation
WIF Authentication for the Google SecOps Integration is only supported in Bindplane Cloud. It is not supported for self-hosted Bindplane instances.
Overview
At a high level, you will:
It is highly recommended to use the gcloud CLI to perform these actions.
Prerequisites
You will need:
A Bindplane Cloud project with support for the Google SecOps Integration
This requires one of the following Bindplane plans:
Enterprise
Enterprise (Google Edition)
Google Edition
Your Google SecOps instance must be enabled for the "Data Processing Preview"
Contact your Google SecOps Account Manager for more information or to get enabled
The Bindplane Project ID of the project where you want to setup the Google SecOps Integration
Find this value on the Support page by clicking the blue question mark button on the bottom right of Bindplane
The GCP Project Number of your Google SecOps instance.
Find this value in Google SecOps at Settings -> Profile -> Organization Details.
Access to create and modify the following resources in the above GCP Project
Service Accounts
Workload Identity Pools
Workload Identity Providers
Run all of the commands below in the same terminal session so that the variables persist between steps.
0. Set Up Variables
Replace the placeholder values below with your Bindplane Project ID and GCP Project Number and run the commands to set up variables to be used later.
1. Create a Service Account
This service account will be impersonated using Workload Identity Federation.
Replace <YOUR_SA_NAME> below with a descriptive name for your new service account
1a. Configure Service Account Permissions
Per Google's Documentation, the service account must be configured with the proper permissions in order to manage Google SecOps resources. This can be done using a custom role, or with the Chronicle API Admin role.
Below are commands for each approach.
Option 1 (Preferred) - Custom Role
Create Custom Role
Replace <YOUR_ROLE_NAME> in the command below with any descriptive name
Bind Custom Role to Service Account
Option 2 - Chronicle Admin Role
2. Create a Workload Identity Pool
The Workload Identity Pool represents a trust boundary for external identities (Auth0).
Replace <YOUR_POOL_ID> with a descriptive name for your pool that fits the constraints set by Google.
3. Create a Workload Identity Provider (OIDC)
The provider validates tokens issued by Bindplane’s Auth0 tenant.
The attribute mapping and condition ensure that only tokens issued for your specific Bindplane project are allowed to impersonate the service account.
Read more about WIF Providers, Attribute Mappings, and Attribute Conditions
Replace <YOUR_PROVIDER_ID> with a descriptive name for your provider that fits the constraints set by Google.
4. Allow Service Account Impersonation
Grant the Workload Identity Pool permission to impersonate the service account.
Read more about Service Account Impersonation
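The commands for steps 1 through 4 (custom-role option) collected into one script, as an added example that is not Bindplane's own setup script. It defaults to a dry run that prints each gcloud command instead of executing it, so you can review the resource names before running with DRY_RUN=0. The Auth0 issuer URI, the token claim that carries the Bindplane project ID, and the Chronicle permissions for the custom role are placeholders (take the real values from Bindplane's and Google's instructions), and the GCP project ID is an added variable because the service account email is built from the project ID while the principal set is built from the project number.

```shell
#!/bin/sh
# Added example, not Bindplane's own script: assembles the gcloud commands for
# steps 1 through 4 (custom-role option) from one set of variables.
# DRY_RUN=1 (the default) only prints each command; DRY_RUN=0 executes it.
set -eu

# Values you already have from the Prerequisites section (constructed samples).
BINDPLANE_PROJECT_ID="${BINDPLANE_PROJECT_ID:-proj-abc}"
GCP_PROJECT_NUMBER="${GCP_PROJECT_NUMBER:-123456789012}"
GCP_PROJECT_ID="${GCP_PROJECT_ID:-my-secops-project}"
# Names you choose (must satisfy Google's naming constraints).
SA_NAME="${SA_NAME:-bindplane-secops}"
ROLE_NAME="${ROLE_NAME:-bindplaneSecOps}"
POOL_ID="${POOL_ID:-bindplane-pool}"
PROVIDER_ID="${PROVIDER_ID:-bindplane-auth0}"
# Assumptions: the issuer URI of Bindplane's Auth0 tenant, the token claim that
# carries the Bindplane project id, and the Chronicle permissions for the custom
# role come from Bindplane's and Google's own instructions. These three are
# placeholders, not real endpoints, claim names or permission names.
ISSUER_URI="${ISSUER_URI:-https://BINDPLANE_AUTH0_TENANT_PLACEHOLDER/}"
PROJECT_CLAIM="${PROJECT_CLAIM:-bindplane_project_claim_placeholder}"
ROLE_PERMISSIONS="${ROLE_PERMISSIONS:-chronicle.PLACEHOLDER_PERMISSION}"
DRY_RUN="${DRY_RUN:-1}"

# Service account email: built from the GCP project *ID*.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Pool resource name: built from the GCP project *number*.
wif_pool_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$1" "$2"
}

# Only identities whose mapped attribute equals the Bindplane project id fall
# into this principal set; anything else in the pool cannot impersonate the SA.
wif_principal_set() {
  printf 'principalSet://iam.googleapis.com/%s/attribute.bindplane_project/%s' \
    "$(wif_pool_name "$1" "$2")" "$3"
}

# Provider-level condition: tokens for any other Bindplane project are rejected
# before a federated identity is issued at all.
attribute_condition() { printf "attribute.bindplane_project == '%s'" "$1"; }

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

setup_wif() {
  sa="$(sa_email "$SA_NAME" "$GCP_PROJECT_ID")"
  # 1. Service account that Bindplane will impersonate
  run gcloud iam service-accounts create "$SA_NAME" --project="$GCP_PROJECT_ID" \
    --display-name="Bindplane Google SecOps"
  # 1a. Custom role with only the permissions Bindplane needs, bound to the SA
  run gcloud iam roles create "$ROLE_NAME" --project="$GCP_PROJECT_ID" \
    --permissions="$ROLE_PERMISSIONS" --stage=GA
  run gcloud projects add-iam-policy-binding "$GCP_PROJECT_ID" \
    --member="serviceAccount:$sa" \
    --role="projects/$GCP_PROJECT_ID/roles/$ROLE_NAME" --condition=None
  # 2. Workload Identity Pool (trust boundary for Bindplane's Auth0 identities)
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$GCP_PROJECT_ID" --location=global --display-name="Bindplane"
  # 3. OIDC provider: map the project claim and restrict it to this project only
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$GCP_PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" --issuer-uri="$ISSUER_URI" \
    --attribute-mapping="google.subject=assertion.sub,attribute.bindplane_project=assertion.$PROJECT_CLAIM" \
    --attribute-condition="$(attribute_condition "$BINDPLANE_PROJECT_ID")"
  # 4. Let only that principal set impersonate the service account
  run gcloud iam service-accounts add-iam-policy-binding "$sa" \
    --project="$GCP_PROJECT_ID" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_principal_set "$GCP_PROJECT_NUMBER" "$POOL_ID" "$BINDPLANE_PROJECT_ID")"
  # The values step 5 asks for in the Bindplane UI
  printf 'Service Account Email: %s\nWIF Pool ID: %s\nWIF Provider ID: %s\n' \
    "$sa" "$POOL_ID" "$PROVIDER_ID"
}

setup_wif
```

The two restrictions are deliberately layered: the provider's attribute condition stops tokens for other Bindplane projects at the federation step, and the principalSet member on the service account means that even an identity admitted to the pool can only impersonate the account if its mapped attribute matches your project ID.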
5. Configure the Google SecOps Integration in Bindplane
Set up the Bindplane Google SecOps Integration to use WIF Authentication
Run the following command to output the values you need to enter into Bindplane.
Ensure you are logged into the same Bindplane project as the Project ID you set in Step 0
Navigate to the Project Settings page in Bindplane using the menu in the top right
Scroll down to find the Integrations section
Press Connect or Edit to configure the integration
Fill out the Region, Customer ID, and Project Number parameters per the instructions in the dialog
Choose Workload Identity Federation (WIF) from the Authentication Method dropdown
Fill out the Service Account Email, WIF Pool ID, and WIF Provider ID with the values in the output from the above command
Press Connect or Save to complete the configuration and connect with Google SecOps.
A successful connection means you have correctly completed the setup!
In the case of a credentials-based error, a descriptive error message is shown at the bottom of the Google SecOps Integration editor.
Open the Developer Tools (F12) -> Console to view a raw technical error for further troubleshooting or support

Troubleshooting
If you're having issues setting up WIF Auth, first validate the following:
You created all the GCP resources (service account, WIF pool, etc.) in the GCP project associated with your Google SecOps Tenant
Your Google SecOps Tenant is enabled for the "Data Processing Pipelines Preview"
Contact your Google SecOps Account Manager for more information or to get enabled
You are setting up the Google SecOps Integration in the correct Bindplane Project. Your Bindplane Project ID should be the one used to create the WIF Provider in Step 3.
Find this value on the Support page by clicking the blue question mark button on the bottom right of Bindplane
Below are some commands to validate your resources have been created correctly.
Set Up Variables
For streamlined commands, set up the variables that will be referenced. Replace the placeholders below with the values you've generated from the above process.
Verify Service Account Exists
Expected response
Validate Service Account Permissions
Expected response
Or if you used the "Chronicle API Admin" role approach
Validate Custom Role Permissions
If you have used a custom role approach for your service account permissions, run the following command to validate the proper permissions are set. Replace the placeholder for <CUSTOM_SECOPS_ROLE> with the value from the previous command.
Expected response
Validate that the list of includedPermissions matches accordingly
Validate WIF Pool
Expected response
Ensure your pool is listed and is active
Validate WIF Provider
Expected response
Ensure your provider is active, and configured correctly
Validate Service Account Impersonation
Expected response
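The validation checks above, automated as an added example that is not part of Bindplane's documentation: two small shell functions read the output of the provider describe and service account get-iam-policy commands on stdin and fail unless the provider is active, its attribute condition pins your Bindplane project ID, and the expected principal set is bound to roles/iam.workloadIdentityUser specifically. The YAML samples are constructed here so the script runs offline; the issuer and claim name in them are placeholders.

```shell
#!/bin/sh
# Added example, not Bindplane's own script: checks the output of
# `gcloud ... providers describe` and `gcloud iam service-accounts get-iam-policy`
# against the values the setup should have produced. Real usage, for instance:
#   gcloud iam workload-identity-pools providers describe "$PROVIDER_ID" \
#     --location=global --workload-identity-pool="$POOL_ID" \
#     | check_provider "$BINDPLANE_PROJECT_ID"
set -eu

# Constructed sample of a provider description (YAML, as gcloud prints it by
# default). Field names follow the WorkloadIdentityPoolProvider resource; the
# issuer URI and claim name are placeholders.
sample_provider() {
  cat <<'EOF'
attributeCondition: attribute.bindplane_project == 'proj-abc'
attributeMapping:
  attribute.bindplane_project: assertion.bindplane_project_claim_placeholder
  google.subject: assertion.sub
name: projects/123456789012/locations/global/workloadIdentityPools/bindplane-pool/providers/bindplane-auth0
oidc:
  issuerUri: https://BINDPLANE_AUTH0_TENANT_PLACEHOLDER/
state: ACTIVE
EOF
}

# Constructed sample of the service account's IAM policy.
sample_sa_policy() {
  cat <<'EOF'
bindings:
- members:
  - principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/bindplane-pool/attribute.bindplane_project/proj-abc
  role: roles/iam.workloadIdentityUser
etag: BwYexampleEtag=
version: 1
EOF
}

# Reads a provider description on stdin; succeeds only if the provider is
# ACTIVE and its attribute condition pins the given Bindplane project id.
check_provider() {
  doc="$(cat)"
  printf '%s\n' "$doc" | grep -q '^state: ACTIVE$' \
    || { echo "provider is not ACTIVE"; return 1; }
  printf '%s\n' "$doc" | grep -qF "attributeCondition: attribute.bindplane_project == '$1'" \
    || { echo "attribute condition does not pin Bindplane project $1"; return 1; }
  echo "provider OK"
}

# Reads the SA IAM policy on stdin; succeeds only if the expected principal set
# is a member of roles/iam.workloadIdentityUser. The same member under some
# other role does not count, because that is not what step 4 granted.
check_impersonation() {
  awk -v want="$1" '
    /^- members:/ { n = 0; next }                       # a new binding starts
    /^  - /       { sub(/^  - /, ""); m[n++] = $0; next } # a member of it
    /^  role: /   { if ($2 == "roles/iam.workloadIdentityUser")
                      for (i = 0; i < n; i++) if (m[i] == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

expected_member='principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/bindplane-pool/attribute.bindplane_project/proj-abc'

sample_provider | check_provider proj-abc
sample_sa_policy | check_impersonation "$expected_member" && echo "impersonation binding OK"
```

If check_provider fails on the condition line, the most common cause is the one listed at the top of this section: the provider was created with a different Bindplane Project ID than the project you are configuring the integration in.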