Google Cloud
Password Rotation in the GCP Environment

Overview
In this section, you will learn how to rotate user credentials within the Google Cloud environment across various target systems and services.
KeeperPAM Record Types
Configurations for your GCP environment are defined in the PAM Configuration section of Keeper Secrets Manager. To authenticate to GCP and perform rotation, Keeper uses the service account inherited from the resource on which the Gateway is installed.
Configurations for managed resources like Compute Engine, Cloud SQL, and Managed Microsoft AD are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the Google Cloud managed resources supported by KeeperPAM and their corresponding PAM Record Type:

Resource                      PAM Record Type
Compute Engine VM             PAM Machine
Cloud SQL Instance            PAM Database
Managed Microsoft AD          PAM Directory
Google Workspace Principal    PAM User
Configurations for directory users, database users, or VM users are defined in the PAM User record type.
Prerequisites
To successfully rotate Google Cloud resource user accounts (VM, database, or directory users) or Google Workspace Principal accounts, the Keeper Gateway needs a service account with the permissions required to perform the password rotation.
See the Google Cloud environment setup guide for more information.
Setup Steps
At a high level, the following steps are needed to successfully rotate passwords on your Google Cloud network:

1. Create Shared Folders to hold the PAM records involved in rotation
2. Create PAM Machine, PAM Database and PAM Directory records representing each resource
3. Create PAM User records that contain the necessary account credentials for each resource
4. Link each PAM User record to its PAM Resource record
5. Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
6. Install a Keeper Gateway and add it to the Secrets Manager application
7. Create a PAM Configuration with the Google Cloud environment setting
8. Configure Rotation settings on the PAM User records