GCP Principal User Password

Rotating Google Workspace user account passwords with Keeper

Overview

In this guide, you will learn how to rotate passwords for Google Workspace users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The Google Principal user accounts to be rotated are stored in PAM User records.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your role

  • Keeper Rotation is enabled for your role

  • A Keeper Secrets Manager application has been created

  • A Keeper Rotation gateway is already installed and running

  • Your Google Cloud environment is configured per our documentation

The Keeper Gateway uses Google Admin APIs to rotate the credentials defined in the PAM User records.

1. Create Shared Folder

In this folder, you’ll create records for the Google Principal accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.

PAM User Records for IAM Users
Shared Folder containing PAM User records

Keeper Rotation uses the Google Admin API to rotate the PAM User records in your Google Workspace environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.

The following table lists all the required fields on the PAM User record:

| Field | Description |
| --- | --- |
| Title | Keeper record title, e.g. AWS user: TestUser |
| Login | Complete email address of the account being rotated. |
| Password | Providing a password is optional. Performing a rotation will set one if this field is left blank. |

PAM User records for IAM Users

3. Set up PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:

| Field | Description |
| --- | --- |
| Title | Configuration name, for example: GCP Workspace Configuration |
| Environment | Select: Google Cloud |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application. |
| Application Folder | Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records. |
| GCP ID | A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it is recommended to keep it short, e.g. GCP-DepartmentName |
| Service Account Key | Copy the JSON text of the service account key of the Gateway |
| Google Workspace Administrator Email | The email address for a Workspace administrator account that can be used to manage passwords for GCP Principals. |

For more details on all the configurable fields in the PAM Configuration record, visit this page.

PAM Configuration for Google Cloud Environment
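
Before pasting values into the PAM Configuration and PAM User records, the inputs described in the tables above can be sanity-checked offline. The following is an added example, not Keeper's code: the function name `check_pam_inputs`, the sample key and the addresses are constructed, and the rule that the administrator email must not be a service account address is an assumption drawn from the field description.

```python
import json
import re

# Fields found in a Google Cloud service account key file (JSON format).
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_pam_inputs(key_json, admin_email, user_logins):
    """Return a list of problems (empty means OK). Never echoes key material."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"Service Account Key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["Service Account Key must be a JSON object"]

    problems = [f"Service Account Key is missing '{f}'"
                for f in REQUIRED if not key.get(f)]
    if key.get("type") not in (None, "", "service_account"):
        problems.append("Key 'type' is not 'service_account'")
    pem = str(key.get("private_key") or "").strip()
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("'private_key' is not an intact PEM block")
    sa_email = str(key.get("client_email") or "")
    if sa_email and not sa_email.endswith(".gserviceaccount.com"):
        problems.append("'client_email' is not a service account address")

    # Assumption: the administrator is a Workspace user, not the service account.
    if not EMAIL_RE.match(admin_email) or admin_email.endswith(".gserviceaccount.com"):
        problems.append("Administrator Email is not a Workspace user address")
    # The Login field must hold the complete email address.
    problems += [f"PAM User Login '{login}' is not a complete email address"
                 for login in user_logins if not EMAIL_RE.match(login)]
    return problems


# Constructed sample key: placeholder values only, not a usable credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "keeper-gateway@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for p in check_pam_inputs(SAMPLE_KEY, "admin@example.com", ["TestUser"]):
        print("FAIL:", p)
```

The check only inspects structure; it does not contact Google or confirm that the key is valid or that the administrator account has the required privileges.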

4. Configure Rotation on the PAM User Records

Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".

  • Select "IAM User" as the rotation method, since this uses Google Admin APIs.

  • The "Rotation Settings" should use the PAM Configuration set up previously.

  • Select the desired schedule and password complexity.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Google Cloud IAM User Password

Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
