Sync GCP Project Users from GCP Groups

Overview

This article explains how to sync GCP project users from GCP groups into Sprinto. The process uses GCP's Cloud Asset analyzeIamPolicy query with two specific options that expand groups and output group edges, so that every user who holds a project role only through group membership is detected and kept up to date in Sprinto.

Prerequisites

Before you begin, ensure that:

  • You have access to a GCP account with the required permissions.

  • The gcp-sync-org-inherited-project-users feature flag is enabled in Sprinto.

  • You have the Group Reader role assigned to the GCP service account used for integration.

Procedure

1. Make the analyzeIamPolicy query

Run the analyzeIamPolicy query with the following options set:

  • analysisQuery.options.expandGroups: true

  • analysisQuery.options.outputGroupEdges: true

These options ensure that group memberships are expanded and group edge relationships are included in the query results.

2. Use the identityList.identities list

Instead of relying on iamBinding.members, use the identityList.identities list to obtain the full set of users. This ensures that inherited users from groups are also included in the sync.

3. Refactor user parsing logic

Update your user parsing logic to accommodate the new query output format.
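The following Python script is an added example illustrating steps 1 to 3 above; it is not Sprinto's own code. It builds the analyzeIamPolicy request URL with the two options, then parses a constructed response shaped like the Cloud Asset v1 API output (project, organization, group and user names are placeholders, and the failed nested-group entry is constructed to show what an unexpanded group looks like). The parser takes users from identityList.identities and groupEdges rather than iamBinding.members, and it separately reports groups the analysis could not expand, which is what you would see if the Group Reader role from the prerequisites were missing.

```python
"""Parse Cloud Asset analyzeIamPolicy output for inherited project users.

Added example, not Sprinto's code. SAMPLE_RESPONSE is constructed to mirror
the v1 API result layout; it was not captured from a real GCP organization.
"""
from __future__ import annotations

from urllib.parse import urlencode

CLOUD_ASSET_ENDPOINT = "https://cloudasset.googleapis.com/v1"


def analyze_iam_policy_url(scope: str, project_id: str) -> str:
    """GET URL for {scope}:analyzeIamPolicy restricted to one project, with
    group expansion and group edges turned on (the two options the article
    names). scope is e.g. 'organizations/<ORG_ID>' (placeholder)."""
    params = {
        "analysisQuery.resourceSelector.fullResourceName":
            f"//cloudresourcemanager.googleapis.com/projects/{project_id}",
        "analysisQuery.options.expandGroups": "true",
        "analysisQuery.options.outputGroupEdges": "true",
    }
    return f"{CLOUD_ASSET_ENDPOINT}/{scope}:analyzeIamPolicy?{urlencode(params)}"


# Constructed sample: one binding on the project itself, one inherited from
# the organization. alice/bob/dana hold roles only through groups.
SAMPLE_RESPONSE = {
    "mainAnalysis": {
        "analysisResults": [
            {
                "attachedResourceFullName":
                    "//cloudresourcemanager.googleapis.com/projects/example-project",
                "iamBinding": {"role": "roles/viewer",
                               "members": ["group:devs@example.com", "user:carol@example.com"]},
                "identityList": {
                    "identities": [
                        {"name": "group:devs@example.com", "analysisState": {"code": "OK"}},
                        {"name": "user:alice@example.com", "analysisState": {"code": "OK"}},
                        {"name": "user:bob@example.com", "analysisState": {"code": "OK"}},
                        {"name": "user:carol@example.com", "analysisState": {"code": "OK"}},
                    ],
                    "groupEdges": [
                        {"sourceNode": "group:devs@example.com", "targetNode": "user:alice@example.com"},
                        {"sourceNode": "group:devs@example.com", "targetNode": "user:bob@example.com"},
                    ],
                },
                "fullyExplored": True,
            },
            {
                "attachedResourceFullName":
                    "//cloudresourcemanager.googleapis.com/organizations/ORG_ID_PLACEHOLDER",
                "iamBinding": {"role": "roles/owner", "members": ["group:admins@example.com"]},
                "identityList": {
                    "identities": [
                        {"name": "group:admins@example.com", "analysisState": {"code": "OK"}},
                        {"name": "user:dana@example.com", "analysisState": {"code": "OK"}},
                        # constructed failure: a nested group the caller could not read
                        {"name": "group:nested@example.com",
                         "analysisState": {"code": "PERMISSION_DENIED", "cause": "constructed sample"}},
                    ],
                    "groupEdges": [
                        {"sourceNode": "group:admins@example.com", "targetNode": "user:dana@example.com"},
                        {"sourceNode": "group:admins@example.com", "targetNode": "group:nested@example.com"},
                    ],
                },
                "fullyExplored": False,
            },
        ],
        "fullyExplored": False,
    }
}


def _results(response: dict) -> list[dict]:
    return response.get("mainAnalysis", {}).get("analysisResults", [])


def binding_members(response: dict) -> set[str]:
    """The approach step 2 tells you to avoid: principals straight from
    iamBinding.members. Groups show up as 'group:' entries and the users
    inside them never appear."""
    return {m for r in _results(response) for m in r.get("iamBinding", {}).get("members", [])}


def inherited_project_users(response: dict) -> dict[str, dict]:
    """Map each non-group principal to the roles it holds and the groups that
    granted them, read from identityList.identities and groupEdges."""
    users: dict[str, dict] = {}
    for result in _results(response):
        role = result["iamBinding"]["role"]
        ident_list = result.get("identityList", {})
        granted_via: dict[str, set[str]] = {}  # member -> groups it was expanded from
        for edge in ident_list.get("groupEdges", []):
            granted_via.setdefault(edge["targetNode"], set()).add(edge["sourceNode"])
        for ident in ident_list.get("identities", []):
            name = ident["name"]
            if name.startswith("group:"):
                continue  # the group itself is a container, not a user
            if ident.get("analysisState", {}).get("code", "OK") != "OK":
                continue  # unresolved identity; surfaced by unexpanded_groups()
            entry = users.setdefault(name, {"roles": set(), "via_groups": set()})
            entry["roles"].add(role)
            entry["via_groups"].update(granted_via.get(name, ()))
    return users


def unexpanded_groups(response: dict) -> list[str]:
    """Groups the analysis could not expand. Users inside them are missing from
    the sync, so a non-empty list means the result is incomplete."""
    return [
        ident["name"]
        for result in _results(response)
        for ident in result.get("identityList", {}).get("identities", [])
        if ident["name"].startswith("group:")
        and ident.get("analysisState", {}).get("code", "OK") != "OK"
    ]


if __name__ == "__main__":
    print(analyze_iam_policy_url("organizations/ORG_ID_PLACEHOLDER", "example-project"))
    print("binding members only:", sorted(binding_members(SAMPLE_RESPONSE)))
    for user, info in sorted(inherited_project_users(SAMPLE_RESPONSE).items()):
        print(user, sorted(info["roles"]), "via", sorted(info["via_groups"]))
    print("unexpanded groups:", unexpanded_groups(SAMPLE_RESPONSE))
```

Run on the sample, the binding-members view lists only the two groups and carol, while the identity-based view lists alice, bob, carol and dana with the group each role came through. Treat a non-empty result from unexpanded_groups() as a sync failure rather than a partial success, since those users are silently absent.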

4. Test the configuration

Follow these steps to test the setup:

  1. Enable the feature flag

    • Set gcp-sync-org-inherited-project-users to active in your Sprinto configuration.

  2. Grant group read permission to the GCP service account

    • Go to Google Admin Console > Account > Admin roles > Group Reader.

    • Under Admins, select Assign service accounts.

    • Enter the client_email of your GCP service account.

    • Select Add, then Assign role.

  3. Refresh Sprinto CAS users

    • In Sprinto, refresh the CAS users list to apply the changes.

  4. Verify

    • Confirm that project users from GCP groups are now visible in Sprinto.