Chariot integrates with Google Cloud Platform using Workload Identity Federation with OIDC tokens to provide secure, temporary access to your GCP resources, i.e., no service account keys or other long-term credentials are created. The integration supports both Organization-level and Project-level access.
Chariot uses a secure OIDC-based authentication pattern:
- Cognito Authentication: Chariot creates a unique user in its AWS Cognito pool for your integration with a unique subject identifier (UUIDv4)
- OIDC Token Exchange: Chariot authenticates with Cognito to obtain an ID token with your unique subject claim
- Workload Identity Federation: The ID token is exchanged for GCP access tokens through your configured Workload Identity Pool and Provider
- Temporary Credentials: As a result, only short-lived GCP access tokens (1-hour expiration) are used for secure access to your resources
This architecture ensures proper isolation through unique subject claims and eliminates the security risks associated with service account keys.
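The token flow described above, modelled offline as an added example (this is not Chariot's or Praetorian's code). It mints a stand-in Cognito ID token, applies the checks a Workload Identity Provider performs before mapping the identity (signature, issuer, audience, expiry, and an attribute condition pinning the subject claim), builds the request body that the GCP Security Token Service accepts for the exchange, and derives the federated principal that IAM role bindings target. The issuer URL, app client id, project number, pool and provider names, subject UUID and signing key are all constructed placeholders; Cognito signs with RS256, whereas this stand-in uses HS256 so that it runs without a key pair.

```python
"""Offline model of the Cognito OIDC -> GCP Workload Identity Federation exchange.

Added example, not Chariot's own code. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json

# --- constructed placeholders (not real identifiers) ---
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
COGNITO_CLIENT_ID = "example-cognito-app-client-id"
WIF_AUDIENCE = ("//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/chariot-pool/providers/chariot-provider")
PINNED_SUBJECT = "3f2c5b1e-9a7d-4c1f-8e2a-5d6b7c8d9e0f"  # the UUIDv4 assigned to the integration
SIGNING_KEY = b"constructed-demo-key"  # stand-in for Cognito's RS256 key pair
TOKEN_LIFETIME = 3600  # GCP STS access tokens expire after one hour


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub: str, now: int, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the Cognito ID token (HS256 here; Cognito uses RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": COGNITO_ISSUER, "aud": COGNITO_CLIENT_ID, "sub": sub,
              "token_use": "id", "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_assertion(token: str, now: int, key: bytes = SIGNING_KEY) -> dict:
    """Checks the provider applies before mapping the identity: signature, issuer,
    audience, expiry, and the attribute condition `assertion.sub == PINNED_SUBJECT`."""
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != COGNITO_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != COGNITO_CLIENT_ID:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("sub") != PINNED_SUBJECT:
        raise ValueError("subject not permitted by attribute condition")
    return claims


def build_sts_exchange_request(id_token: str) -> dict:
    """Body POSTed to https://sts.googleapis.com/v1/token to swap the OIDC assertion
    for a short-lived federated GCP access token (field names follow the STS API)."""
    return {
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": WIF_AUDIENCE,
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "subjectTokenType": "urn:ietf:params:oauth:token-type:jwt",
        "subjectToken": id_token,
    }


def federated_principal(sub: str) -> str:
    """Principal identifier GCP IAM sees for this subject; role bindings target this string."""
    pool = WIF_AUDIENCE.split("/providers/")[0].lstrip("/")
    return f"principal://{pool}/subject/{sub}"


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_id_token(PINNED_SUBJECT, now)
    print(validate_assertion(token, now))
    print(json.dumps(build_sts_exchange_request(token), indent=2)[:200], "...")
    print(federated_principal(PINNED_SUBJECT))
```

Pinning the subject in the provider's attribute condition is what gives the per-integration isolation the text refers to: a token from the same Cognito pool with any other `sub` is rejected before any GCP credential is issued, and because the STS response is an access token with a one-hour lifetime, there is no long-lived secret to rotate or leak.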
Integration Options
Chariot provides integrations at both the Organization level and the Project level. Praetorian recommends integrating at the Organization level for the most comprehensive coverage and experience.
For either integration level, the necessary setup can be performed by deploying infrastructure as code (IaC) in the form of Terraform, or by deploying resources manually through the GCP Console. Praetorian recommends deploying via Terraform.
Refer to the following articles for detailed instructions on each of the deployment methods:
- Infrastructure as Code - Covers Terraform deployments for both integration scopes.
- Manual Deployment - Step-by-step console-based setup instructions.
Requested Access
For GCP integrations, Chariot requires specific permissions according to the integration scope. When integrating at the Organization level, Project-level permissions are inherited automatically.
Organization-Level Integration
Each of the following roles is requested at the Organization scope:
- Viewer - Provides read access across all Projects and resources within the Organization
- Organization Policy Viewer - Enables review of Organization-wide policies and constraints
- Organization Role Viewer - Allows examination of custom roles and permissions at the Organization level
- Security Reviewer - Provides access to security-related configurations and audit information
- Compute Viewer - Enables review of compute resources across all Projects
- App Engine Viewer - Provides read access to App Engine applications and configurations
- Cloud Asset Viewer - Allows comprehensive asset inventory and configuration review
Project-Level Integration
Each of the following roles is requested at the scope of the Project you are integrating:
- Viewer - Provides read access to all resources within the specific Project
- Security Reviewer - Provides access to security-related configurations within the Project
- Compute Viewer - Enables review of compute resources within the Project
- App Engine Viewer - Provides read access to App Engine applications within the Project
- Cloud Asset Viewer - Allows asset inventory and configuration review within the Project
Organization-Level Permissions (for Project-Level Integration): In addition to the Project-level permissions, Chariot needs the following permissions at the Organization scope. These permissions allow Chariot to perform comprehensive analysis for privilege escalation and permission inheritance.
- Organization Policy Viewer - Enables review of Organization policies that may affect the Project
- Organization Role Viewer - Allows examination of Organization-level custom roles
- Custom Role with Folder Permissions - Includes the following permissions for folder-level visibility:
  - resourcemanager.folders.get
  - resourcemanager.folders.getIamPolicy
  - resourcemanager.folders.list
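A least-privilege check for the bindings listed in this section, as an added example (not Chariot's own tooling). Given an IAM policy in the shape that `gcloud organizations get-iam-policy` emits as JSON and a custom role definition in the shape of `gcloud iam roles describe`, it reports any role the federated principal holds beyond the documented set, any documented role it lacks, and any permission in the custom folder role beyond the three listed above. The role ids are the predefined roles that correspond to the display names on this page as I understand them, to be confirmed against the deployment article you follow; the organization number, project number, pool name, subject UUID and custom role id are placeholders, and the sample policy is constructed with one over-broad binding so the finding is visible.

```python
"""Least-privilege audit of the Chariot federated principal's GCP role bindings.

Added example, not Chariot's own code. Inputs below are constructed samples.
"""
import json

# Predefined-role ids for the display names in the Organization-level list (my mapping)
ORG_LEVEL_ROLES = {
    "roles/viewer",                       # Viewer
    "roles/orgpolicy.policyViewer",       # Organization Policy Viewer
    "roles/iam.organizationRoleViewer",   # Organization Role Viewer
    "roles/iam.securityReviewer",         # Security Reviewer
    "roles/compute.viewer",               # Compute Viewer
    "roles/appengine.appViewer",          # App Engine Viewer
    "roles/cloudasset.viewer",            # Cloud Asset Viewer
}
# Organization-scope roles a Project-level integration still needs; custom role id is a placeholder
PROJECT_LEVEL_ORG_ROLES = {
    "roles/orgpolicy.policyViewer",
    "roles/iam.organizationRoleViewer",
    "organizations/123456789/roles/chariotFolderViewer",
}
FOLDER_PERMISSIONS = {
    "resourcemanager.folders.get",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list",
}

# Placeholder federated principal (Workload Identity Pool subject)
PRINCIPAL = ("principal://iam.googleapis.com/projects/123456789012/locations/global/"
             "workloadIdentityPools/chariot-pool/subject/3f2c5b1e-9a7d-4c1f-8e2a-5d6b7c8d9e0f")

# Constructed policy: the roles/editor binding is deliberately present to produce a finding
SAMPLE_ORG_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/orgpolicy.policyViewer", "members": [PRINCIPAL]},
        {"role": "roles/iam.organizationRoleViewer",
         "members": [PRINCIPAL, "user:alice@example.com"]},
        {"role": "organizations/123456789/roles/chariotFolderViewer", "members": [PRINCIPAL]},
        {"role": "roles/editor", "members": [PRINCIPAL]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})

# Constructed custom role with one permission beyond the documented three
SAMPLE_CUSTOM_ROLE = json.dumps({
    "name": "organizations/123456789/roles/chariotFolderViewer",
    "includedPermissions": [
        "resourcemanager.folders.get",
        "resourcemanager.folders.getIamPolicy",
        "resourcemanager.folders.list",
        "resourcemanager.folders.delete",
    ],
    "stage": "GA",
})


def roles_for_member(policy_json: str, member: str) -> set:
    """Every role whose binding lists the member (conditional bindings are treated as granted)."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_bindings(policy_json: str, member: str, expected: set) -> dict:
    """Roles the principal holds beyond the documented set, and documented roles it lacks."""
    granted = roles_for_member(policy_json, member)
    return {"unexpected": sorted(granted - expected), "missing": sorted(expected - granted)}


def audit_custom_role(role_json: str, expected_permissions: set) -> list:
    """Permissions in the custom role that exceed the documented folder-read permissions."""
    role = json.loads(role_json)
    return sorted(set(role.get("includedPermissions", [])) - expected_permissions)


if __name__ == "__main__":
    print(audit_bindings(SAMPLE_ORG_POLICY, PRINCIPAL, PROJECT_LEVEL_ORG_ROLES))
    print(audit_custom_role(SAMPLE_CUSTOM_ROLE, FOLDER_PERMISSIONS))
```

Run this against a real export by replacing the sample strings with the files `gcloud` writes; a non-empty `unexpected` list or any extra permission in the custom role means the deployment drifted from the read-only scope this page documents and should be corrected in the Terraform or console configuration.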
Conclusion
The Chariot-GCP integration uses Workload Identity Federation and OIDC authentication to provide secure, temporary access to your Google Cloud resources. By eliminating long-term credentials and service account keys, this integration reduces your attack surface while maintaining comprehensive visibility across your cloud infrastructure.
Whether you choose Organization-level integration for maximum coverage or Project-level integration for targeted analysis, Chariot's robust permission model ensures thorough security assessment capabilities. The Infrastructure as Code deployment option using Terraform provides a repeatable, auditable setup process that aligns with modern DevOps practices.
With short-lived access tokens, unique subject identifiers, and proper resource isolation, this integration establishes a secure foundation for continuous cloud security monitoring and assessment. The carefully scoped permissions enable Chariot to deliver comprehensive security insights while adhering to the principle of least privilege access.