You can add an asset for Google Cloud Secret Manager and have SPP manage its secrets directly, using a standard check and change password profile. This functionality is intended for DevOps scenarios in which the Google Cloud Secret Manager secret is a dependent account of an on-premises asset account that SPP already manages but that must also be accessible from Google Cloud. For more information on dependent accounts, see Adding account dependencies.
Example: Using the Google Cloud Secret Manager asset type in a DevOps scenario
If SPP manages an account for a PostgreSQL database that is used by your CI/CD pipeline in the cloud, workloads in Google Cloud can read the database credential from Secret Manager using the provider's own tooling, with no connection back to SPP. Whenever SPP changes the password of the PostgreSQL database, it also updates the secret value of the dependent account associated with the Google Cloud Secret Manager asset (in Secret Manager terms, it adds a new secret version), so consumers that read the latest version always receive the current password.
You can create and configure an asset in SPP to manage secrets in Google Cloud Secret Manager, if you meet the following prerequisites and perform the following steps.
To create a service account in Google Cloud
NOTE: Consider the following when configuring a service account in Google Cloud:
- The service account associated with the asset cannot be a managed account in a password profile that attempts to change its credential. In other words, SPP cannot rotate the service account's own key.
- In Google Cloud Secret Manager, secret names are case sensitive. Make sure that every account you create in SPP under this asset has a name that exactly matches the name of the corresponding secret in Google Cloud Secret Manager.
1. Create a service account in Google Cloud. For more information, see Create service accounts in the Google Cloud IAM documentation.
2. Create a service account key with JSON as the key type. For more information, see Create a service account key in the Google Cloud IAM documentation.
3. In SPP, when creating the asset for Google Cloud Secret Manager, upload the JSON service account key to SPP.
   NOTE: After creating the asset in SPP, delete the downloaded JSON file from your computer. The key is a long-lived credential; anyone who obtains the file can act as the service account.
4. To give the service account access to the Google Cloud Secret Manager secrets you want SPP to manage, in Google Cloud, grant the Secret Manager Secret Version Adder role (roles/secretmanager.secretVersionAdder) to the service account that SPP uses. Grant it on each individual secret rather than on the project, so that the service account can write only the secrets SPP manages. For more information, see Access control with IAM in the Secret Manager IAM documentation.
5. (Optional) If you also want to perform Check Password operations on the Google Cloud secret, grant the same service account the Secret Manager Secret Accessor role (roles/secretmanager.secretAccessor). Without it, Set and Change work but Check fails, because the Version Adder role permits adding versions but not reading their payload. For more information, see Access control with IAM in the Secret Manager IAM documentation.
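The prerequisite steps above, scripted as an added example (this is not One Identity or Google code): it builds the gcloud commands that create the service account and its JSON key, binds the two Secret Manager roles on each secret individually rather than on the project, and audits a secret's IAM policy afterwards. The project id example-project, the service account name spp-secrets, the secret id pg-ci-password and the sample policy JSON are constructed; the role ids and gcloud subcommands are the real ones.

```python
"""Added example (not One Identity or Google code): script the Google Cloud
prerequisites for an SPP Google Cloud Secret Manager asset with gcloud and
audit the resulting secret-level IAM policy. The project id, service account
name, key path, secret ids and the sample policy below are constructed."""
import json
import re
import subprocess

# Role needed for Set/Change Password (adds a new secret version).
ROLE_ADDER = "roles/secretmanager.secretVersionAdder"
# Role needed only if Check Password is used (reads a version's payload).
ROLE_ACCESSOR = "roles/secretmanager.secretAccessor"
# Secret Manager secret ids: letters, digits, hyphen, underscore, max 255 chars.
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def sa_email(project: str, sa_name: str) -> str:
    """Email of a user-managed service account in the given project."""
    return f"{sa_name}@{project}.iam.gserviceaccount.com"


def provisioning_commands(project, sa_name, key_path, secrets, enable_check=False):
    """Return, in execution order, the gcloud argv lists that realise the
    prerequisites: create the service account, create a JSON key, and bind
    the SPP roles on each secret individually (not on the whole project)."""
    email = sa_email(project, sa_name)
    cmds = [
        ["gcloud", "iam", "service-accounts", "create", sa_name,
         "--project", project, "--display-name", "SPP Secret Manager asset"],
        ["gcloud", "iam", "service-accounts", "keys", "create", key_path,
         "--iam-account", email, "--key-file-type", "json"],
    ]
    roles = [ROLE_ADDER] + ([ROLE_ACCESSOR] if enable_check else [])
    for secret in secrets:
        if not SECRET_ID_RE.match(secret):
            raise ValueError(f"not a valid Secret Manager secret id: {secret!r}")
        for role in roles:
            cmds.append(["gcloud", "secrets", "add-iam-policy-binding", secret,
                         "--project", project,
                         "--member", f"serviceAccount:{email}", "--role", role])
    return cmds


def run(cmds, dry_run=True):
    """Print the commands (dry run) or execute them, stopping on the first failure."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


def audit_secret_policy(policy, email, enable_check=False):
    """Compare one secret's IAM policy (the JSON printed by
    `gcloud secrets get-iam-policy SECRET --format=json`) with the roles the
    SPP service account should hold. Returns (missing_roles, extra_roles)."""
    member = f"serviceAccount:{email}"
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    wanted = {ROLE_ADDER} | ({ROLE_ACCESSOR} if enable_check else set())
    return sorted(wanted - held), sorted(held - wanted)


# Constructed sample policy: the SPP account was given the Version Adder role
# but also Secret Manager Admin, which the asset does not need.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/secretmanager.secretVersionAdder",
     "members": ["serviceAccount:spp-secrets@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/secretmanager.admin",
     "members": ["serviceAccount:spp-secrets@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXexample=",
  "version": 1
}""")

if __name__ == "__main__":
    run(provisioning_commands("example-project", "spp-secrets", "./spp-secrets-key.json",
                              ["pg-ci-password"], enable_check=True))
    print(audit_secret_policy(SAMPLE_POLICY, sa_email("example-project", "spp-secrets")))
```

Run it with dry_run=True first and read the commands; the audit catches the common shortcut of granting a broad role such as Secret Manager Admin at project level, which the asset does not need and which would let a compromised SPP key read or rewrite every secret in the project.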
To configure an asset for Google Cloud Secret Manager
1. Navigate to Asset Management > Assets and click New Asset.
2. In the General tab, enter a Name for your asset.
3. In the Connection tab, for Platform, select Google Cloud Secret Manager.
4. (Optional) Enter any additional information in the Version field.
5. (Optional) Enter any additional information in the Architecture field.
6. For Authentication Type, select API Key.
7. For API Key, click Browse, and on your computer, select the service account key JSON file that you downloaded from Google Cloud as a prerequisite.
8. (Optional) To have SPP verify the connection to Google Cloud, click Test Connection.
9. To save your changes, click OK.
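Before the API Key step hands the key file to SPP, as an added example (not One Identity code), here is a check that the file really is a service account key for the intended project and service account, followed by the file removal that the prerequisites note calls for. The expected project, the service account and the sample key contents are constructed placeholders; the field names are those of a real Google service account key file.

```python
"""Added example (not One Identity or Google code): sanity-check a downloaded
service account key file before uploading it to SPP as the asset's API Key,
then remove the file. The expected project and service account, and the
sample key contents, are constructed placeholders."""
import json
import os
import tempfile

# Fields every Google service account key file carries and that SPP will need.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def key_problems(key, expected_project, expected_email):
    """Return a list of reasons the key must not be uploaded; empty means OK."""
    problems = [f"missing field {f!r}" for f in REQUIRED_FIELDS if f not in key]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']!r} != {expected_project!r}")
    if key["client_email"] != expected_email:
        problems.append(f"client_email {key['client_email']!r} != {expected_email!r}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 private key")
    return problems


def check_key_file(path, expected_project, expected_email):
    """Load the JSON file SPP will be given and validate it."""
    with open(path, encoding="utf-8") as fh:
        return key_problems(json.load(fh), expected_project, expected_email)


def remove_key_file(path):
    """Overwrite the key material once, then unlink. Best effort only: on
    journaling or copy-on-write filesystems the old blocks may survive, so if
    the file was ever copied or synced elsewhere, rotate the key instead."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\0" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return not os.path.exists(path)


# Constructed sample key. The private_key is a placeholder, not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "spp-secrets@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def demo():
    """Write the sample key to a temp file, check it, then remove it, as you
    would after uploading the real file to SPP. Returns (problems, removed)."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_KEY, fh)
    problems = check_key_file(path, "example-project", SAMPLE_KEY["client_email"])
    removed = remove_key_file(path)
    return problems, removed


if __name__ == "__main__":
    print(demo())
```

If key_problems reports a mismatch, do not upload the file: a key for the wrong project or the wrong service account will either fail Test Connection or, worse, grant SPP access to secrets you did not intend to delegate.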
To manage secrets in Google Cloud Secret Manager
1. Navigate to Asset Management > Accounts, and click New Account.
2. In the Select the asset for the account dialog, select the Google Cloud Secret Manager asset to associate with this account, then click Select Asset.
3. In the General tab, enter a Name for the account.
   NOTE: The account associated with the Google Cloud Secret Manager asset must have exactly the same name (including case) as the secret that you created in Google Cloud as a prerequisite.
4. In the Management tab, depending on the data you have stored in the Google Cloud secret, select the applicable option for your secret:
   - Enable Password Request
   - Enable SSH Key Request
   - Enable File Request
5. In the Secrets tab, set or change one of the following secret types:
   - Password
   - SSH Key
   - File
   - API Keys
6. (Optional) To verify that the secret is in sync with the One Identity Safeguard for Privileged Passwords database, click Check.
   NOTE: To do so, you must have granted the Google Cloud Secret Manager service account the Secret Manager Secret Accessor role. For more information, see Access control with IAM in the Secret Manager IAM documentation.
7. To set or reset (change) a secret, click Set or Change, respectively.
TIP: Consider the following:
- You can add an account dependency between the managed Google Cloud Secret Manager account and any other account that SPP manages. For more information, see Adding account dependencies.
- You can add an account that is tied to the Google Cloud Secret Manager asset to a password-based access request policy. For more information, see Creating an access request policy.
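The exact-name requirement in step 3, as an added example that is not One Identity code: it reconciles the account names you intend to create under the asset with the secret ids Google Cloud actually reports, flagging names that differ only in case (which Secret Manager treats as different secrets) before the first Check or Change fails with a not-found error. The account names and the gcloud listing are constructed.

```python
"""Added example (not One Identity or Google code): reconcile intended SPP
account names with the secret ids present in Google Cloud Secret Manager.
The account names and the sample gcloud listing are constructed."""
import re

# Secret Manager secret ids: letters, digits, hyphen, underscore, max 255 chars.
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


def secret_ids_from_gcloud(listing):
    """Parse the output of `gcloud secrets list --format='value(name)'`
    (one resource name such as projects/<project>/secrets/<id> per line;
    bare ids are accepted too) into a list of secret ids."""
    ids = []
    for line in listing.splitlines():
        line = line.strip()
        if line:
            ids.append(line.rsplit("/", 1)[-1])
    return ids


def reconcile(spp_account_names, secret_ids):
    """Classify each intended SPP account name: exact match, case-only
    mismatch (with the real secret id to use instead), invalid id, or no
    such secret at all."""
    exact = set(secret_ids)
    by_lower = {}
    for sid in secret_ids:
        by_lower.setdefault(sid.lower(), []).append(sid)
    report = {"ok": [], "case_mismatch": {}, "invalid": [], "missing": []}
    for name in spp_account_names:
        if name in exact:
            report["ok"].append(name)
        elif not SECRET_ID_RE.match(name):
            report["invalid"].append(name)
        elif name.lower() in by_lower:
            # Secret Manager would report this name as not found, since names
            # are case sensitive; tell the operator which id actually exists.
            report["case_mismatch"][name] = by_lower[name.lower()]
        else:
            report["missing"].append(name)
    return report


# Constructed sample output of `gcloud secrets list --format='value(name)'`.
SAMPLE_LISTING = """
projects/123456789012/secrets/pg-ci-password
projects/123456789012/secrets/Redis-Password
projects/123456789012/secrets/api-token
"""

if __name__ == "__main__":
    ids = secret_ids_from_gcloud(SAMPLE_LISTING)
    print(reconcile(["pg-ci-password", "redis-password", "bad name", "db2-password"], ids))
```

Only names in the ok list should become SPP accounts; fix case mismatches on the SPP side rather than renaming the secret, since renaming a secret in Google Cloud means creating a new one and updating every consumer.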
Use the Asset Management > Assets > Management tab to set the partition and profile to which the asset is assigned. An asset can only be in one partition at a time. When you add an asset to a partition, all accounts associated with that asset are automatically added to that partition. All assets must be governed by a profile; new assets are automatically governed by the default profile unless you specify otherwise.
The settings for an asset are shown below.
Table 113: Asset: Management tab properties

| Property | Description |
|---|---|
| Partition | Browse to select a partition for this asset. You can set a specific partition as the default; see Setting a default partition. |
| Password Profile | Browse to select a password profile to manage this asset's accounts. You must assign all assets to a profile; all new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default; see Setting a default profile. Click Reset to set the profile to the current default. The Reset button only becomes active when the asset has been explicitly assigned to a profile. If the asset is only implicitly assigned (you never chose a profile for it), it always follows the current default profile and Reset stays inactive. |
| SSH Key Profile | Browse to select an SSH key profile to manage this asset's accounts. You must assign all assets to a profile; all new assets are assigned to the default profile unless you specify another. You can set a specific profile as the default; see Setting a default profile. Click Reset to set the profile to the current default. The Reset button only becomes active when the asset has been explicitly assigned to a profile. If the asset is only implicitly assigned (you never chose a profile for it), it always follows the current default profile and Reset stays inactive. |
| Enable Session Request | If applicable, this check box is selected by default, indicating that authorized users can request session access for this asset. Clear this check box if you do not want to allow session requests for this asset. If the asset is disabled for sessions, sessions are not available even for accounts on the asset that are enabled for sessions, because the asset does not allow them. |
| Available for discovery across all partitions | Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; select this check box to allow the asset to be discovered across all partitions. |
| Manage using hashed password | Available for LDAP, Red Hat Directory Server and eDirectory LDAP assets; selecting this check box indicates that Safeguard, rather than the directory, hashes the password when performing a Change Password operation. |
| Managed Network | The managed network that is assigned for work load balancing. For more information, see Managed Networks. |
NOTE: The Attributes tab only appears after you have successfully added a new asset and is accessed by editing the asset.
In the web client, the Attributes tab is used to add attributes to directory assets (including Active Directory and LDAP). For more information, see Adding identity and authentication providers.
IMPORTANT: Some Active Directory attributes are fixed and cannot be changed.
Table 114: Active Directory and LDAP: Attributes tab

| Object | Attribute | Value |
|---|---|---|
| User | ObjectClass | Default: user for Active Directory, inetOrgPerson for LDAP. Click Browse to select a class definition that defines the valid attributes for the user object class. |
| User | Username | sAMAccountName for Active Directory, cn for LDAP |
| User | Password | userPassword for LDAP |
| User | Description | description |
| User | MemberOf | Blank by default; can be set to a directory schema attribute that contains the list of directory groups of which the user is a member. |
| User | Alternate Login Name | userPrincipalName (see the NOTE below) |
| Group | ObjectClass | Default: group for Active Directory, groupOfNames for LDAP. Click Browse to select a class definition that defines the valid attributes for the group object class. |
| Group | Name | sAMAccountName for Active Directory, cn for LDAP |
| Group | Member | member |
| Computer | ObjectClass | Default: computer for Active Directory, ipHost for LDAP. Click Browse to select a class definition that defines the valid attributes for the computer object class. |
| Computer | Name | cn |
| Computer | Network Address | dNSHostName for Active Directory, ipHostNumber for LDAP |
| Computer | Operating System | operatingSystem for Active Directory |
| Computer | Operating System Version | operatingSystemVersion for Active Directory |
| Computer | Description | description |

NOTE: By default the Alternate Login Name attribute for directories is set to userPrincipalName; however, another directory attribute containing a UPN-type account name can be used. This attribute can be used in conjunction with the API's UseAltLoginName setting (disabled by default), which makes SPP use the Alternate Login Name as the account name instead. The API call is PUT https://<host>/service/core/v4/AccessPolicies/{id}, where {id} is the id of the access policy on which you set UseAltLoginName to true. UseAltLoginName is a boolean field on the asset data object.
After you add an asset, you can verify that Safeguard for Privileged Passwords can log in to it using the Test Connection option.
NOTE: When you run Test Connection from the asset's Connection tab (such as when you add the asset initially), you must enter the service account credentials. Once you add the asset, Safeguard for Privileged Passwords saves these credentials, so the Test Connection option on the Assets page does not ask for them again; it uses the saved credentials to verify that it can log in to that asset.
To check an asset's connectivity
1. Navigate to Asset Management > Assets.
2. Select an asset.
3. Click the Test Connection button.
Safeguard for Privileged Passwords displays a task pane that shows the results.