This page describes how to enable the data collection of G Suite for processing by Forseti Inventory.
To complete this guide and enable a service account in your G Suite admin control panel, you must have the super admin role in admin.google.com.
To enable collection of G Suite data using your existing Forseti service account, follow the steps below. Read more about domain-wide delegation.
Go to the Google Cloud Platform (GCP) Console Service accounts page for the Forseti project and follow the instructions under the section "To enable G Suite domain-wide delegation, follow these steps:" to enable domain-wide delegation on the Forseti server service account.
Follow the instructions here to grant the Forseti service account the following scopes:
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/cloudplatformprojects.readonly,https://www.googleapis.com/auth/apps.groups.settings
After you set up your service account above, you may need to edit the domain_super_admin_email field in your forseti_conf_server.yaml.
If you are running Forseti on GCP and made any changes to the above values, you will need to copy the conf file to the Cloud Storage bucket. For more information, see Moving configuration to Cloud Storage.
Below are the common errors for G Suite configurations and the steps to take to resolve them.
You can find which errors occurred by running forseti inventory list|get, or by looking at the inventory_index_errors column in the inventory_index table.
If you make any changes to the forseti_conf_server.yaml file, be sure to update the server by reloading it with forseti server configuration reload.
Error:
('invalid_grant: Invalid email or User ID', u'{"error" : "invalid_grant", "error_description" : "Invalid email or User ID"}')
Solution:
Double-check the email you entered in the domain_super_admin_email field of the forseti_conf_server.yaml file. Make sure there is no typo and that the user exists.
Error:
GCP API Error: unable to get groups from GCP:
<HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups?customer=C04h01n68&alt=json returned "Not Authorized to access this resource/api">
Solution:
Make sure you specified a super admin user in the domain_super_admin_email field of the forseti_conf_server.yaml file.
Error:
('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', u'{"error" : "unauthorized_client", "error_description" : "Client is unauthorized to retrieve access tokens using this method."}')
Solution: Make sure you entered the correct API scope(s) for the service account's client ID in the G Suite admin console.
Error:
No G Suite data and no relevant G Suite error reported by forseti inventory list|get or in the inventory_index_errors column of the inventory_index table.
Solution: Make sure domain-wide delegation (DwD) is enabled for the server service account.
Error:
Error calling the IAM signBytes API: {
"error": {
"code": 403,
"message": "Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/forseti-server-gcp-xxxxxx@xyz.iam.gserviceaccount.com.",
"status": "PERMISSION_DENIED"
}
}
Solution:
Make sure roles/iam.serviceAccountTokenCreator is granted to the server service account.
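As an added illustration, not part of the Forseti project's code, the helper below normalizes the three error shapes listed above (the OAuth tuple, the HttpError line, and the IAM signBytes JSON body) into an error code and description, then maps each onto the fix given on this page. The function names, regular expressions and remediation strings are assumptions made for this example.

```python
import ast
import json
import re

# Remediation text paraphrases the solutions listed on this page (assumed wording).
REMEDIATION = {
    "invalid_grant": "Check domain_super_admin_email in forseti_conf_server.yaml: no typo, user exists.",
    "unauthorized_client": "Check the API scopes entered for the client ID in the G Suite admin console.",
    "not_authorized": "domain_super_admin_email must name a G Suite super admin.",
    "sign_blob_denied": "Grant roles/iam.serviceAccountTokenCreator to the server service account.",
}


def parse_error(text):
    """Normalize the three error shapes seen in inventory_index_errors into
    (code, description); returns (None, text) when nothing matches."""
    text = text.strip()
    # Shape 1: OAuth tuple repr, e.g. ('invalid_grant: ...', u'{"error": ...}')
    if text.startswith("("):
        try:
            summary, body = ast.literal_eval(text)
            payload = json.loads(body)
            return payload["error"], payload.get("error_description", summary)
        except (ValueError, SyntaxError, KeyError, TypeError):
            pass
    # Shape 2: googleapiclient HttpError repr carrying status, URL and reason
    m = re.search(r'<HttpError (\d+) when requesting \S+ returned "([^"]*)"', text)
    if m:
        return "http_" + m.group(1), m.group(2)
    # Shape 3: IAM signBytes JSON error body embedded after a text prefix
    m = re.search(r"\{.*\}", text, re.DOTALL)
    if m:
        try:
            err = json.loads(m.group(0))["error"]
            return err["status"].lower(), err["message"]
        except (ValueError, KeyError, TypeError):
            pass
    return None, text


def diagnose(text):
    """Map one error string onto this page's remediation, or None if unknown."""
    code, desc = parse_error(text)
    if code in ("invalid_grant", "unauthorized_client"):
        return REMEDIATION[code]
    if code == "http_403" and "Not Authorized" in desc:
        return REMEDIATION["not_authorized"]
    if code == "permission_denied" and "signBlob" in desc:
        return REMEDIATION["sign_blob_denied"]
    return None
```

Feed it each value from the inventory_index_errors column (or the output of forseti inventory get) to get the matching troubleshooting step from this page.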