Cloud Integration: Google Cloud IAM + PowerBroker for Unix & Linux for Authorization and Command Control

July 31, 2018

PowerBroker for Unix & Linux (PBUL), BeyondTrust's gold-standard solution for Unix/Linux privilege management, comes with a very powerful and flexible Policy Engine that enables organizations to satisfy even the most complex privileged access requirements. In this blog I will explain how that Policy Engine leverages the APIs of third-party solutions, such as cloud applications and DevOps tools, to enable full orchestration across an environment, in this case Google Cloud.

With PowerBroker, it is possible to interface with Google Cloud IAM in order to verify that users are properly authorized via a Role, a Group, or a specific permission before allowing them to execute a specific command on a specific server. If an administrator wants to issue a command to restart a server instance in Google Cloud, the PBUL Policy Engine can first verify that the user is a member of the appropriate permission Group and that the user is authorized for that specific server instance. Other conditions can also be included, such as time of day, day of the week, the user's location, and any other third-party solution scripted through PBUL policy.

To see how this works, let's look at the example below. First, we need to define a couple of sample groups in Google Cloud IAM. Our sample user, Adam Arnold, is a member of the Cloud Container Builder Editor Group. The original post shows a screenshot of the groups in the Google Cloud IAM console (it shows the groups, not his membership). Then, we add a simple test script (gcloud_test.sh) to our PowerBroker policy:
Policy.conf:

## The following user, adam.arnold, is used to test the gcloud query.
if (user in { "adam.arnold" } && basename(command) in { "gcloud_test.sh", "gcloud_test" }) {
    # do not allow these commands to be delegated
    print("user called gcloud_test.sh");
    if (basename(command) in { "gcloud_test.sh", "gcloud_test" }) {
        print("command is gcloud_test.sh");
        # gcloud_functions.conf defines RetrieveGCloud_Group(), which queries
        # Google Cloud IAM and leaves the comma-separated result in gcloudDATA
        include '/etc/pb/gcloud_functions.conf';
        RetrieveGCloud_Group();
        DELIM = ",";
        gcloudFIELDS = split(gcloudDATA, DELIM);
        print(gcloudFIELDS);
        COUNT = 0;
        COUNTER = 0;
        # walk the result line by line, then field by field, looking for the role
        TEST = split(gcloudDATA, "\n");
        for Lines in TEST {
            TEST2 = split(Lines, ",");
            COUNT = length(TEST2);
            COUNT2 = (COUNT - 1);
            while (COUNTER <= COUNT2) {
                #print(COUNTER);
                #print(TEST2[COUNTER]);
                if (TEST2[COUNTER] == "roles/cloudbuild.builds.editor") {
                    print("Congratulations - you are a member of the DevOps Group (roles/cloudbuild.builds.editor), so you are authorized to execute this command");
                }
                COUNTER++;
            } # End while
            COUNT = 0;
            COUNTER = 0;
        } # End for
    }
    # test policy: membership is only reported, the request is then accepted regardless;
    # a production policy would reject when the role is not found
    accept;
    #reject("This is a restricted command gcloud_test.sh -- '" + basename(command) + "'.");
}
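The post does not show /etc/pb/gcloud_functions.conf, so the following added example (not code from the post or from PBUL) stands in for what RetrieveGCloud_Group() hands back and for the role scan the policy performs on it, with the accept/reject decision made explicit. The gcloud invocation in the comment, the sample role/member lines, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the blog post or from PBUL. It emulates the
# RetrieveGCloud_Group() helper and the policy's role check, but returns
# an exit status so a caller can reject instead of accepting regardless.

# Constructed stand-in for the role,member lines a gcloud query would
# return. Live, gcloud_data() would run something like this (assumed
# invocation, not taken from the post):
#   gcloud projects get-iam-policy "$PROJECT" \
#       --flatten='bindings[].members' \
#       --format='csv[no-heading](bindings.role,bindings.members)'
gcloud_data() {
    printf '%s\n' \
        'roles/cloudbuild.builds.editor,user:adam.arnold@example.com' \
        'roles/cloudbuild.builds.viewer,user:bob.baker@example.com' \
        'roles/compute.instanceAdmin.v1,group:ops-admins@example.com'
}

# has_role USER ROLE
# Exit 0 when a "ROLE,user:USER@<domain>" line exists, 1 otherwise.
# Same split-on-newline / split-on-comma scan as the policy, but both
# fields are compared, so a role granted to someone else does not count.
has_role() {
    gcloud_data | awk -F',' -v role="$2" -v who="user:$1@" '
        index($2, who) == 1 && $1 == role { found = 1; exit }
        END { exit !found }'
}

# authorize USER COMMAND
# Exit 0 (accept) only when the role required for COMMAND is held;
# exit 1 (reject) for an unknown command or a missing role.
authorize() {
    case "$2" in
        gcloud_test.sh|gcloud_test) role='roles/cloudbuild.builds.editor' ;;
        *) echo "reject: $2 is not a delegated command" >&2; return 1 ;;
    esac
    if has_role "$1" "$role"; then
        echo "accept: $1 holds $role, may run $2"
    else
        echo "reject: $1 lacks $role, denied $2" >&2
        return 1
    fi
}

authorize adam.arnold gcloud_test.sh        # accept
authorize bob.baker gcloud_test.sh || :     # reject (status ignored here)
```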

When you execute the script as part of a "test" policy, the policy output reports the user's Google Cloud IAM group membership (the original post shows a screenshot of this output). While this is a simplistic sample, it demonstrates:
  1. The power of the PowerBroker for Unix & Linux scripting language to integrate with third-party solutions.
  2. The integration from PowerBroker for Unix & Linux to support group membership checks of Google Cloud IAM users.
  3. The support of PowerBroker for Unix & Linux for DevOps and Cloud environments and the next-generation technologies they rely on.

If you would like more information on how BeyondTrust can support Google Cloud and next-generation initiatives, contact us today. You can also learn more about our technology partners and partnerships.

Michel Bluteau

Sr. Sales Engineer, BeyondTrust

Michel has been interfacing with many organizations in different verticals around the world over the last decade, capturing requirements and use cases in Identity Management, Compliance, and more recently Privileged Account Management. Michel's expertise with various platforms, including SAP, ServiceNow, .NET and Java, allows him to contribute to integrations and share his experience and solutions. Recently, Michel has also been focusing on the user experience and on how to leverage the Web Services APIs that are increasingly available for both on-premises and cloud-based applications and platforms.
