To setup your Google Security Command Center app in Cobalt for OAuth, you will need the following credentials from your Google Cloud Console dashboard:

  • Client ID
  • Client Secret
  • Scopes

Pre-requisites

  1. Google Cloud Console account. You can create one here.
  2. Your users should have the appropriate roles for the APIs to work correctly.

Learn more about the required IAM Roles here.

Required Settings

  • Mandatory Scopes
  1. https://www.googleapis.com/auth/cloud-platform
If you haven’t already created a project in Google Cloud Console, you’d need to create one.

Creating an app in Google Security Command Center

To create a Google Security Command Center app and acquire the above mentioned credentials, please follow the steps mentioned below:

  1. Log in to your Google Cloud Console dashboard.
  2. Click on the Create Project button in the top right.
  1. Enter the Project Name for your application, select Organization and Location.
  2. In the Google Cloud Console dashboard, navigate to APIs and services > Credentials in the left side menu.

Ensure that the correct app is selected by checking the name of the app in the dropdown in the top navigation bar.

  1. Go to your Apps catalog in Cobalt > Search for Google Security Command Center > Settings > Use your credentials > Callback Url > Copy it.
  2. Click on + Create Credentials button in the top in the Cloud Console app and select OAuth client ID.

Note: You will need to configure Google’s consent screen for access to Client ID and Client Secret if not done previously.

  1. Select Web application from the Application type dropdown > scroll to Authorized redirect URIs section > Click + Add URI button > Paste the Callback Url > Click Create button in the bottom.
  2. Navigate to OAuth consent screen in the left menu under APIs and services > Click on the Edit App button > Scroll down > Click Save and Continue in the OAuth consent screen section > Click Add or Remove Scopes button in the Scopes section.
  3. Enter the mandatory scopes under Manually add scopes > Click on Add To Table > Click on Update > Click on Save and Continue at the bottom of the page.
  1. Go to Enabled APIs and services in the left menu under APIs and services > Click on + Enable APIs and Services > Search for Cloud Resource Manager API & also Security Command Center API > Click on Enable for both.
  1. Navigate to Credentials in the left menu under APIs and services and select the Web Client under OAuth 2.0 Client IDs. Copy the Client ID and Client Secret under Additional information section.

Configuring credentials in Cobalt

App settings page lets you configure the authentication settings for an OAuth2 based application. For your customers to provide you authorization to access their data, they would first need to install your application. This page lets you set up your application credentials.

Provide the acquired Client ID and Client Secret under Settings of the app and save it.

Configuring Scopes

Cobalt lets you configure what permissions to ask from your users while they install your application. The scopes can be added or removed from the App settings page, under Permissions & Scopes section.

For some applications Cobalt sets mandatory scopes which cannot be removed. Additional scopes can be selected from the drop down. Cobalt also has the provision to add any custom scopes supported by the respective platform.

Once the scopes has been added to the project in Cobalt, go to your Google Cloud Console dashboard and update the scopes as added on Cobalt.

Navigate to Cloud Console dashboard > Select the Project created for Cobalt > Follow the steps 8 and 9 mentioned above for adding scopes.

If you are facing scopes missing or invalid scope error. Make sure you are not passing any custom scope not supported by the platform. And, the scopes selected here are identical to the ones selected in the platform.

App Review for Google Security Command Center

Projects configured with a publishing status of In production are available to any user with a Google Account. Projects configured with a publishing status of In production should complete the verification process, including defining scopes actively requested by your project’s OAuth clients, if it meets one or more of the OAuth verification criteria.

To submit app for review

  • In the Project, go to OAuth consent screen in the left menu under APIs and services > Choose the App type as External and click on Publish App button.
  • Click on Prepare for Verification and provide the required information.
  • You will be required to submit justification for the scopes requested and a demo video on YouTube which shows the scopes being used.

Learn more about publishing apps in Google Cloud Console here.

Actions and triggers

Once the above setup is completed, you can create orchestrations of your use-cases using Google Admin actions and triggers. Following are the set of Google Security Command Center actions and triggers supported by Cobalt.