Identity Provider

GCP Cloud Identity

Sync Google Cloud Identity users and groups to Gateco for identity-aware RAG access control on GCP workloads.

GCP Cloud Identity is Google's enterprise identity service managing users, groups, and devices for Google Workspace and GCP organizations. Gateco integrates via the Admin SDK, syncing users and groups to power principal-based retrieval policies.

Cloud Identity group membership is synced to Gateco's principal groups array. Google group email addresses (e.g. engineering@company.com) become group identifiers in policy conditions.

The GCP adapter requires Domain-Wide Delegation (DWD) on a service account with the Admin SDK scope. The service_account_json must include credentials for a service account that has been granted DWD in the Google Admin console.

For GCP-stack deployments, combining GCP Cloud Identity (IDP) with Vertex AI connectors (vector DB) is the natural path. One service account can cover both the Admin SDK and the Vertex AI Platform API if granted appropriate roles.

Sample policy

{
  "name": "Google group access",
  "effect": "allow",
  "rules": [{
    "conditions": [
      {"field": "principal.groups", "operator": "contains", "value": "engineering@company.com"},
      {"field": "resource.classification", "operator": "in", "value": ["internal", "public"]}
    ]
  }],
  "selectors": [{}]
}

Policy conditions reference resource.* and principal.* fields; see the policy reference for the full list of fields and operators.
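The following is an added illustration, not Gateco's own code, of how the sample policy above behaves once Cloud Identity group emails land in principal.groups. It assumes Gateco's evaluation semantics (all conditions in a rule must hold, "contains" is an exact list-membership test, "in" is a set-membership test, and a policy that matches no rule yields "deny"); the principal and resource records are constructed samples.

```python
"""Evaluate a Gateco-style policy against a principal synced from GCP Cloud Identity.

Assumed semantics (not taken from Gateco's docs): every condition in a rule must
hold for the rule to match; "contains" is exact string membership in a list;
"in" is membership of the field value in the condition's list; no match -> "deny".
"""
from typing import Any

# Constructed sample: what the GCP adapter would produce for one user after
# syncing Cloud Identity memberships (group email addresses, as described above).
PRINCIPAL = {
    "id": "alice@company.com",
    "groups": ["engineering@company.com", "all-staff@company.com"],
}

# The sample policy from this page, verbatim.
POLICY = {
    "name": "Google group access",
    "effect": "allow",
    "rules": [{
        "conditions": [
            {"field": "principal.groups", "operator": "contains", "value": "engineering@company.com"},
            {"field": "resource.classification", "operator": "in", "value": ["internal", "public"]},
        ]
    }],
    "selectors": [{}],
}


def lookup(field: str, principal: dict, resource: dict) -> Any:
    """Resolve a dotted 'principal.<key>' / 'resource.<key>' field name."""
    scope, _, key = field.partition(".")
    return {"principal": principal, "resource": resource}[scope].get(key)


def condition_holds(cond: dict, principal: dict, resource: dict) -> bool:
    actual, op, expected = lookup(cond["field"], principal, resource), cond["operator"], cond["value"]
    if op == "contains":  # exact match: no case folding, so "Engineering@..." does not match
        return isinstance(actual, list) and expected in actual
    if op == "in":
        return actual in expected
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(policy: dict, principal: dict, resource: dict) -> str:
    """Return the policy's effect if any rule fully matches, otherwise 'deny' (fail closed)."""
    for rule in policy["rules"]:
        if all(condition_holds(c, principal, resource) for c in rule["conditions"]):
            return policy["effect"]
    return "deny"
```

A member of engineering@company.com reading an "internal" document is allowed, while a "confidential" document, a principal outside the group, or a group email that differs only in case all fall through to deny.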

Frequently asked questions

What Admin SDK scopes does Gateco require?
https://www.googleapis.com/auth/admin.directory.user.readonly and https://www.googleapis.com/auth/admin.directory.group.readonly. Authorize these in Google Admin under Security > API Controls > Domain-wide Delegation.
How are GCP group names represented in policies?
GCP Cloud Identity groups are identified by their email address (e.g. engineering@company.com). This email becomes the value in principal.groups. Policy conditions must reference the group email exactly.
Can one service account cover both Cloud Identity sync and Vertex AI connectors?
Yes, if granted both the Admin SDK DWD scope and the Vertex AI User role. In practice, using two separate service accounts is recommended for least privilege.
