Use service accounts to create policies

A service account is a special type of account and is typically used by an application or compute workload, such as a Compute Engine instance, rather than a person. This account is identified by its email address, which is unique to it.

Applications use service accounts to make authorized API calls by authenticating either as the service account itself or as Google Workspace or Cloud Identity users through domain-wide delegation. When an application authenticates as a service account, it has access to all resources that the service account has permission to access.

You can use a service account to identify the traffic source and configure Secure Web Proxy policies, as needed.

This guide shows you how to do the following:

  • Create a Secure Web Proxy instance with an empty policy.
  • Create and attach service accounts to resources.
  • Use service accounts to create a Secure Web Proxy policy.
  • Create a Secure Web Proxy instance.
  • Test connectivity from your VMs.

Before you begin

  • Complete the initial setup steps.

  • Have an organization administrator grant access to a service account.

  • Verify that you have the Google Cloud CLI version 406.0.0 or later installed:

    gcloud version | head -n1
    

    If you have an earlier gcloud CLI version installed, update the version:

    gcloud components update --version=406.0.0
    

Create a Secure Web Proxy instance with an empty policy

To create a Secure Web Proxy instance, you must first create an empty security policy and then create a web proxy that uses the policy.

Create an empty security policy

Console

  1. In the Google Cloud console, go to the SWP Policies page.

  2. Click Create a policy.

  3. In the Name field, enter a name for the policy, such as myswppolicy.

  4. In the Description field, enter a description for the policy, such as My new swp policy.

  5. For Regions, select the region where you want to create the policy, such as us-central1.

  6. Click Create.

Cloud Shell

  1. Use your preferred text editor to create a policy.yaml file.

  2. Add the following to the policy.yaml file that you created:

    name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
    description: POLICY_DESCRIPTION
    

    Replace the following:

    • PROJECT_NAME: name of your project

    • REGION: region where your policy is created, such as us-central1

    • POLICY_NAME: name of your policy

    • POLICY_DESCRIPTION: description for your policy

  3. Import the security policy by using the gcloud network-security gateway-security-policies import command:

    gcloud network-security gateway-security-policies import POLICY_NAME \
        --source=policy.yaml \
        --location=REGION
    

Create a web proxy

Console

  1. In the Google Cloud console, go to the Web Proxies page.

  2. Click Create a secure web proxy.

  3. In the Name field, enter a name for the web proxy, such as myswp.

  4. In the Description field, enter a description for the web proxy, such as My new swp.

  5. For Routing mode, select the Explicit option.

  6. For Regions, select the region where you want to create the web proxy, such as us-central1.

  7. For Network, select the network where you want to create the web proxy.

  8. For Subnetwork, select the VPC subnet that you previously created as part of the initial setup steps.

  9. Optional: In the Web proxy IP address field, enter the Secure Web Proxy IP address.

    You can enter an IP address from the range of Secure Web Proxy IP addresses that reside in the subnetwork you created in the previous step. If you don't enter the IP address, then your Secure Web Proxy instance automatically chooses an IP address from the selected subnetwork.

  10. For Certificate, select the certificate that you want to use to create the web proxy.

  11. For Policy, select the policy that you created to associate the web proxy with.

  12. Click Create.

Cloud Shell

  1. Use your preferred text editor to create a gateway.yaml file.

  2. Add the following to the gateway.yaml file:

    name: projects/PROJECT_NAME/locations/REGION/gateways/GATEWAY_NAME
    type: SECURE_WEB_GATEWAY
    ports: [GATEWAY_PORT_NUMBERS]
    certificateUrls: [CERTIFICATE_URLS]
    gatewaySecurityPolicy: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME
    network: projects/PROJECT_NAME/global/networks/NETWORK_NAME
    subnetwork: projects/PROJECT_NAME/regions/REGION/subnetworks/SUBNETWORK
    addresses: [GATEWAY_IP_ADDRESS]
    scope: samplescope
    

    Replace the following:

    • GATEWAY_NAME: name of this Secure Web Proxy instance

    • GATEWAY_PORT_NUMBERS: list of port numbers for this gateway, such as [80,443]

    • CERTIFICATE_URLS: list of SSL certificate URLs

    • SUBNETWORK: VPC subnet that you previously created as part of the initial setup steps

    • GATEWAY_IP_ADDRESS: optional list of IP addresses for your Secure Web Proxy instances within the proxy subnets that you previously created in the initial setup steps

      If you choose not to list IP addresses, omit the field to let the web proxy choose an IP address for you.

  3. Create the Secure Web Proxy instance by using the gcloud network-services gateways import command:

    gcloud network-services gateways import GATEWAY_NAME \
        --source=gateway.yaml \
        --location=REGION
    

Test connectivity

To test connectivity, use the curl command from any virtual machine (VM) instance within your Virtual Private Cloud (VPC) network:

  curl -x https://GATEWAY_IP_ADDRESS:PORT_NUMBER https://www.example.com --proxy-insecure

If everything is working correctly, then your Secure Web Proxy instance returns a 403 Forbidden status code. This error confirms the following:

  • The Secure Web Proxy instance has been successfully deployed and is actively receiving traffic.

  • The Secure Web Proxy policy is correctly enforcing the default security posture of rejecting all traffic until you define specific allow rules in the next sections.

Create and attach service accounts to resources

Do the following to create and attach service accounts:

  1. Create the service accounts.

  2. Attach service accounts to resources.

Create Secure Web Proxy rules

To create Secure Web Proxy rules, do the following:

  1. Use your preferred text editor to create a RULE_FILE.yaml file. Replace RULE_FILE with your chosen filename.

  2. To allow access to a URL from the chosen service account, add the following to the YAML file:

    name: projects/PROJECT_NAME/locations/REGION/gatewaySecurityPolicies/POLICY_NAME/rules/RULE_NAME
    description: RULE_DESCRIPTION
    enabled: true
    priority: RULE_PRIORITY
    sessionMatcher: CEL_EXPRESSION
    basicProfile: ALLOW
    

    Replace the following:

    • RULE_NAME: a name for this rule
    • RULE_DESCRIPTION: a description for the rule that you're creating
    • RULE_PRIORITY: the priority for this rule; a lower number corresponds to a higher priority
    • CEL_EXPRESSION: a Common Expression Language (CEL) expression

      For more information, see CEL matcher language reference.

      For example, to allow access to example.com only from a resource that has the desired service account attached, set sessionMatcher in the YAML file that you created as follows:

      sessionMatcher: "source.matchServiceAccount('SERVICE_ACCOUNT') && host() == 'example.com'"
      

      Replace SERVICE_ACCOUNT with the service account that you want to allow. This must be the service account's email address.

  3. Import the rules that you created:

    gcloud network-security gateway-security-policies rules import RULE_NAME \
        --source=RULE_FILE.yaml \
        --location=REGION \
        --gateway-security-policy=POLICY_NAME
    
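The rule procedure above, wrapped in a small script as an added example (this is not code from the Google Cloud documentation). It renders the rule YAML for one service account and one host, rejects a service account that is not given as its email address (the form the sessionMatcher requires), and imports the file with the gcloud command from step 3. The project, region, policy and service account values are assumed placeholders; set DRY_RUN=1 to print the gcloud command instead of running it.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Renders and imports one
# Secure Web Proxy ALLOW rule keyed on a service account and a host.
set -euo pipefail

# render_rule PROJECT REGION POLICY RULE PRIORITY SERVICE_ACCOUNT HOST
# Prints the rule YAML on stdout. Returns 1 if SERVICE_ACCOUNT is not a
# service account email address or HOST contains characters that do not
# belong in a hostname (avoids a matcher that silently never matches).
render_rule() {
  local project=$1 region=$2 policy=$3 rule=$4 priority=$5 sa=$6 host=$7
  case "$sa" in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "render_rule: '$sa' is not a service account email address" >&2; return 1 ;;
  esac
  case "$host" in
    ""|*[!A-Za-z0-9.-]*) echo "render_rule: invalid host '$host'" >&2; return 1 ;;
  esac
  cat <<EOF
name: projects/${project}/locations/${region}/gatewaySecurityPolicies/${policy}/rules/${rule}
description: allow ${sa} to reach ${host}
enabled: true
priority: ${priority}
sessionMatcher: "source.matchServiceAccount('${sa}') && host() == '${host}'"
basicProfile: ALLOW
EOF
}

# import_rule: same arguments as render_rule. Writes the YAML to a temp file
# and imports it into the gateway security policy (step 3 of the procedure).
# With DRY_RUN=1 the gcloud command line is printed instead of executed.
import_rule() {
  local region=$2 policy=$3 rule=$4 file
  file=$(mktemp)
  render_rule "$@" > "$file"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "gcloud network-security gateway-security-policies rules import $rule --source=$file --location=$region --gateway-security-policy=$policy"
  else
    gcloud network-security gateway-security-policies rules import "$rule" \
      --source="$file" --location="$region" --gateway-security-policy="$policy"
  fi
}

# Usage (assumed placeholder values):
# DRY_RUN=1 import_rule my-project us-central1 myswppolicy allow-example 100 \
#   app@my-project.iam.gserviceaccount.com example.com
```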

Test connectivity

To test connectivity, use the curl command from the resource with the attached SERVICE_ACCOUNT:

  curl -x https://IPv4_ADDRESS:443 http://example.com --proxy-insecure

Replace IPv4_ADDRESS with the IPv4 address of your Secure Web Proxy instance.

What's next