Service Graph connector for Google Console - Setup Instructions

Summary

This article describes the steps to set up the Google Console environment. With this setup, Service Graph Connector for Google Console will securely integrate with Google Console and get CI data into the CMDB.

Instructions

Summary:

- Create service account
- Create and Assign role
- Enable the API
- Get Customer ID
- Create a P12 file
  - GCP generated P12 file
  - Creating X509 and P12 files
- Registering P12 file for Service Graph Connector for Google Console in the ServiceNow instance

1. Create service account

For the ServiceNow Service Graph Connector for Google Console to securely integrate with a Google Console environment, a service account is created in a GCP Project. Depending on the security configurations, a service account might have access to all the projects or a selected group of projects.

Follow the steps below to create a service account:

- Navigate to Cloud Console: https://console.cloud.google.com/.
- Activate Google Cloud Shell by clicking on the Cloud Shell icon at the top right of the console.
- A terminal console will open at the bottom of the browser window, where you can run the following command to create a service account:

    gcloud iam service-accounts create chrome-devices --project=PROJECT_ID

Here "chrome-devices" is the name of the service account; you can choose a different name in accordance with your company's naming conventions. Replace "PROJECT_ID" with the name of the project. The service account created may look like chrome-devices@example.iam.gserviceaccount.com, where "example" is the project name.

2. Create and Assign role

For different portions of the Chrome Management APIs, different admin privileges are needed.
To grant privileges:

- As customer admin, go to Admin Console (https://admin.google.com/).
- Navigate to the Admin roles page.
- Create a new role (chrome.management.viewall, for instance) with the following privileges:
  - Chrome Management / View Reports (all)
  - Chrome Management / Manage Chrome OS Devices / Read (all)
- Assign this role to the service account email address:
  - Click on the Assign service accounts link.
  - Manually type in the service account email address (chrome-devices@example.iam.gserviceaccount.com in our case).

3. Enable the API

- Navigate to Cloud Console: https://console.cloud.google.com/.
- Select the cloud project.
- Go to APIs & Services > Enable APIs and Services.
- Search for "Admin SDK".
- Select "Admin SDK API".
- Familiarize yourself with the Terms of Service.
- Click Enable.

4. Get Customer ID

The Customer ID is the unique ID for the customer's Google Workspace account. It is not the ID of the organisation, but the "Directory Customer_ID". Access Google Cloud Platform (https://console.cloud.google.com) and run the following command in the Cloud Shell terminal to fetch the customer ID:

    gcloud organizations list

5. Create a P12 file

The Service Graph Connector for Google Console must be authenticated using a P12 file to get an OAuth2 JWT token. You can use either of the two ways (5.1 or 5.2) indicated below to generate the P12 file.

5.1 GCP Generated P12 file

The P12 file is created in the GCP console in this stage and has a preset password. If using this mode does not feel right to you, move on to the following step, "Alternate Step to Generate P12 File".

- Go to the IAM & Admin tab in the project in which the service account is created.
- Select "Service Accounts" from the left navigation and click the service account.
- Click the Keys tab. Next, choose "ADD KEY" and select "Create a new key".
- Click CREATE after selecting "P12" as the key type.
- Make a note of the private key and save it safely.
5.2 Alternate Step to Generate P12 File

In this step, you will run a series of Linux commands to generate a P12 file. This P12 file is then uploaded in the GCP console for the service account created, and in the next steps of the ServiceNow guided setup. The steps below create a P12 file:

- Create an SSH Key.
- Create a Self-Signed Certificate.
- Convert the Certificate and Private Key to PKCS#12 format.
- Attach the P12 to the ServiceNow Service Account created in the previous step.

5.2.1. Create an SSH Key

You can generate an SSH key using the command below, or you can choose an SSH private key file that already exists. Consider the "mygcpprivatekey.pem" file for this example.

    ssh-keygen -t rsa -b 4096

5.2.2. Create a Self-Signed Certificate

With the private key file you generated in the previous step, this step creates an X.509 certificate. This step creates the "mygcpcertificate.pem" file as an example, which will be needed in the following step.

    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout mygcpprivatekey.pem -out mygcpcertificate.pem

5.2.3. Convert Certificate and Private Key to PKCS#12 format

You will create the P12 file (e.g. snowkeystore.p12) in this stage using the command listed below:

    openssl pkcs12 -export -in mygcpcertificate.pem -inkey mygcpprivatekey.pem -certfile mygcpcertificate.pem -out snowkeystore.p12

5.2.4. Registering X.509 file in a GCP service account

- Go to the IAM & Admin tab in the project in which the service account is created.
- Select "Service Accounts" from the left navigation and click the service account.
- Click the Keys tab. After that, select "Upload Existing Key" and add the P12 file (e.g. mygcpcertificate.pem).
- Make a note of the private key and save it safely.

6. Registering P12 file in ServiceNow instance for Service Graph Connector for Google Console

The P12 file prepared in the preceding step is uploaded on the ServiceNow X.509 certificate page.
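
A check worth running on the keystore from step 5.2.3 before it is uploaded, as an added example that is not part of the original article: it confirms that the P12 opens with the expected password, that the certificate and private key inside it belong together, and that the certificate is not close to the end of its 365-day validity. The function names, the P12_PASS variable, the demo CN and the 30-day default threshold are assumptions.

```shell
# Password is read from the P12_PASS environment variable (openssl "env:"
# source) so it does not appear in the process list.

# make_demo_p12 DIR: throwaway key, certificate and keystore built with the
# openssl commands from 5.2.2 and 5.2.3; -subj and -passout are added only to
# make the run non-interactive. Note that -newkey writes a fresh RSA key to
# -keyout, replacing any file already at that path. All values are constructed.
make_demo_p12() {
    dir=$1
    (
        umask 077   # private key and keystore readable by the owner only
        openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
            -subj "/CN=chrome-devices-demo" \
            -keyout "$dir/mygcpprivatekey.pem" \
            -out "$dir/mygcpcertificate.pem" 2>/dev/null &&
        openssl pkcs12 -export -in "$dir/mygcpcertificate.pem" \
            -inkey "$dir/mygcpprivatekey.pem" -certfile "$dir/mygcpcertificate.pem" \
            -out "$dir/snowkeystore.p12" -passout env:P12_PASS
    )
}

# verify_p12 FILE [MIN_SECONDS] returns:
#   0  keystore opens, certificate matches the key, certificate stays valid
#   1  keystore cannot be opened (wrong password or damaged file)
#   2  certificate public key differs from the private key
#   3  certificate expires within MIN_SECONDS (default 30 days)
verify_p12() {
    p12=$1
    min=${2:-2592000}
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys 2>/dev/null) || return 1
    key=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || return 1
    # Derive the public key from each side and compare them.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$min" >/dev/null 2>&1 || return 3
    # Print the SHA-256 fingerprint so the certificate can be identified later.
    printf '%s\n' "$cert" | openssl x509 -noout -fingerprint -sha256
}
```

Run `verify_p12 snowkeystore.p12` with P12_PASS exported in the same shell; a non-zero return code means the file should not be uploaded as it is.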