Skip to main content

Google Cloud Service Mesh

google

Version: 1.0
Updated: Jun 25, 2026

Google Cloud Service Mesh provides a managed service mesh that helps you secure, manage, and observe communication between your microservices running on Google Kubernetes Engine (GKE) and other platforms.

Actions

  • Get Authorization Policy (Enrichment) - Retrieve details of a specific authorization policy in the service mesh.
  • Get Mesh Metrics (Enrichment) - Retrieve service mesh metrics including traffic, latency, and error rates.
  • List Authorization Policies (Enrichment) - List all authorization policies configured in the service mesh.
  • Restrict Network Flow (Containment) - Restrict network traffic flow between services by creating or updating authorization policies.
  • Update Authorization Policy (Containment) - Update an existing authorization policy in the service mesh.

Required IAM roles

The following table lists the required IAM roles for each action:

ActionRequired RolePermission
Get Authorization PolicyMesh Viewer (roles/meshconfig.viewer)meshconfig.authorizationPolicies.get
Get Mesh MetricsMonitoring Viewer (roles/monitoring.viewer)monitoring.timeSeries.list
List Authorization PoliciesMesh Viewer (roles/meshconfig.viewer)meshconfig.authorizationPolicies.list
Restrict Network FlowMesh Admin (roles/meshconfig.admin)meshconfig.authorizationPolicies.create, meshconfig.authorizationPolicies.update
Update Authorization PolicyMesh Admin (roles/meshconfig.admin)meshconfig.authorizationPolicies.update

Additional permissions required:

PermissionDescription
container.clusters.getGet GKE cluster details
container.clusters.listList GKE clusters
container.clusters.createCreate GKE clusters
container.clusters.updateUpdate GKE clusters
meshconfig.meshes.getGet mesh configuration
meshconfig.meshes.listList mesh configurations
note

For read-only actions (Get Authorization Policy, List Authorization Policies), the Mesh Viewer role provides the minimum required access. The Mesh Admin role grants broader permissions including create, update, and delete capabilities, and is only required for write actions (Restrict Network Flow, Update Authorization Policy). For monitoring actions (Get Mesh Metrics), the Monitoring Viewer role is sufficient.

Google Cloud Service Mesh configuration

The Google Cloud Service Mesh integration supports two types of authentication: Service Account and WIF (Workload Identity Federation). We recommend using WIF since it is more secure and easier to manage. For more information, see Workload Identity Federation.

Required AWS details from Sumo Logic

To configure the Google Cloud Service Mesh integration using WIF authentication, you need the following AWS details from Sumo Logic. These details are essential for setting up the Workload Identity Federation (WIF) credentials in Google Workspace:

  • Deployment name is the unique name of your Sumo Logic deployment, for example, dub, fra, etc.
  • Sumo Logic AWS account ID: 926226587429
  • Sumo Logic AWS role: <deployment_name>-csoar-automation-gcpservicemesh
  • Sumo Logic AWS Lambda function: <deployment_name>-csoar-automation-gcpservicemesh
  • Full ARN: arn:aws:sts::926226587429:assumed-role/<deployment_name>-csoar-automation-gcpservicemesh/<deployment_name>-csoar-automation-gcpservicemesh

Workload Identity Federation (WIF) authentication

To create WIF credentials in Google Cloud needed to configure the Google Cloud Service Mesh integration, follow these steps:

  1. Log in to the Google Cloud portal.
  2. Select a Google Cloud project (or create a new one).
  3. Go to APIs & Services.
  4. In the same page click on ENABLED API AND SERVICES and search for Mesh API, Kubernetes Engine API, Cloud Resource Manager API, IAM Service Account Credentials API, Identity and Access Management (IAM) API, Security Token Service API, Cloud Monitoring API and enable them all.
  5. Go to the IAM & Admin > Service Accounts page.
  6. Click CREATE SERVICE ACCOUNT. A Service Account is required to access Google Cloud Service Mesh.
  7. While creating the service account, in Permissions add the role Service Account Token Creator and click on DONE.
    Service Account Token Creator
  8. Go to the IAM & Admin > Workload Identity Federation page.
    Workload Identity Federation
  9. Click CREATE POOL, provide the details, and click on CONTINUE.
    Create pool
  10. Add Provider details. Select AWS as the provider type and provide the details of the AWS Account ID which is provided by Sumo Logic. Click on CONTINUE and SAVE.
    Provider details
  11. Now you will see the created pool and provider.
    Created pool and provider
  12. Now we have to build a principal name to configure in Sumo Logic. The format of the principal name is: principalSet://iam.googleapis.com/projects/{YourProjectID}/locations/global/workloadIdentityPools/{YourPoolName}/attribute.aws_role/arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}.
  13. Go to the IAM & Admin > IAM page and click on Grant Access to add a new principal.
  14. In the New principals field, provide the above principal name and select the role Workload Identity User. Click on SAVE.
    Workload Identity User
  15. Go to the IAM & Admin > Workload Identity Federation page and select the pool which was created above.
  16. Click on Grant Access > Grant access using service account impersonation.
  17. Select the service account which was created above, select the principle as aws_role and provide the arn arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole} and click on SAVE.
    Provide ARN
  18. Again go to Grant Access > Grant access using service account impersonation. Select the service account which was created above. Select the principle as aws_role and provide the arn arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}. Click on SAVE.
  19. Download the WIF conf.json file. Make sure you save it in a safe place. Use the JSON content to configure the Google Cloud Service Mesh integration to use WIF authentication in Automation Service and Cloud SOAR.

Service Account authentication

To create service account credentials in Google Cloud needed to configure the Google Cloud Service Mesh integration, follow these steps:

  1. Log in to the Google Cloud portal.
  2. Select a Google Cloud project (or create a new one).
  3. Go to the APIs & Services > Credentials page.
  4. In the same page click on ENABLED API AND SERVICES and search for Mesh API, Kubernetes Engine API, Cloud Resource Manager API, IAM Service Account Credentials API, Identity and Access Management (IAM) API, Security Token Service API, Cloud Monitoring API and enable them.
  5. Click CREATE CREDENTIALS and select Service Account.
    Create credentials
  6. Enter a service account name to display in the Google Cloud console. The Google Cloud console generates a service account ID based on this name.
  7. (Optional) Enter a description of the service account.
  8. Skip two optional grant permissions steps and click Done to complete the service account creation.
    Complete service account creation
  9. Click on the generated service account to open the details.
    Generated service details
  10. Under the KEYS tab, click ADD KEY and choose Create new key.
    Create new key
  11. Click on CREATE (make sure JSON is selected).
    Click on create
  12. The JSON file is downloaded. Make sure you save it in a safe place.

Configure Google Cloud Service Mesh in Automation Service and Cloud SOAR

Before you can use this automation integration, you must configure its authentication settings so that the product you're integrating with can communicate with Sumo Logic. For general guidance, see Configure Authentication for Automation Integrations.

How to open the integration's configuration dialog
  1. Access App Central and install the integration. (You can configure at installation, or after installation with the following steps.)
  2. Go to the Integrations page.
    Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
    New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
  3. Select the installed integration.
  4. Hover over the resource name and click the Edit button that appears.
    Edit a resource

In the configuration dialog, enter information from the product you're integrating with. When done, click TEST to test the configuration, and click SAVE to save the configuration:

  • Label. Enter the name you want to use for the resource.

  • Authentication Type. Select the authentication type: Service Account Private Key Json or Workload Identity Federation Private Key Json and provide the selected type JSON content.
  • Scopes. Default scope is already added as https://www.googleapis.com/auth/cloud-platform, if not then add this scope.
  • Project ID. Provide the Google Cloud Project ID where the Service Mesh actions will be performed.

  • Automation Engine. Select Cloud execution for this certified integration. Select a bridge option only for a custom integration. See Cloud or Bridge execution.

  • Proxy Options. Select whether to use a proxy. (Applies only if the automation engine uses a bridge instead of cloud execution.)

    • Use no proxy. Communication runs on the bridge and does not use a proxy.
    • Use default proxy. Use the default proxy for the bridge set up as described in Using a proxy.
    • Use different proxy. Use your own proxy service. Provide the proxy URL and port number.
Google Cloud Service Mesh

For information about Google Cloud Service Mesh, see Google Cloud Service Mesh documentation.

Change Log

  • June 25, 2026 (v1.0) - First upload
Status
Legal
Privacy Statement
Terms of Use
CA Privacy Notice

Copyright © 2026 by Sumo Logic, Inc.