Google Compute Engine

Version: 1.0
Updated: June 8, 2026

Google Compute Engine is a scalable, high-performance virtual machine infrastructure service on Google Cloud that lets you create and manage VMs, persistent disks, and related compute resources programmatically.

Actions

  • Add Member to Role (Containment) - Add a member (user, service account, or group) to a specific IAM role on a Compute Engine instance to grant access permissions.
  • Create Disk Snapshot (Notification) - Create a snapshot of a persistent disk attached to an instance.
  • Delete Instance (Containment) - Permanently delete a Compute Engine virtual machine instance.
  • Get Instance (Enrichment) - Retrieve detailed information about a specific virtual machine instance.
  • List Instances (Enrichment) - List all virtual machine instances within a project and zone.
  • Remove Member from Role (Containment) - Remove a member from a specific IAM role on a Compute Engine instance to revoke access permissions.
  • Restore Disk from Snapshot (Notification) - Create a new persistent disk from an existing snapshot.
  • Start Instance (Containment) - Start a stopped virtual machine instance.
  • Stop Instance (Containment) - Stop a running virtual machine instance.
  • Update IAM Policy (Containment) - Update the IAM access control policy for a Compute Engine resource.
  • Check Operation Status (Scheduled) - Poll the status of a long-running operation until it reaches completion. Use this action after asynchronous operations such as stopping, starting, or deleting an instance, creating a disk snapshot, or restoring a disk from a snapshot to confirm the operation has finished.

Google Compute Engine Authentication Configuration

Our Google Compute Engine integration supports two types of authentication: Service Account and WIF (Workload Identity Federation). We recommend using WIF since it is more secure and easier to manage. For more information, see Workload Identity Federation.

Required AWS details from Sumo Logic

To configure the Google Compute Engine integration using WIF authentication, you need the following AWS details from Sumo Logic. These details are essential for setting up the Workload Identity Federation (WIF) credentials in Google Cloud:

  • Deployment name is the unique name of your Sumo Logic deployment, for example, dub, fra, etc.
  • Sumo Logic AWS account ID: 926226587429
  • Sumo Logic AWS role: <deployment_name>-csoar-automation-gcpcompute
  • Sumo Logic AWS Lambda function: <deployment_name>-csoar-automation-gcpcompute
  • Full ARN: arn:aws:sts::926226587429:assumed-role/<deployment_name>-csoar-automation-gcpcompute/<deployment_name>-csoar-automation-gcpcompute

Workload Identity Federation (WIF) authentication

To create WIF credentials in Google Cloud needed to configure the Google Compute Engine integration, follow these steps:

  1. Log in to the Google Cloud portal.
  2. Select a Google Cloud project (or create a new one).
  3. Go to API & Services.
  4. Click ENABLED API AND SERVICES and search for the following APIs, then enable them all: Cloud Resource Manager API, IAM Service Account Credentials API, Identity and Access Management (IAM) API, Security Token Service API, and Compute Engine API.
  5. Go to IAM & Admin > Service Accounts.
  6. Click CREATE SERVICE ACCOUNT. A service account is required to access Google Compute Engine.
  7. While creating the service account, in Permissions add the roles Service Account Token Creator and Compute Admin, then click DONE. If your organization prefers least-privilege access, you can create a custom role with only the following permissions instead of Compute Admin: compute.instances.get, compute.instances.list, compute.instances.delete, compute.instances.start, compute.instances.stop, compute.instances.getIamPolicy, compute.instances.setIamPolicy, compute.disks.createSnapshot, compute.snapshots.create, compute.disks.create, and compute.snapshots.useReadOnly.
  8. Go to IAM & Admin > Workload Identity Federation.
  9. Click CREATE POOL, provide the details, and click CONTINUE.
  10. Add Provider details. Select AWS as the provider type and provide the AWS Account ID supplied by Sumo Logic. Click CONTINUE and SAVE.
  11. Confirm the created pool and provider.
  12. Build a principal name to configure in Sumo Logic. The format is: principalSet://iam.googleapis.com/projects/{YourProjectID}/locations/global/workloadIdentityPools/{YourPoolName}/attribute.aws_role/arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}.
  13. Go to IAM & Admin > IAM and click Grant Access to add a new principal.
  14. In the New principals field, enter the principal name from the previous step and select the role Workload Identity User. Click SAVE.
  15. Go to IAM & Admin > Workload Identity Federation and select the pool created above.
  16. Click Grant Access > Grant access using service account impersonation.
  17. Select the service account created above, set the principal as aws_role, and provide the ARN arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}. Click SAVE.
  18. Again click Grant Access > Grant access using service account impersonation. Select the same service account, set the principal as aws_role, and provide the ARN arn:aws:sts::{SumoAWSAccountID}:assumed-role/{SumoAWSRole}/{SumoAWSLambdaFunction}. Click SAVE.
  19. Download the WIF conf.json file. Keep it in a safe place. Use the JSON content to configure the Google Compute Engine integration to use WIF authentication in Automation Service and Cloud SOAR.
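
An added example, not part of the Sumo Logic documentation: a pre-flight check for the downloaded WIF JSON before it is pasted into the integration, plus a helper that assembles the principal name in the step 12 format. The pool, provider, project and service account names in the sample are constructed, and the field names assume the standard Google external-account credential file layout for an AWS provider.

```python
import json

# Constructed sample of a downloaded WIF credential file (all values are placeholders).
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/sumo-pool/providers/sumo-aws",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/soar-gce@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"environment_id": "aws1"},
})

def build_principal(project_id, pool, aws_account_id, aws_role, aws_lambda):
    """Principal name in the format given in step 12."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_id}"
        f"/locations/global/workloadIdentityPools/{pool}/attribute.aws_role/"
        f"arn:aws:sts::{aws_account_id}:assumed-role/{aws_role}/{aws_lambda}"
    )

def check_wif_config(raw, project_number, pool, service_account_email):
    """Return a list of findings; an empty list means the file matches the setup."""
    cfg = json.loads(raw)
    findings = []
    if cfg.get("type") != "external_account":
        findings.append("type is not external_account")
    # A federation file holds no long-lived secret; key material means the wrong file.
    for field in ("private_key", "private_key_id"):
        if field in cfg:
            findings.append(f"unexpected key material: {field}")
    # The audience names the pool by numeric project number.
    prefix = (
        f"//iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool}/providers/"
    )
    if not str(cfg.get("audience", "")).startswith(prefix):
        findings.append("audience does not name the expected pool")
    if (cfg.get("credential_source") or {}).get("environment_id") != "aws1":
        findings.append("credential_source is not AWS")
    suffix = f"/serviceAccounts/{service_account_email}:generateAccessToken"
    if not str(cfg.get("service_account_impersonation_url", "")).endswith(suffix):
        findings.append("impersonation target is not the expected service account")
    return findings
```
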

Service Account authentication

To create service account credentials in Google Cloud needed to configure the Google Compute Engine integration, follow these steps:

  1. Log in to the Google Cloud portal.
  2. Select a Google Cloud project (or create a new one).
  3. Go to API & Services > Credentials.
  4. Click ENABLED API AND SERVICES, search for Compute Engine API, and enable it.
  5. Click CREATE CREDENTIALS and select Service Account.
  6. Enter a service account name. The Google Cloud console generates a service account ID based on this name.
  7. (Optional) Enter a description of the service account.
  8. In the Grant this service account access to project step, add the role Compute Admin, then click DONE to complete the service account creation. If your organization prefers least-privilege access, you can create a custom role with only the following permissions instead of Compute Admin: compute.instances.get, compute.instances.list, compute.instances.delete, compute.instances.start, compute.instances.stop, compute.instances.getIamPolicy, compute.instances.setIamPolicy, compute.disks.createSnapshot, compute.snapshots.create, compute.disks.create, and compute.snapshots.useReadOnly.
  9. Click the generated service account to open the details.
  10. Under the KEYS tab, click ADD KEY and choose Create new key.
  11. Click CREATE (make sure JSON is selected).
  12. The JSON file is downloaded. Keep it in a safe place.
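
An added example, not part of the Sumo Logic documentation: an audit for the least-privilege option described in step 7 of the WIF procedure and step 8 above. It compares a custom role with the permission list on this page and confirms the service account no longer holds Compute Admin. The inputs are assumed to be the JSON forms of a role description and a project IAM policy; the role name, member and sample data are constructed.

```python
import json

# Permissions this page lists as the least-privilege alternative to Compute Admin.
REQUIRED = frozenset({
    "compute.instances.get", "compute.instances.list", "compute.instances.delete",
    "compute.instances.start", "compute.instances.stop",
    "compute.instances.getIamPolicy", "compute.instances.setIamPolicy",
    "compute.disks.createSnapshot", "compute.snapshots.create",
    "compute.disks.create", "compute.snapshots.useReadOnly",
})

MEMBER = "serviceAccount:soar-gce@example-project.iam.gserviceaccount.com"  # constructed
CUSTOM_ROLE = "projects/example-project/roles/soarComputeResponder"         # constructed

# Constructed role: one permission missing, one extra.
SAMPLE_ROLE = json.dumps({"name": CUSTOM_ROLE, "includedPermissions":
    sorted(REQUIRED - {"compute.snapshots.useReadOnly"}) + ["compute.instances.setMetadata"]})
# Constructed policy: the broad role was never removed after the custom one was added.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/compute.admin", "members": [MEMBER]},
    {"role": CUSTOM_ROLE, "members": [MEMBER]},
]})

def role_drift(role_json):
    """Permissions the role has beyond the page's list, and ones it lacks."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"extra": sorted(granted - REQUIRED), "missing": sorted(REQUIRED - granted)}

def roles_for_member(policy_json, member):
    """Roles bound to one member in an IAM policy's bindings."""
    bindings = json.loads(policy_json).get("bindings", [])
    return sorted(b["role"] for b in bindings if member in b.get("members", []))

def audit(role_json, policy_json, member, custom_role):
    """Return findings; an empty list means the least-privilege setup is in place."""
    drift = role_drift(role_json)
    findings = [f"extra permission: {p}" for p in drift["extra"]]
    findings += [f"missing permission: {p}" for p in drift["missing"]]
    roles = roles_for_member(policy_json, member)
    if "roles/compute.admin" in roles:
        findings.append("member still holds roles/compute.admin")
    if custom_role not in roles:
        findings.append("member is not bound to the custom role")
    return findings
```
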

Configure Google Compute Engine in Automation Service and Cloud SOAR

Before you can use this automation integration, you must configure its authentication settings so that the product you're integrating with can communicate with Sumo Logic. For general guidance, see Configure Authentication for Automation Integrations.

How to open the integration's configuration dialog
  1. Access App Central and install the integration. (You can configure at installation, or after installation with the following steps.)
  2. Go to the Integrations page.
    Classic UI. In the main Sumo Logic menu, select Automation and then select Integrations in the left nav bar.
    New UI. In the main Sumo Logic menu, select Automation > Integrations. You can also click the Go To... menu at the top of the screen and select Integrations.
  3. Select the installed integration.
  4. Hover over the resource name and click the Edit button that appears.

In the configuration dialog, enter information from the product you're integrating with. When done, click TEST to test the configuration, and click SAVE to save the configuration:

  • Label. Enter the name you want to use for the resource.

  • Private Key Json. Provide the content of the JSON file generated above. Open the file and copy-paste the whole content in the field.

  • WIF Private Key Json. Provide the content of the Workload Identity Federation JSON file generated above. Open the file and copy-paste the whole content in the field.

  • Project ID. Provide the Google Cloud Project ID where the Compute Engine actions will be performed.

  • Zone. Provide the default Google Cloud zone (for example, us-central1-a) where your Compute Engine instances reside.

  • Automation Engine. Select Cloud execution for this certified integration. Select a bridge option only for a custom integration. See Cloud or Bridge execution.

  • Proxy Options. Select whether to use a proxy. (Applies only if the automation engine uses a bridge instead of cloud execution.)

    • Use no proxy. Communication runs on the bridge and does not use a proxy.
    • Use default proxy. Use the default proxy for the bridge set up as described in Using a proxy.
    • Use different proxy. Use your own proxy service. Provide the proxy URL and port number.

For information about Google Compute Engine, see Google Compute Engine documentation.

Change Log

  • June 8, 2026 (v1.0) - First upload

Copyright © 2026 by Sumo Logic, Inc.