Google Pub/Sub Destination (Beta)

Configuring Google Pub/Sub as an alert destination in your Panther Console

Overview

The Pub/Sub alert destination is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring a Google Pub/Sub topic as the destination where you will receive alerts.

How to set up Google Pub/Sub alert destinations in Panther

Step 1: Create required Google Cloud Platform (GCP) infrastructure

To enable Panther to publish alerts as messages to a Pub/Sub topic, you'll need a topic (either new or existing) and a credentials file. Panther supports authenticating to GCP using either Google Cloud Workload Identity Federation or a service account.

If you do not already have one, create a Pub/Sub topic for the notifications.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
Enable the IAM API.
Create a new Google Cloud service account. To create the account using the gcloud CLI tool, use the following command format:
```
gcloud iam service-accounts create SA-NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"
```
- Make sure to take note of the account email address, as Panther will use this to access the infrastructure created for this GCS integration.
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  pubsub.topics.publish
  roles/pubsub.publisher
  topic-name
  - Note: You can set conditions or IAM policies on permissions for specific resources. This can be done either in the IAM page of the service account (as seen in the example screenshot below) or in the specific resource's page.
  - Note: You can create the permissions using the gcloud CLI tool:
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/pubsub.publisher"
Generate a JSON key file for the service account, which will be used in Panther to authenticate to the GCP infrastructure.
- To create a JSON key file using the gcloud CLI tool, run the following command format: gcloud iam service-accounts keys create $KEYFILE_PATH --iam-account=$SERVICE_ACCOUNT_EMAIL
- Alternative: You can run the above command in GCP's terminal instead of locally:
  1. Click the 3 dots icon menu in the top right, then click Download.
  2. Click the folder icon for Browse.
  3. Navigate to the key file and select it, then click Download.

If you do not already have one, create a Pub/Sub topic for the notifications.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
Enable the IAM API.
Configure Workload Identity Federation with AWS:
1. As you are defining an attribute mapping(s) and condition, take note of the following examples:
  - Example attribute mappings:
    Google
    AWS
    google.subject
    assertion.arn.extract('arn:aws:sts::{account_id}:')+":"+assertion.arn.extract('assumed-role/{role_and_session}').extract('/{session}')
    attribute.account
    assertion.account
    The value of the google.subject attribute cannot exceed 127 characters. You may use Common Expression Language (CEL) expressions to transform or combine attributes from the token issued by AWS. The expression suggested above takes this into account and is an attempt at "distilling" the arn to a value that uniquely identifies Panther entities. For more information regarding the AWS attributes check "Example 2 - Called by user created with AssumeRole" from this page.
  - Example attribute condition: attribute.account=="<PANTHER_AWS_ACCOUNT_ID>"
2. When you are adding a provider to your identity pool, select AWS.
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  Permissions required
  Role
  Scope
  pubsub.topics.publish
  roles/pubsub.publisher
  topic-name
  - Note: You can create the permissions using the gcloud CLI tool, where the $PRINCIPAL_ID may be something like: principalSet://iam.googleapis.com/projects/<THE_ACTUAL_GOOGLE_PROJECT_NUMBER>/locations/global/workloadIdentityPools/<THE_ACTUAL_POOL_ID>/attribute.account/<THE_ACTUAL_PANTHER_AWS_ACCOUNT_ID>
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/pubsub.publisher"
Download the credential configuration file, which will be used in Panther to authenticate to the GCP infrastructure.
- To generate a credential configuration file using the gcloud CLI tool, use the following command format: gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID --aws --output-file=config.json

Step 2: Configure the Google Pub/Sub alert destination in Panther

In the Panther Console, navigate to Configure > Alert Destinations.
Click + Add your first Destination.
- If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
Click Google Pub/Sub.
Fill in the form to configure the Google Pub/Sub destination:
- Display Name: Enter a descriptive name.
- Project ID: Enter the ID of your project.
- File Upload: Add the key file or credential configuration file you generated in Step 1.
- Topic ID: Enter the ID of your topic.
- Severity: Select the severity level of alerts to send to this Destination.
- Alert Types: Select the alert types to send to this Destination.
- Log Types: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.
Click Add Destination.
Click Finish Setup to complete your setup, or click Send Test Alert to test your setup.

Additional Information on Destinations

For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.

PreviousGitHub Destination NextIncident.io Destination

Last updated 11 hours ago

Was this helpful?

Overview

The Pub/Sub alert destination is in open beta starting with Panther version 1.112, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

How to set up Google Pub/Sub alert destinations in Panther

Step 1: Create required Google Cloud Platform (GCP) infrastructure

If you do not already have one, create a Pub/Sub topic for the notifications.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
Enable the IAM API.
Create a new Google Cloud service account. To create the account using the gcloud CLI tool, use the following command format:
```
gcloud iam service-accounts create SA-NAME \
    --description="DESCRIPTION" \
    --display-name="DISPLAY_NAME"
```
- Make sure to take note of the account email address, as Panther will use this to access the infrastructure created for this GCS integration.
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  pubsub.topics.publish
  roles/pubsub.publisher
  topic-name
  - Note: You can set conditions or IAM policies on permissions for specific resources. This can be done either in the IAM page of the service account (as seen in the example screenshot below) or in the specific resource's page.
  - Note: You can create the permissions using the gcloud CLI tool:
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" --role="roles/pubsub.publisher"
Generate a JSON key file for the service account, which will be used in Panther to authenticate to the GCP infrastructure.
- To create a JSON key file using the gcloud CLI tool, run the following command format: gcloud iam service-accounts keys create $KEYFILE_PATH --iam-account=$SERVICE_ACCOUNT_EMAIL
- Alternative: You can run the above command in GCP's terminal instead of locally:
  1. Click the 3 dots icon menu in the top right, then click Download.
  2. Click the folder icon for Browse.
  3. Navigate to the key file and select it, then click Download.

If you do not already have one, create a Pub/Sub topic for the notifications.
- You can create a topic using the gcloud CLI tool with the following command format: gcloud pubsub topics create $TOPIC_ID
Enable the IAM API.
Configure Workload Identity Federation with AWS:
1. As you are defining an attribute mapping(s) and condition, take note of the following examples:
  - Example attribute mappings:
    Google
    AWS
    google.subject
    assertion.arn.extract('arn:aws:sts::{account_id}:')+":"+assertion.arn.extract('assumed-role/{role_and_session}').extract('/{session}')
    attribute.account
    assertion.account
    The value of the google.subject attribute cannot exceed 127 characters. You may use Common Expression Language (CEL) expressions to transform or combine attributes from the token issued by AWS. The expression suggested above takes this into account and is an attempt at "distilling" the arn to a value that uniquely identifies Panther entities. For more information regarding the AWS attributes check "Example 2 - Called by user created with AssumeRole" from this page.
  - Example attribute condition: attribute.account=="<PANTHER_AWS_ACCOUNT_ID>"
2. When you are adding a provider to your identity pool, select AWS.
Assign the required IAM roles to the account.
- The following permissions are required for the project where the Pub/Sub subscription and topic lives:
  Permissions required
  Role
  Scope
  pubsub.topics.publish
  roles/pubsub.publisher
  topic-name
  - Note: You can set conditions or IAM policies on permissions for specific resources. This can be done either in the IAM section in GCP (as seen in the example screenshot below) or in the specific resource's page.
  - Note: You can create the permissions using the gcloud CLI tool, where the $PRINCIPAL_ID may be something like: principalSet://iam.googleapis.com/projects/<THE_ACTUAL_GOOGLE_PROJECT_NUMBER>/locations/global/workloadIdentityPools/<THE_ACTUAL_POOL_ID>/attribute.account/<THE_ACTUAL_PANTHER_AWS_ACCOUNT_ID>
    gcloud projects add-iam-policy-binding $PROJECT_ID --member="$PRINCIPAL_ID" --role="roles/pubsub.publisher"
Download the credential configuration file, which will be used in Panther to authenticate to the GCP infrastructure.
- To generate a credential configuration file using the gcloud CLI tool, use the following command format: gcloud iam workload-identity-pools create-cred-config projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$PROVIDER_ID --aws --output-file=config.json

Step 2: Configure the Google Pub/Sub alert destination in Panther

In the Panther Console, navigate to Configure > Alert Destinations.

Click + Add your first Destination.

If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.

Click Google Pub/Sub.

Fill in the form to configure the Google Pub/Sub destination:

Display Name: Enter a descriptive name.
Project ID: Enter the ID of your project.
File Upload: Add the key file or credential configuration file you generated in Step 1.
Topic ID: Enter the ID of your topic.
Severity: Select the severity level of alerts to send to this Destination.
Alert Types: Select the alert types to send to this Destination.
Log Types: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.

Click Add Destination.

Click Finish Setup to complete your setup, or click Send Test Alert to test your setup.