Google IAM Streaming Configuration

Steps to Enable Data Streaming for Google IAM

Create OAuth2 Credentials

Create a project in Google Cloud Console:
1. Go to the Google Cloud Console.
2. Create a new project or select an existing project.
Enable the Admin SDK:
1. In the Google Cloud Console, navigate to the APIs & Services > Library.
2. Search for Admin SDK and click on it.
3. Click the Enable button to enable the Admin SDK API for your project.
Create OAuth 2.0 Credentials:
1. In the Google Cloud Console, go to APIs & Services > Credentials.
2. Click Create credentials and select Service account.
3. Enter a name in the Service account name field and click CREATE CREDENTIALS.
4. Under Grant this service account access to the project, select role as Owner and click DONE.
5. Select the newly created service account and click Keys > Add Key > Create new key.
6. Make sure the key type is set to json and click CREATE.
7. The new private key pair is generated and downloaded to the machine. Note the values of private_key, client_email, and client_id.

Delegate domain-wide authority to your service account

From your domain's Admin console, go to Main menu > Security > Access and data control > API controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the client ID obtained from the service account creation steps above.
In the OAuth Scopes field, enter a comma-delimited list of the scopes required for the application.
Use the below scopes:
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.domain.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.rolemanagement.readonl y
- https://www.googleapis.com/auth/admin.reports.audit.readonly
Click Authorize.

Steps to Enable Data Streaming for Google Iam

Go to the Data Sources section under Administration.
From the Data Sources page, select Google iam from the list of available data sources.
In the Scan Configurations list, create a New Configuration.
Make sure the connection has a Name and Credentials set then click on Data streaming toggle and click Save & Close to finalize the changes.
Clock icon: When data streaming is being activated, the Requested status will appear, indicating that the subscription is being processed. Once the subscription is activated, this status will change to On.
After enabling Data Streaming, the system will automatically handle the subscription to Google Iamʼs real-time events. There is no need to manually configure Webhooks.

Monitoring Real-Time Events

After the subscription is activated, real-time events will start flowing into the platform, and can be monitored from the relevant parts of the platform.

Viewing Events in the Live Events Section

Go to the Live Events section under Administration to view a detailed audit log of all streaming events.
Filter by source to get only Google IAM events.

Monitoring Extended Streaming Events

Once extended streaming is enabled, events will be available for monitoring in multiple sections of the platform:

Live Events Section

Go to Live Events under Administration to view real-time extended events.
Use the filter options to narrow down events to only Google IAM activities.