GCP Integration

Grant Suger the necessary access to manage your GCP Marketplace on hour behalf, no more no less.


To sell on GCP Marketplace, you must sign up to become a Google Cloud Build partner and Google Cloud Marketplace vendor. There are several requirements to meet before you can list products/services on Google Cloud Marketplace. More details can be found here.

Once your organization is approved as a Google Cloud Marketplace vendor and integrate with Suger, all product listing, private offers, entitlements & metering on GCP Marketplace can be managed in Suger platform on your behalf.


Suger relies on workooad identity federation to get access to integrate & manage your GCP Marketplace. Follow the steps below to prepare resources required for Suger integration.

  1. Enable Workload Identity Federation on GCP Project. Enable the following APIs before we can configure Workload Identity Federation. Here is the quick link. More details can be found in the official guideline.
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API
    • IAM Service Account Credentials API
    • Security Token Service API
    • Service Control API
    • Cloud Commerce Consumer Procurement API
  2. Create a Workload Identity Pool. This pool is used by Suger AWS account as an external identity provider, to impersonate a Service Account and access resources on your Google Cloud Marketplace. Here is the official guideline. You can name the Workload Identity Pool with suger-wip.
  3. Add Suger AWS as Identity Provider. Get the Suger AWS Account ID from inquerying support@suger.io and add it as Identity Provider to the Workload Identity Pool (created in Step 2). You can name the Identity Provider with suger-aws-ip.
  1. Create a Service Account. Follow the guideline to create a Service Account to let Suger AWS Account impersonate. You can name the Service Account with suger. Grant the Service Account with all IAM roles listed below:
    • Editor of the GCP Project
    • Commerce Producer Admin
    • Commerce Price Management Private Offers Admin
    • Consumer Procurement Entitlement Manager
    • Consumer Procurement Order Administrator
    • Service Controller
    • Pub/Sub Admin
  2. Link Service Account to GCP Producer Portal. To access all of the information on the marketplace, the Service Account needs to be linked within your GCP Producer Portal. The direct link to Producer Portal is https://console.cloud.google.com/producer-portal?project=YOUR_PROJECT_ID. Follow the official guideline to allow the Service Account to access Billing Integration, call Procurement API and subscribe to Pub/Sub topic.
  3. Connect Service Account with Workload Identity Pool. This step allows Suger to impersonate the Service Account via the Workload Identity Federation. Go to the details page of the Workload Identity Pool (created in Step 2), click GRANT ACCESS , select the Service Account (created in Step 4) and save.
  • After saving Grant access to service account, there will be a dialog pop-up, as shown below. Select the Identity Provider (created in Step 3).
  • Download config json with content like:
    {     "type": "external_account",     "audience": "//iam.googleapis.com/projects/***/locations/global/workloadIdentityPools/***/providers/***",     "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",     "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***@***.iam.gserviceaccount.com:generateAccessToken",     "token_url": "https://sts.googleapis.com/v1/token",     "credential_source": {          "environment_id": "aws1",          "region_url": "",          "url": "",          "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"     }}

Create Integration

Click the button CONNECT and fill the dialog of GCP integration on Suger Console with info below.

  • GCP Project ID.
  • GCP Project Number.
  • Workload Identity Pool ID: The ID of the Workload Identity Pool created in Step 2.
  • Identity Provider ID: The ID of the Identity Provider created in Step 3.
  • Service Account Email: The email of Service Acccount created in Step 4.
  • Marketplace Partner/Provider ID: The Partner/Provider ID is assigned when your business gets approved to access GCP Marketplace Producer Portal. Often it is same as the Project ID.

Edit Integration

Editing an existing GCP integration is not supported. The practical way is to delete it and then re-connect it with new inputs.

Delete Integration

The GCP integration can be deleted like all other integrations. Once the deletion is triggered, all integration info will be deleted immediately & permanently from Suger. No time window or methods to recover.