How to configure Google Workspace Alert Center to publish alerts to a PubSub topic?

Question

I'm building a notification system that will notify employees on slack when they take an action that triggers a DLP Rule.

The ideal flow I'm trying to get at is:

Employee takes action > Rule triggered > Alert is published to PubSub topic > Triggers Cloud function that renders the slack message and sends it to the user.

The point where I'm stuck is having the API alert center to publish the alert the to the PubSub topic. I have done something like this in the past with the Gmail API, to publish to the topic when an particular account received an email. And there was a watch request to configure the account to publish to the topic.

I looked through the Alert Center API documentation and haven´t found a watch request or anything that does something similar.

Is there a way to achieve this? Or is this just impossible?

I searched through the Google Alert Center API reference and the Alert Center console for any options to configure publishing to a pubsub topic or a webhook.

Answer 1

After a couple of hours of trial and error I found the solution to this.

We have to update the settings by making and updateSetting, and send a settings object in the body.

Here's some python code to do that using a service account with domain wide delegation:

from google.oauth2 import service_account
from googleapiclient.discovery import build
import json

def main():

    # Authenticate the service account
    scopes = ['https://www.googleapis.com/auth/apps.alerts']
    admin_to_impersonate = '******'
    credentials = service_account.Credentials.from_service_account_file(
        'client_secrets.json', scopes=scopes, subject=admin_to_impersonate
        )
    
    # Build the service
    service = build('alertcenter', 'v1beta1', credentials=credentials)

    settings = {
        'notifications': [
            {
                'cloudPubsubTopic': {
                    'topicName': '<YOUR TOPIC NAME>',
                    'payloadFormat': 'JSON'
                }
            }
        ]
    }

    # Execute a updateSetting request
    response = service.v1beta1().updateSettings(body=settings).execute()
    print(response)

if __name__ == '__main__':
    main()

Answer 2

Thanks Andre, your method worked for me.

For anyone looking to deploy on Cloud Functions or anywhere else where calling a service account key ('client_secrets.json') isn't sufficiently secure, here is how I did it:

First refer to and follow all steps in https://github.com/GoogleCloudPlatform/professional-services/blob/e79c75a14eb20640afbcab3ee110eccdd8378720/examples/gce-to-adminsdk/README.md. Ignore the bits about admin group read privileges, instead create a custom admin role with All Access to the Alert Center, assign it to the dummy user account.

Make sure your VPC subnet has Private Google Access enabled (or at least has some connectivity to the Alert Center endpoint.) I allowed internal traffic only in the Cloud Function and tested using a compute instance in the same subnet to curl it.

lastly, for whatever reason, from googleapiclient.discovery import build caused deployment errors in Cloud Functions. You can use from googleapiclient import discovery and change the build() to discovery.build().