Google Cloud Platform

Requirements

Identity Security Insights requires a service account to access information in your Google Cloud Platform organization.

A service account can be created manually in the Google Cloud Console, or with the Google Cloud Shell commands provided by Identity Security Insights.

Manually configure a Google Cloud Platform connector

Create a new project

  1. Within the Google Cloud Console, click the project selector in the top navigation bar, and select your organization.
  2. In the project window, click New Project.
  3. Enter a human-readable name for your project.
  4. Click Create.

Enable required services

  1. From your new project's navigation menu, go to APIs & Services > Library.
  2. Search for and enable the following APIs:
    • Cloud Asset API
    • Cloud Logging API
    • Cloud Resource Manager API

Note: Ensure all projects within your organization have the same APIs enabled.

Create a service account

  1. From the navigation menu, go to IAM & Admin > Service Accounts.
  2. Click Create Service Account.
    • Enter a human-readable display name for your new service account.
    • Enter a unique service account ID.
  3. The Google Cloud console will generate an email address for this service account. This email address will be required in the next step.
  4. When finished, click Done.

Assign service account roles

  1. In the top navigation toolbar, click the project selector, and select your organization.
  2. Navigate to IAM & Admin > IAM, and click Grant Access.
  3. In the New principals field, enter the service account email generated by Google Cloud.
  4. Under Assign roles, select the following roles:
    • Cloud Asset Viewer
    • Security Reviewer
  5. When finished, click Save.

Generate a key for the service account

  1. In the top navigation toolbar, click the project selector, and select your new project.
  2. From the navigation menu, go to IAM & Admin > Service Accounts, and select the created service account.
  3. Click the Keys tab.
  4. Click Add Key > Create new key.
    • Select JSON as the key type.
    • Click Create.
  5. A new key will be automatically downloaded to your local system. Ensure you keep the downloaded JSON key in a secure location.

Create the Google Cloud Platform Connector

  1. Within the Insights Tenant dashboard, navigate to Menu > Connectors > Available and click Create Connector beside Google Cloud Platform.
  2. In the connection panel, enter a human-readable name for your GCP Connector.
  3. Select Manual Configuration from the installation method drop-down menu.
  4. Provide the following information about your service account:
    • Organization ID: Your organization ID can be found in the Google Cloud Console by selecting your organization from the drop-down menu, and navigating to IAM & Admin > Settings.
    • Service Account Key: The JSON key created for your service account.
  5. Click Create Connector.

Navigate to the Configured Connectors panel (Menu > Connectors > Configured) to confirm that connector creation was successful and review any connector settings.

Create a GCP connector with Google Cloud Shell

Create the Google Cloud Platform Connector

  1. Within the Insights Tenant dashboard, navigate to Menu > Connectors > Available and click Create Connector beside Google Cloud Platform.
  2. In the connection panel, enter a human-readable name for your GCP Connector.
  3. Select Google Cloud Shell from the installation method drop-down menu.

Configure Google Cloud Platform

  1. In a new window, sign into Google Cloud Platform Console.
  2. Click Activate Cloud Shell in the upper-right navigation menu to open the command line interface.

Note: If you are prompted to authorize an action after running a command, authorize it. The command may need to be re-run after authorization.

Retrieve the organization ID

  1. Run the following command to retrieve your organization ID:

gcloud organizations list

  2. Paste your organization ID in the Organization ID field in Identity Security Insights.

Create a new project

Run the following command to create a new project, replacing <Project_ID> with a unique ID of your choosing:

gcloud projects create <Project_ID>

Set the current project

Run the following command to set your current project, replacing <Project_ID> with the ID you created:

gcloud config set project <Project_ID>

Enable required services

Run the following command to enable necessary Google Cloud services:

project_ids=$(gcloud projects list --format json | jq -r '.[].projectId')
for project_id in $project_ids; do
  gcloud services enable cloudresourcemanager.googleapis.com --project "$project_id"
  gcloud services enable cloudasset.googleapis.com --project "$project_id"
  gcloud services enable logging.googleapis.com --project "$project_id"
done

This command enables the following APIs for all projects:

  • Cloud Asset API
  • Cloud Logging API
  • Cloud Resource Manager API

Create a service account

Run the following command to create a new service account, replacing <Service_account_ID> with a unique ID:

gcloud iam service-accounts create <Service_account_ID>

Assign service account roles

Run the following command to assign necessary roles to your new service account, replacing <Organizations_ID>, <Service_account_ID>, and <Project_ID> with the values set in earlier steps:

gcloud organizations add-iam-policy-binding <Organizations_ID> --role 'roles/iam.securityReviewer' --member serviceAccount:<Service_account_ID>@<Project_ID>.iam.gserviceaccount.com
gcloud organizations add-iam-policy-binding <Organizations_ID> --role 'roles/cloudasset.viewer' --member serviceAccount:<Service_account_ID>@<Project_ID>.iam.gserviceaccount.com

Generate a key for the service account

  1. Run the following command to generate a new JSON key and print it, replacing <Service_account_ID> and <Project_ID> with the values set in earlier steps:

gcloud iam service-accounts keys create key.json --iam-account <Service_account_ID>@<Project_ID>.iam.gserviceaccount.com
cat key.json

  2. Copy the full JSON output, and paste it in the Service Account Key field in Identity Security Insights. Once pasted, delete key.json from your Cloud Shell home directory, which persists between sessions.
  3. When finished, click Create Connector.

Navigate to the Configured Connectors panel (Menu > Connectors > Configured) to confirm that connector creation was successful and review any connector settings.
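As an added example (not part of the BeyondTrust documentation), a small Python check a practitioner can run after either procedure above: it confirms the JSON key belongs to a service account in the expected project, and that the organization IAM policy (the parsed output of `gcloud organizations get-iam-policy <Organizations_ID> --format json`) grants that account exactly the two roles required and nothing broader. The sample key and policy are constructed; the project, account and user names are placeholders.

```python
import json

# Roles the connector needs at the organization level (from the steps above).
REQUIRED_ROLES = {"roles/iam.securityReviewer", "roles/cloudasset.viewer"}


def check_key(key: dict, project_id: str) -> list[str]:
    """Return problems found in a service-account key file (empty list = OK)."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("key type is not 'service_account'")
    email = key.get("client_email", "")
    if not email.endswith(f"@{project_id}.iam.gserviceaccount.com"):
        problems.append(f"client_email {email!r} does not belong to project {project_id}")
    if not key.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is missing or not a PEM block")
    return problems


def check_policy(policy: dict, sa_email: str) -> tuple[set[str], set[str]]:
    """Return (missing_roles, extra_roles) for the service account in an org IAM policy."""
    member = f"serviceAccount:{sa_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return REQUIRED_ROLES - granted, granted - REQUIRED_ROLES


# Constructed sample inputs: placeholder names, not a real key or policy.
SAMPLE_KEY = json.loads("""{
  "type": "service_account",
  "project_id": "insights-connector",
  "client_email": "insights-sa@insights-connector.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n"
}""")
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.securityReviewer",
     "members": ["serviceAccount:insights-sa@insights-connector.iam.gserviceaccount.com"]},
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:insights-sa@insights-connector.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:insights-sa@insights-connector.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}""")

if __name__ == "__main__":
    print("key problems:", check_key(SAMPLE_KEY, "insights-connector"))
    missing, extra = check_policy(SAMPLE_POLICY, SAMPLE_KEY["client_email"])
    print("missing roles:", missing, "| roles beyond the two required:", extra)
```

With the constructed policy the check reports no missing roles but flags roles/editor as an extra grant that should be removed to keep the connector account at the two read-only roles.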


©2003-2025 BeyondTrust Corporation. All Rights Reserved.