GCP (Google Cloud Platform)
Description
The GCP connector uses the Google Cloud IAM REST API and Cloud Resource Manager API to discover service accounts and IAM role bindings within a GCP project. It authenticates using a service account with a private key via the OAuth 2.0 JWT bearer flow — no GCP SDK installation is required on the OrbisID server.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
GCP scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| Google Cloud REST API (HTTPS + OAuth 2.0 JWT) | 443 TCP | IAM and Resource Manager endpoints |
What OrbisID Discovers
| Data | Source |
|---|---|
| Service accounts | GET https://iam.googleapis.com/v1/projects/{id}/serviceAccounts |
| Project IAM policy | POST https://cloudresourcemanager.googleapis.com/v1/projects/{id}:getIamPolicy |
| Privileged role bindings | roles/owner, roles/editor, roles/iam.securityAdmin, roles/iam.roleAdmin, roles/resourcemanager.projectIamAdmin, roles/iam.serviceAccountAdmin |
| IAM members (users, service accounts) | Extracted from policy bindings per role |
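An added example (not OrbisID's own code) covering the two pieces described in this section and in the Description above: the claim set and signing input of the OAuth 2.0 JWT bearer assertion that the service account's private key signs, and extraction of the members holding the privileged roles listed in the table from a `getIamPolicy` response. The OAuth scope and the sample policy are assumptions constructed for the example; RS256 signing and the HTTP calls are left out so it runs offline.

```python
import base64
import json

# Fixed by the OAuth 2.0 JWT bearer flow for Google service accounts.
TOKEN_URI = "https://oauth2.googleapis.com/token"
# Assumption: the page does not state which scope OrbisID requests.
SCOPE = "https://www.googleapis.com/auth/cloud-platform.read-only"
# Privileged roles exactly as listed on this page.
PRIVILEGED_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin", "roles/iam.roleAdmin",
    "roles/resourcemanager.projectIamAdmin", "roles/iam.serviceAccountAdmin",
}

def b64url(data):
    """Base64url without '=' padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_signing_input(sa_email, now):
    """Claim set plus the 'header.claims' string the private_key PEM RS256-signs (signing omitted)."""
    claims = {"iss": sa_email, "scope": SCOPE, "aud": TOKEN_URI,
              "iat": now, "exp": now + 3600}  # one hour is the longest lifetime Google accepts
    header = {"alg": "RS256", "typ": "JWT"}
    parts = [b64url(json.dumps(h, separators=(",", ":")).encode()) for h in (header, claims)]
    return claims, ".".join(parts)

def privileged_members(policy):
    """Map each member holding a privileged role to those roles; 'deleted:' members are kept so stale bindings surface."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in PRIVILEGED_ROLES:
            continue
        for member in binding.get("members", []):
            found.setdefault(member, set()).add(binding["role"])
    return found

# Constructed sample getIamPolicy response; not from any real project.
SAMPLE_POLICY = {"version": 1, "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:build@my-project-123.iam.gserviceaccount.com",
        "deleted:serviceAccount:old@my-project-123.iam.gserviceaccount.com?uid=1234"]},
    {"role": "roles/viewer", "members": ["group:readers@example.com"]},
]}

if __name__ == "__main__":
    for member, roles in sorted(privileged_members(SAMPLE_POLICY).items()):
        print(member, sorted(roles))
```

A binding whose member starts with `deleted:` points at a principal that no longer exists and is worth cleaning up, which is why the function does not filter it out.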
Connection Requirements
GCP Service Account
OrbisID authenticates as a GCP service account using the private key (PEM format) contained in the account's JSON key file. Create a dedicated service account for scanning rather than reusing an existing one.
Recommended IAM roles for the scanning service account:
| Role | Purpose |
|---|---|
| roles/iam.securityReviewer | Read IAM policies and service accounts |
Or grant individual permissions:
| Permission | Purpose |
|---|---|
| iam.serviceAccounts.list | List service accounts in the project |
| resourcemanager.projects.getIamPolicy | Read the project IAM policy |
Steps to create the service account:
- In the GCP Console, navigate to IAM & Admin → Service Accounts
- Click Create Service Account — name it (e.g., `orbisid-scanner`)
- Grant the service account the Security Reviewer role on the project
- Click Manage Keys → Add Key → Create new key → JSON
- Download the JSON key file — extract the `private_key` and `private_key_id` fields
Credential Mapping
| OrbisID Field | GCP Value |
|---|---|
| credential.username | Service account email (e.g., orbisid-scanner@project-id.iam.gserviceaccount.com) |
| credential.password | Service account private key (PEM format — the `private_key` field from the JSON key file) |
| credential.domain | Private key ID (the `private_key_id` field from the JSON key file, optional) |
System Attributes
| Attribute | Required | Description |
|---|---|---|
| gcpProjectId | Yes | The GCP project ID to scan (e.g., my-project-123) |
Network Requirements
| Requirement | Detail |
|---|---|
| Outbound HTTPS | OrbisID server (or On-Premise Agent) must reach oauth2.googleapis.com, iam.googleapis.com, and cloudresourcemanager.googleapis.com on port 443 |
Configuration Steps
- Create the GCP service account and grant Security Reviewer on the project
- Download the JSON key file and extract the `private_key` (PEM) and `private_key_id`
- Create a Credential in OrbisID:
  - Username: Service account email
  - Password: Private key PEM (include the full `-----BEGIN RSA PRIVATE KEY-----` block)
  - Domain: Private key ID (optional)
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., GCP – my-project-123) |
| Hostname | iam.googleapis.com (used for reference) |
| OS Type | GCP |
| System Type | Infrastructure |
| Credential | The GCP service account credential |
- Add the `gcpProjectId` system attribute with the GCP project ID
- Click Test Connection to verify the service account credentials
- Click Save
To scan multiple GCP projects, add a separate OrbisID target system for each project. You can reuse the same service account credential if the service account has access to multiple projects, or create separate service accounts per project.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Scan fails: "GCP project ID is required" | gcpProjectId attribute not set | Add gcpProjectId in system attributes |
| 401 Unauthorized / token error | Invalid private key PEM or service account email | Verify the PEM includes the full key block; ensure the service account email is correct |
| 403 Permission Denied | Insufficient IAM permissions | Grant roles/iam.securityReviewer or the individual permissions listed above |
| invalid_grant error | Private key ID mismatch or key revoked | Re-download the JSON key file; verify the key is active in the GCP Console |
| No service accounts returned | Wrong project ID | Verify gcpProjectId matches the GCP project you intend to scan |
| Connection timeout | GCP API endpoints blocked | Ensure outbound HTTPS access to *.googleapis.com on port 443 |