Google Cloud Platform (GCP)
Description
The Google Cloud Platform connector recursively discovers and scans IAM policy bindings across an entire Google Cloud organization — the organization itself, every folder and sub-folder beneath it, and every project under any of those folders (or directly under the org) — plus the IAM service accounts within each discovered project. It authenticates using a service account with a private key via the OAuth 2.0 JWT bearer flow — no GCP SDK installation is required on the OrbisID server.
This connector replaces the earlier separate "GCP" (single-project) and "Google Cloud IAM" (org-level only, no project drill-down) connectors, which left a gap: neither one alone gave full visibility into an organization's access without manually adding a system per project.
System Type Classification
| Field | Value |
|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
Google Cloud Platform scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|
| Google Cloud REST API (HTTPS + OAuth 2.0 JWT) | 443 TCP | Cloud Resource Manager and IAM endpoints |
What OrbisID Discovers
| Data | Source |
|---|
| Organization IAM policy bindings | POST /v3/organizations/{orgId}:getIamPolicy |
| Every folder and sub-folder under the organization | GET /v3/folders?parent=organizations/{orgId} (recursive) |
| Folder IAM policy bindings | POST /v3/folders/{folderId}:getIamPolicy (per folder) |
| Every project under the org or any folder | GET /v3/projects?parent=... (recursive) |
| Project IAM policy bindings | POST /v1/projects/{projectId}:getIamPolicy (per project) |
| Service accounts per project | GET /v1/projects/{projectId}/serviceAccounts |
| IAM members by type | user:, serviceAccount:, group:, domain: prefixes extracted from bindings at every level |
Privileged Roles Detected
roles/owner, roles/editor, roles/iam.securityAdmin, roles/iam.roleAdmin, roles/resourcemanager.organizationAdmin, roles/resourcemanager.folderAdmin, roles/resourcemanager.projectIamAdmin, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator, roles/iam.serviceAccountKeyAdmin, roles/billing.admin, roles/compute.admin, roles/storage.admin, roles/bigquery.admin, roles/cloudsql.admin, roles/container.admin, roles/orgpolicy.policyAdmin
Connection Requirements
GCP Service Account
Create a dedicated service account and grant it organization-level IAM read access — this single grant covers discovery at every level (org, folders, projects) since IAM read permissions granted at the organization are inherited down the resource hierarchy.
Required IAM permissions at the organization level:
| Permission | Purpose |
|---|
resourcemanager.organizations.getIamPolicy | Read the organization IAM policy |
resourcemanager.folders.list | Enumerate folders and sub-folders |
resourcemanager.folders.getIamPolicy | Read IAM policies on folders |
resourcemanager.projects.list | Enumerate projects under the org and each folder |
resourcemanager.projects.getIamPolicy | Read IAM policies on projects |
iam.serviceAccounts.list | List service accounts within each project |
Recommended role: roles/iam.securityReviewer at the organization level — it includes all of the permissions above.
Steps to create the service account:
- In the GCP Console, navigate to APIs & Services → Library on the service account's own project, and Enable both the Cloud Resource Manager API and the IAM API. This is required independently of the organization-level role grant below — without it, every call (including folder/project discovery) fails with
403: ... API has not been used in project ... or it is disabled.
- Navigate to IAM & Admin → Service Accounts
- Click Create Service Account — name it (e.g.,
orbisid-org-scanner)
- At the Organization level in IAM (not the project level), grant this service account the
Security Reviewer role
- Under the service account, click Manage Keys → Add Key → Create new key → JSON
- Download the JSON key file — extract the
private_key and private_key_id fields
Credential Mapping
| OrbisID Field | GCP Value |
|---|
credential.username | Service account email (e.g., orbisid-org-scanner@project-id.iam.gserviceaccount.com) |
credential.password | Service account private key (PEM format — the private_key field from the JSON key file) |
credential.domain | Private key ID (the private_key_id field from the JSON key file, optional) |
System Attributes
| Attribute | Required | Description |
|---|
googleCloudOrgId | Yes | The numeric Google Cloud organization ID to scan (e.g., 123456789012), found in IAM & Admin → Settings or via gcloud organizations list |
Network Requirements
| Requirement | Detail |
|---|
| Outbound HTTPS | OrbisID server (or On-Premise Agent) must reach oauth2.googleapis.com, cloudresourcemanager.googleapis.com, and iam.googleapis.com on port 443 |
Configuration Steps
- Create the GCP service account and grant Security Reviewer at the organization level
- Download the JSON key file and extract the
private_key (PEM) and private_key_id
- Create a Credential in OrbisID:
- Username: Service account email
- Password: Private key PEM (include the full
-----BEGIN RSA PRIVATE KEY----- block)
- Domain: Private key ID (optional)
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|
| Name | Descriptive name (e.g., GCP – my-org) |
| Hostname | cloudresourcemanager.googleapis.com (used for reference) |
| OS Type | Google Cloud Platform (GCP) |
| System Type | Infrastructure |
| Credential | The GCP service account credential |
- Set the Google Cloud Organization ID attribute to the numeric organization ID
- Click Test Connection to verify the service account can obtain a token
- Click Save
One system covers the whole organization — there is no need to add a separate system per project. The scanner walks every folder and project under the org automatically on each scan.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|
| Scan fails: "Google Cloud organization ID is required" | googleCloudOrgId attribute not set | Set the Google Cloud Organization ID attribute on the system |
401 Unauthorized / token error | Invalid private key PEM or service account email | Verify the PEM includes the full key block; ensure the service account email is correct |
403 PERMISSION_DENIED on org/folder/project policy | Missing IAM permissions at the organization level | Grant roles/iam.securityReviewer (or the individual permissions listed above) at the organization, not project, level |
403 — "Cloud Resource Manager API has not been used in project ... or it is disabled" | Cloud Resource Manager API not enabled on the service account's own GCP project | Visit the URL in the error message (or APIs & Services → Library in the GCP Console) and click Enable; wait a minute or two, then retest |
403 — "IAM API has not been used in project ... or it is disabled" | IAM API not enabled on the service account's own GCP project (blocks service account enumeration) | Enable the IAM API on the same project via APIs & Services → Library |
"Service account enumeration skipped" — 403 Request had insufficient authentication scopes / ACCESS_TOKEN_SCOPE_INSUFFICIENT | Fixed in this connector — earlier versions requested only the cloud-platform.read-only OAuth scope, which the IAM API does not accept for serviceAccounts.list (unlike the Cloud Resource Manager API) | Upgrade to the current connector version, which also requests the iam scope; no GCP-side configuration change needed |
invalid_grant error | Private key ID mismatch or key revoked | Re-download the JSON key file; verify the key is active in the GCP Console |
| Some projects missing from results | Service account lacks org-level inheritance, or a project denies inherited IAM policies | Confirm the role was granted at the organization level; check for IAM deny policies on the affected project |
| Connection timeout | GCP API endpoints blocked | Ensure outbound HTTPS access to *.googleapis.com on port 443 |
| System was migrated from an old "GCP" connector and now fails immediately | The old project-only connector never stored an organization ID | Set the Google Cloud Organization ID attribute — this is a one-time manual step after upgrading |