Skip to main content

Google Cloud Platform (GCP)

Description

The Google Cloud Platform connector recursively discovers and scans IAM policy bindings across an entire Google Cloud organization — the organization itself, every folder and sub-folder beneath it, and every project under any of those folders (or directly under the org) — plus the IAM service accounts within each discovered project. It authenticates using a service account with a private key via the OAuth 2.0 JWT bearer flow — no GCP SDK installation is required on the OrbisID server.

This connector replaces the earlier separate "GCP" (single-project) and "Google Cloud IAM" (org-level only, no project drill-down) connectors, which left a gap: neither one alone gave full visibility into an organization's access without manually adding a system per project.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

Google Cloud Platform scanning requires a Pro or Enterprise licence.

Supported Protocol

ProtocolPortNotes
Google Cloud REST API (HTTPS + OAuth 2.0 JWT)443 TCPCloud Resource Manager and IAM endpoints

What OrbisID Discovers

DataSource
Organization IAM policy bindingsPOST /v3/organizations/{orgId}:getIamPolicy
Every folder and sub-folder under the organizationGET /v3/folders?parent=organizations/{orgId} (recursive)
Folder IAM policy bindingsPOST /v3/folders/{folderId}:getIamPolicy (per folder)
Every project under the org or any folderGET /v3/projects?parent=... (recursive)
Project IAM policy bindingsPOST /v1/projects/{projectId}:getIamPolicy (per project)
Service accounts per projectGET /v1/projects/{projectId}/serviceAccounts
IAM members by typeuser:, serviceAccount:, group:, domain: prefixes extracted from bindings at every level

Privileged Roles Detected

roles/owner, roles/editor, roles/iam.securityAdmin, roles/iam.roleAdmin, roles/resourcemanager.organizationAdmin, roles/resourcemanager.folderAdmin, roles/resourcemanager.projectIamAdmin, roles/iam.serviceAccountAdmin, roles/iam.serviceAccountTokenCreator, roles/iam.serviceAccountKeyAdmin, roles/billing.admin, roles/compute.admin, roles/storage.admin, roles/bigquery.admin, roles/cloudsql.admin, roles/container.admin, roles/orgpolicy.policyAdmin

Connection Requirements

GCP Service Account

Create a dedicated service account and grant it organization-level IAM read access — this single grant covers discovery at every level (org, folders, projects) since IAM read permissions granted at the organization are inherited down the resource hierarchy.

Required IAM permissions at the organization level:

PermissionPurpose
resourcemanager.organizations.getIamPolicyRead the organization IAM policy
resourcemanager.folders.listEnumerate folders and sub-folders
resourcemanager.folders.getIamPolicyRead IAM policies on folders
resourcemanager.projects.listEnumerate projects under the org and each folder
resourcemanager.projects.getIamPolicyRead IAM policies on projects
iam.serviceAccounts.listList service accounts within each project

Recommended role: roles/iam.securityReviewer at the organization level — it includes all of the permissions above.

Steps to create the service account:

  1. In the GCP Console, navigate to APIs & Services → Library on the service account's own project, and Enable both the Cloud Resource Manager API and the IAM API. This is required independently of the organization-level role grant below — without it, every call (including folder/project discovery) fails with 403: ... API has not been used in project ... or it is disabled.
  2. Navigate to IAM & Admin → Service Accounts
  3. Click Create Service Account — name it (e.g., orbisid-org-scanner)
  4. At the Organization level in IAM (not the project level), grant this service account the Security Reviewer role
  5. Under the service account, click Manage Keys → Add Key → Create new key → JSON
  6. Download the JSON key file — extract the private_key and private_key_id fields

Credential Mapping

OrbisID FieldGCP Value
credential.usernameService account email (e.g., orbisid-org-scanner@project-id.iam.gserviceaccount.com)
credential.passwordService account private key (PEM format — the private_key field from the JSON key file)
credential.domainPrivate key ID (the private_key_id field from the JSON key file, optional)

System Attributes

AttributeRequiredDescription
googleCloudOrgIdYesThe numeric Google Cloud organization ID to scan (e.g., 123456789012), found in IAM & Admin → Settings or via gcloud organizations list

Network Requirements

RequirementDetail
Outbound HTTPSOrbisID server (or On-Premise Agent) must reach oauth2.googleapis.com, cloudresourcemanager.googleapis.com, and iam.googleapis.com on port 443

Configuration Steps

  1. Create the GCP service account and grant Security Reviewer at the organization level
  2. Download the JSON key file and extract the private_key (PEM) and private_key_id
  3. Create a Credential in OrbisID:
    • Username: Service account email
    • Password: Private key PEM (include the full -----BEGIN RSA PRIVATE KEY----- block)
    • Domain: Private key ID (optional)
  4. Navigate to Systems → Add System
  5. Fill in the fields:
FieldValue
NameDescriptive name (e.g., GCP – my-org)
Hostnamecloudresourcemanager.googleapis.com (used for reference)
OS TypeGoogle Cloud Platform (GCP)
System TypeInfrastructure
CredentialThe GCP service account credential
  1. Set the Google Cloud Organization ID attribute to the numeric organization ID
  2. Click Test Connection to verify the service account can obtain a token
  3. Click Save
Recursive by design

One system covers the whole organization — there is no need to add a separate system per project. The scanner walks every folder and project under the org automatically on each scan.

Troubleshooting

SymptomLikely CauseResolution
Scan fails: "Google Cloud organization ID is required"googleCloudOrgId attribute not setSet the Google Cloud Organization ID attribute on the system
401 Unauthorized / token errorInvalid private key PEM or service account emailVerify the PEM includes the full key block; ensure the service account email is correct
403 PERMISSION_DENIED on org/folder/project policyMissing IAM permissions at the organization levelGrant roles/iam.securityReviewer (or the individual permissions listed above) at the organization, not project, level
403 — "Cloud Resource Manager API has not been used in project ... or it is disabled"Cloud Resource Manager API not enabled on the service account's own GCP projectVisit the URL in the error message (or APIs & Services → Library in the GCP Console) and click Enable; wait a minute or two, then retest
403 — "IAM API has not been used in project ... or it is disabled"IAM API not enabled on the service account's own GCP project (blocks service account enumeration)Enable the IAM API on the same project via APIs & Services → Library
"Service account enumeration skipped" — 403 Request had insufficient authentication scopes / ACCESS_TOKEN_SCOPE_INSUFFICIENTFixed in this connector — earlier versions requested only the cloud-platform.read-only OAuth scope, which the IAM API does not accept for serviceAccounts.list (unlike the Cloud Resource Manager API)Upgrade to the current connector version, which also requests the iam scope; no GCP-side configuration change needed
invalid_grant errorPrivate key ID mismatch or key revokedRe-download the JSON key file; verify the key is active in the GCP Console
Some projects missing from resultsService account lacks org-level inheritance, or a project denies inherited IAM policiesConfirm the role was granted at the organization level; check for IAM deny policies on the affected project
Connection timeoutGCP API endpoints blockedEnsure outbound HTTPS access to *.googleapis.com on port 443
System was migrated from an old "GCP" connector and now fails immediatelyThe old project-only connector never stored an organization IDSet the Google Cloud Organization ID attribute — this is a one-time manual step after upgrading