Skip to main content
All CollectionsGetting Started2 | Platform SetupConnect Cloud Provider
GCP Connection FAQ
GCP Connection FAQ
Grigory Emelianov avatar
Written by Grigory Emelianov
Updated over 5 months ago

Not sure how to connect GCP to Secfix? Check out our GCP connection guide before diving into integration specifications & troubleshooting tips.

GCP Connection specs

Resources fetched

List of monitored GCP resources

  • GCP Compute InstanceGroup

  • GCP Compute Autoscaler

  • GCP Compute Instance

  • GCP Artifact Docker Image

  • GCP Container Registry

  • GCP Artifact Registry

  • GCP BigQuery Model

  • GCP BigQuery Dataset

  • GCP BigQuery Table

  • GCP Compute Backend Service

  • GCP Cloud Bigtable Backup

  • GCP Cloud Bigtable AppProfile

  • GCP Cloud Bigtable Table

  • GCP Cloud Bigtable Instance

  • GCP Cloud Bigtable Cluster

  • GCP Compute TargetHttpProxy

  • GCP Compute TargetHttpsProxy

  • GCP Compute TargetInstance

  • GCP Compute TargetPool

  • GCP Compute TargetTcpProxy

  • GCP Compute TargetSslProxy

  • GCP Compute TargetVpnGateway

  • GCP Compute UrlMap

  • GCP Compute VpnGateway

  • GCP Compute VpnTunnel

  • GCP Compute Reservation

  • GCP Compute ResourcePolicy

  • GCP Compute Route

  • GCP Compute Router

  • GCP Compute SecurityPolicy

  • GCP Compute Snapshot

  • GCP Compute SslCertificate

  • GCP Compute SslPolicy

  • GCP Compute Subnetwork

  • GCP App Engine Service

  • GCP App Engine Version

  • GCP Compute Address

  • GCP Compute GlobalAddress

  • GCP Compute Backend Bucket

  • GCP Compute Commitment

  • GCP Compute Disk

  • GCP Compute External Vpn Gateway

  • GCP Compute Firewall

  • GCP Compute Firewall Policy

  • GCP Compute Forwarding Rule

  • GCP Compute Global Forwarding Rule

  • GCP Compute HealthCheck

  • GCP Compute HttpHealthCheck

  • GCP Compute HttpsHealthCheck

  • GCP Compute Image

  • GCP Compute InstanceGroupManager

  • GCP Compute InstanceTemplate

  • GCP Compute Interconnect

  • GCP Compute InterconnectAttachment

  • GCP Compute License

  • GCP Compute Network

  • GCP Compute NetworkEndpointGroup

  • GCP Compute NodeGroup

  • GCP Compute NodeTemplate

  • GCP Compute PacketMirroring

  • GCP Compute Project

  • GCP Compute RegionBackendService

  • GCP Compute RegionDisk

  • GCP App Engine Application

  • GCP Pub/Sub Topic

  • GCP Pub/Sub Subscription

  • GCP SQL DB

  • GCP Spanner Instance

  • GCP Storage Bucket

  • GCP Spanner Instance

List of resources most crucial for the audit

  • Artifact Registry repositories

  • Bigquery datasets

  • Bigtable instances

  • CloudSQL instances

  • Cloud Task Queues

  • Compute instances

  • Container repositories

  • Log buckets

  • Log sinks

  • Monitoring policies

  • Networks

  • Roles

  • Spanner instances

  • Storage buckets

  • Subnets

  • Subscriptions

  • Topics

APIs, required roles and permissions

APIs required to be enabled on the secfix-scanner project

The following APIs are required for the Integration:

  • bigquery.googleapis.com

  • cloudresourcemanager.googleapis.com

  • containeranalysis.googleapis.com

  • firestore.googleapis.com

  • iam.googleapis.com

  • logging.googleapis.com

  • monitoring.googleapis.com

  • pubsub.googleapis.com

  • serviceusage.googleapis.com

  • sqladmin.googleapis.com

  • storage-api.googleapis.com

💡 It is not possible to connect GCP to Secfix without enabling all the APIs listed above. They only need to be enabled on the secfix-scanner project created by the script. The billing on the secfix-scanner project will not be enabled.

Permissions & roles required

  • resourcemanager.projects.get

  • resourcemanager.projects.list

  • resourcemanager.folders.list

  • iam.roles.list

  • resourcemanager.organizations.getIamPolicy

  • resourcemanager.folders.getIamPolicy

  • bigquery.datasets.get

  • compute.instances.get

  • compute.instances.getEffectiveFirewalls

  • compute.subnetworks.get

  • pubsub.topics.get

  • storage.buckets.get

  • appengine.applications.get

  • cloudasset.assets.searchAllResources

If you are connecting GCP to Secfix, all of the following roles will need to be enabled at the organization level for your account:

💡 The roles above include minimal permissions that will give you sufficient access to connect GCP with Secfix. If you want to know more about the specific permissions refer to the Complete list of required permissions.

Complete list of required permissions

iam.roles.create
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.projects.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
iam.serviceAccountKeys.create
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list

GCP connection flow

What does the GCP connection flow script do?

  • Create a secfix-scanner project under your organization.

  • Enable the required APIs on the created secfix-scanner project.

  • Create a custom role, SecfixOrganizationScanner, for listing IAM policies inherited by a GCP project.

  • Create a new service account, secfix-scanner-service-account, in the secfix-scanner project.

  • Download a key for secfix-scanner-service-account as secfix-scanner-key.json.

  • Grant secfix-scanner-service-account the SecfixOrganizationScanner role in the organization that inlcudes your projects.

    Note: Service Account will be created under the first project in the list of provided projects but can read resources of multiple projects.

Troubleshooting resources

💡Secfix currently doesn't support officially connecting multiple projects from different multi-organizations.

💡Secfix only supports projects that are nested under an organization. Loose projects without organization cannot be monitored and this structure is not recommended by GCP security best practices.

How to remove previous connection data from your GCP?

If you have previously connected GCP, the project ID must be unique and cannot be one that has already been used in other GCP connections. To remove previous connection data:

  1. Run the command below to list contents on your Cloud Shell: 

    $ls

  2. If secfix-gcp-connection.sh is in the list then remove it by running the command below: 

    $rm [secfix-gcp-connection.sh](<http://secfix-gcp-connection.sh/>)

  3. If secfix-scanner-key.json is in the list, remove it by running the command below: 

    $rm secfix-scanner-key.json

Can I integrate GCP even though my GCP project isn't linked to a GCP organization?

The best practice is of course to have your project linked to your organization in Google Cloud platform. However, you can still exclude GCP from the organization and from the scope. Here are two options:

1 - Migrate your GCP project to your GCP organization (recommended)

Migrate your project to an existing GCP organization by following this doc. It comes directly from Google resources and surely will help you with this migration.

2 - Extend SecfixProjectScanner permissions and only monitor the project

In your project under the custom role named SecfixProjectScanner add additional IAM

permissions:

iam.roles.list, resourcemanager.projects.getIamPolicy

What if my GCP assets do not appear under the Inventory Page?

  • Usually, we run the initial scan within the first hour but sometimes it can take up to 24h for inventory to appear.

  • You waited out but still nothing happened? Check if you enabled IAM API and Cloud Asset API.

Still stuck or something doesn't seem to work? Write to us on the chat inside the app ✍️

Related Articles
Connecting Azure to Secfix
Bulk tagging cloud assets
How to connect your cloud provider to Secfix
How to connect AWS to Secfix
Connecting Google Cloud Platform (GCP) to Secfix
Did this answer your question?