
GCP (Google Cloud Platform) integration

Connect Intruder to Google Cloud Platform to synchronise your targets

Updated yesterday

Our GCP integration supports:

Any other asset types will need to be added manually.


Before you start

You’ll need to:

  1. Create a dedicated project in GCP to host your service account (recommended)

  2. Create a service account and key

  3. Grant it the right permissions at the organisation level

  4. Enable a set of APIs required for scanning


Step 1 - Creating the GCP Environment

There are two options for setting up the service account, both described below:

Option A - using gcloud CLI

  1. Authenticate with Google Cloud:

    gcloud auth login

  2. Get your organisation ID

    gcloud organizations list

    ORGANIZATION_ID="<copy your organization ID here>"

  3. Create a new project to contain the service account (It's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project)

    PROJECT_ID="intruder-connector-$(date +%s)" 

    gcloud projects create $PROJECT_ID --organization=$ORGANIZATION_ID

  4. Create the service account:

    SA_NAME="intruder-connector-$(date +%s)"

    gcloud iam service-accounts create $SA_NAME --project=$PROJECT_ID --display-name="Intruder Connector"

  5. Create a key file

    gcloud iam service-accounts keys create "./${SA_NAME}-key.json" --iam-account="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" --project=$PROJECT_ID

    ⚠️ Note: the service account key is confidential. Store it securely following the best practices outlined here

    Save this JSON key securely. You’ll need to upload it to Intruder.

  6. Add the Viewer and Security Auditor roles across your organisation for the service account:

    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/viewer"


    gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
    --member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/iam.securityAuditor"

  7. Finally, enable APIs which we use to scan your projects for vulnerabilities

    1. First, select a billing account to link to the project containing your service account

      gcloud billing accounts list
      BILLING_ACCOUNT_ID="<insert the billing account's ACCOUNT_ID here>"

      ⚠️ Note: Setting a billing account is required by Google to enable some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.

    2. Link your project to the billing account:

      gcloud billing projects link $PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID

    3. Enable the APIs:

      gcloud services enable \
      --project=$PROJECT_ID \
      serviceusage.googleapis.com \
      cloudresourcemanager.googleapis.com \
      sqladmin.googleapis.com \
      iam.googleapis.com \
      apikeys.googleapis.com \
      accessapproval.googleapis.com \
      essentialcontacts.googleapis.com \
      cloudkms.googleapis.com \
      bigquery.googleapis.com \
      logging.googleapis.com \
      compute.googleapis.com \
      container.googleapis.com \
      dns.googleapis.com \
      storage.googleapis.com \
      cloudasset.googleapis.com
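
To confirm the outcome of the steps above (whichever option you used), the checks below compare the enabled APIs and the organisation-level roles against what this page lists. This is an added example, not Intruder's own tooling; the function names `missing_apis`, `audit_roles` and `verify_live` are hypothetical, and `verify_live` assumes the shell variables from Option A are still set.

```shell
#!/usr/bin/env bash
# Added example: post-setup checks for the connector service account.

# APIs this page lists for enabling on the service account's project.
REQUIRED_APIS="serviceusage.googleapis.com cloudresourcemanager.googleapis.com
sqladmin.googleapis.com iam.googleapis.com apikeys.googleapis.com
accessapproval.googleapis.com essentialcontacts.googleapis.com
cloudkms.googleapis.com bigquery.googleapis.com logging.googleapis.com
compute.googleapis.com container.googleapis.com dns.googleapis.com
storage.googleapis.com cloudasset.googleapis.com"

# The two read-only roles this page grants at organisation level.
EXPECTED_ROLES="roles/viewer roles/iam.securityAuditor"

# stdin: enabled service names, one per line.
# stdout: required APIs that are not enabled.
missing_apis() {
  local enabled api
  enabled="$(cat)"
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# stdin: roles bound to the service account, one per line.
# stdout: "MISSING <role>" for an expected role that is absent,
#         "EXTRA <role>" for any role beyond the two expected ones.
audit_roles() {
  local bound role
  bound="$(cat)"
  for role in $EXPECTED_ROLES; do
    printf '%s\n' "$bound" | grep -qxF "$role" || printf 'MISSING %s\n' "$role"
  done
  for role in $bound; do
    case " $EXPECTED_ROLES " in
      *" $role "*) ;;
      *) printf 'EXTRA %s\n' "$role" ;;
    esac
  done
}

# Live check against GCP; empty output means both checks passed.
verify_live() {
  local sa="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud services list --enabled --project="$PROJECT_ID" \
    --format="value(config.name)" | missing_apis
  gcloud organizations get-iam-policy "$ORGANIZATION_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa}" \
    --format="value(bindings.role)" | audit_roles
}
```

Run `verify_live` after step 7. An `EXTRA` line means the service account holds more than the read-only access this page asks for at organisation level.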


Option B - Using the GCP Console

1. Log in to console.cloud.google.com

2. Open the project picker in the top left navigation menu

3. Create a new project to contain the service account by clicking New project.

👉 It's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project

  • Give the project a name, select a billing account, and click Create:

👉 Setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.

  • Open the project picker again

4. Select the newly created project

5. In the top navigation, search for Service accounts and navigate as shown

6. Click Create service account

7. Give the service account a name (here Intruder connector), note down the Service account ID and click Done

8. In the service account list, click on the newly created service account:

9. Note down the value in the Email field in the Details tab:

10. Open the Keys tab, and click on Add Key → Create new key

11. Select the JSON type and click on Create

12. The service account key is automatically downloaded to your computer. You will need to upload the file to Intruder when connecting your account.

⚠️ Note: the service account key is confidential. Store it securely following the best practices outlined here

13. Open the project picker again, and select your organisation:

14. In the left navbar, select the IAM link:

15. In the View by principals tab, click on Grant access

16. In the Add principals field, enter the service account's Email from step 9, and in Assign roles, add the Basic → Viewer role. Then click Add another role, search for Security Auditor, add the Security Auditor role and click Save.

17. Open the project picker again, and select the project containing your service account. This is important, as the APIs must be enabled on this project in order to enable us to scan all your projects.

18. Finally, enable APIs that we use to scan your projects for vulnerabilities:

  1. Service Usage API

  2. Cloud Resource Manager API

  3. Cloud SQL Admin API

  4. Identity and Access Management (IAM) API

  5. API Keys API

  6. Access Approval API

  7. Essential Contacts API

  8. Cloud Key Management Service (KMS) API

  9. BigQuery API

  10. Cloud Logging API

  11. Cloud Asset API

  12. Compute Engine API

  13. Kubernetes Engine API

  14. Cloud DNS API

  15. Cloud Storage API

The APIs can be enabled one by one by searching for them via the search bar at the top, clicking the search result and clicking Enable. For example, the Cloud Resource Manager API can be enabled as follows:

  • First, search for the API, then click on the result:

  • Then click on Enable:


  • Depending on your organisation's settings, some APIs may be enabled by default, and you don't need to enable them separately. If that's the case, you will see this instead of the Enable button:


Step 2 - Add the integration in Intruder

  1. Go to the Discovery tab

  2. Click Add asset source → Google Cloud

  3. Click on Choose File, and upload the JSON key file you created

  4. Click Add asset

That’s it 🎉 - Intruder will now sync your GCP assets and run cloud security scans automatically.


Note: Google Cloud Platform integration is only available for customers on our Cloud, Pro, Enterprise, and Vanguard plans.
