Our GCP integration supports:
Google Cloud VMs with external IP addresses
Hostnames from Cloud DNS
Any other asset types will need to be added manually.
Before you start
You’ll need to:
Create a dedicated project in GCP to host your service account (recommended)
Create a service account and key
Grant it the right permissions at the organisation level
Enable a set of APIs required for scanning
Step 1 - Creating the GCP Environment
There are two different options available for setting up the Service Account - please find links to each of these below:
Option A - using the gcloud CLI
Authenticate with Google Cloud:
gcloud auth login
Get your organisation ID
gcloud organizations list
ORGANIZATION_ID=<copy your organization ID here>
Create a new project to contain the service account (it's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project):
PROJECT_ID="intruder-connector-$(date +%s)"
gcloud projects create $PROJECT_ID --organization=$ORGANIZATION_ID
Create the service account:
SA_NAME="intruder-connector-$(date +%s)"
gcloud iam service-accounts create $SA_NAME --project=$PROJECT_ID --display-name="Intruder Connector"
Create a key file:
gcloud iam service-accounts keys create "./${SA_NAME}-key.json" --iam-account="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" --project=$PROJECT_ID
⚠️ Note: the service account key is confidential. Store it securely following the best practices outlined here
Save this JSON key securely. You’ll need to upload it to Intruder.
Add the Viewer and Security Auditor roles across your organisation for the service account:
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/viewer"
gcloud organizations add-iam-policy-binding $ORGANIZATION_ID \
--member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
--role="roles/iam.securityAuditor"
Finally, enable the APIs we use to scan your projects for vulnerabilities.
First, select a billing account to link to the project containing your service account
gcloud billing accounts list
BILLING_ACCOUNT_ID=<insert the billing account's ACCOUNT_ID here>
⚠️ Note: Setting a billing account is required by Google to enable some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.
Link your project to the billing account:
gcloud billing projects link $PROJECT_ID --billing-account=$BILLING_ACCOUNT_ID
Enable the APIs:
gcloud services enable \
--project=$PROJECT_ID \
serviceusage.googleapis.com \
cloudresourcemanager.googleapis.com \
sqladmin.googleapis.com \
iam.googleapis.com \
apikeys.googleapis.com \
accessapproval.googleapis.com \
essentialcontacts.googleapis.com \
cloudkms.googleapis.com \
bigquery.googleapis.com \
logging.googleapis.com \
compute.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
storage.googleapis.com \
cloudasset.googleapis.com
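The two organisation-level role bindings created above can be checked afterwards against the output of `gcloud organizations get-iam-policy "$ORGANIZATION_ID" --format=json`, confirming the service account holds exactly Viewer and Security Auditor and nothing broader. This is an added example, not part of the Intruder documentation; the policy JSON and the service account email it uses are constructed.

```python
"""Least-privilege audit for the connector service account's organisation grants.

Feed it the JSON from:
  gcloud organizations get-iam-policy "$ORGANIZATION_ID" --format=json
It reports expected roles the service account is missing
(roles/viewer, roles/iam.securityAuditor) and any extra roles it holds.
The policy below is a constructed sample, not real gcloud output.
"""
import json

EXPECTED_ROLES = {"roles/viewer", "roles/iam.securityAuditor"}
# Constructed service account email following the <SA_NAME>@<PROJECT_ID> pattern.
SA_EMAIL = "intruder-connector-1700000000@intruder-connector-1700000000.iam.gserviceaccount.com"

# Constructed sample: the SA has both expected roles plus a stray
# roles/owner grant that a least-privilege review should flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.securityAuditor",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/owner",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
    ],
    "etag": "BwX-constructed",
    "version": 1,
})


def roles_for(policy_json, sa_email):
    """Return the set of roles bound to sa_email in the policy."""
    member = f"serviceAccount:{sa_email}"
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy_json, sa_email):
    """Return (missing, excess): expected roles absent, unexpected roles present."""
    have = roles_for(policy_json, sa_email)
    return sorted(EXPECTED_ROLES - have), sorted(have - EXPECTED_ROLES)


if __name__ == "__main__":
    missing, excess = audit(SAMPLE_POLICY, SA_EMAIL)
    print("missing:", missing or "none")
    print("excess :", excess or "none")
```

Any role listed under "excess" should be removed from the service account; the connector only needs the two read-only roles above.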
Option B - Using the GCP Console
1. Log in to console.cloud.google.com
2. Open the project picker in the top left navigation menu
3. Create a new project to contain the service account by clicking New project.
👉 It's recommended to use a standalone project that contains the permissions we need for cloud security scans instead of reusing an existing project
Give the project a name, select a billing account, and click Create:
👉 Setting a billing account is required by Google for enabling some of the APIs we use to scan your projects. We use read-only access to those APIs and will never incur any charges to your account.
Open the project picker again
4. Select the newly created project
5. In the top navigation, search for Service accounts and navigate as shown
6. Click Create service account
7. Give the service account a name (here Intruder connector), note down the Service account ID and click Done
8. In the service account list, click on the newly created service account:
9. Note down the value in the Email field in the Details tab:
10. Open the Keys tab, and click on Add Key → Create new key
11. Select the JSON type and click on Create
12. The service account key is automatically downloaded to your computer. You will need to upload the file to Intruder when connecting your account.
⚠️ Note: the service account key is confidential. Store it securely following the best practices outlined here
13. Open the project picker again, and select your organisation:
14. In the left navbar, select the IAM link:
15. In the View by principals tab, click on Grant access
16. In the Add principals field, enter the service account's Email from step 9, and in Assign roles, add the Basic → Viewer role. Then click Add another role, search for Security Auditor, add the Security Auditor role and click Save.
17. Open the project picker again, and select the project containing your service account. This is important, as the APIs must be enabled on this project in order to enable us to scan all your projects.
18. Finally, enable APIs that we use to scan your projects for vulnerabilities:
Service Usage API
Cloud Resource Manager API
Cloud SQL Admin API
Identity and Access Management (IAM) API
API Keys API
Access Approval API
Essential Contacts API
Cloud Key Management Service (KMS) API
BigQuery API
Cloud Logging API
Cloud Asset API
Compute Engine API
Kubernetes Engine API
Cloud DNS API
Cloud Storage API
The APIs can be enabled one by one by searching for them via the search bar at the top, clicking the search result and clicking Enable. For example, the Cloud Resource Manager API can be enabled as follows:
Depending on your organisation's settings, some APIs may be enabled by default, and you don't need to enable them separately. If that's the case, you will see this instead of the Enable button:
Step 2 - Add the integration in Intruder
Log in to portal.intruder.io
Go to the Discovery tab
Click Add asset source → Google Cloud
Click on Choose File, and upload the JSON key file you created
Click Add asset
That’s it 🎉 - Intruder will now sync your GCP assets and run cloud security scans automatically.
Note: Google Cloud Platform integration is only available for customers on our Cloud, Pro, Enterprise, and Vanguard plans.
Intruder is a Google Cloud Technology Partner.