Integrate with GCP
SlashID supports two connection types for GCP:
- GCP Project: Monitor a single GCP project
- GCP Organization: Monitor your entire GCP organization, including all folders and projects
Choose the appropriate section below based on your needs.
GCP Project Connection
Use this option to monitor a single GCP project.
STEP 1: Create a new service account
In your GCP Console > IAM & Admin > Service Accounts, click on Create service account in the horizontal bar at the top of the page.
- Service account name: a custom name for your new account
- Service account ID: this will be autogenerated by the GCP Console
- Service account description: an optional description
Click on Create and continue.
STEP 2: Grant permissions
Grant the service account the following roles at the project level.
Required roles
These roles are mandatory for the connection to work. Without them, the sync will fail:
| Role | Purpose |
|---|---|
| roles/viewer | Basic read access to project resources |
| roles/iam.securityReviewer | Read IAM policies and service account details |
Optional roles
These roles enable additional resource visibility. If not granted (or if the corresponding API is disabled), the sync will continue but skip those resources:
| Role | Resources enabled |
|---|---|
| roles/logging.viewer | Audit logs for identity activity tracking |
| roles/bigquery.metadataViewer | BigQuery datasets and tables |
| roles/storage.objectViewer | Cloud Storage buckets |
| roles/secretmanager.viewer | Secret Manager secrets |
| roles/container.viewer | GKE clusters |
| roles/run.viewer | Cloud Run services |
| roles/cloudkms.viewer | Cloud KMS keys |
| roles/compute.viewer | Compute Engine instances |
Click on the Done button to complete the account creation.
STEP 3: Create key
Open the new service account from the list, and navigate to the Keys tab.
Click on Add key > Create new key > JSON > Create.
The new key is downloaded and saved on your machine.
Open it with a text editor; you will need to paste its contents into the SlashID Console in the next step.
STEP 4: SlashID Console configuration
Fill in the connection details:
| SlashID Console field | Description |
|---|---|
| Name of the connection | Arbitrary name you give to this connection |
| Project ID | Your GCP project ID |
| Service account email | The "Email" field from the service account details tab |
| Authoritative status | Decide whether GCP identities are the primary (or secondary) source of truth when reconciling identities across providers |
| Service account key | The content of the key file you created in step 3 |
Click on the Connect button to complete the setup.
GCP Organization Connection
Use this option to monitor your entire GCP organization, including all folders and projects within it.
STEP 1: Create a new service account
In your GCP Console > IAM & Admin > Service Accounts, create a service account in a project that will host the SlashID integration.
- Service account name: a custom name for your new account (e.g., slashid-org-reader)
- Service account ID: this will be autogenerated by the GCP Console
- Service account description: an optional description
Click on Create and continue.
STEP 2: Grant organization-level permissions
Grant the service account the following roles at the organization level. These are required for SlashID to traverse your organization hierarchy and read IAM policies.
Go to IAM & Admin > IAM at the organization level (select your organization from the project dropdown), then click Grant Access.
Required roles (organization level)
These roles are mandatory for the organization connection to work. Without them, the sync will fail:
| Role | Purpose |
|---|---|
| roles/resourcemanager.organizationViewer | Read organization metadata |
| roles/resourcemanager.folderViewer | List and traverse folders |
| roles/iam.securityReviewer | Read IAM policies at org, folder, and project levels |
| roles/iam.organizationRoleViewer | List custom roles defined at the organization level |
STEP 3: Grant project-level permissions
The service account also needs permissions to read resources within each project. Grant them in one of two ways:
Option A: Grant at organization level (recommended)
Grant these additional roles at the organization level so they inherit to all projects.
Required roles (project level)
These roles are mandatory for project resources to sync:
| Role | Purpose |
|---|---|
| roles/viewer | Basic read access to project resources |
Optional roles (project level)
These roles enable additional resource visibility. If not granted (or if the corresponding API is disabled), the sync will continue but skip those resources:
| Role | Resources enabled |
|---|---|
| roles/logging.viewer | Audit logs for identity activity tracking |
| roles/bigquery.metadataViewer | BigQuery datasets and tables |
| roles/storage.objectViewer | Cloud Storage buckets |
| roles/secretmanager.viewer | Secret Manager secrets |
| roles/container.viewer | GKE clusters |
| roles/run.viewer | Cloud Run services |
| roles/cloudkms.viewer | Cloud KMS keys |
| roles/compute.viewer | Compute Engine instances |
| roles/orgpolicy.policyViewer | Organization policies |
Option B: Grant per-project
Alternatively, grant the above roles individually on each project you want to monitor.
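Both the project connection (Step 2 of the project section) and the organization connection (Steps 2 and 3, Options A and B) come down to binding the listed roles to the service account. The script below is an added example, not SlashID's or Google's own tooling. It assumes gcloud is installed and authenticated as a principal allowed to set IAM policy at the chosen scope; the project ID, organization ID and service account email it is called with are placeholders you replace with your own values.

```shell
#!/bin/sh
# Added example (not SlashID's or Google's tooling): grant the roles from the
# tables above to the SlashID service account with gcloud. With DRY_RUN=1 the
# commands are printed for review instead of executed.
# Assumptions: gcloud is installed and authenticated; every project ID,
# organization ID and service account email below is a placeholder.

# Role sets, copied from the tables on this page.
PROJECT_REQUIRED="roles/viewer roles/iam.securityReviewer"
PROJECT_OPTIONAL="roles/logging.viewer roles/bigquery.metadataViewer \
roles/storage.objectViewer roles/secretmanager.viewer roles/container.viewer \
roles/run.viewer roles/cloudkms.viewer roles/compute.viewer"
ORG_REQUIRED="roles/resourcemanager.organizationViewer \
roles/resourcemanager.folderViewer roles/iam.securityReviewer \
roles/iam.organizationRoleViewer"
# Project-level roles for the organization connection: roles/viewer, the optional
# project roles, and the org-policy viewer. Option A grants these at the org.
ORG_PROJECT_LEVEL="roles/viewer $PROJECT_OPTIONAL roles/orgpolicy.policyViewer"

# run_or_print CMD ARGS...: execute the command, or print it when DRY_RUN=1.
run_or_print() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# grant_roles SCOPE RESOURCE_ID SA_EMAIL "ROLE ROLE ...": one binding per role.
# SCOPE is "projects" or "organizations". --condition=None binds the role
# unconditionally instead of prompting when the policy already has conditions.
grant_roles() {
  scope=$1; resource=$2; sa=$3; roles=$4
  for role in $roles; do
    run_or_print gcloud "$scope" add-iam-policy-binding "$resource" \
      --member="serviceAccount:$sa" --role="$role" --condition=None
  done
}

# Project connection (project section, Step 2): all roles on one project.
project_connection_grants() {
  grant_roles projects "$1" "$2" "$PROJECT_REQUIRED $PROJECT_OPTIONAL"
}

# Organization connection, Option A (Steps 2 and 3): organization roles plus the
# project-level roles granted at the organization so every project inherits them.
org_connection_grants() {
  grant_roles organizations "$1" "$2" "$ORG_REQUIRED $ORG_PROJECT_LEVEL"
}

# Organization connection, Option B (Step 3): project-level roles on chosen projects.
org_connection_per_project_grants() {
  sa=$1; shift
  for project in "$@"; do
    grant_roles projects "$project" "$sa" "$ORG_PROJECT_LEVEL"
  done
}

# Sample usage with placeholder identifiers; drop DRY_RUN=1 to apply the bindings.
DRY_RUN=1 project_connection_grants my-project-id \
  slashid-reader@my-project-id.iam.gserviceaccount.com
```

Run it with DRY_RUN=1 first and review the printed bindings. Granting at the organization level (Option A) means every current and future project inherits the read roles, so the key created for this service account deserves the same handling as any other organization-wide reader credential.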
STEP 4: Create key
Open the new service account from the list, and navigate to the Keys tab.
Click on Add key > Create new key > JSON > Create.
The new key is downloaded and saved on your machine.
Open it with a text editor; you will need to paste its contents into the SlashID Console in the next step.
STEP 5: SlashID Console configuration
Fill in the connection details:
| SlashID Console field | Description |
|---|---|
| Name of the connection | Arbitrary name you give to this connection |
| Organization ID | Your GCP organization ID (numeric) |
| Authoritative status | Decide whether GCP identities are the primary (or secondary) source of truth when reconciling identities across providers |
| Service account key | The content of the key file you created in step 4 |
Click on the Connect button to complete the setup.
Additional Permissions for Advanced Features
The permissions above cover read-only sync of your GCP resources. If you want to enable remediation actions (provisioning, quarantine, etc.) or real-time event streaming, you'll need additional permissions.
Remediation Actions (Optional)
To enable SlashID to take remediation actions (quarantine service accounts, modify IAM bindings, rotate secrets, etc.), grant these additional roles:
| Role | Actions enabled |
|---|---|
| roles/iam.serviceAccountAdmin | Create, delete, disable, enable service accounts |
| roles/iam.serviceAccountKeyAdmin | Delete service account keys (for quarantine) |
| roles/iam.roleAdmin | Create and delete custom roles |
| roles/resourcemanager.projectIamAdmin | Modify IAM policy bindings |
| roles/secretmanager.admin | Delete and rotate secrets |
Event Streaming (Optional)
To enable real-time audit log streaming to SlashID, the following permissions are required to provision the necessary infrastructure (Pub/Sub topic, Cloud Function, and Log Sink):
| Role | Purpose |
|---|---|
| roles/pubsub.admin | Create Pub/Sub topics and manage subscriptions |
| roles/cloudfunctions.admin | Deploy Cloud Functions to forward logs |
| roles/storage.admin | Create bucket for Cloud Function source code |
| roles/logging.configWriter | Create log sinks to route audit logs |
| roles/iam.serviceAccountUser | Allow Cloud Functions to run as service account |
APIs that must be enabled for event streaming:
- Cloud Functions API
- Cloud Pub/Sub API
- Cloud Logging API
- Cloud Storage API
- Cloud Build API (for deploying Cloud Functions)
Troubleshooting
Permission Denied Errors
If you see errors like:
Permission 'resourcemanager.organizations.getIamPolicy' denied on resource '//cloudresourcemanager.googleapis.com/organizations/...'
This means the service account is missing the roles/iam.securityReviewer role at the organization level. Grant this role following Step 2 in the Organization Connection section above.
Service Disabled Errors
If certain resources are not being synced, ensure the corresponding APIs are enabled in your GCP project:
- Cloud Resource Manager API
- Identity and Access Management (IAM) API
- Cloud Logging API
- BigQuery API
- Cloud Storage API
- Secret Manager API
- Kubernetes Engine API
- Cloud Run Admin API
- Cloud Key Management Service (KMS) API
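A quick way to act on this list (and on the event-streaming API list above) is to diff the services enabled in the project against the ones the sync needs. The script below is an added example, not SlashID's tooling. The service names are the ones behind the API display names listed above; the enabled list normally comes from gcloud, and the SAMPLE_ENABLED value is a constructed stand-in so the script runs offline. The project ID is a placeholder.

```shell
#!/bin/sh
# Added example (not SlashID's tooling): find which APIs the sync needs that are
# not enabled in a project and print the gcloud commands that would enable them.
# The enabled list normally comes from
#   gcloud services list --enabled --project PROJECT_ID --format='value(config.name)'
# (one service name per line); SAMPLE_ENABLED is a constructed stand-in so the
# script runs offline. Project IDs are placeholders.

# Service names behind the API display names in the troubleshooting list.
SYNC_APIS="cloudresourcemanager.googleapis.com iam.googleapis.com \
logging.googleapis.com bigquery.googleapis.com storage.googleapis.com \
secretmanager.googleapis.com container.googleapis.com run.googleapis.com \
cloudkms.googleapis.com"
# Services behind the optional event-streaming API list.
STREAMING_APIS="cloudfunctions.googleapis.com pubsub.googleapis.com \
logging.googleapis.com storage.googleapis.com cloudbuild.googleapis.com"

# Constructed sample: a project where only some of the services are on.
SAMPLE_ENABLED="cloudresourcemanager.googleapis.com
iam.googleapis.com
logging.googleapis.com
storage.googleapis.com
compute.googleapis.com"

# missing_apis "ENABLED_LINES" "WANTED ...": print each wanted service that is absent.
missing_apis() {
  enabled=$1; wanted=$2
  for api in $wanted; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# enable_commands PROJECT_ID "ENABLED_LINES" "WANTED ...": one command per gap.
enable_commands() {
  project=$1
  for api in $(missing_apis "$2" "$3"); do
    printf 'gcloud services enable %s --project=%s\n' "$api" "$project"
  done
}

# live_check PROJECT_ID: the same check against a real project (requires gcloud).
live_check() {
  enable_commands "$1" "$(gcloud services list --enabled --project "$1" \
    --format='value(config.name)')" "$SYNC_APIS"
}

# Sample run on the constructed list: prints the five enable commands needed.
enable_commands my-project-id "$SAMPLE_ENABLED" "$SYNC_APIS"
```

Services that stay disabled only cause the matching resources to be skipped, as the Optional roles tables note, so treat the output as a checklist of what the sync will silently omit rather than as a hard failure.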