
Connect GCP

VinTekh reads Google Cloud through a service account that you create and grant read-only IAM roles, bound either on a single project or on the organization. Workload Identity Federation (no key file) is supported and recommended.

What you need

  • A GCP project with billing enabled.
  • Organization access if you want multi-project enumeration: the roles below are then bound on the organization rather than on a project, and the caller needs cloudresourcemanager.organizations.get on it.
  • Owner or Security Admin on the target scope to create the SA + bind roles.

Workload Identity Federation (recommended — no key file)

  1. Create a Workload Identity Pool and an OIDC Provider for the VinTekh Azure tenant (pools are project resources, so create them in a project inside your GCP org). The issuer URL and audience claim to configure on the provider are shown on the connector setup page.
  2. Create a service account vintekh-reader@PROJECT.iam.gserviceaccount.com.
  3. Bind these read-only roles on the project (or org):
    • roles/iam.securityReviewer
    • roles/cloudasset.viewer
    • roles/logging.viewer
    • roles/recommender.viewer
    • roles/securitycenter.findingsViewer (if SCC Premium)
  4. Bind the WIF principal to roles/iam.workloadIdentityUser on the SA. The member string has the form principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/subject/SUBJECT; it takes the project number, not the project ID.
  5. Paste the SA email + WIF audience into VinTekh setup. Click Test connection.
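The five steps above as one script. This is an added example, not VinTekh's own tooling; PROJECT_ID, POOL, PROVIDER, ISSUER_URI, AUDIENCE and SUBJECT are placeholders (the last three come from the connector setup page) and ORG_ID and SCC_PREMIUM are optional switches this example introduces. Run it as `sh setup-vintekh.sh apply`; without the argument it only prints usage.

```sh
#!/bin/sh
# Added example: set up Workload Identity Federation for the VinTekh reader SA.
# All values below are placeholders (assumptions), not real identifiers.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"      # hosts the pool and the SA
POOL="${POOL:-vintekh-pool}"
PROVIDER="${PROVIDER:-vintekh-azure}"
ISSUER_URI="${ISSUER_URI:-https://login.microsoftonline.com/TENANT_ID/v2.0}"   # from the setup page
AUDIENCE="${AUDIENCE:-api://vintekh-connector}"                                 # from the setup page, copy exactly
SUBJECT="${SUBJECT:-00000000-0000-0000-0000-000000000000}"                    # sub claim of the VinTekh token
ORG_ID="${ORG_ID:-}"                  # set to bind the roles on the organization instead of the project
SA_NAME="vintekh-reader"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"
ROLES="roles/iam.securityReviewer roles/cloudasset.viewer roles/logging.viewer roles/recommender.viewer"
if [ -n "${SCC_PREMIUM:-}" ]; then
  ROLES="$ROLES roles/securitycenter.findingsViewer"   # only with Security Command Center Premium
fi

# IAM member string for one federated identity. Pure string work, so it can be checked
# without gcloud. WIF principals use the project NUMBER, not the project ID.
wif_member() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' "$1" "$2" "$3"
}

# Full resource name of the pool, handy for pasting into the setup page.
pool_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s' "$1" "$2"
}

apply() {
  # Step 1: pool and OIDC provider, accepting only the audience VinTekh presents.
  gcloud iam workload-identity-pools create "$POOL" --project="$PROJECT_ID" \
    --location=global --display-name="VinTekh"
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL" \
    --issuer-uri="$ISSUER_URI" --allowed-audiences="$AUDIENCE" \
    --attribute-mapping="google.subject=assertion.sub"

  # Step 2: the reader service account.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="VinTekh reader"

  # Step 3: read-only roles, on the organization when ORG_ID is set, otherwise on the project.
  for role in $ROLES; do
    if [ -n "$ORG_ID" ]; then
      gcloud organizations add-iam-policy-binding "$ORG_ID" \
        --member="serviceAccount:$SA_EMAIL" --role="$role" --condition=None
    else
      gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="serviceAccount:$SA_EMAIL" --role="$role" --condition=None
    fi
  done

  # Step 4: allow the federated identity to impersonate the SA.
  project_number=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
  gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" --project="$PROJECT_ID" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$project_number" "$POOL" "$SUBJECT")"

  # Step 5 happens in the VinTekh UI; print what it asks for and show the SA policy for review.
  echo "SA email: $SA_EMAIL"
  echo "Audience: $AUDIENCE"
  echo "Pool:     $(pool_resource "$project_number" "$POOL")"
  gcloud iam service-accounts get-iam-policy "$SA_EMAIL" --project="$PROJECT_ID"
}

if [ "${1:-}" = "apply" ]; then
  apply
else
  echo "usage: $0 apply   (set PROJECT_ID, ISSUER_URI, AUDIENCE and SUBJECT first)"
fi
```

The provider is created with --allowed-audiences so a token minted for another audience is rejected before impersonation is even attempted, and the final get-iam-policy lets you confirm that the only workloadIdentityUser member on the SA is the one principal you intended.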

Service-account-key path (fallback)

Use this only if an organization policy blocks Workload Identity Federation. Generate a JSON key for the service account and upload it; we store it encrypted with AES-256-GCM under an envelope key identified by a kid (see the architecture doc). Delete the local copy once the upload succeeds and keep it out of source control. Rotation is your responsibility: we surface keys older than 90 days as a finding.

What we read, what we don't

We read through the Cloud Asset Inventory API, Security Command Center findings and the Logging read API. We do NOT bind any role that carries a mutating permission (no *.write, *.create, *.delete, *.update, and no iam.serviceAccountKeys.create). Note that roles/logging.viewer exposes log entry contents, which may include application data; it does not cover Data Access audit logs (those require roles/logging.privateLogViewer, which we do not request). Bind at project scope if organization-wide log visibility is a concern.
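A way to verify the read-only claim against the live role definitions before you bind anything, added here as an example rather than VinTekh's own check. The grep filter covers the verbs listed above and, as this example's own extension, setIamPolicy, actAs and the token-minting verbs, since those escalate privilege without being "writes". The role list is the one from the WIF section; `audit` needs gcloud, while mutating_permissions works on any saved permission list piped into it.

```sh
#!/bin/sh
# Added example: confirm the requested roles carry no mutating or escalating permission.
set -eu

ROLES="roles/iam.securityReviewer roles/cloudasset.viewer roles/logging.viewer roles/recommender.viewer roles/securitycenter.findingsViewer"

# Reads one permission per line on stdin and prints those that can change state or
# escalate privilege. The verb list extends the page's (*.write/create/delete/update and
# iam.serviceAccountKeys.create) with setIamPolicy, actAs and token minting; that
# extension is this example's choice, not VinTekh's stated rule.
mutating_permissions() {
  grep -E '\.(write|create|delete|update|patch|undelete|setIamPolicy|actAs|getAccessToken|getOpenIdToken|signBlob|signJwt|implicitDelegation)$' || true
}

# Same filter, but returns a count so callers do not have to parse output.
count_mutating() {
  mutating_permissions | sed '/^$/d' | wc -l | tr -d ' '
}

# Fetch a role's permissions, one per line. gcloud's value() format joins list
# items with ';', so split on that.
role_permissions() {
  gcloud iam roles describe "$1" --format='value(includedPermissions)' | tr ';' '\n'
}

# Exit status 1 if any role in ROLES carries a flagged permission.
audit_roles() {
  bad=0
  for role in $ROLES; do
    hits=$(role_permissions "$role" | mutating_permissions)
    if [ -n "$hits" ]; then
      echo "FAIL $role:"
      echo "$hits" | sed 's/^/    /'
      bad=1
    else
      echo "ok   $role"
    fi
  done
  return $bad
}

if [ "${1:-}" = "audit" ]; then
  audit_roles
else
  echo "usage: $0 audit   (requires gcloud; or pipe a permission list into mutating_permissions)"
fi
```

Run it again after any role is updated by Google: predefined roles gain permissions over time, and a binding that was read-only when you reviewed it stays bound regardless.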

Troubleshooting

  • PERMISSION_DENIED on assets:listAssets. The SA needs roles/cloudasset.viewer at the scope you're querying (project or organization); for full coverage bind it on the organization rather than on individual projects. The same error is returned when the Cloud Asset API (cloudasset.googleapis.com) is not enabled in the project, so check that too.
  • WIF audience mismatch. Re-copy the audience claim from VinTekh setup into the provider's allowed audiences; the values must match exactly, and trailing slashes matter.