GCP Connection Scanning Configuration


1.0 Introduction

This article describes the minimum access privileges required for Fortanix Key Insight to scan the Google Cloud Platform (GCP) cloud projects.

2.0 Terminology Reference

For GCP terminology and concepts, refer to All Connections Concepts and GCP Connection Concepts.

3.0 GCP Single Project - Onboarding Setup

This section describes the steps to onboard a single GCP project in Fortanix Key Insight.

For a comprehensive list of GCP permissions required to onboard a GCP connection, refer to GCP Connection Permissions.

3.1 Prerequisites

The following GCP APIs must be enabled in the target project before onboarding into Fortanix Key Insight. Enabling them allows the read-only calls needed to scan the supported services (Cloud Key Management Service (KMS), Cloud Storage, and Cloud SQL):

  • Cloud Resource Manager API – Identifies project metadata and resource hierarchy.

  • Cloud Key Management Service (KMS) API – Discovers and reads Cloud KMS key metadata.

  • Cloud Storage API – Scans Google Cloud Storage buckets and objects.

  • Cloud SQL Admin API – Retrieves Cloud SQL instance configuration and metadata.

If any of these APIs are not enabled, the GCP connection test may fail with service-disabled or insufficient-permission errors.

Navigate to GCP Cloud Console → APIs & Services → Enable APIs and Services to enable these APIs in the target project.

3.2 Create a Service Account with Required Permissions

Perform the following steps to create a Google Cloud IAM Service Account in the project to be scanned:

  1. Log in to the Google Cloud Console.

  2. In the top navigation bar, select the target project where the service account will be created.

  3. Navigate to IAM & Admin → Service Accounts.

  4. On the Service Accounts page, click Create Service Account.

  5. On the Create service account page,

    1. Enter a Service account name. For example, fortanix-key-insight-gcp.

    2. The Service account ID field will auto-populate based on the name entered.

    3. Enter a Service account description (Optional).

    4. Click Create and Continue.

    5. In the Permissions (Optional) section, search for and add the following IAM roles from the Select a role dropdown, based on the supported services:

      • Cloud KMS Viewer – Provides read-only access to Cloud KMS keys and key metadata.

      • Storage Bucket Viewer (beta) – Provides read-only access to Cloud Storage objects and bucket metadata.

        NOTE

        If Storage Bucket Viewer (beta) is not available, add the Storage Object Viewer role instead.

      • Cloud SQL Viewer – Provides read-only access to Cloud SQL instances, configurations, and metadata.

    6. Click Continue.

    7. Click Done to complete the service account creation.

Figure 1: Create a Service Account

3.3 Create and Save a Private Key for the Service Account

Fortanix Key Insight requires a service account key file to authenticate to GCP.

Perform the following steps to create a service account key file for the project selected in the previous section:

  1. Navigate to IAM & Admin → Service Accounts.

  2. Select the service account created in Section 3.2: Create a Service Account with Required Permissions.

  3. Go to the Keys tab.

  4. On the Keys page, click Add Key → Create New Key.

  5. In the Create private key dialog box, select JSON.

  6. Click Create. The JSON key file is generated and downloaded to your local machine. GCP does not keep a copy of the private key, so this download is the only one.

  7. Store the JSON file securely.

  8. Copy the following values from the JSON file:

    • client_email: Use this as the Service Account Email.

    • private_key: Use this as the Private Key.

      NOTE

      When pasting the private key into the Fortanix Key Insight user interface (UI):

      • Paste the full PEM block exactly as provided in the JSON, as a multi-line value with its line breaks intact (in the JSON file the line breaks appear as \n escape sequences inside a single string):

        -----BEGIN PRIVATE KEY-----
        <base64 data>
        -----END PRIVATE KEY-----

      • Do not escape characters, remove newlines, or paste the entire JSON file.

      Incorrect formatting will cause the connection test to fail.

    • project_id: Use this as the Project ID.


     Figure 2: Obtain the GCP credentials

    These values will be used in the Fortanix Key Insight UI when onboarding a GCP connection.

NOTE

  • Service account key files are long-lived credentials. Store them securely and never check them into source control.

  • Service account keys do not expire automatically, so rotate them regularly (for example, every 90 days or according to your organization’s security policy) and delete unused keys immediately.
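The onboarding in Sections 3.1 to 3.3 as a single gcloud script, added here as an example; it is not part of the Fortanix documentation or product. It assumes gcloud is installed and authenticated with rights to enable APIs, create service accounts and edit the project's IAM policy; PROJECT_ID, SA_NAME, KEY_FILE and the sample key file it writes are placeholders. The helpers at the end implement the check behind the note in Section 3.3: in the JSON file the private_key value is one string with \n escape sequences, and the UI needs it as a multi-line PEM block with real line breaks.

```shell
#!/bin/sh
# Added example, not Fortanix tooling: onboard one GCP project for Key Insight
# with gcloud (Sections 3.1-3.3) and extract the three values the UI asks for.
# Assumes gcloud is installed and authenticated with rights to enable APIs,
# create service accounts and edit the project's IAM policy.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"       # placeholder, set to your project
SA_NAME="${SA_NAME:-fortanix-key-insight-gcp}"   # name used in Section 3.2
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
KEY_FILE="${KEY_FILE:-${SA_NAME}.json}"

# Section 3.1: APIs that must be enabled in the scanned project.
required_apis() {
  printf '%s\n' cloudresourcemanager.googleapis.com cloudkms.googleapis.com \
    storage.googleapis.com sqladmin.googleapis.com
}

# Section 3.2: read-only roles. roles/storage.bucketViewer is "Storage Bucket
# Viewer (beta)"; use roles/storage.objectViewer where it is unavailable.
required_roles() {
  printf '%s\n' roles/cloudkms.viewer roles/storage.bucketViewer roles/cloudsql.viewer
}

enable_apis() {
  gcloud services enable $(required_apis) --project "$PROJECT_ID"
}

create_service_account() {
  gcloud iam service-accounts create "$SA_NAME" \
    --display-name "Fortanix Key Insight scanner" --project "$PROJECT_ID"
  for role in $(required_roles); do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:${SA_EMAIL}" --role "$role"
  done
}

# Section 3.3: the JSON key is downloaded once and GCP keeps no copy of it.
create_key() {
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$SA_EMAIL"
  chmod 600 "$KEY_FILE"
}

# One string field from the key file (one field per line, so sed suffices; no jq).
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" "$2"
}

# The JSON holds the key as one string with literal \n; %b restores real line breaks.
unescape_pem() {
  printf '%b' "$1"
}

# The check behind the note in 3.3: no literal "\n" left, newlines not
# stripped, and the PEM armor on its own first and last lines.
pem_is_wellformed() {
  _pem=$(printf '%s' "$1")                      # trailing newlines dropped
  case "$_pem" in *'\n'*) return 1 ;; esac      # still JSON-escaped
  _first=$(printf '%s\n' "$_pem" | sed -n '1p')
  _last=$(printf '%s\n' "$_pem" | sed -n '$p')
  if [ "$_first" = "-----BEGIN PRIVATE KEY-----" ] &&
     [ "$_last" = "-----END PRIVATE KEY-----" ]; then return 0; fi
  return 1
}

# Print exactly what Section 3.3 says to copy into the UI.
show_connection_values() {
  echo "Project ID:            $(json_field project_id "$1")"
  echo "Service Account Email: $(json_field client_email "$1")"
  _key=$(unescape_pem "$(json_field private_key "$1")")
  if ! pem_is_wellformed "$_key"; then
    echo "private_key is not a well-formed PEM block" >&2; return 1
  fi
  printf 'Private Key (paste all lines as shown):\n%s\n' "$_key"
}

# Constructed sample key file for offline testing; the key body is filler
# (base64 of NOTAREALKEY), not a real key. Real files carry more fields.
write_sample_key_json() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nTk9UQVJFQUxLRVk=\n-----END PRIVATE KEY-----\n",
  "client_email": "fortanix-key-insight-gcp@example-project.iam.gserviceaccount.com"
}
EOF
}

# Real onboarding runs only on request (`sh onboard.sh onboard`); sourcing just defines helpers.
if [ "${1:-}" = "onboard" ]; then
  enable_apis
  create_service_account
  create_key
  show_connection_values "$KEY_FILE"
fi
```

Run it as `PROJECT_ID=<your-project> sh onboard.sh onboard`; with no argument it only defines the helpers, so `show_connection_values path/to/key.json` can be used on a key file created in the console to confirm the private key will paste correctly before testing the connection.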