GCP Connection Scanning Configuration


1.0 Introduction

This article describes the minimum access privileges required for Fortanix Key Insight to scan the Google Cloud Platform (GCP) cloud organization and projects.

2.0 Terminology Reference

For GCP terminology and concepts, refer to All Connections Concepts and GCP Connection Concepts.

3.0 Onboard a GCP Project

This section describes the steps to onboard a single GCP project in Fortanix Key Insight.

For a comprehensive list of GCP permissions required to onboard a GCP project, refer to GCP Connection Permissions.

3.1 Prerequisites

Ensure the following before onboarding a GCP project into Fortanix Key Insight:

3.1.1 Enable Required APIs

The following GCP APIs must be enabled in every project whose resources will be scanned. For a single-project connection, this is the project in which the service account is created:

  • Cloud Resource Manager API – Retrieves project metadata and resource hierarchy.

  • Cloud Key Management Service (KMS) API – Discovers and reads Cloud KMS key metadata.

  • Cloud Storage API – Scans Google Cloud Storage buckets and objects.

  • Cloud SQL Admin API – Retrieves Cloud SQL instance configuration and metadata.

  • Kubernetes Engine API – Retrieves GKE cluster configuration, node metadata and workload status, and related resource settings.

  • Compute Engine API – Retrieves Compute Engine virtual machine (VM) instances, disk encryption configuration, metadata, and related resource settings.

These APIs provide read-only access required to scan the supported services: Cloud Key Management Service (KMS), Cloud Storage, Cloud SQL, Google Kubernetes Engine (GKE), and Google Compute Engine (GCE).

WARNING

If any of the above APIs are not enabled, the GCP connection test may fail with service-disabled or insufficient-permission errors.

Navigate to GCP Cloud Console → APIs & Services → Enable APIs and Services to enable these APIs in the target project.
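The same prerequisite can be scripted so it is repeatable across projects. The following is an added example written for this page, not Fortanix tooling or text from the original article: it enables the six APIs listed above with gcloud and then verifies that none is missing, which is the check worth running before the Key Insight connection test. It assumes gcloud is installed and authenticated; the GCLOUD variable is an assumption of this script (not a gcloud feature) that lets you dry-run it with GCLOUD=echo or substitute a stub.

```shell
#!/bin/sh
# Added example (not part of the Fortanix documentation): enable the six APIs
# from Section 3.1.1 in a project with gcloud and verify none is missing before
# running the connection test. Assumes gcloud is installed and authenticated.
# GCLOUD is this script's own override hook (GCLOUD=echo for a dry run, or a
# stub function for testing); gcloud itself does not read it.
GCLOUD=${GCLOUD:-gcloud}

# Service names of the required APIs, one per line.
required_apis() {
  cat <<'EOF'
cloudresourcemanager.googleapis.com
cloudkms.googleapis.com
storage.googleapis.com
sqladmin.googleapis.com
container.googleapis.com
compute.googleapis.com
EOF
}

# Enable all required APIs in PROJECT_ID with a single gcloud call.
enable_required_apis() {          # enable_required_apis PROJECT_ID
  "$GCLOUD" services enable $(required_apis) --project="$1"
}

# Print every required API that is not yet enabled in PROJECT_ID, one per
# line, and return 1 if any is missing so the check can gate onboarding.
missing_apis() {                  # missing_apis PROJECT_ID
  enabled=$("$GCLOUD" services list --enabled --project="$1" \
              --format='value(config.name)')
  rc=0
  for api in $(required_apis); do
    printf '%s\n' "$enabled" | grep -Fqx "$api" || { echo "$api"; rc=1; }
  done
  return $rc
}

# Usage: set KI_PROJECT_ID (placeholder name) to enable and then re-check.
if [ -n "${KI_PROJECT_ID:-}" ]; then
  enable_required_apis "$KI_PROJECT_ID"
  missing_apis "$KI_PROJECT_ID" && echo "all required APIs enabled"
fi
```

Note that an enabled API only makes the service reachable; the service account still needs the IAM roles from Section 3.2, otherwise the connection test fails with a permission error rather than a service-disabled error.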

3.1.2 Grant Required IAM Permissions

Ensure the service account used for onboarding has read-only access to the supported GCP services within the target project. Missing permissions may cause the connection test to fail or result in incomplete scan results.

For instructions on creating the service account and assigning the required roles, refer to Section 3.2: Create a Service Account with Required Permissions.

3.2 Create a Service Account with Required Permissions

You can create a service account and grant permissions using any of the following methods:

  • Predefined viewer roles

  • Custom role with minimum required permissions (least privilege)

3.2.1 Using Predefined Viewer Roles

Perform the following steps to create a Google Cloud IAM Service Account using the predefined viewer roles in the project to be scanned:

  1. Log in to the Google Cloud Console.

  2. In the top navigation bar, select the target project where the service account will be created.

  3. Navigate to IAM & Admin → Service Accounts.

  4. On the Service Accounts page, click Create Service Account.

  5. On the Create service account page,

    1. Enter a Service account name. For example, fortanix-key-insight-gcp.

    2. The Service account ID field will auto-populate based on the name entered.

    3. Enter a Service account description (Optional).

    4. Click Create and Continue.

    5. On the Permissions (Optional) section, search for and add the following IAM roles from the Select a role drop-down, based on the supported services:

      • Cloud KMS Viewer – Provides read-only access to Cloud KMS keys and key metadata.

      • Storage Bucket Viewer (beta) – Provides read-only access to Cloud Storage bucket configuration and metadata; it does not read object contents.

        NOTE

        If Storage Bucket Viewer (beta) is not available, add the Storage Object Viewer role instead. Whichever role you use, confirm it grants storage.buckets.get and storage.buckets.list, the Cloud Storage permissions listed in Section 3.2.2, or bucket enumeration will fail.

      • Cloud SQL Viewer – Provides read-only access to Cloud SQL instances, configurations, and metadata.

      • Kubernetes Engine Viewer – Provides read-only access to GKE resources, including cluster configuration, node metadata, and workload status.

      • Compute Viewer – Provides read-only access to GCE resources, including VM instances, disks, images, and associated metadata.

    6. Click Continue.

    7. Click Done to complete the service account creation.

Figure 1: Create a Service Account

3.2.2 Using a Custom Role (Least Privilege)

Instead of assigning multiple predefined viewer roles, you can create a custom IAM role that includes only the minimum permissions required for scanning (least privilege).

Perform the following steps to create a Google Cloud IAM Service Account using a custom role in the project to be scanned:

  1. Create a Custom Role:

    1. Log in to the Google Cloud Console.

    2. Navigate to the IAM & Admin → Roles.

    3. Click Create Role.

    4. On the Create role page, enter the following:

      1. Title: Enter the role name. For example, Fortanix Key Insight Scanner Role.

      2. Description (Optional): Enter a role description.

      3. ID: Enter the role ID. For example, FortanixKeyInsightScanner.

    5. Click Add permissions and add the following permissions, grouped by the GCP service they cover:

      Cloud Key Management Service (KMS):

      • cloudkms.cryptoKeyVersions.get

      • cloudkms.cryptoKeyVersions.list

      • cloudkms.cryptoKeys.get

      • cloudkms.cryptoKeys.list

      • cloudkms.keyRings.get

      • cloudkms.keyRings.list

      • cloudkms.locations.list

      Cloud SQL:

      • cloudsql.instances.get

      • cloudsql.instances.list

      • cloudsql.databases.list

      • cloudsql.users.list

      Cloud Storage:

      • storage.buckets.get

      • storage.buckets.list

      Google Kubernetes Engine (GKE):

      • container.clusters.get

      • container.clusters.list

      Google Compute Engine (GCE):

      • compute.instances.get

      • compute.instances.list

      • compute.projects.get

      • compute.regions.list

      • compute.zones.list

    6. Click Create to create a new custom role.

  2. Create a Service Account and Assign the Custom Role:

    1. Navigate to IAM & Admin → Service Accounts.

    2. On the Service Accounts page, click Create Service Account.

    3. On the Create service account page,

      1. Enter a Service account name. For example, fortanix-key-insight-gcp.

      2. The Service account ID field will auto-populate based on the name entered.

      3. Enter a Service account description (Optional).

      4. Click Create and Continue.

      5. On the Permissions (Optional) section, search for and select the custom role created in Step 1 from the Select a role drop-down.

    4. Click Continue.

    5. Click Done to complete the service account creation.
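The custom-role procedure above, done with gcloud instead of the console. This is an added example written for this page, not Fortanix tooling or text from the original article. It creates the custom role with exactly the permissions listed in Section 3.2.2, refuses to create it if any permission is not a read verb, creates the service account, binds the role at project scope, and prints the roles the account holds so you can confirm nothing else was granted. Project, role and account names are placeholders; GCLOUD is this script's own override hook, not a gcloud feature.

```shell
#!/bin/sh
# Added example (not Fortanix's own tooling): Section 3.2.2 via gcloud.
# Assumes gcloud is installed and authenticated with rights to create roles,
# service accounts and IAM bindings in the project. GCLOUD=echo prints the
# commands instead of running them.
GCLOUD=${GCLOUD:-gcloud}

# Permissions from the Section 3.2.2 table, one per line.
scanner_permissions() {
  cat <<'EOF'
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.list
cloudkms.cryptoKeys.get
cloudkms.cryptoKeys.list
cloudkms.keyRings.get
cloudkms.keyRings.list
cloudkms.locations.list
cloudsql.instances.get
cloudsql.instances.list
cloudsql.databases.list
cloudsql.users.list
storage.buckets.get
storage.buckets.list
container.clusters.get
container.clusters.list
compute.instances.get
compute.instances.list
compute.projects.get
compute.regions.list
compute.zones.list
EOF
}

# Least-privilege guard: refuse to create the role if any permission is not a
# read verb (get or list). Prints the offending permissions and returns 1.
permissions_are_read_only() {
  if scanner_permissions | grep -vE '\.(get|list)$'; then
    return 1
  fi
  return 0
}

create_scanner_role() {           # create_scanner_role PROJECT_ID ROLE_ID
  permissions_are_read_only || return 1
  "$GCLOUD" iam roles create "$2" --project="$1" \
    --title="Fortanix Key Insight Scanner Role" --stage=GA \
    --permissions="$(scanner_permissions | tr '\n' ',' | sed 's/,$//')"
}

create_scanner_sa() {             # create_scanner_sa PROJECT_ID SA_NAME
  "$GCLOUD" iam service-accounts create "$2" --project="$1" \
    --display-name="Fortanix Key Insight scanner"
}

sa_email() {                      # sa_email PROJECT_ID SA_NAME
  echo "$2@$1.iam.gserviceaccount.com"
}

# Bind the custom role (and nothing else) to the service account on the project.
bind_scanner_role() {             # bind_scanner_role PROJECT_ID SA_NAME ROLE_ID
  "$GCLOUD" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$(sa_email "$1" "$2")" \
    --role="projects/$1/roles/$3"
}

# Roles the service account holds on the project; expect only the custom role.
sa_project_roles() {              # sa_project_roles PROJECT_ID SA_NAME
  "$GCLOUD" projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$(sa_email "$1" "$2")" \
    --format='value(bindings.role)'
}

# Usage: set KI_PROJECT_ID (placeholder name) to run end to end.
if [ -n "${KI_PROJECT_ID:-}" ]; then
  create_scanner_role "$KI_PROJECT_ID" FortanixKeyInsightScanner
  create_scanner_sa   "$KI_PROJECT_ID" fortanix-key-insight-gcp
  bind_scanner_role   "$KI_PROJECT_ID" fortanix-key-insight-gcp FortanixKeyInsightScanner
  sa_project_roles    "$KI_PROJECT_ID" fortanix-key-insight-gcp
fi
```

The read-only guard is deliberately strict: if a later product version needs an extra permission, adding it to the list makes the guard fail unless the permission is a get or list verb, which is the moment to ask why a scanner needs anything else.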

3.3 Create and Save a Private Key for the Service Account

Fortanix Key Insight requires a service account key file to authenticate to GCP.

Perform the following steps to create a service account key file for the project selected in the previous section:

  1. Navigate to IAM & Admin → Service Accounts.

  2. Select the service account created in Section 3.2: Create a Service Account with Required Permissions.

  3. Go to the Keys tab.

  4. On the Keys page, click Add Key → Create New Key.

  5. In the Create private key dialog box, select JSON.

  6. Click Create. The JSON key file is generated and downloaded to your local machine. GCP does not keep a copy of the private key, so this download is the only opportunity to obtain it; if the file is lost, create a new key and delete the old one.

  7. Store the downloaded JSON file securely, for example restricted to the file owner by file permissions and excluded from source control.

  8. Copy the following values from the JSON file:

    • client_email: Use this as the Service Account Email.

    • private_key: Use this as the Private Key.

      NOTE

      When pasting the private key into the Fortanix Key Insight user interface (UI):

      • Preserve the full multi-line PEM block exactly as it appears in the JSON file, including line breaks. Inside the JSON file the line breaks are stored as \n escape sequences within the private_key string; they must be pasted as real line breaks, so the value looks like this:

        -----BEGIN PRIVATE KEY-----
        <base64 data, one or more lines>
        -----END PRIVATE KEY-----

      • Do not escape characters, remove newlines, or paste the entire JSON file.

      Incorrect formatting will cause the connection test to fail.

    • project_id: Use this as the Project ID.


     Figure 2: Obtain the GCP credentials

    These values will be used in the Fortanix Key Insight UI when onboarding a GCP connection.

NOTE

  • Service account key files contain sensitive credentials. Store them securely, restrict file permissions to the owner, and never commit them to source control or paste them into chat or ticketing systems.

  • Service account keys do not expire automatically, so rotate them regularly (for example, every 90 days or according to your organization’s security policy) and delete unused keys immediately.
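The key-handling steps in Section 3.3 as a script, added for this page and not taken from Fortanix or the original article. It creates the key with gcloud, extracts the three values the UI asks for (decoding the \n escapes in private_key into real line breaks), and checks a private key that is about to be pasted for the three mistakes the note above warns about: the whole JSON file pasted, line breaks left as literal \n, and a PEM collapsed onto one line or missing its BEGIN/END lines. It assumes gcloud and python3 are installed (python3 is used only as a JSON parser); SA_EMAIL, KEY_FILE and OUT_PEM are placeholder inputs and GCLOUD is this script's own override hook.

```shell
#!/bin/sh
# Added example (not Fortanix's own tooling): Section 3.3 via gcloud, plus a
# formatting check for the private key before it is pasted into the UI.
# Assumes gcloud and python3 are installed; GCLOUD=echo dry-runs the gcloud call.
GCLOUD=${GCLOUD:-gcloud}

create_sa_key() {                 # create_sa_key SA_EMAIL KEY_FILE
  "$GCLOUD" iam service-accounts keys create "$2" --iam-account="$1"
  chmod 600 "$2"                  # key material: readable by the owner only
}

# Print one field of the key file without a trailing newline. json.load turns
# the \n escapes inside private_key into real line breaks, the form the UI expects.
json_field() {                    # json_field KEY_FILE FIELD
  python3 -c 'import json,sys; sys.stdout.write(json.load(open(sys.argv[1]))[sys.argv[2]])' "$1" "$2"
}

# Write the UI inputs: email and project ID on stdout, private key to OUT_PEM
# (kept off the terminal and out of shell history).
ui_values() {                     # ui_values KEY_FILE OUT_PEM
  echo "Service Account Email: $(json_field "$1" client_email)"
  echo "Project ID:            $(json_field "$1" project_id)"
  json_field "$1" private_key > "$2" && chmod 600 "$2"
}

# Return 0 if FILE holds a well-formed multi-line PEM block, otherwise print
# the reason on stderr and return 1. Order matters: the JSON and escaped-newline
# cases are detected first so their messages are not masked by the PEM checks.
validate_private_key_pem() {      # validate_private_key_pem FILE
  first=$(head -n 1 "$1")
  last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)   # last non-blank line
  case "$first" in
    '{'*) printf '%s\n' 'whole JSON file pasted; paste only the private_key value' >&2; return 1 ;;
  esac
  if grep -q '\\n' "$1"; then
    printf '%s\n' 'contains literal \n sequences; line breaks must be real' >&2; return 1
  fi
  [ "$(grep -c '' "$1")" -ge 3 ] || { printf '%s\n' 'PEM must span multiple lines' >&2; return 1; }
  [ "$first" = '-----BEGIN PRIVATE KEY-----' ] || { printf '%s\n' 'missing BEGIN line' >&2; return 1; }
  [ "$last" = '-----END PRIVATE KEY-----' ] || { printf '%s\n' 'missing END line' >&2; return 1; }
  return 0
}

# Usage: set KI_SA_EMAIL (placeholder) to create a key and print the UI values.
if [ -n "${KI_SA_EMAIL:-}" ]; then
  create_sa_key "$KI_SA_EMAIL" key.json
  ui_values key.json key.pem
  validate_private_key_pem key.pem && echo "key.pem is ready to paste as the Private Key"
fi
```

Running validate_private_key_pem against the file you are about to paste from is the cheapest way to rule out the formatting failure the note describes before spending a connection-test cycle on it.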

4.0 Onboard a GCP Organization

This section describes the steps to configure a GCP organization to perform key scans using Fortanix Key Insight.

For a comprehensive list of GCP permissions required to onboard a GCP organization, refer to GCP Connection Permissions.

Before adding a new GCP organization connection in Fortanix Key Insight, configure an IAM service account with organization-level visibility.

4.1 Prerequisites

Ensure the following before onboarding a GCP organization into Fortanix Key Insight:

4.1.1 Enable Required APIs

Ensure that all required APIs listed in Section 3.1.1: Enable Required APIs are enabled in every project within the organization that should be scanned.

If required APIs are not enabled in certain projects, those projects may be skipped or return permission errors during scanning.

4.1.2 Grant Required IAM Permissions

Ensure the service account used for onboarding has read-only access to the supported GCP services at the organization level. Missing permissions may cause the connection test to fail or result in incomplete scan results.

For instructions on creating the service account and assigning the required roles at the organization level, refer to Section 4.2: Create a Service Account with Required Permissions.

4.2 Create a Service Account with Required Permissions

Perform the following steps to create the service account in a project that belongs to your GCP organization (preferably a central project managed by your security team):

NOTE

You cannot create service accounts at the organization level. You must create them within a project.

  1. Log in to the Google Cloud Console.

  2. In the top navigation bar, select the project where you want to create the service account.

  3. Navigate to IAM & Admin → Service Accounts.

  4. On the Service Accounts page, click Create Service Account.

  5. On the Create service account page,

    1. Enter the Service account name. For example, fortanix-key-insight-gcp-organization.

    2. The Service account ID field auto-populates based on the service account name.

    3. Enter a Service account description (Optional).

    4. Click Create and Continue.

    5. In the Permissions (Optional) section, do not assign any roles. Click Continue.

    6. Click Done to create a service account.

  6. Navigate to IAM & Admin → IAM.

  7. In the resource selector at the top of the IAM page, select your Organization.

  8. Click Grant access and, in the New principals field, enter the email address of the service account created in Step 5. (The service account does not appear in the organization's IAM list until it holds a role there, so it cannot be selected with Edit principal yet.)

  9. In the Roles section, assign the following IAM roles to enable organization-wide read-only scanning, based on the supported services:

    • Organization Viewer – Provides read-only access to the organization resource itself. It does not grant access to the resources inside projects, so the service-specific viewer roles below are still required.

    • Cloud KMS Viewer – Provides read-only access to Cloud KMS keys and key metadata.

    • Storage Bucket Viewer (beta) – Provides read-only access to Cloud Storage bucket configuration and metadata; it does not read object contents.

      NOTE

      If Storage Bucket Viewer (beta) is not available, add the Storage Object Viewer role instead. Whichever role you use, confirm it grants storage.buckets.get and storage.buckets.list, the Cloud Storage permissions listed in Section 3.2.2, or bucket enumeration will fail.

    • Cloud SQL Viewer – Provides read-only access to Cloud SQL instances, configurations, and metadata.

    • Kubernetes Engine Viewer – Provides read-only access to GKE resources, including cluster configuration, node metadata, and workload status.

    • Compute Viewer – Provides read-only access to GCE resources, including VM instances, disks, images, and associated metadata.

    NOTE

    Assigning the required roles at the Organization level grants inherited visibility across all folders and projects within that organization.

  10. Click Save to apply the permissions.

4.3 Create and Save a Private Key for the Service Account

For steps on how to create and save a private key for the service account in GCP organization, refer to Section 3.3: Create and Save a Private Key for the Service Account.

4.4 Obtain the GCP Organization ID

Perform the following steps to obtain your GCP organization ID using the Google Cloud Console:

  1. Log in to the Google Cloud Console.

  2. In the top navigation bar, open the project and organization selector (project picker), and select your Organization.

  3. On the right side of the top navigation bar, click the More actions menu (the three-dot icon).

  4. Select Settings. This page displays your organization resource ID.

  5. Copy the organization ID value to use it in the Fortanix Key Insight (UI) when onboarding a GCP connection.

For detailed steps on obtaining the organization ID using the Google Cloud CLI or REST API, refer to Creating and Managing Organization Resources.
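The organization-level steps of Sections 4.2 and 4.4 with gcloud, added for this page and not taken from Fortanix or the original article. It looks up the numeric organization ID from the organization's display name, binds the predefined viewer roles to an existing service account at organization scope, and reports any required role that is still missing, which is the check to run before the connection test. The role IDs are the IAM identifiers behind the console names used above (for example, Cloud KMS Viewer is roles/cloudkms.viewer); the organization display name and account email are placeholders, and GCLOUD is this script's own override hook. Binding the same roles with gcloud projects add-iam-policy-binding instead is the CLI equivalent of Section 3.2.1.

```shell
#!/bin/sh
# Added example (not Fortanix's own tooling): Sections 4.2 and 4.4 via gcloud.
# Assumes gcloud is installed and authenticated with rights to edit the
# organization IAM policy. GCLOUD=echo dry-runs the binding commands.
GCLOUD=${GCLOUD:-gcloud}

# Numeric organization ID for the organization shown as DISPLAY_NAME (usually
# your primary domain). gcloud returns "organizations/<id>"; strip the prefix.
org_id() {                        # org_id DISPLAY_NAME
  "$GCLOUD" organizations list --filter="displayName=$1" \
    --format='value(name)' | sed 's#^organizations/##'
}

# Predefined roles from Section 4.2, one per line. Replace
# roles/storage.bucketViewer with roles/storage.objectViewer if the former is
# unavailable, as the note in Section 4.2 says.
org_viewer_roles() {
  cat <<'EOF'
roles/resourcemanager.organizationViewer
roles/cloudkms.viewer
roles/storage.bucketViewer
roles/cloudsql.viewer
roles/container.viewer
roles/compute.viewer
EOF
}

# Grant each role to the service account on the organization resource; the
# bindings are inherited by every folder and project beneath it.
bind_org_roles() {                # bind_org_roles ORG_ID SA_EMAIL
  for role in $(org_viewer_roles); do
    "$GCLOUD" organizations add-iam-policy-binding "$1" \
      --member="serviceAccount:$2" --role="$role" --condition=None >/dev/null
  done
}

# Roles the service account currently holds directly on the organization.
sa_org_roles() {                  # sa_org_roles ORG_ID SA_EMAIL
  "$GCLOUD" organizations get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

# Print the required roles not yet bound and return 1 if there are any.
missing_org_roles() {             # missing_org_roles ORG_ID SA_EMAIL
  bound=$(sa_org_roles "$1" "$2")
  rc=0
  for role in $(org_viewer_roles); do
    printf '%s\n' "$bound" | grep -Fqx "$role" || { echo "$role"; rc=1; }
  done
  return $rc
}

# Usage: set KI_ORG_NAME and KI_SA_EMAIL (placeholders) to run end to end.
if [ -n "${KI_ORG_NAME:-}" ] && [ -n "${KI_SA_EMAIL:-}" ]; then
  id=$(org_id "$KI_ORG_NAME")
  echo "Organization ID: $id"
  bind_org_roles "$id" "$KI_SA_EMAIL"
  missing_org_roles "$id" "$KI_SA_EMAIL" && echo "all required roles bound"
fi
```

missing_org_roles only inspects bindings placed directly on the organization; a role granted on a folder or project will not satisfy it, which is intended, since this connection type relies on organization-level inheritance to reach every project.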


As of August 2025