Connect your Google Cloud project to Anyshift to unlock real-time infrastructure mapping, monitoring, and dependency insights: exactly the same capabilities as our AWS integration, but built on GCP-native security primitives.
Security First: All the roles listed below provide read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your GCP project.
Required Roles and Permissions
Setup Options
- Quick Setup
- Recommended Setup
Minimal Setup with roles/viewer
Using only the roles/viewer role provides basic access, but with limitations. Anyshift will be able to scan core GCP resources such as Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub. However, many specialized services will not be accessible.
Complete Role List for Maximum Coverage
View all available roles that Anyshift can utilize for comprehensive infrastructure scanning:
Services Requiring Additional Roles
These services need specific roles beyond roles/viewer:
- AI Platform: roles/aiplatform.viewer, roles/notebooks.viewer
- API Gateway: roles/apigateway.viewer
- Artifact Registry: roles/artifactregistry.reader
- BigQuery: roles/bigquery.dataViewer, roles/bigquery.jobUser, roles/bigquery.metadataViewer
- Certificate Manager: roles/certificatemanager.viewer
- Cloud Billing: roles/billing.viewer, roles/billing.budgets.viewer
- Cloud Build: roles/cloudbuild.builds.viewer
- Cloud Functions: roles/cloudfunctions.viewer
- Cloud KMS: roles/cloudkms.viewer
- Composer: roles/composer.environmentAndStorageObjectViewer
- Data Catalog: roles/datacatalog.viewer
- Dataflow: roles/dataflow.viewer
- Dataproc: roles/dataproc.viewer
- DNS: roles/dns.reader
- IAM: roles/iam.roleViewer, roles/iam.serviceAccountViewer, roles/iam.workloadIdentityPoolViewer
- Memorystore/Redis: roles/redis.viewer
- Storage: roles/storage.objectViewer
- Workflows: roles/workflows.viewer
Services Covered by roles/viewer
These services are already accessible with the basic viewer role:
- Cloud SQL
- Compute Engine (including networks)
- Container/GKE
- Firestore
- Logging
- Monitoring
- Pub/Sub
- Service Networking
Setup Guide
Option 1: Service-account key
Step 1 · Create a read-only service account
- Go to IAM & Admin → Service Accounts → Create Service Account
- Name: anyshift-readonly, Description: “Read-only service account for Anyshift” → Create
- Go to IAM & Admin → IAM → Grant Access
- Add the service account email and assign roles:
  For Quick Setup:
  - Viewer (Basic role)
  For Recommended Setup, also add:
  - API Gateway Viewer
  - Artifact Registry Reader
  - BigQuery Data Viewer
  - BigQuery Job User
  - Certificate Manager Viewer
  - Cloud Build Viewer
  - Cloud Functions Viewer
  - Cloud KMS Viewer
  - Cloud Composer Viewer
  - Data Catalog Viewer
  - Dataflow Viewer
  - Dataproc Viewer
  - DNS Reader
  - Memorystore Redis Viewer
  - Storage Object Viewer
  - Workflows Viewer
  - IAM Role Viewer
  - IAM Service Account Viewer
  - IAM Workload Identity Pool Viewer
- Go back to Service Accounts, click on your anyshift-readonly account
- Go to Keys tab → Add Key → Create new key → JSON → Create
- Download and securely store the JSON key file
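The same procedure as a script, added here as an example rather than Anyshift's own tooling: it emits the gcloud commands equivalent to the console steps above (create the account, bind each role from this page, create a JSON key) and then audits a project's IAM policy against that role list, so you can confirm the account really holds nothing beyond read-only roles after setup or later drift. The project ID `example-project`, the key file name, and the sample policy are constructed assumptions; the policy shape is that of `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
"""gcloud equivalents of Step 1 plus an allowlist audit of the resulting bindings.
Added example; not Anyshift's code. Project ID, key path and SAMPLE_POLICY are
assumptions constructed for illustration."""
import json

# Read-only roles listed on this page that are granted on the project.
PROJECT_ROLES = (
    "roles/viewer",
    "roles/aiplatform.viewer", "roles/notebooks.viewer",
    "roles/apigateway.viewer",
    "roles/artifactregistry.reader",
    "roles/bigquery.dataViewer", "roles/bigquery.jobUser", "roles/bigquery.metadataViewer",
    "roles/certificatemanager.viewer",
    "roles/cloudbuild.builds.viewer",
    "roles/cloudfunctions.viewer",
    "roles/cloudkms.viewer",
    "roles/composer.environmentAndStorageObjectViewer",
    "roles/datacatalog.viewer",
    "roles/dataflow.viewer",
    "roles/dataproc.viewer",
    "roles/dns.reader",
    "roles/iam.roleViewer", "roles/iam.serviceAccountViewer", "roles/iam.workloadIdentityPoolViewer",
    "roles/redis.viewer",
    "roles/storage.objectViewer",
    "roles/workflows.viewer",
)

# Billing roles are bound on the billing account rather than the project, so the
# project-level binding commands below do not generate them.
BILLING_ROLES = ("roles/billing.viewer", "roles/billing.budgets.viewer")

ANYSHIFT_READONLY_ROLES = frozenset(PROJECT_ROLES + BILLING_ROLES)


def service_account_email(project_id, name="anyshift-readonly"):
    """Email GCP assigns to a service account created in project_id."""
    return f"{name}@{project_id}.iam.gserviceaccount.com"


def grant_commands(project_id, key_path="anyshift-readonly-key.json"):
    """gcloud commands matching Step 1: create the account, bind each role, create a JSON key."""
    email = service_account_email(project_id)
    member = f"serviceAccount:{email}"
    cmds = [
        f"gcloud iam service-accounts create anyshift-readonly --project={project_id} "
        f'--display-name="anyshift-readonly" '
        f'--description="Read-only service account for Anyshift"'
    ]
    cmds += [
        f'gcloud projects add-iam-policy-binding {project_id} --member="{member}" --role="{role}"'
        for role in PROJECT_ROLES
    ]
    cmds.append(f"gcloud iam service-accounts keys create {key_path} --iam-account={email}")
    return cmds


def audit_bindings(policy, member):
    """Compare one member's bindings against the read-only allowlist.

    policy: parsed JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`,
    a dict whose "bindings" list holds {"role": ..., "members": [...]} entries.
    Returns (held, unexpected): every role bound to member, and the subset not on
    this page's read-only list (anything there, e.g. roles/editor, should be removed).
    """
    held = sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})
    unexpected = [r for r in held if r not in ANYSHIFT_READONLY_ROLES]
    return held, unexpected


# Constructed sample policy (not real data): the account also carries roles/editor,
# the kind of over-grant a copy-pasted binding or later drift can introduce.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:anyshift-readonly@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:anyshift-readonly@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:anyshift-readonly@example-project.iam.gserviceaccount.com"]}
  ]
}""")


def audit_sample():
    """Run the audit against the constructed sample; returns the roles that must go."""
    member = f"serviceAccount:{service_account_email('example-project')}"
    _, unexpected = audit_bindings(SAMPLE_POLICY, member)
    return unexpected


if __name__ == "__main__":
    for cmd in grant_commands("example-project"):
        print(cmd)
    print("roles beyond the read-only list:", audit_sample())
```

The audit is an allowlist, not a denylist: any role outside the page's list is flagged, so a misnamed or newly added privileged role is caught without having to enumerate every role to forbid. Re-run it against a fresh `get-iam-policy` export after any IAM change to keep the account's footprint at what this page specifies.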
Step 2 · Add the service account in Anyshift
Go to Integrations → GCP → Add Service Account and upload the JSON file containing the credentials.
Option 2: Workload Identity (coming soon)
We are working to add support for Workload Identity Federation. This will allow you to grant Anyshift access without managing service account keys, using GCP’s native identity federation capabilities.