Connect your Google Cloud project to Anyshift to unlock real-time infrastructure mapping, monitoring, and dependency insights, the same capabilities as our AWS integration, built on GCP-native IAM primitives.
Security First: Every role listed below is read-only: none of them grants create, update, delete, or setIamPolicy permissions, and no Secret Manager role is requested. Note that "read-only" still includes reading data for some services: Storage Object Viewer returns the contents of every object in every bucket in the project, BigQuery Data Viewer returns table rows, and the Logging permissions in roles/viewer return log entries. If sensitive values live in those places, grant the corresponding roles only on the specific buckets or datasets Anyshift needs, or omit them.

Required Roles and Permissions

Setup Options

Quick Setup: minimal setup with roles/viewer
Using only the roles/viewer role provides basic access, with limitations. Anyshift can scan core GCP resources such as Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub, but many specialized services will not be accessible.

Recommended Setup: grant the additional roles listed below so Anyshift can scan your infrastructure comprehensively.

Services Requiring Additional Roles

These services need specific roles beyond roles/viewer:
  • AI Platform: roles/aiplatform.viewer, roles/notebooks.viewer
  • API Gateway: roles/apigateway.viewer
  • Artifact Registry: roles/artifactregistry.reader
  • BigQuery: roles/bigquery.dataViewer, roles/bigquery.jobUser, roles/bigquery.metadataViewer (jobUser is needed to run queries; it lets the service account submit BigQuery jobs that are billed to the project)
  • Certificate Manager: roles/certificatemanager.viewer
  • Cloud Billing: roles/billing.viewer, roles/billing.budgets.viewer (granted on the billing account, not the project)
  • Cloud Build: roles/cloudbuild.builds.viewer
  • Cloud Functions: roles/cloudfunctions.viewer
  • Cloud KMS: roles/cloudkms.viewer
  • Composer: roles/composer.environmentAndStorageObjectViewer
  • Data Catalog: roles/datacatalog.viewer
  • Dataflow: roles/dataflow.viewer
  • Dataproc: roles/dataproc.viewer
  • DNS: roles/dns.reader
  • IAM: roles/iam.roleViewer, roles/iam.serviceAccountViewer, roles/iam.workloadIdentityPoolViewer
  • Memorystore/Redis: roles/redis.viewer
  • Storage: roles/storage.objectViewer (reads object contents in every bucket; bind it on individual buckets instead of the project if some buckets hold sensitive data)
  • Workflows: roles/workflows.viewer

Services Covered by roles/viewer

These services are already accessible with the basic viewer role:
  • Cloud SQL
  • Compute Engine (including networks)
  • Container/GKE
  • Firestore
  • Logging
  • Monitoring
  • Pub/Sub
  • Service Networking

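Before granting the role set above, it is worth checking it mechanically rather than trusting role names. The script below is an added example, not part of Anyshift's documentation or tooling. It classifies each permission of a role by its verb (the last segment of service.resource.verb): anything that is not a get/list-style verb is reported as not read-only, and a short, hand-picked list of get-style permissions that return stored data rather than metadata is reported separately. The embedded role-to-permission map is a constructed, abbreviated sample so the example runs offline; fetch_role_permissions() pulls the real lists with gcloud iam roles describe when you have an authenticated gcloud.

```python
"""Audit a proposed GCP role set for permissions that are not read-only.

Added example (not Anyshift's code). Permission names follow the
"service.resource.verb" pattern used by GCP IAM.
"""
import json
import subprocess

# Verbs that only read resource metadata. Any other verb is reported.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy", "testIamPermissions"}

# Read permissions that return stored data rather than metadata.
# Constructed for this example; extend it for the services you care about.
DATA_READ_PERMISSIONS = {
    "storage.objects.get",            # object contents in every bucket
    "bigquery.tables.getData",        # table rows
    "logging.logEntries.list",        # log payloads
    "secretmanager.versions.access",  # secret payloads
}


def is_read_only(permission: str) -> bool:
    """True if the permission's verb is a plain get/list-style verb."""
    verb = permission.rsplit(".", 1)[-1]
    return verb in READ_ONLY_VERBS or verb.startswith(("get", "list"))


def audit_roles(role_permissions):
    """Return {"not_read_only": {role: [perm]}, "data_read": {role: [perm]}}."""
    findings = {"not_read_only": {}, "data_read": {}}
    for role, perms in role_permissions.items():
        not_read = sorted(p for p in perms if not is_read_only(p))
        data = sorted(p for p in perms if p in DATA_READ_PERMISSIONS)
        if not_read:
            findings["not_read_only"][role] = not_read
        if data:
            findings["data_read"][role] = data
    return findings


def fetch_role_permissions(roles):
    """Load includedPermissions for predefined roles via gcloud (needs auth)."""
    out = {}
    for role in roles:
        raw = subprocess.check_output(
            ["gcloud", "iam", "roles", "describe", role, "--format=json"])
        out[role] = json.loads(raw).get("includedPermissions", [])
    return out


# Constructed sample: abbreviated permission lists for three roles from the
# table above, so the audit can run without a GCP project.
SAMPLE_ROLES = {
    "roles/cloudkms.viewer": [
        "cloudkms.cryptoKeys.get", "cloudkms.cryptoKeys.list",
        "cloudkms.keyRings.get", "cloudkms.keyRings.list",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
    "roles/storage.objectViewer": [
        "resourcemanager.projects.get", "resourcemanager.projects.list",
        "storage.objects.get", "storage.objects.list",
    ],
    "roles/bigquery.jobUser": [
        "bigquery.jobs.create",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
}

if __name__ == "__main__":
    report = audit_roles(SAMPLE_ROLES)
    for kind, roles in report.items():
        for role, perms in roles.items():
            print(f"{kind:13} {role}: {', '.join(perms)}")
```

On the sample, roles/bigquery.jobUser is flagged for bigquery.jobs.create and roles/storage.objectViewer for storage.objects.get; roles/cloudkms.viewer is clean. Run audit_roles(fetch_role_permissions([...])) over the full anyshift_roles list from the Terraform below to see the real picture before you apply it; the verb allowlist is deliberately strict, so treat anything it flags as something to read the role documentation for, not automatically as a blocker.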
Setup Guide

Step 1 · Create a read-only service account

Terraform
resource "google_service_account" "anyshift" {
  account_id   = "anyshift-readonly"
  display_name = "Read-only service account for Anyshift"
}

# Option 1: Quick setup with the basic viewer role only.
# Use either Option 1 or Option 2, not both: Option 2 already binds roles/viewer.
resource "google_project_iam_member" "anyshift_viewer" {
  project = var.project_id
  role    = "roles/viewer"
  member  = "serviceAccount:${google_service_account.anyshift.email}"
}

# Option 2: Comprehensive setup with all recommended project-level roles.
# roles/billing.viewer and roles/billing.budgets.viewer are bound on the
# billing account rather than the project, so they are not in this list.
locals {
  anyshift_roles = [
    "roles/viewer",
    "roles/aiplatform.viewer",
    "roles/notebooks.viewer",
    "roles/apigateway.viewer",
    "roles/artifactregistry.reader",
    "roles/bigquery.dataViewer",
    "roles/bigquery.jobUser",
    "roles/bigquery.metadataViewer",
    "roles/certificatemanager.viewer",
    "roles/cloudbuild.builds.viewer",
    "roles/cloudfunctions.viewer",
    "roles/cloudkms.viewer",
    "roles/composer.environmentAndStorageObjectViewer",
    "roles/datacatalog.viewer",
    "roles/dataflow.viewer",
    "roles/dataproc.viewer",
    "roles/dns.reader",
    "roles/redis.viewer",
    "roles/storage.objectViewer",
    "roles/workflows.viewer",
    "roles/iam.roleViewer",
    "roles/iam.serviceAccountViewer",
    "roles/iam.workloadIdentityPoolViewer"
  ]
}
}

resource "google_project_iam_member" "anyshift_comprehensive" {
  for_each = toset(local.anyshift_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.anyshift.email}"
}
Console
  1. Go to IAM & Admin → Service Accounts → Create Service Account
  2. Name: anyshift-readonly, Description: “Read-only service account for Anyshift” → Create
  3. Go to IAM & Admin → IAM → Grant Access
  4. Add the service account email and assign roles. For Quick Setup:
    • Viewer (Basic role)
    For Recommended Setup, also add:
    • Vertex AI Viewer (roles/aiplatform.viewer)
    • Notebooks Viewer
    • API Gateway Viewer
    • Artifact Registry Reader
    • BigQuery Data Viewer
    • BigQuery Job User
    • BigQuery Metadata Viewer
    • Certificate Manager Viewer
    • Cloud Build Viewer
    • Cloud Functions Viewer
    • Cloud KMS Viewer
    • Environment and Storage Object Viewer (Cloud Composer)
    • Data Catalog Viewer
    • Dataflow Viewer
    • Dataproc Viewer
    • DNS Reader
    • Memorystore Redis Viewer
    • Storage Object Viewer
    • Workflows Viewer
    • IAM Role Viewer
    • IAM Service Account Viewer
    • IAM Workload Identity Pool Viewer
    Tip: Use the filter box to quickly find roles. You can select multiple roles before clicking Save. Billing Account Viewer and Billing Budgets Viewer are granted under Billing → Account management, not on the project.
  5. Go back to Service Accounts and click on your anyshift-readonly account
  6. Go to the Keys tab → Add Key → Create new key → JSON → Create
  7. Download the JSON key file and store it securely. The key is a long-lived credential carrying every role granted above: keep it out of source control and chat, rotate it periodically, and delete it from the service account if you remove the integration. If your organization enforces the constraints/iam.disableServiceAccountKeyCreation policy, key creation will be blocked and you will need an exception for this service account.

Step 2 · Add the service account in Anyshift

Go to Integrations → GCP → Add Service Account and upload the JSON file containing the credentials.
We are working to add support for Workload Identity Federation. This will allow you to grant Anyshift access without managing service account keys, using GCP's native identity federation capabilities.

Try Anyshift

Start mapping your GCP infrastructure today!