Connect your Google Cloud project to Anyshift to unlock real-time infrastructure mapping, monitoring, and dependency insights: the same capabilities as our AWS integration, but built on GCP-native IAM roles.
Security First: All the roles listed below are read-only. They let Anyshift list and describe resources, not create, modify or delete them, and none of them includes secretmanager.versions.access, the permission required to read a secret's payload, so Anyshift cannot read secrets stored in Secret Manager. Two roles deserve a second look before you grant them project-wide: roles/storage.objectViewer and roles/bigquery.dataViewer allow reading the contents of objects and tables, so if a bucket or dataset holds credentials or other sensitive data, grant those two roles on the specific buckets and datasets Anyshift needs instead of on the whole project.
Required Roles and Permissions
Setup Options
Minimal Setup with roles/viewer
Using only the roles/viewer role provides basic access, but with limitations. Anyshift will be able to scan core GCP resources like Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub. However, many specialized services will not be accessible.
Complete Role List for Maximum Coverage
View all available roles that Anyshift can utilize for comprehensive infrastructure scanning:
Services Requiring Additional Roles
These services need specific roles beyond roles/viewer:
- AI Platform: roles/aiplatform.viewer, roles/notebooks.viewer
- API Gateway: roles/apigateway.viewer
- Artifact Registry: roles/artifactregistry.reader
- BigQuery: roles/bigquery.dataViewer, roles/bigquery.jobUser, roles/bigquery.metadataViewer
- Certificate Manager: roles/certificatemanager.viewer
- Cloud Billing: roles/billing.viewer, roles/billing.budgets.viewer
- Cloud Build: roles/cloudbuild.builds.viewer
- Cloud Functions: roles/cloudfunctions.viewer
- Cloud KMS: roles/cloudkms.viewer
- Composer: roles/composer.environmentAndStorageObjectViewer
- Data Catalog: roles/datacatalog.viewer
- Dataflow: roles/dataflow.viewer
- Dataproc: roles/dataproc.viewer
- DNS: roles/dns.reader
- IAM: roles/iam.roleViewer, roles/iam.serviceAccountViewer, roles/iam.workloadIdentityPoolViewer
- Memorystore/Redis: roles/redis.viewer
- Storage: roles/storage.objectViewer
- Workflows: roles/workflows.viewer
Services Covered by roles/viewer
These services are already accessible with the basic viewer role:
- Cloud SQL
- Compute Engine (including networks)
- Container/GKE
- Firestore
- Logging
- Monitoring
- Pub/Sub
- Service Networking
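Whether a role is really read-only is something you can verify rather than take on trust. The script below is an added example, not Anyshift tooling: given role IDs on the command line it pulls each role's included permissions with gcloud and reports every permission whose verb is not a plain read verb; with no arguments it runs the same audit over a constructed sample so it works offline. The read-verb allow-list (verbs starting with get, list, read or view) is this script's own heuristic, not an IAM concept. Run against the list above it will, for example, flag bigquery.jobs.create under roles/bigquery.jobUser, which is the permission that lets the account run query jobs billed to your project.

```shell
#!/usr/bin/env bash
# Added example, not Anyshift tooling: check that the roles you are about to
# grant really are read-only by looking at the permissions behind them.
# Requires an authenticated gcloud when roles are passed on the command line;
# with no arguments it audits a constructed sample so it can run offline.
set -eu

# Heuristic: a permission is "read" if its verb (the part after the last dot)
# starts with get, list, read or view. This is this script's convention, not
# an IAM concept; anything else is reported for a human to judge.
is_read_permission() {
  case "${1##*.}" in
    get*|list*|read*|view*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads one permission per line on stdin, prints the ones that are not read
# verbs, and returns 1 if any were found, 0 if all were read-only.
audit_permissions() {
  local perm rc=0
  while IFS= read -r perm; do
    [ -n "$perm" ] || continue
    if ! is_read_permission "$perm"; then
      printf '%s\n' "$perm"
      rc=1
    fi
  done
  return "$rc"
}

# Lists a role's permissions one per line. gcloud's value() format joins
# repeated fields with ';'.
role_permissions() {
  gcloud iam roles describe "$1" --format='value(includedPermissions)' | tr ';' '\n'
}

# Audits every role given as an argument; returns 1 if any role carries a
# permission that is not a read verb.
audit_roles() {
  local role status=0
  for role in "$@"; do
    printf '== %s\n' "$role"
    if role_permissions "$role" | audit_permissions; then
      printf '   all permissions are read verbs\n'
    else
      status=1
    fi
  done
  return "$status"
}

# Constructed sample (not real gcloud output) for the offline demonstration.
SAMPLE_PERMISSIONS='compute.instances.get
compute.instances.getSerialPortOutput
storage.objects.get
bigquery.tables.getData
bigquery.jobs.create
iam.serviceAccounts.actAs'

# Usage: audit_roles.sh roles/viewer roles/bigquery.jobUser ...
if [ "$#" -gt 0 ]; then
  audit_roles "$@"
else
  printf 'No roles given; auditing the constructed sample instead:\n'
  printf '%s\n' "$SAMPLE_PERMISSIONS" | audit_permissions \
    && printf 'all permissions are read verbs\n' \
    || printf 'review the permissions listed above before granting\n'
fi
```

The exit status is 1 when anything was flagged, so the script can gate a provisioning pipeline. Expect some noise: a few harmless permissions (for example compute.images.useReadOnly in broad roles) do not start with a read verb and will be listed for review; the point is that the list is short enough to read.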
Setup Guide
Option 1: Service-account key
Step 1 · Create a read-only service account
- Go to IAM & Admin → Service Accounts → Create Service Account
- Name: anyshift-readonly, Description: "Read-only service account for Anyshift" → Create
- Go to IAM & Admin → IAM → Grant Access
- Add the service account email and assign roles:
For Quick Setup, assign the following roles (role IDs in parentheses; add the AI Platform, Cloud Billing and BigQuery Metadata Viewer roles from the complete list above if you use those services):
  - Viewer (basic role, roles/viewer)
  - API Gateway Viewer (roles/apigateway.viewer)
  - Artifact Registry Reader (roles/artifactregistry.reader)
  - BigQuery Data Viewer (roles/bigquery.dataViewer)
  - BigQuery Job User (roles/bigquery.jobUser)
  - Certificate Manager Viewer (roles/certificatemanager.viewer)
  - Cloud Build Viewer (roles/cloudbuild.builds.viewer)
  - Cloud Functions Viewer (roles/cloudfunctions.viewer)
  - Cloud KMS Viewer (roles/cloudkms.viewer)
  - Composer Environment and Storage Object Viewer (roles/composer.environmentAndStorageObjectViewer)
  - Data Catalog Viewer (roles/datacatalog.viewer)
  - Dataflow Viewer (roles/dataflow.viewer)
  - Dataproc Viewer (roles/dataproc.viewer)
  - DNS Reader (roles/dns.reader)
  - Memorystore Redis Viewer (roles/redis.viewer)
  - Storage Object Viewer (roles/storage.objectViewer)
  - Workflows Viewer (roles/workflows.viewer)
  - IAM Role Viewer (roles/iam.roleViewer)
  - IAM Service Account Viewer (roles/iam.serviceAccountViewer)
  - IAM Workload Identity Pool Viewer (roles/iam.workloadIdentityPoolViewer)
- Go back to Service Accounts and click on your anyshift-readonly account
- Go to the Keys tab → Add Key → Create new key → JSON → Create
- Download and securely store the JSON key file. The key is a long-lived credential that grants everything the service account can do: keep it out of version control, restrict its file permissions, and rotate it on a schedule. If key creation is blocked by the organization policy constraint iam.disableServiceAccountKeyCreation, an administrator must allow it for this project, or you can wait for Workload Identity support (Option 2 below).
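The same Step 1 procedure from a terminal, as an added example that is not Anyshift's own tooling. It assumes an installed gcloud authenticated as a principal allowed to create service accounts, grant project roles and create keys; the project ID and key path are placeholders supplied by the caller, and setting GCLOUD=echo prints the commands instead of running them so the role set can be reviewed before anything is changed.

```shell
#!/usr/bin/env bash
# Added example, not Anyshift's own tooling: the console steps above as a
# gcloud script. Assumes gcloud is installed and authenticated as a principal
# that may create service accounts, grant project roles and create keys.
# PROJECT_ID and KEY_FILE are caller-supplied placeholders.
set -eu

# The "Quick Setup" role list from Step 1, one role per line.
ANYSHIFT_ROLES='roles/viewer
roles/apigateway.viewer
roles/artifactregistry.reader
roles/bigquery.dataViewer
roles/bigquery.jobUser
roles/certificatemanager.viewer
roles/cloudbuild.builds.viewer
roles/cloudfunctions.viewer
roles/cloudkms.viewer
roles/composer.environmentAndStorageObjectViewer
roles/datacatalog.viewer
roles/dataflow.viewer
roles/dataproc.viewer
roles/dns.reader
roles/redis.viewer
roles/storage.objectViewer
roles/workflows.viewer
roles/iam.roleViewer
roles/iam.serviceAccountViewer
roles/iam.workloadIdentityPoolViewer'

# Usage: provision_anyshift PROJECT_ID KEY_FILE
# Set GCLOUD=echo to print the commands instead of running them.
# Prints the service account email on success.
provision_anyshift() {
  local project="$1" key_file="$2" gcloud_bin="${GCLOUD:-gcloud}"
  local sa_name="anyshift-readonly"
  local sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  local role

  "$gcloud_bin" iam service-accounts create "$sa_name" \
    --project="$project" \
    --display-name="$sa_name" \
    --description="Read-only service account for Anyshift"

  # One binding per role. --condition=None skips the interactive prompt that
  # gcloud shows when the project already has conditional bindings.
  for role in $ANYSHIFT_ROLES; do
    "$gcloud_bin" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" \
      --role="$role" \
      --condition=None
  done

  # The JSON key is a long-lived credential carrying all of the account's
  # access. Creation fails if the org policy constraint
  # iam.disableServiceAccountKeyCreation is enforced on the project.
  "$gcloud_bin" iam service-accounts keys create "$key_file" \
    --iam-account="$sa_email" \
    --project="$project"
  if [ -f "$key_file" ]; then
    chmod 600 "$key_file"
  fi

  printf '%s\n' "$sa_email"
}

# Usage: provision_anyshift.sh PROJECT_ID KEY_FILE
if [ "$#" -eq 2 ]; then
  provision_anyshift "$1" "$2"
fi
```

Bindings are made at project level because that is what the console steps do; if you scope roles/storage.objectViewer or roles/bigquery.dataViewer to individual buckets or datasets instead, remove them from the list and grant them with gsutil iam or bq on the specific resources.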
Step 2 · Add the service account in Anyshift
Go to Integrations → GCP → Add Service Account and upload the JSON file containing the credentials.
Option 2: Workload Identity (coming soon)
We are working to add support for Workload Identity Federation. This will allow you to grant Anyshift access without managing service account keys, using GCP's native identity federation capabilities.