GCP Integration
Connect your Google Cloud project to Annie to unlock real-time infrastructure mapping, monitoring, and dependency insights—exactly the same capabilities as our AWS integration, but using GCP-native security primitives.
Security First: All the roles listed below provide read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your GCP project.
Required Roles and Permissions
Setup Options
Minimal Setup with roles/viewer
Using only the roles/viewer role provides basic access but with limitations.
Anyshift will be able to scan core GCP resources like Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub.
However, many specialized services will not be accessible.
Minimal Setup with roles/viewer
Using only the roles/viewer role provides basic access but with limitations.
Anyshift will be able to scan core GCP resources like Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub.
However, many specialized services will not be accessible.
Essential Roles for Comprehensive Scanning
For full infrastructure visibility, add these roles beyond roles/viewer:
| Role | Service | What We Scan |
|---|---|---|
roles/apigateway.viewer | API Gateway | APIs, gateways, and configurations |
roles/artifactregistry.reader | Artifact Registry | Container images and packages |
roles/bigquery.dataViewer + roles/bigquery.jobUser | BigQuery | Datasets, tables, and query jobs |
roles/certificatemanager.viewer | Certificate Manager | SSL/TLS certificates |
roles/cloudbuild.builds.viewer | Cloud Build | Build configurations and history |
roles/cloudfunctions.viewer | Cloud Functions | Serverless functions |
roles/cloudkms.viewer | Cloud KMS | Encryption key metadata (not the keys themselves) |
roles/composer.environmentAndStorageObjectViewer | Cloud Composer | Airflow environments |
roles/datacatalog.viewer | Data Catalog | Data discovery and metadata |
roles/dataflow.viewer | Dataflow | Stream and batch processing jobs |
roles/dataproc.viewer | Dataproc | Hadoop/Spark clusters |
roles/dns.reader | Cloud DNS | DNS zones and records |
roles/redis.viewer | Memorystore | Redis and Memcached instances |
roles/storage.objectViewer | Cloud Storage | Buckets and object metadata |
roles/workflows.viewer | Workflows | Workflow definitions and executions |
roles/iam.roleViewer | IAM | Roles and permissions |
roles/iam.serviceAccountViewer | IAM | Service accounts and keys |
roles/iam.workloadIdentityPoolViewer | IAM | Workload identity pools |
Complete Role List for Maximum Coverage
Complete Role List for Maximum Coverage
View all available roles that Anyshift can utilize for comprehensive infrastructure scanning:
Services Requiring Additional Roles
These services need specific roles beyond roles/viewer:
- AI Platform:
roles/aiplatform.viewer,roles/notebooks.viewer - API Gateway:
roles/apigateway.viewer - Artifact Registry:
roles/artifactregistry.reader - BigQuery:
roles/bigquery.dataViewer,roles/bigquery.jobUser,roles/bigquery.metadataViewer - Certificate Manager:
roles/certificatemanager.viewer - Cloud Billing:
roles/billing.viewer,roles/billing.budgets.viewer - Cloud Build:
roles/cloudbuild.builds.viewer - Cloud Functions:
roles/cloudfunctions.viewer - Cloud KMS:
roles/cloudkms.viewer - Composer:
roles/composer.environmentAndStorageObjectViewer - Data Catalog:
roles/datacatalog.viewer - Dataflow:
roles/dataflow.viewer - Dataproc:
roles/dataproc.viewer - DNS:
roles/dns.reader - IAM:
roles/iam.roleViewer,roles/iam.serviceAccountViewer,roles/iam.workloadIdentityPoolViewer - Memorystore/Redis:
roles/redis.viewer - Storage:
roles/storage.objectViewer - Workflows:
roles/workflows.viewer
Services Covered by roles/viewer
These services are already accessible with the basic viewer role:
- Cloud SQL
- Compute Engine (including networks)
- Container/GKE
- Firestore
- Logging
- Monitoring
- Pub/Sub
- Service Networking
Setup Guide
Option 1: Service-account key
Option 1: Service-account key
Step 1 · Create a read-only service account
Terraform
Console
-
Go to IAM & Admin → Service Accounts → Create Service Account
-
Name:
anyshift-readonly, Description: “Read-only service account for Anyshift” → Create -
Go to IAM & Admin → IAM → Grant Access
-
Add the service account email and assign roles:
For Quick Setup:
Viewer(Basic role)
For Recommended Setup, also add:
API Gateway ViewerArtifact Registry ReaderBigQuery Data ViewerBigQuery Job UserCertificate Manager ViewerCloud Build ViewerCloud Functions ViewerCloud KMS ViewerCloud Composer ViewerData Catalog ViewerDataflow ViewerDataproc ViewerDNS ReaderMemorystore Redis ViewerStorage Object ViewerWorkflows ViewerIAM Role ViewerIAM Service Account ViewerIAM Workload Identity Pool Viewer
Tip: Use the filter box to quickly find roles. You can select multiple roles before clicking Save.
-
Go back to Service Accounts, click on your
anyshift-readonlyaccount -
Go to Keys tab → Add Key → Create new key → JSON → Create
-
Download and securely store the JSON key file
Step 2 · Add the service account in Anyshift
Go to Integrations → GCP → Add Service Account and upload the JSON file containing the credentials.
Option 2: Workload Identity (coming soon)
Option 2: Workload Identity (coming soon)
We are working to add support for Workload Identity Federation.
This will allow you to grant Anyshift access without managing service account keys, using GCP’s native identity federation capabilities.
Try Anyshift
Start mapping your GCP infrastructure today!