> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anyshift.io/llms.txt
> Use this file to discover all available pages before exploring further.

# GCP Integration

<iframe width="560" height="315" src="https://www.youtube.com/embed/BwEjpp74YZQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen />

Connect your Google Cloud project to Annie to unlock real-time infrastructure mapping, monitoring, and dependency insights—exactly the same capabilities as our AWS integration, but using GCP-native security primitives.

<Info>
  **Security First**: All the roles listed below provide read-only access to your infrastructure. Anyshift cannot access secrets, passwords, API keys, or any other sensitive data stored in your GCP project.
</Info>

# Required Roles and Permissions

## Setup Options

<Tabs>
  <Tab title="Quick Setup">
    **Minimal Setup with `roles/viewer`**

    Using only the `roles/viewer` role provides basic access but with limitations.
    Anyshift will be able to scan core GCP resources like Compute Engine, Cloud SQL, GKE, Logging, Monitoring, and Pub/Sub.

    However, many specialized services will not be accessible.
  </Tab>

  <Tab title="Recommended Setup">
    **Essential Roles for Comprehensive Scanning**

    For full infrastructure visibility, add these roles beyond `roles/viewer`:

    | Role                                                   | Service             | What We Scan                                      |
    | ------------------------------------------------------ | ------------------- | ------------------------------------------------- |
    | `roles/apigateway.viewer`                              | API Gateway         | APIs, gateways, and configurations                |
    | `roles/artifactregistry.reader`                        | Artifact Registry   | Container images and packages                     |
    | `roles/bigquery.dataViewer` + `roles/bigquery.jobUser` | BigQuery            | Datasets, tables, and query jobs                  |
    | `roles/certificatemanager.viewer`                      | Certificate Manager | SSL/TLS certificates                              |
    | `roles/cloudbuild.builds.viewer`                       | Cloud Build         | Build configurations and history                  |
    | `roles/cloudfunctions.viewer`                          | Cloud Functions     | Serverless functions                              |
    | `roles/cloudkms.viewer`                                | Cloud KMS           | Encryption key metadata (not the keys themselves) |
    | `roles/composer.environmentAndStorageObjectViewer`     | Cloud Composer      | Airflow environments                              |
    | `roles/datacatalog.viewer`                             | Data Catalog        | Data discovery and metadata                       |
    | `roles/dataflow.viewer`                                | Dataflow            | Stream and batch processing jobs                  |
    | `roles/dataproc.viewer`                                | Dataproc            | Hadoop/Spark clusters                             |
    | `roles/dns.reader`                                     | Cloud DNS           | DNS zones and records                             |
    | `roles/redis.viewer`                                   | Memorystore         | Redis and Memcached instances                     |
    | `roles/storage.objectViewer`                           | Cloud Storage       | Buckets and object metadata                       |
    | `roles/workflows.viewer`                               | Workflows           | Workflow definitions and executions               |
    | `roles/iam.roleViewer`                                 | IAM                 | Roles and permissions                             |
    | `roles/iam.serviceAccountViewer`                       | IAM                 | Service accounts and keys                         |
    | `roles/iam.workloadIdentityPoolViewer`                 | IAM                 | Workload identity pools                           |
  </Tab>
</Tabs>

<Accordion title="Complete Role List for Maximum Coverage">
  View all available roles that Anyshift can utilize for comprehensive infrastructure scanning:

  ### Services Requiring Additional Roles

  These services need specific roles beyond `roles/viewer`:

  * **AI Platform**: `roles/aiplatform.viewer`, `roles/notebooks.viewer`
  * **API Gateway**: `roles/apigateway.viewer`
  * **Artifact Registry**: `roles/artifactregistry.reader`
  * **BigQuery**: `roles/bigquery.dataViewer`, `roles/bigquery.jobUser`, `roles/bigquery.metadataViewer`
  * **Certificate Manager**: `roles/certificatemanager.viewer`
  * **Cloud Billing**: `roles/billing.viewer`, `roles/billing.budgets.viewer`
  * **Cloud Build**: `roles/cloudbuild.builds.viewer`
  * **Cloud Functions**: `roles/cloudfunctions.viewer`
  * **Cloud KMS**: `roles/cloudkms.viewer`
  * **Composer**: `roles/composer.environmentAndStorageObjectViewer`
  * **Data Catalog**: `roles/datacatalog.viewer`
  * **Dataflow**: `roles/dataflow.viewer`
  * **Dataproc**: `roles/dataproc.viewer`
  * **DNS**: `roles/dns.reader`
  * **IAM**: `roles/iam.roleViewer`, `roles/iam.serviceAccountViewer`, `roles/iam.workloadIdentityPoolViewer`
  * **Memorystore/Redis**: `roles/redis.viewer`
  * **Storage**: `roles/storage.objectViewer`
  * **Workflows**: `roles/workflows.viewer`

  ### Services Covered by `roles/viewer`

  These services are already accessible with the basic viewer role:

  * Cloud SQL
  * Compute Engine (including networks)
  * Container/GKE
  * Firestore
  * Logging
  * Monitoring
  * Pub/Sub
  * Service Networking
</Accordion>

# Setup Guide

<AccordionGroup>
  <Accordion icon="user-shield" title="Option 1: Service-account key">
    ## Step 1 · Create a read-only service account

    **Terraform**

    ```hcl theme={null}
    resource "google_service_account" "anyshift" {
      account_id   = "anyshift-readonly"
      display_name = "Read-only service account for Anyshift"
    }

    # Option 1: Quick setup with basic viewer role
    resource "google_project_iam_member" "anyshift_viewer" {
      project = var.project_id
      role    = "roles/viewer"
      member  = "serviceAccount:${google_service_account.anyshift.email}"
    }

    # Option 2: Comprehensive setup with all recommended roles
    locals {
      anyshift_roles = [
        "roles/viewer",
        "roles/apigateway.viewer",
        "roles/artifactregistry.reader",
        "roles/bigquery.dataViewer",
        "roles/bigquery.jobUser",
        "roles/certificatemanager.viewer",
        "roles/cloudbuild.builds.viewer",
        "roles/cloudfunctions.viewer",
        "roles/cloudkms.viewer",
        "roles/composer.environmentAndStorageObjectViewer",
        "roles/datacatalog.viewer",
        "roles/dataflow.viewer",
        "roles/dataproc.viewer",
        "roles/dns.reader",
        "roles/redis.viewer",
        "roles/storage.objectViewer",
        "roles/workflows.viewer",
        "roles/iam.roleViewer",
        "roles/iam.serviceAccountViewer",
        "roles/iam.workloadIdentityPoolViewer"
      ]
    }

    resource "google_project_iam_member" "anyshift_comprehensive" {
      for_each = toset(local.anyshift_roles)
      project  = var.project_id
      role     = each.value
      member   = "serviceAccount:${google_service_account.anyshift.email}"
    }
    ```

    **Console**

    1. Go to **IAM & Admin → Service Accounts → Create Service Account**

    2. Name: `anyshift-readonly`, Description: "Read-only service account for Anyshift" → **Create**

    3. Go to **IAM & Admin → IAM → Grant Access**

    4. Add the service account email and assign roles:

       **For Quick Setup:**

       * `Viewer` (Basic role)

       **For Recommended Setup, also add:**

       * `API Gateway Viewer`
       * `Artifact Registry Reader`
       * `BigQuery Data Viewer`
       * `BigQuery Job User`
       * `Certificate Manager Viewer`
       * `Cloud Build Viewer`
       * `Cloud Functions Viewer`
       * `Cloud KMS Viewer`
       * `Cloud Composer Viewer`
       * `Data Catalog Viewer`
       * `Dataflow Viewer`
       * `Dataproc Viewer`
       * `DNS Reader`
       * `Memorystore Redis Viewer`
       * `Storage Object Viewer`
       * `Workflows Viewer`
       * `IAM Role Viewer`
       * `IAM Service Account Viewer`
       * `IAM Workload Identity Pool Viewer`

       **Tip**: Use the filter box to quickly find roles. You can select multiple roles before clicking Save.

    5. Go back to **Service Accounts**, click on your `anyshift-readonly` account

    6. Go to **Keys** tab → **Add Key** → **Create new key** → **JSON** → **Create**

    7. Download and securely store the JSON key file

    ## Step 2 · Add the service account in Anyshift

    Go to `Integrations → GCP → Add Service Account` and upload the JSON file containing the credentials.
  </Accordion>

  <Accordion icon="cloud" title="Option 2: Workload Identity (coming soon)">
    We are working to add support for Workload Identity Federation.

    This will allow you to grant Anyshift access without managing service account keys, using GCP's native identity federation capabilities.
  </Accordion>
</AccordionGroup>

# Try Anyshift

Start mapping your GCP infrastructure today!

<CardGroup cols={2}>
  <Card title="Create an account" icon="user-plus" href="https://app.anyshift.io/" />

  <Card title="Request a demo" icon="phone" href="https://calendly.com/d/cr9z-6g6-6g9/meet-with-anyshift">
    See Anyshift Root Cause Analysis in action
  </Card>
</CardGroup>
