GCP

Connect your Google Cloud Platform infrastructure to Ciphrix using a Service Account for automated compliance monitoring.

Capabilities

The GCP integration provides the following capabilities:

✅ Compliance Checks

Automatically verify security configurations and compliance controls across your GCP infrastructure including:

🔄 Import Asset (Coming Soon)

Automatically import and track GCP resources as assets in your Ciphrix inventory.

How to Connect GCP

Prerequisites

Before connecting GCP, ensure you have:

• GCP account with administrative access
• Permissions to create Service Accounts
• Access to Google Cloud Console
• Owner or Editor role on the project

Connection Instructions

Step 1: Create a Service Account in GCP

1. Log in to Google Cloud Console

   • Go to https://console.cloud.google.com
   • Sign in with your Google account credentials

2. Select Your Project

   • In the top navigation bar, click on the project dropdown
   • Select the project you want to monitor
   • Copy and save the Project ID - you'll need this later

3. Navigate to Service Accounts

   • In the left sidebar, click on IAM & Admin
   • Click on Service Accounts
   • Or use the search bar and type "Service Accounts"

4. Create Service Account

   • Click + CREATE SERVICE ACCOUNT
   • Enter the following details:
     • Service account name: ciphrix-integration (or your preferred name)
     • Service account ID: Will be auto-generated (e.g., ciphrix-integration@your-project.iam.gserviceaccount.com)
     • Service account description: "Ciphrix compliance monitoring integration"
   • Click CREATE AND CONTINUE

Step 2: Grant Roles to Service Account

1. Assign Required Roles

   • In the "Grant this service account access to project" section
   • Click Select a role dropdown and add the following roles:
     • Browser - Provides read access to browse resources
     • Viewer - Provides read-only access to all resources
     • Service Account Viewer - View service accounts
   • To add multiple roles:
     • Select the first role and click + ADD ANOTHER ROLE
     • Repeat for each role
   • Click CONTINUE

2. Grant Users Access (Optional)

   • You can skip this step
   • Click DONE

Step 3: Create and Download Service Account Key

1. Access Service Account

   • You'll be back at the Service Accounts list
   • Click on the service account you just created (e.g., ciphrix-integration@your-project.iam.gserviceaccount.com)

2. Create Key

   • Click on the KEYS tab
   • Click ADD KEY > Create new key

3. Select Key Type

   • Select JSON as the key type
   • Click CREATE

4. Save the Key File

   • A JSON file will be automatically downloaded to your computer
   • ⚠️ Important: This file contains your private key. Store it securely.
   • The file name will be something like: your-project-abc123.json
   • Keep this file safe - you'll need to extract information from it in the next step

Step 4: Extract Service Account Information

1. Open the JSON Key File

   • Open the downloaded JSON file in a text editor
   • You'll see a structure like this:

   {
       "type": "service_account",
       "project_id": "your-project-id",
       "private_key_id": "key-id",
       "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
       "client_email": "ciphrix-integration@your-project.iam.gserviceaccount.com",
       "client_id": "123456789",
       "auth_uri": "https://accounts.google.com/o/oauth2/auth",
       "token_uri": "https://oauth2.googleapis.com/token",
       "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
       "client_x509_cert_url": "https://..."
   }

2. Note the Following Values

   • type: Should be "service_account"
   • project_id: Your GCP project ID
   • client_email: The service account email
   • private_key: The entire private key (including the BEGIN and END lines)

Step 5: Add GCP Integration in Ciphrix

You have two options to create the GCP connection in Ciphrix:

Option A: From Integration Library (Recommended)

1. Navigate to Integration Library

   • Log in to ciphrix.app
   • Go to Integrations in the sidebar
   • Go to the Integration Library tab
   • Click on the Cloud Infrastructure category

2. Connect GCP

   • Click the Connect button on the GCP integration tile

3. Fill Integration Form

   • Connection Name: Enter a name for this connection (e.g., "Production GCP Project")
   • Connection Identifier: Paste the Project ID from the JSON file
   • Credential Name: Enter the service account name (e.g., "ciphrix-integration")
   • Type: Select "Service Account" (or it may be pre-filled)
   • Project: Paste the project_id from the JSON file
   • Client Email: Paste the client_email from the JSON file
   • Private Key: Paste the entire private_key value from the JSON file (including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
   • Region: Select the GCP regions you want to monitor
   • Select Items: Select the GCP capabilities in Ciphrix you want to enable. Compliance checks are enabled by default

4. Create Connection

   • Click Create Connection
   • Wait for the connection to be validated

Option B: From Create Connection

1. Navigate to Create Connection

   • Log in to ciphrix.app
   • Go to Integrations in the sidebar
   • Click Create Connection

2. Select GCP

   • From the connection provider dropdown, select Google Cloud Platform

3. Fill Integration Form

   • Connection Name: Enter a name for this connection (e.g., "Production GCP Project")
   • Connection Identifier: Paste the Project ID from the JSON file
   • Credential Name: Enter the service account name (e.g., "ciphrix-integration")
   • Type: Select "Service Account" (or it may be pre-filled)
   • Project: Paste the project_id from the JSON file
   • Client Email: Paste the client_email from the JSON file
   • Private Key: Paste the entire private_key value from the JSON file (including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----)
   • Region: Select the GCP regions you want to monitor
   • Select Items: Select the GCP capabilities in Ciphrix you want to enable. Compliance checks are enabled by default

4. Create Connection

   • Click Create or Save
   • Wait for the connection to be validated

Step 6: Verify Connection

1. Check Connection Status

   • After creating the connection, you'll see the integration status
   • Status should show Connected or Active

2. Initial Scan

   • Ciphrix will automatically begin scanning your GCP infrastructure
   • Ciphrix scans your environment once a week
   • You can contact support@ciphrix.com to know your next scan date
   • Compliance checks will run automatically

3. View Results

   • Navigate to Monitoring
   • View compliance check results and findings

Roles Applied

Ciphrix uses the following GCP predefined roles for compliance monitoring:

Browser

• Role: roles/browser
• Purpose: Browse the resource hierarchy

This role provides:

• ✅ Read access to browse the hierarchy for projects and folders
• ✅ View resource metadata and properties

Viewer

• Role: roles/viewer
• Purpose: Read-only access to all resources

This role provides:

• ✅ Read access to all GCP resources
• ✅ View configurations and settings
• ✅ View security policies
• ✅ View network configurations
• ❌ Cannot modify any resources
• ❌ Cannot access sensitive data

Service Account Viewer

• Role: roles/iam.serviceAccountViewer
• Purpose: View service accounts

This role provides:

• ✅ List and view service accounts
• ✅ View service account metadata
• ❌ Cannot view or download service account keys

These roles ensure that Ciphrix can perform comprehensive compliance checks while maintaining security by preventing any modifications to your GCP environment and restricting access to sensitive data.

Troubleshooting

Connection Failed

Issue: Integration connected but showing permission errors

• Verify the Project ID, Client Email, and Private Key are correct
• Ensure the private key includes the BEGIN and END markers
• Ensure there are no extra spaces or line breaks when copying
• Check that the service account has all three required roles (Browser, Viewer, Service Account Viewer)
• Verify the service account is not disabled

No Data Appearing

Issue: Integration connected but no compliance data showing for more than 7 days

• Contact Ciphrix Support support@ciphrix.com

Authentication Errors

Issue: Authentication failed or invalid credentials

• Verify the JSON key file is not corrupted
• Check that the service account still exists in GCP
• Ensure the private key was copied completely
• Verify the project ID is correct
• Check that the service account email is correct

Permission Denied Errors

Issue: Getting permission denied on certain resources

• Verify all three roles are assigned (Browser, Viewer, Service Account Viewer)
• Check that roles are assigned at the project level
• Ensure the service account has not been removed from the project
• Verify no organization policies are blocking access

Key Rotation

Issue: Need to rotate service account key

• Create a new key in GCP Console (Step 3)
• Update the private key in Ciphrix integration settings
• Delete the old key from GCP Console after confirming the new one works

Support

Need help with GCP integration?

• Email: support@ciphrix.com