ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-14 16:50:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
42939a79f56f9442346e39d596663cb2e714fa6a
prowler/docs/tutorials/gcp/authentication.md
Sergio Garcia 2f741f35a8 chore(gcp): enhance GCP APIs logic (#7046)
2025-02-28 14:55:43 +05:45

1.9 KiB
Raw Blame History

GCP authentication

Prowler will use by default your User Account credentials, you can configure it using:

  • gcloud init to use a new account
  • gcloud config set account <account> to use an existing account

Then, obtain your access credentials using: gcloud auth application-default login

Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:

prowler gcp --credentials-file path

???+ note prowler will scan the GCP project associated with the credentials.

Prowler will follow the same credentials search as Google authentication libraries:

  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. User credentials set up by using the Google Cloud CLI
  3. The attached service account, returned by the metadata server

Those credentials must be associated to a user or service account with proper permissions to do all checks. To make sure, add the Viewer role to the member associated with the credentials.

???+ note Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.

Impersonate Service Account

If you want to impersonate a GCP service account, you can use the --impersonate-service-account argument:

prowler gcp --impersonate-service-account <service-account-email>

This argument will use the default credentials to impersonate the service account provided.

Reference in New Issue View Git Blame Copy Permalink