ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-04-16 09:37:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
cb7941e9bec690d336559cdecf0d92d82e5249fd
prowler/docs/tutorials/gcp/authentication.md
Andoni Alonso 1fdebfa295 docs: remove "Requirements" page (#8559)
2025-08-22 15:55:25 +05:45

3.0 KiB
Raw Blame History

GCP Authentication in Prowler

Required Permissions

Prowler for Google Cloud requires the following permissions:

IAM Roles

  • Reader (roles/reader) Must be granted at the project, folder, or organization level to allow scanning of target projects.

Project-Level Settings

At least one project must have the following configurations:

  • Identity and Access Management (IAM) API (iam.googleapis.com) Must be enabled via:

    gcloud services enable iam.googleapis.com --project <your-project-id>

  • Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) IAM Role Required for resource scanning.

  • Quota Project Setting Define a quota project using either:

    • The gcloud CLI:
    gcloud auth application-default set-quota-project <project-id>
    • Setting an environment variable:
    export GOOGLE_CLOUD_QUOTA_PROJECT=<project-id>

???+ note prowler will scan the GCP project associated with the credentials.

Credentials lookup order

Prowler follows the same credential search process as Google authentication libraries, checking credentials in this order:

  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. CLOUDSDK_AUTH_ACCESS_TOKEN + optional GOOGLE_CLOUD_PROJECT
  3. User credentials set up by using the Google Cloud CLI
  4. Attached service account (e.g., Cloud Run, GCE, Cloud Functions)

???+ note The credentials must belong to a user or service account with the necessary permissions. To ensure full access, assign the roles/reader IAM role to the identity being used.

???+ note Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.

Using an Access Token

For existing access tokens (e.g., generated with gcloud auth print-access-token), run Prowler with:

export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
prowler gcp --project-ids <project-id>

???+ note When using this method, also set the default project explicitly: bash export GOOGLE_CLOUD_PROJECT=<project-id>

Impersonating a GCP Service Account

To impersonate a GCP service account, use the --impersonate-service-account argument followed by the service account email:

prowler gcp --impersonate-service-account <service-account-email>

This command leverages the default credentials to impersonate the specified service account.

Reference in New Issue View Git Blame Copy Permalink