Onboard GCP Project

Overview

ARMO’s GCP Cloud Security Posture Management (CSPM) integration provides continuous visibility into the security posture of your Google Cloud environment. By securely connecting a GCP service account, ARMO can analyze cloud resources, identities, IAM policies, network exposure, and audit logs to identify misconfigurations, compliance gaps, and attack paths across projects and organizations.

Prerequisites

| Item | Requirement |
|---|---|
| ARMO Platform | Admin or Manager access to the ARMO Platform |
| GCP Owner | Owner or IAM Admin permissions in the target GCP project |
| GCP Permissions | Create service accounts; create custom IAM roles; enable APIs; assign IAM roles |

Required IAM Roles

| Role Name | Type | Purpose |
|---|---|---|
| Viewer | Predefined | Read-only access to cloud resources |
| Security Reviewer | Predefined | View IAM policies, roles, and bindings |
| Service Usage Consumer | Predefined | Allows ARMO to call enabled APIs |
| Custom Role | Custom | Allows ARMO to read bucket IAM policies |


High-Level Onboarding Flow

The GCP onboarding process in ARMO establishes secure, read-only access so ARMO can continuously analyze your cloud configuration, IAM posture, asset inventory, and audit logs.

Flow Overview

  1. Get your GCP Project ID
  2. Enable required GCP APIs
  3. Create a Custom IAM Role
  4. Create a Service Account
  5. Assign required IAM Roles
  6. Generate a JSON Access Key
  7. Connect the project in ARMO

[ARMO Platform]

[Start Onboarding Wizard]
├── Enter display name and GCP project ID

[Google Console]
├── Enable required APIs
├── Create Custom IAM Role
├── Create Service Account
├── Assign IAM Roles
└── Generate JSON Access Key

[Return to ARMO → Upload Key]

[Validation + Discovery]

[Continuous Scanning & Compliance Insights]


Integration Steps – Single Project

Step 1 – Get Project ID

  1. Open Google Cloud Console
  2. Select the project and go to Project Settings
  3. Copy the Project ID
  4. Paste the project ID in the ARMO platform and provide a display name



Step 2 – Enable APIs

  1. Click the Activate Cloud Shell icon at the top right of the GCP console. An interactive shell opens at the bottom of your screen, where you can enter and run commands.
  2. Copy the command below, paste it into the interactive shell, and run it. You’ll see a success message once it’s complete.

    gcloud services enable \
      serviceusage.googleapis.com \
      cloudresourcemanager.googleapis.com \
      iam.googleapis.com \
      compute.googleapis.com \
      storage.googleapis.com \
      bigquery.googleapis.com \
      sqladmin.googleapis.com \
      container.googleapis.com \
      dataproc.googleapis.com \
      dns.googleapis.com \
      cloudkms.googleapis.com \
      apikeys.googleapis.com \
      logging.googleapis.com \
      monitoring.googleapis.com \
      accessapproval.googleapis.com \
      essentialcontacts.googleapis.com \
      containeranalysis.googleapis.com \
      containerscanning.googleapis.com \
      cloudasset.googleapis.com


Step 3 – Create Custom Role

  1. Go to IAM & Admin → Roles

  2. Click + Create Role

  3. Enter a Title, Description, ID, and Role launch stage for the role.

  4. Add permission:

    storage.buckets.getIamPolicy
  5. Click Create


Step 4 – Create Service Account

  1. Go to IAM & Admin → Service Accounts

  2. Click Create

  3. Name it (e.g. cspm-cloud-security)

  4. Assign roles:

    • Viewer
    • Security Reviewer
    • Service Usage Consumer
    • ARMO CSPM (the custom role created in Step 3)
  5. Click Done


Step 5 – Create Access Key and Connect

  1. Open the service account
  2. Go to Keys
  3. Click Add Key → Create new key
  4. Select JSON
  5. Download the file
  6. Upload the downloaded JSON file in ARMO
  7. Click Connect
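
A check on the result of Steps 3 and 4, added here as an example (not ARMO's code): it compares the roles bound to the service account, and the permissions in the custom role, with what this page specifies. It assumes the inputs were exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`; the project ID, the custom role ID `armo_cspm` and the sample data are constructed placeholders.

```python
import json

# Role IDs of the three predefined roles from the Required IAM Roles table.
PREDEFINED_ROLES = {
    "roles/viewer",                             # Viewer
    "roles/iam.securityReviewer",               # Security Reviewer
    "roles/serviceusage.serviceUsageConsumer",  # Service Usage Consumer
}
CUSTOM_ROLE_PERMISSIONS = {"storage.buckets.getIamPolicy"}  # Step 3


def audit_bindings(policy, project_id, sa_email, custom_role_id):
    """Return roles the service account lacks and roles it holds beyond the four required."""
    member = f"serviceAccount:{sa_email}"
    expected = PREDEFINED_ROLES | {f"projects/{project_id}/roles/{custom_role_id}"}
    granted = {
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return {"missing": sorted(expected - granted), "excess": sorted(granted - expected)}


def audit_custom_role(role):
    """Return permissions in the custom role other than the one Step 3 adds."""
    return sorted(set(role.get("includedPermissions", [])) - CUSTOM_ROLE_PERMISSIONS)


# Constructed sample data (not real output): the project ID, service account
# e-mail and custom role ID "armo_cspm" are placeholders chosen for this example.
PROJECT = "example-project"
SA = f"cspm-cloud-security@{PROJECT}.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/iam.securityReviewer",
   "members": ["serviceAccount:%(sa)s", "user:admin@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:%(sa)s"]},
  {"role": "projects/example-project/roles/armo_cspm", "members": ["serviceAccount:%(sa)s"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]}
]}
""" % {"sa": SA})
SAMPLE_ROLE = {"includedPermissions": ["storage.buckets.getIamPolicy", "storage.objects.get"]}

if __name__ == "__main__":
    print(audit_bindings(SAMPLE_POLICY, PROJECT, SA, "armo_cspm"))
    print(audit_custom_role(SAMPLE_ROLE))
```

An empty `missing` list means the account holds every role the page requires; anything in `excess` or returned by `audit_custom_role` is access beyond the read-only set described here and is worth removing before the key is uploaded.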

What Happens Next

ARMO will start:

  • Discovering cloud assets
  • Evaluating security posture
  • Detecting misconfigurations

Initial results typically appear within 60 minutes.