Enable Cloudgeni to scan your Google Cloud infrastructure by creating a dedicated service account. Choose between keyless authentication (recommended) or traditional service account keys.

Prerequisites

  • GCP project with owner or admin access
  • gcloud CLI installed and configured
  • Cloudgeni account (free trial available)
  • Time estimate: 3 minutes

Authentication Methods

Keyless (Recommended)

Service Account Impersonation
  • No credentials stored in Cloudgeni
  • Short-lived tokens generated on-demand
  • Enhanced security posture
  • Simple IAM binding setup

Service Account Key

Traditional JSON Key
  • Upload service account key file
  • Works in air-gapped environments
  • Key rotation required

Option A: Keyless Authentication

Keyless authentication uses service account impersonation. Cloudgeni’s platform service account generates short-lived access tokens on demand; no long-lived credentials are stored.

Step 1: Create Service Account

Set your project ID and create a dedicated service account for Cloudgeni:
# Set your GCP project ID
export PROJECT_ID="your-project-id-here"
export SA_NAME="cloudgeni-access"

# Configure gcloud to use your project
gcloud config set project $PROJECT_ID

# Create the service account
gcloud iam service-accounts create $SA_NAME \
  --display-name="CloudGeni Access"
The service account email will be: {SA_NAME}@{PROJECT_ID}.iam.gserviceaccount.com

Step 2: Assign IAM Roles

Assign the minimum required roles for Cloudgeni to scan your infrastructure:
# Grant viewer role for read-only access to resources
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/viewer"

# Grant service usage consumer role (required for API access)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/serviceusage.serviceUsageConsumer"
These roles provide read-only access to your GCP resources. Cloudgeni cannot make any changes to your infrastructure.

Step 3: Allow Cloudgeni to Impersonate

Allow Cloudgeni’s platform service account to impersonate your service account:
# Grant Cloudgeni permission to impersonate this service account
gcloud iam service-accounts add-iam-policy-binding \
  $SA_NAME@$PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:cloudgeni-platform-sa@cloudgeni-production.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --project=$PROJECT_ID
This allows Cloudgeni to generate short-lived access tokens (valid for 1 hour) to scan your infrastructure. No long-lived credentials are stored.
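The two bindings made in Steps 2 and 3 are the ones worth re-checking over time, since any later grant (a broader project role, or another Token Creator member on this service account) silently widens what a scan token can reach. The following is an added Python example, not Cloudgeni’s code, that reads the JSON output of `gcloud projects get-iam-policy $PROJECT_ID --format=json` and `gcloud iam service-accounts get-iam-policy <sa-email> --format=json` and reports any drift from exactly what this page sets up; the embedded sample policies, the `user:` members in them, and the file paths passed to `audit_from_files` are constructed for the example.

```python
import json

# Constants taken from the setup steps on this page (PROJECT_ID is the page's placeholder)
PROJECT_ID = "your-project-id-here"
SA_MEMBER = f"serviceAccount:cloudgeni-access@{PROJECT_ID}.iam.gserviceaccount.com"
REQUIRED_PROJECT_ROLES = {"roles/viewer", "roles/serviceusage.serviceUsageConsumer"}
PLATFORM_SA = "serviceAccount:cloudgeni-platform-sa@cloudgeni-production.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def audit_project_policy(policy, sa_member=SA_MEMBER):
    """Audit `gcloud projects get-iam-policy $PROJECT_ID --format=json`: flag required
    roles the scanner SA lacks and any role beyond the page's read-only set."""
    held = {b["role"] for b in policy.get("bindings", []) if sa_member in b.get("members", [])}
    findings = [f"missing {r}" for r in sorted(REQUIRED_PROJECT_ROLES - held)]
    findings += [f"unexpected {r}" for r in sorted(held - REQUIRED_PROJECT_ROLES)]
    return findings


def audit_sa_policy(policy):
    """Audit `gcloud iam service-accounts get-iam-policy <sa-email> --format=json`.
    Only the Cloudgeni platform SA should hold Token Creator: any other member can
    mint tokens for the scanner SA and so inherits its read access to the project."""
    creators = set()
    for b in policy.get("bindings", []):
        if b.get("role") == TOKEN_CREATOR:
            creators.update(b.get("members", []))
    findings = [] if PLATFORM_SA in creators else ["missing Cloudgeni impersonation binding"]
    findings += [f"unexpected Token Creator member {m}" for m in sorted(creators - {PLATFORM_SA})]
    return findings


# Constructed sample policies standing in for the two gcloud outputs: the project policy
# shows drift (roles/editor was added later), the SA policy has a stray human grantee.
SAMPLE_PROJECT_POLICY = json.loads("""{"bindings": [
  {"role": "roles/viewer", "members": ["%s"]},
  {"role": "roles/serviceusage.serviceUsageConsumer", "members": ["%s"]},
  {"role": "roles/editor", "members": ["user:alice@example.com", "%s"]}]}""" % ((SA_MEMBER,) * 3))
SAMPLE_SA_POLICY = json.loads("""{"bindings": [
  {"role": "%s", "members": ["%s", "user:bob@example.com"]}]}""" % (TOKEN_CREATOR, PLATFORM_SA))


def audit_from_files(project_policy_path, sa_policy_path):
    """Run both audits over saved gcloud JSON; an empty list means the setup matches this page."""
    with open(project_policy_path) as f, open(sa_policy_path) as g:
        return audit_project_policy(json.load(f)) + audit_sa_policy(json.load(g))


if __name__ == "__main__":
    for line in audit_project_policy(SAMPLE_PROJECT_POLICY) + audit_sa_policy(SAMPLE_SA_POLICY):
        print(line)
```

Save the two policies with `--format=json` and pass the file names to `audit_from_files`; run without arguments, the script reports the drift in the embedded samples.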

Step 4: Configure Cloudgeni Integration

  1. Log into your Cloudgeni dashboard
  2. Navigate to Settings > Integrations > Cloud
  3. Click “Connect GCP”
  4. Select the “Keyless (Recommended)” tab
  5. Enter your configuration:
    • Name: GCP Production (or your environment name)
    • Project ID: Your GCP project ID
    • Service Account Email: {SA_NAME}@{PROJECT_ID}.iam.gserviceaccount.com
  6. Click “Create Integration”
A scan of all your GCP resources will start automatically after creating the integration.

Option B: Service Account Key

If you prefer traditional authentication or operate in an air-gapped environment, you can use service account keys.

Step 1: Create Service Account

Follow the same steps as Option A, Step 1 above.

Step 2: Assign IAM Roles

Follow the same steps as Option A, Step 2 above.

Step 3: Create Service Account Key

Create and download the service account key file:
# Generate and download the key file
gcloud iam service-accounts keys create $SA_NAME-key.json \
  --iam-account=$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com
Result: You’ll have a {SA_NAME}-key.json file in your current directory.
Keep this key file secure: anyone who holds it has the service account’s access to your GCP project. Never commit it to version control.

Step 4: Configure Cloudgeni Integration

  1. Log into your Cloudgeni dashboard
  2. Navigate to Settings > Integrations > Cloud
  3. Click “Connect GCP”
  4. Select the “Service Account Key” tab
  5. Enter your configuration:
    • Name: GCP Production (or your environment name)
    • Project ID: Your GCP project ID
    • Default Region: Select your primary region
    • Service Account Key: Upload your service account key JSON file
  6. Click “Create Integration”
A scan of all your GCP resources will start automatically after creating the integration.

Troubleshooting

If you see permission denied errors during scans:
  1. Verify the service account has the roles/viewer role
  2. For keyless auth, verify the impersonation binding is correct:
    gcloud iam service-accounts get-iam-policy \
      $SA_NAME@$PROJECT_ID.iam.gserviceaccount.com
  3. Ensure the roles/serviceusage.serviceUsageConsumer role is assigned
If token generation fails with keyless authentication:
  1. Verify the Cloudgeni platform SA has the serviceAccountTokenCreator role
  2. Check that the service account email is correctly formatted
  3. Ensure the IAM Service Account Credentials API, which issues the short-lived tokens, is enabled in your project:
    gcloud services enable iamcredentials.googleapis.com

What’s Next?