Skip to main content

GCP Compute

GCP Compute integration allows your product to fetch information about virtual machine (VM) instances, IP addresses, zones, networks, and metadata from Google Cloud's Compute Engine service. This helps in building asset inventory, tracking compute workloads, analyzing resource configurations, and monitoring infrastructure for compliance or security assessments.

Credentials Needed

You'll need credentials from a Google Cloud Service Account with read-only access to Compute Engine resources.

Required credentials:

  • Service Account JSON Key File (contains: project_id, client_email, private_key, etc.)

This key authenticates your integration with GCP APIs to retrieve VM and network details.

Permissions Needed

To read Compute Engine details, assign the following roles to your Service Account:

RolePurpose
Compute Viewer (roles/compute.viewer)Allows read-only access to VM instances, disks, networks, and snapshots.
Viewer (roles/viewer)Grants general read-only access to project resources.
Service Account Viewer (roles/iam.serviceAccountViewer) (optional)Lets the integration read metadata about service accounts attached to VMs.

Key Permissions These Roles Include

  • compute.instances.list
  • compute.instances.get
  • compute.disks.list
  • compute.networks.list
  • compute.addresses.list
  • compute.subnetworks.list
  • compute.zones.list
  • resourcemanager.projects.get

Creating Users / Service Account in GCP

Step 1: Create a Service Account

  1. Go to GCP Console → IAM & Admin → Service Accounts
  2. Click + CREATE SERVICE ACCOUNT
  3. Enter a name (e.g., compute-integration-sa)
  4. Click Create and Continue

Step 2: Assign Roles

  1. Under Grant this service account access to project, click + Add Another Role
  2. Add the following roles:
    • Compute Viewer
    • Viewer
    • (Optional) Service Account Viewer
  3. Click Continue → Done

Step 3: Create and Download JSON Key

  1. Open the created service account
  2. Go to Keys → Add Key → Create new key
  3. Select JSON format and download the key file
  4. Save it securely (e.g., gcp-compute-key.json)

Test Connectivity

Verify the configuration using the Google Cloud CLI:

# Authenticate using the Service Account key
gcloud auth activate-service-account --key-file=gcp-compute-key.json

# Verify authentication
gcloud auth list

# List projects accessible by this service account
gcloud projects list

# List all compute instances in a project
gcloud compute instances list --project <PROJECT_ID> --format=table(name,zone,status,EXTERNAL_IP,INTERNAL_IP)

# List networks and subnets
gcloud compute networks list
gcloud compute networks subnets list --project <PROJECT_ID>

If you successfully receive instance and network details, your credentials and permissions are correctly set up.

Save the Results in the Platform and Create Connection

  1. In your platform's integrations section, securely upload or link the Service Account JSON Key.
  2. Extract and store securely:
    • project_id
    • client_email
    • private_key
  3. Create a new connector labeled GCP Compute Integration.
  4. Test the connection by fetching VM instance details from the target project.

Best Practices

  • Use a dedicated service account for compute integrations — avoid reusing across different modules.
  • Apply the principle of least privilege — only grant Compute Viewer and Viewer roles.
  • Store the JSON key securely in an encrypted secret manager (never commit it to code).
  • Rotate keys regularly using automated scripts or GCP IAM key rotation policies.
  • Limit the service account's access scope to specific projects or folders if your platform doesn't need organization-wide data.
  • Enable Audit Logs for compute.googleapis.com to track API access and detect unauthorized activities.
  • Use region and zone filters in your API calls to improve performance if your platform spans multiple regions.