GCP Workloads
GCP Workloads integration allows your product to discover and monitor containerized and compute workloads running across Google Cloud — including Google Kubernetes Engine (GKE) clusters, Cloud Run services, and Cloud Functions. This integration provides deep visibility into workloads, pods, services, and running containers for inventory, monitoring, and security analysis.
Credentials Needed
You need credentials from a Google Cloud Service Account with read-only access to workload-related APIs (Kubernetes Engine, Cloud Run, and Cloud Functions).
Required credentials:
- Service Account JSON Key File (contains: project_id, client_email, private_key, etc.)
This key allows your integration to authenticate with GCP APIs to fetch workload metadata securely.
Permissions Needed
To read workloads and related configurations, assign the following roles to the Service Account:
Required Roles
| Role | Purpose |
|---|---|
| Kubernetes Engine Viewer (roles/container.viewer) | Read access to GKE clusters, node pools, and configurations. |
| Cloud Run Viewer (roles/run.viewer) | Allows viewing Cloud Run services and revisions. |
| Cloud Functions Viewer (roles/cloudfunctions.viewer) | Grants read access to Cloud Functions configurations and deployments. |
| Viewer (roles/viewer) | Optional role for read-only access to general project metadata. |
Key Permissions These Roles Include
- container.clusters.list
- container.clusters.get
- run.services.list
- run.services.get
- cloudfunctions.functions.list
- cloudfunctions.functions.get
- resourcemanager.projects.get
Creating Users / Service Account in GCP
Step 1: Create a Service Account
- Go to GCP Console → IAM & Admin → Service Accounts
- Click + CREATE SERVICE ACCOUNT
- Enter a name (e.g., gcp-workload-integration-sa)
- Click Create and Continue
Step 2: Assign Roles
- Under Grant this service account access to project, click + Add Another Role
- Add:
- Kubernetes Engine Viewer
- Cloud Run Viewer
- Cloud Functions Viewer
- (Optional) Viewer
- Click Continue → Done
Step 3: Create and Download JSON Key
- Go to the created Service Account
- Navigate to Keys → Add Key → Create new key
- Select JSON format and download the key file
- Save it securely (e.g., gcp-workloads-key.json)
Test Connectivity
You can verify connectivity and access using the gcloud CLI:
# Authenticate using the Service Account key
gcloud auth activate-service-account --key-file=gcp-workloads-key.json
# Verify authentication
gcloud auth list
# Set the correct project
gcloud config set project <PROJECT_ID>
# List GKE clusters
gcloud container clusters list
# List Cloud Run services
gcloud run services list --platform managed --region <REGION>
# List Cloud Functions
gcloud functions list --region <REGION>
If the commands return workload details successfully, your credentials and permissions are correctly configured.
Save the Results in the Platform and Create Connection
In your platform's integrations module, securely upload or link the Service Account JSON Key.
Extract and securely store:
- project_id
- client_email
- private_key
Create a connector labeled GCP Workloads Integration.
Test the connection by listing workloads like GKE clusters, Cloud Run services, and Cloud Functions.
Best Practices
- Use dedicated Service Accounts for workload discovery — do not reuse accounts from other integrations.
- Assign only read-only roles (viewer variants) to enforce the principle of least privilege.
- Rotate Service Account keys periodically using automated processes or use Workload Identity Federation to eliminate static credentials.
- Store JSON keys securely in Google Secret Manager or your platform's encrypted storage.
- Limit the scope of the Service Account to specific projects or folders when multi-project access isn't required.
- Enable Audit Logs for container.googleapis.com, run.googleapis.com, and cloudfunctions.googleapis.com to track API access.
- For multi-region workloads, ensure your integration fetches data across all active regions for full coverage.