Cloud
Connect Google Cloud
Authenticates a read-only service account (JWT-bearer) to read Cloud Resource Manager + Compute inventory and Security Command Center findings — feeding Security Readiness and Cloud Health.
What it pulls
Project info + Compute instance inventory, and (with an organization ID) Security Command Center active findings bucketed by severity.
What you’ll enter
The exact fields the connect form asks for — and where to find each value.
- Service account key (JSON)
- Cloud Console → IAM & Admin → Service Accounts → your account → Keys → Add key → JSON. Open the downloaded file and paste ALL of it here.
- Organization ID (for Security Command Center)optional
- Only for security findings. IAM & Admin → Settings (or run `gcloud organizations list`). A number like 123456789012.
- Project ID (defaults to the key's project)optional
- Leave blank to use the key’s own project — only set this to target a different project.
Step-by-step setup
- 1
Create a service account
Cloud Console → IAM & Admin → Service Accounts → Create service account (e.g. shipready-metrics).
- 2
Grant Viewer on the project
Grant roles/viewer (Viewer) on the project — that covers Cloud Resource Manager + Compute inventory.
- 3
Optional — SCC Findings Viewer at the org level
For Security Command Center findings, grant roles/securitycenter.findingsViewer to the service account at the ORGANIZATION level (Organization IAM), not the project. Skip this if you don't need findings.
- 4
Create and download a JSON key
Open the service account → Keys → Add key → Create new key → JSON. A key file downloads — it's shown once.
- 5
Paste the key + optional org ID
Open the file, copy ALL of its contents, and paste into Service account key (JSON). For SCC, also enter your Organization ID (IAM & Admin → Settings, or `gcloud organizations list`). Project ID defaults to the key’s project.
- 6
Connect
Click Connect — we validate via Resource Manager (enabling Compute/SCC APIs as needed), then sync inventory + findings.
Read-only service-account key, RS256 JWT-signed → OAuth token. Validated via Resource Manager, then Compute + Security Command Center. Feeds Security Readiness + Cloud Health.