Integrate Google Cloud using a service account key

Last updated 1 year ago

Procedure

Creating a service account

  1. Go to your Google Cloud service account page, and select + CREATE SERVICE ACCOUNT.

  2. Enter the Service account details, and select CREATE AND CONTINUE.

  3. Add the roles below:

    • viewer

    • iam.securityReviewer

    • logging.configWriter (to enable event-driven integration)

    • storage.objectViewer, restricted by an IAM condition to objects whose name ends with tfstate

      1. To add the condition that limits Firefly to scanning only files with a tfstate suffix, select + ADD IAM CONDITION.

      2. Enter a Title, then under Condition type select Resource > Name.

      3. Under Operator, select Ends with.

      4. Under Value, enter tfstate, then select SAVE > DONE.

  4. At the organization level, create a custom role that allows Firefly to discover the project folder tree. Attach this role to your service account.

    1. Select your organization level.

    2. Select Roles > + CREATE ROLE.

    3. Enter a Title and ID.

    4. Under Role launch stage, select General Availability.

    5. Select + ADD PERMISSIONS and add the permissions below:

      • resourcemanager.folders.get

      • resourcemanager.folders.list

    6. Select ADD > CREATE.

    7. Select IAM > GRANT ACCESS.

    8. Under New principals, enter Firefly's principal.

    9. Under Assign roles, select the role you just created > SAVE.

  5. At the project level, select Service Accounts and select the Firefly service account.

  6. Select the kebab menu (⋮) > Manage keys > ADD KEY > Create new key.

    1. Select JSON > CREATE. Selecting CREATE downloads a service account key file.

    2. In Firefly, paste or upload the account key file into the Service Account Key field.

Enabling APIs

To allow Firefly to scan your projects and present your assets in the Inventory, enable the APIs below:

  • Logging API (to enable event-driven integration)

  • Admin SDK API

  • App Engine Admin API

  • BigQuery API

  • Cloud Billing API

  • Cloud Functions API

  • Cloud Scheduler API

  • Cloud Dataproc API

  • Cloud DNS API

  • Cloud Resource Manager API

  • Compute Engine API

  • IAM API

  • Kubernetes Engine API

  • Service Management API

  • Service Usage API

  • Cloud Asset API

  • Google Cloud Memorystore for Redis API

  • Cloud Storage API

  • Groups Settings API

  • Cloud Spanner API

  • Google Cloud Filestore API

  • Recommender API

Discovering multiple projects in this integration

Use the same service account key to simultaneously integrate multiple Google Cloud projects.

Procedure

  1. Select IAM & Admin > Service Accounts.

  2. Copy the principal (the email address) of the service account you created in "Creating a service account".

  3. Select a resource: the project you want to integrate, or the organization if you want Firefly to discover all the projects in it.

  4. Select IAM > GRANT ACCESS.

  5. In the New principals field, paste the principal you copied in step 2.

  6. In the role field, select the following roles and SAVE:

    • roles/iam.securityReviewer

    • roles/storage.objectViewer (conditional to tfstate suffix)

    • roles/viewer

    • roles/logging.configWriter

  • To exclude projects under this service account from discovery, enter the matching rules in the Regex rules field.
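The role set above (and the same roles granted per project or organization in "Creating a service account") is the integration's blast radius, so it is worth checking the resulting bindings rather than trusting the console clicks. The audit below is an added example, not Firefly's code: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and reports any role beyond the documented four, a missing role, or a storage.objectViewer binding that lost its tfstate condition; the service-account name and the sample policies are constructed for the demo.

```python
"""Audit a project IAM policy for the Firefly service-account bindings.
Added example, not Firefly's own code: it reads the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` prints. The
principal name and sample policies below are constructed for the demo."""
import json

# Roles this page grants to the Firefly service account.
REQUIRED_ROLES = {"roles/viewer", "roles/iam.securityReviewer",
                  "roles/logging.configWriter", "roles/storage.objectViewer"}
# storage.objectViewer must carry the "Name ends with tfstate" condition;
# this is the CEL expression the console produces for that selection.
REQUIRED_CONDITIONS = {"roles/storage.objectViewer": 'resource.name.endsWith("tfstate")'}


def audit_bindings(policy_json, principal):
    """Return findings for `principal`; an empty list means its bindings
    match the least-privilege set described on this page."""
    findings, seen = [], set()
    for binding in json.loads(policy_json).get("bindings", []):
        if principal not in binding.get("members", []):
            continue
        role = binding["role"]
        seen.add(role)
        if role not in REQUIRED_ROLES:
            findings.append(f"unexpected role {role}")
        expr = binding.get("condition", {}).get("expression", "")
        wanted = REQUIRED_CONDITIONS.get(role)
        if wanted and expr.replace(" ", "") != wanted.replace(" ", ""):
            findings.append(f"{role} is not limited to tfstate objects (condition: {expr!r})")
    findings.extend(f"missing role {r}" for r in sorted(REQUIRED_ROLES - seen))
    return findings


# Constructed sample policies: the Firefly principal plus an unrelated admin binding.
FIREFLY_SA = "serviceAccount:firefly@example-project.iam.gserviceaccount.com"


def sample_policy(object_viewer_condition, extra_roles=()):
    roles = ("roles/viewer", "roles/iam.securityReviewer",
             "roles/logging.configWriter", *extra_roles)
    bindings = [{"role": r, "members": [FIREFLY_SA]} for r in roles]
    viewer = {"role": "roles/storage.objectViewer", "members": [FIREFLY_SA]}
    if object_viewer_condition:  # None models a binding saved without the condition
        viewer["condition"] = {"title": "tfstate only", "expression": object_viewer_condition}
    bindings.append(viewer)
    bindings.append({"role": "roles/owner", "members": ["user:admin@example.com"]})
    return json.dumps({"version": 3, "bindings": bindings})


GOOD_POLICY = sample_policy('resource.name.endsWith("tfstate")')
BAD_POLICY = sample_policy(None, extra_roles=("roles/editor",))  # too broad, unconditional
```

Run it against the real policy export for every project or organization the key was granted on; the same check applies after Firefly support or a teammate "temporarily" widens the role set.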

Google Cloud Insights

Log in to the Google Cloud console.

For all integrated projects, verify the APIs listed under Enabling APIs are activated.

After integrating your Google Cloud account, Firefly retrieves Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, help improve your security posture, and reveal significant patterns in resource usage. To use this feature, verify you have enabled the Recommender API.
