Google Cloud
Firefly integrates with Google Cloud to ingest information about your cloud resources into your Firefly Inventory. This enables you to view, manage, and govern Google Cloud assets alongside resources from other cloud providers. You can use Firefly to enforce infrastructure-as-code (IaC) practices and apply policies across your Google Cloud environment, helping ensure compliance, visibility, and best practices at scale.
Google Cloud Insights
After integrating your Google Cloud account, we retrieve Google Cloud Insights directly from your projects. These insights identify potential risks in your asset configurations, enhance your security posture, and reveal significant patterns in resource usage. To utilize this feature, verify you have enabled the Recommender API.
Multiple Projects
Firefly can discover multiple Google Cloud projects under one integration if the service account is given organization-level viewer rights. If you prefer to integrate each project separately, use separate service accounts or keys for isolation. In the Firefly UI, each integration will be listed by the project or alias name you give.
Integration Methods
Use one of these procedures to allow Firefly to monitor your Google Cloud account:
Service Account Key
Creating a service account
Go to your Google Cloud service account, and click Create Service Account.
Enter the Service account details, and click Create and Continue.
Add the roles below:
viewer
iam.securityReviewer
logging.configWriter (to enable event-driven integration)
storage.objectViewer (conditional to
tfstate
suffix)
To add the
tfstate
condition that enables Firefly to scan only files with atfstate
suffix:Click Add IAM Condition.
Enter the Title and Condition type > Resource > Name.
Operator > Ends with.
Under Value, enter
tfstate
> Save > Done.
At the organization level, create a custom role that allows Firefly to discover the project folder tree. Attach this role to your service account:
Click your organization level.
Click Roles > Create Role.
Enter a Title and ID.
Under Role launch stage, click General Availability.
Click Add Permissions and add the permissions below:
resourcemanager.folders.get
resourcemanager.folders.list
Click Add > Create.
Click IAM > Grant Access.
Under New principals, enter Firefly's principal.
Under Assign roles, select the role you just created > Save.
At the project level, click Service Accounts and select the Firefly service account.
Click the menu > Manage keys > Add Key > Create new key.
Click JSON > Create.
Selecting Create downloads a service account key file.
In Firefly, paste or upload the account key file into the Service Account Key field.
Enabling APIs
To allow Firefly to scan your projects and present your assets in the Inventory, enable the APIs below:
Logging API (to enable event-driven integration)
Admin SDK API
App Engine Admin API
BigQuery API
Cloud Billing API
Cloud Functions API
Cloud Scheduler API
Cloud Dataproc API
Cloud DNS API
Cloud Resource Manager API
Compute Engine API
IAM API
Kubernetes Engine API
Service Management API
Service Usage API
Cloud Asset API
Google Cloud Memorystore for Redis API
Cloud Storage API
Groups Settings API
Cloud Spanner API
Google Cloud Filestore API
Recommender API
Discovering multiple projects in this integration
Use the same service account key to simultaneously integrate multiple Google Cloud projects.
Log in to the Google Cloud console.
Click IAM & Admin > Service Accounts.
Copy the principal of the Service account you created in Creating a service account (associated email address).
Select a resource, the desired project you would like to integrate or the organization if you want Firefly to discover all the projects in your organization.
Click IAM > Grant Access.
In the New principals field, paste the principal you copied in step 3.
In the role field, select the following roles and Save:
roles/iam.securityReviewer
roles/storage.objectViewer (conditional to
tfstate
suffix)roles/viewer
roles/logging.configWriter
To exclude projects under this service account, enter the rules in the Regex rules field.
For all integrated projects, verify the Enabling APIs are activated.
Terraform Integration
Before you begin
Use Terraform v0.13 or later
Install gcloud CLI on your workstation
To verify that you fulfilled these prerequisites, run the command in your terminal:
gcloud version && terraform init && terraform --version
Setup Procedure
Create a directory for the Terraform file of your Google Cloud project.
At your gcloud CLI, run the command:
gcloud config set project <PROJECT_NAME>
In Firefly, select Settings > Integrations > Add New > Google Cloud > Terraform.
Copy the details created by the wizard, and paste them in the file.
Run:
terraform init terraform plan terraform apply
Select Done.
Additional setup instructions and information about the Firefly onboarding Terraform module are available in Firefly Google Cloud Integration.
Discovering multiple projects in this integration
Log in to the Google Cloud console.
Select IAM & Admin > Service Accounts.
Copy the principal of the Service account Terraform created (associated email address).
Select a resource, the desired project you would like to integrate or the organization if you want Firefly to discover all the projects in your organization.
Select IAM > GRANT ACCESS.
In the New principals field, paste the principal you copied in step 3.
In the role field, select the following roles and Save:
roles/iam.securityReviewer
roles/storage.objectViewer (conditional to
tfstate
suffix)roles/viewer
roles/logging.configWriter
To exclude projects under this service account, enter the rules in the Regex rules field.
Make sure the APIs in the list Enabling APIs is enabled for all projects you integrated.
Google Cloud Discovery Status
To scan your integration for changes and discover new assets:
Procedure
Select Settings > Integrations > Google Cloud.
Select the integration.
For assets changes, on the integration menu, select Scan Assets.
For IaC stacks changes, on the integration menu, select Scan Stacks.
View changes in the Inventory and/or IaC Explorer after several minutes.
The project that was initially integrated is the first one listed in the table. We use this project to discover all subsequent ones, which appear below it.

Warning: Deleting the initial project deletes this integration, including all projects listed in the table.
Last updated
Was this helpful?