Which resources does Vanta fetch from GCP?
Artifact Registry repositories
BigQuery datasets
Bigtable instances
Cloud SQL instances
Cloud Task Queues
Compute instances
Container repositories
Datastore projects
Firestore projects
Log buckets
Log sinks
Monitoring policies
Networks
Role grants
Roles
Spanner instances
Storage buckets
Subnets
Subscriptions
Topics
Authentication Options
With Workload Identity Federation, you can give on-premises or multi-cloud workloads access to Google Cloud resources using federated identities instead of a service account key.
Which APIs need to be enabled on the Vanta-scanner project for the Integration?
The following APIs are required for the Integration:
bigquery.googleapis.com
cloudresourcemanager.googleapis.com
containeranalysis.googleapis.com
firestore.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
sqladmin.googleapis.com
storage-api.googleapis.com
Which permissions need to be granted for the integration?
resourcemanager.projects.get
resourcemanager.projects.list
resourcemanager.folders.list
iam.roles.list
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.getIamPolicy
bigquery.datasets.get
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.subnetworks.get
pubsub.topics.get
storage.buckets.get
appengine.applications.get
cloudasset.assets.searchAllResources
Is it possible to connect Vanta without enabling all the APIs listed above?
No, but these APIs only need to be enabled on the vanta-scanner project created by the script, and billing will not be enabled on the vanta-scanner project.
What permissions are required to run the script in GCP?
Minimum permissions to run the script are documented here.
Does Vanta integrate with Google Firebase?
Vanta will run a limited scope of tests on Firebase, looking at the overall configuration of GCP (e.g., user access and whether MFA is enabled).
What does the GCP linking flow script do?
Create a Vanta-scanner project under your organization.
Enable the required APIs on the created Vanta-scanner project.
Create a custom role, VantaOrganizationScanner, for listing IAM policies inherited by a GCP project.
Create a new service account, vanta-scanner-service-account, in the vanta-scanner project.
Download a key for vanta-scanner-service-account as vanta-scanner-key.json.
Grant vanta-scanner-service-account the VantaOrganizationScanner role in the organization that houses your projects.
If you are linking individual projects, the script will additionally:
Create a custom role, VantaProjectScanner, for listing resources in a GCP project.
For each specified project:
Grant vanta-scanner-service-account the VantaProjectScanner role.
Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role.
If you are linking an organization, the script will additionally:
Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role for the organization.
How does Vanta determine vulnerability priority from GCP?
Vanta uses the effective severity of the vulnerability determined by GCP.
GCP determines the effective severity based on the CVSS score and other factors about the asset the vulnerability is on.
Vanta's vulnerability priority should be the same as the vulnerability priority in the GCP dashboard.
Connecting Multiple GCP Organizations to Vanta
You can connect multiple GCP organizations to a single Vanta account. This is helpful if your company uses separate GCP organizations for different business units, environments, or subsidiaries and you want consolidated security monitoring in Vanta.
Here’s how to connect an additional GCP organization:
Navigate to Integrations in Vanta
Select your existing GCP integration
You'll see a list of your connected GCP organizations
Click Add to connect another organization
Follow the standard connection workflow:
Provide your organization domain
Create a service account in the new organization with the required permissions
Upload the service account key to Vanta
Each GCP organization is connected independently with its own service account. Vanta monitors resources across all organizations and displays them on a single dashboard.
Notes for Terraform flow
Customers download our Terraform script, make any necessary changes, and place the script in their codebase or wherever they place their infrastructure code.
If customers disconnect GCP in Vanta, they should also clean up using Terraform destroy.
Just like the console flow, we don’t support projects outside of organizations.
How is Terraform script different from the Shell script from the Console flow?
The Terraform script uses vanta-scanner-{organizationId} as the project ID for the project Vanta creates on behalf of the customer to pull in resources.
When clicking on “Shut down,” the project is soft-deleted, and it could take up to 30 days for Google to shut it down completely. During that soft delete period, the project ID of that soft-deleted project is not available for reuse. You might need to come up with a different, unique ID for your project ID if you were to connect with GCP using Terraform again within 30 days. Once the project is fully shut down, you can reuse that project ID.
Terraform does not easily support conditionally creating or updating resources, unlike the Shell script used by the Console flow. The Shell script conditionally creates and updates the custom role VantaOrganizationScanner with the proper permissions depending on whether it is the Console projects linking flow or the Console org linking flow. The Terraform flow instead uses two fixed role IDs: VantaOrganizationScanner for the Terraform projects linking flow and VantaExtensiveOrganizationScanner for the Terraform org linking flow.
Please note:
If the project ID already exists for any reason, the Terraform script will fail. In the following scenarios you might need to change the project ID in the Terraform script before you can run the plan and apply:
Connected to GCP on Vanta previously and already had a project created with the above ID.
Connected to GCP using Terraform and disconnected but did not clean up resources.
You cleaned up resources but reconnected quickly, so the project ID may still be soft-deleted (for up to 30 days) and not yet available for reuse.
Vanta currently does not officially support connecting multiple projects that belong to different organizations.
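As an added example (not Vanta's own Terraform script), this is what the Terraform org linking flow described above looks like when written out with the Terraform google provider: the vanta-scanner-{organizationId} project without billing, the required APIs, the vanta-scanner-service-account, the VantaExtensiveOrganizationScanner custom role carrying the integration's permission list, and the organization-level grants. The organization_id variable is an assumed input, and the credential step (a downloaded key or Workload Identity Federation) is not shown.

```hcl
locals {
  # Project ID the Terraform flow uses; the plan fails if this ID already exists or is soft-deleted
  project_id = "vanta-scanner-${var.organization_id}"
  required_apis = [
    "bigquery.googleapis.com", "cloudresourcemanager.googleapis.com",
    "containeranalysis.googleapis.com", "firestore.googleapis.com", "iam.googleapis.com",
    "logging.googleapis.com", "monitoring.googleapis.com", "pubsub.googleapis.com",
    "serviceusage.googleapis.com", "sqladmin.googleapis.com", "storage-api.googleapis.com",
  ]
  scanner_permissions = [ # the integration's permission list from above
    "resourcemanager.projects.get", "resourcemanager.projects.list", "resourcemanager.folders.list",
    "iam.roles.list", "resourcemanager.organizations.getIamPolicy", "resourcemanager.folders.getIamPolicy",
    "bigquery.datasets.get", "compute.instances.get", "compute.instances.getEffectiveFirewalls",
    "compute.subnetworks.get", "pubsub.topics.get", "storage.buckets.get", "appengine.applications.get",
    "cloudasset.assets.searchAllResources",
  ]
}
variable "organization_id" { type = string } # numeric GCP organization ID (assumed input)

resource "google_project" "vanta_scanner" {
  name       = local.project_id
  project_id = local.project_id
  org_id     = var.organization_id # no billing_account: billing stays disabled on this project
}
resource "google_project_service" "apis" {
  for_each = toset(local.required_apis)
  project  = google_project.vanta_scanner.project_id
  service  = each.value
}
resource "google_service_account" "scanner" {
  account_id = "vanta-scanner-service-account"
  project    = google_project.vanta_scanner.project_id
}

# Org linking flow uses this fixed role ID rather than conditionally reusing VantaOrganizationScanner
resource "google_organization_iam_custom_role" "scanner" {
  role_id     = "VantaExtensiveOrganizationScanner"
  org_id      = var.organization_id
  title       = "Vanta Extensive Organization Scanner"
  permissions = local.scanner_permissions
}

# Grant the custom role and roles/iam.securityReviewer to the service account at organization level
resource "google_organization_iam_member" "scanner_roles" {
  for_each = { custom = google_organization_iam_custom_role.scanner.name, reviewer = "roles/iam.securityReviewer" }
  org_id   = var.organization_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.scanner.email}"
}
```

Running terraform destroy on this configuration is the cleanup step the notes above ask for after disconnecting GCP in Vanta; the project then enters the 30-day soft-delete window during which its ID cannot be reused.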