GCP Integration FAQ

Which resources does Vanta fetch from GCP?

  • Artifact Registry repositories
  • BigQuery datasets
  • Bigtable instances
  • Cloud SQL instances
  • Cloud Task Queues
  • Compute instances
  • Container repositories
  • Datastore projects
  • Firestore projects
  • Log buckets
  • Log sinks
  • Monitoring policies
  • Networks
  • Role grants
  • Roles
  • Spanner instances
  • Storage buckets
  • Subnets
  • Subscriptions
  • Topics

Which APIs need to be enabled on the Vanta-scanner project for the Integration?

The following APIs are required for the Integration:

  • bigquery.googleapis.com
  • cloudresourcemanager.googleapis.com
  • containeranalysis.googleapis.com
  • firestore.googleapis.com
  • iam.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • pubsub.googleapis.com
  • serviceusage.googleapis.com
  • sqladmin.googleapis.com
  • storage-api.googleapis.com

Which permissions need to be granted for the integration?

Is it possible to connect Vanta without enabling all the APIs listed above?

  • No, but these APIs only need to be enabled on the vanta-scanner project created by the script, and billing will not be enabled on the vanta-scanner project.

What permissions are required to run the script in GCP?

Does Vanta integrate with Google Firebase?

  • Vanta will run a limited scope of tests on Firebase, looking at the overall configuration of GCP (e.g., user access, whether MFA is enabled).

What does the GCP linking flow script do?

  • Create a Vanta-scanner project under your organization.
  • Enable the required APIs on the created Vanta-scanner project.
  • Create a custom role, VantaOrganizationScanner, for listing IAM policies inherited by a GCP project.
  • Create a new service account, vanta-scanner-service-account, in the vanta-scanner project.
  • Download a key for vanta-scanner-service-account as vanta-scanner-key.json.
  • Grant vanta-scanner-service-account the VantaOrganizationScanner role in the organization that houses your projects.

If you are linking individual projects, the script will additionally:

  • Create a custom role, VantaProjectScanner, for listing resources in a GCP project.
  • For each specified project:
    • Grant vanta-scanner-service-account the VantaProjectScanner role.
    • Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role.

If you are linking an organization, the script will additionally:

  • Grant vanta-scanner-service-account the roles/iam.securityReviewer standard role for the organization.
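The bullets above, together with the API list earlier on this page, define the footprint the linking script is supposed to leave behind. The following Python audit is an added example, not Vanta's script: it takes the JSON output of gcloud services list --enabled (assumed to carry a config.name field per entry) and gcloud organizations get-iam-policy, and reports required APIs that are not enabled, expected roles that are missing, and any extra roles bound to the scanner service account. The organization ID, the service-account e-mail and the sample command output are constructed placeholders.

```python
import json

# Required APIs, as listed in this FAQ.
REQUIRED_APIS = {
    "bigquery.googleapis.com", "cloudresourcemanager.googleapis.com",
    "containeranalysis.googleapis.com", "firestore.googleapis.com",
    "iam.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com",
    "pubsub.googleapis.com", "serviceusage.googleapis.com",
    "sqladmin.googleapis.com", "storage-api.googleapis.com",
}
# Constructed placeholders: your org ID and the scanner project's SA e-mail.
ORG_ID = "123456789012"
SCANNER_SA = "serviceAccount:vanta-scanner-service-account@vanta-scanner.iam.gserviceaccount.com"
# The org-linking flow grants exactly these two roles; anything else is an over-grant.
EXPECTED_ORG_ROLES = {
    f"organizations/{ORG_ID}/roles/VantaOrganizationScanner",
    "roles/iam.securityReviewer",
}

def missing_apis(services_json: str) -> set[str]:
    # services_json: `gcloud services list --enabled --format=json` run in the
    # vanta-scanner project (assumes each entry carries config.name).
    enabled = {svc["config"]["name"] for svc in json.loads(services_json)}
    return REQUIRED_APIS - enabled

def roles_bound_to(policy_json: str, member: str) -> set[str]:
    # policy_json: `gcloud organizations get-iam-policy ORG_ID --format=json`.
    bindings = json.loads(policy_json).get("bindings", [])
    return {b["role"] for b in bindings if member in b.get("members", [])}

def audit(services_json: str, policy_json: str) -> dict[str, set[str]]:
    # Empty sets everywhere means the footprint matches the FAQ.
    bound = roles_bound_to(policy_json, SCANNER_SA)
    return {"missing_apis": missing_apis(services_json),
            "missing_roles": EXPECTED_ORG_ROLES - bound,
            "extra_roles": bound - EXPECTED_ORG_ROLES}

# Constructed sample: sqladmin was never enabled and someone added roles/owner.
SAMPLE_SERVICES = json.dumps([{"config": {"name": api}, "state": "ENABLED"}
                              for api in sorted(REQUIRED_APIS - {"sqladmin.googleapis.com"})])
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": f"organizations/{ORG_ID}/roles/VantaOrganizationScanner", "members": [SCANNER_SA]},
    {"role": "roles/iam.securityReviewer", "members": ["user:alice@example.com", SCANNER_SA]},
    {"role": "roles/owner", "members": [SCANNER_SA]},
]})

if __name__ == "__main__":
    for finding, values in audit(SAMPLE_SERVICES, SAMPLE_POLICY).items():
        print(f"{finding}: {sorted(values) or 'OK'}")
```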

How does Vanta determine vulnerability priority from GCP?

  • Vulnerability priority is determined by the CVSS score. Vanta's priority levels map to CVSS score ranges as follows:
    • Low: 0 - 3.9
    • Medium: 4 - 6.9
    • High: 7 - 8.9
    • Urgent: 9 - 10

Notes for Terraform flow

  • Customers download our Terraform script, make any necessary changes, and place the script in their codebase or wherever they keep their infrastructure code.
  • If customers disconnect GCP in Vanta, they should also clean up by running terraform destroy.
  • Just like the console flow, we don't support projects outside of organizations.

How is the Terraform script different from the shell script in the Console flow?

  • The Terraform script uses vanta-scanner-{organizationId} as the project ID for the project Vanta creates on behalf of the customer to pull in resources.
  • When you click “Shut down” on a GCP project, the project is soft-deleted, and it can take up to 30 days for Google to shut it down completely. During that soft-delete period, the project ID of the soft-deleted project is not available for reuse. If you connect GCP using Terraform again within those 30 days, you may need to choose a different unique project ID. Once the project is fully shut down, you can reuse that project ID.
  • Terraform does not support conditionally creating or updating resources as easily as the shell script (Console flow). Instead of conditionally creating and updating the single custom role VantaOrganizationScanner with the permissions appropriate to the Console project-linking flow or the Console org-linking flow, the Terraform flow uses two separate role IDs: VantaOrganizationScanner for the Terraform project-linking flow and VantaExtensiveOrganizationScanner for the Terraform org-linking flow.

Please note:

  • If the project ID already exists for any reason, the Terraform script will fail. The following scenarios may require you to change the project ID in the Terraform script before you can run plan and apply:
    • You connected GCP to Vanta previously and already have a project with the above ID.
    • You connected GCP using Terraform and then disconnected, but did not clean up the resources.
    • You cleaned up the resources but reconnected quickly, so the project ID may still be soft-deleted (for up to 30 days) and not yet available for reuse.
  • Vanta does not currently officially support connecting projects from multiple different organizations.