Overview
This guide walks you through how to identify and add missing GCP permissions when Drata tests enter an error state or new services are enabled. You'll locate the IAM role connected to Drata and update it using best practices.
Drata uses a default read-only permission set designed to support the most common monitoring and evidence collection use cases. While this set is broad enough for most setups, you may need to expand it as your environment evolves.
Prerequisites
Before you begin, confirm you have the following:
An existing GCP integration with Drata
You must already have GCP connected to Drata. To learn how to set up the integration, refer to the GCP connection setup guide.
Permission to manage the following in GCP:
IAM roles and policy bindings
Service accounts
Name or email of the Drata service account
Current scope of the role (project or organization)
The specific missing permissions identified by Drata
These are provided in Drata error messages or test instructions.
Don’t have GCP access?
If you don’t have direct access to GCP or your organization uses Infrastructure as Code (IaC) to manage GCP, you’ll need to submit a request to your infrastructure or DevOps team.
When creating a ticket or request, include the following:
Drata service account email
GCP project ID or organization ID
The exact GCP permissions to be added
Source of the request (e.g., erroring test)
Current scope of the integration (project or organization)
Your team can apply changes using the Google Cloud Console, Terraform, or other supported tools.
Steps
Step 1: Identify the missing permissions
To find out which permissions are missing:
In Drata, go to the Monitoring page and locate the relevant test.
You can filter tests by an Error or Failed state to narrow the results.
Open the test and review the Latest result section in the Overview tab or go to the Findings tab to view the affected resources and the raw JSON output.
Make a note of the specific GCP permissions named in the result (e.g., compute.instances.list).
Note: To view the test instructions, select the test from the Monitoring page, then in the Overview tab, go to the Details section and select View instructions. A modal opens with specific guidance on the permissions required to pass the test.
Step 2: Determine whether the scope needs to change (optional)
Most updates can be made at the current scope. You only need to expand scope if:
You're adding additional projects
A test requires organization-level access
You want to manage access centrally
To expand the scope:
In GCP, locate the custom IAM role assigned to the Drata service account.
Reassign the role at the organization or folder level.
Confirm the broader assignment is active before removing narrower ones.
You can also create a new integration in Drata using a different scope, if preferred.
Step 3: Locate the Drata service account
You need to locate the service account used by the Drata integration so you can confirm:
Which custom IAM role is assigned
Where that role is applied (project or organization)
That you are updating the correct identity
To locate the service account:
Sign in to the Google Cloud Console.
Navigate to IAM & Admin.
Navigate to Service Accounts.
Locate the service account used for the Drata integration.
You will use this service account in the next steps to verify role assignments and apply updates.
Step 4: Update the custom IAM role
Go to IAM & Admin > Roles, with the project or organization in which the custom role was created selected.
Find the custom role used by Drata.
Confirm that the role is assigned to the Drata service account.
Edit the role and add the required permission(s).
Save the role.
The updates take effect wherever the role is already assigned.
Step 5: Confirm the update
Verify the updated permissions appear under the IAM role
Confirm the service account has the role at the correct scope
Confirm no organization policies are blocking the required access
Step 6: Confirm required APIs are enabled (if applicable)
Some Drata tests depend on specific GCP APIs.
Go to APIs & Services > Enabled APIs & services.
Confirm required APIs are enabled for the connected project.
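The console steps above as a gcloud script (an added example, not Drata's own tooling): it diffs the permissions named in a Drata error against what the custom role currently grants, adds only the missing ones, then checks the project-level binding and that the backing API is enabled. The project ID, role ID, service-account address and the sample permission list are placeholders or constructed values; for an organization-scoped role, run the same commands with the organization instead of the project.

```shell
# Added example; not from the Drata article or Drata's own tooling. Assumes gcloud
# is installed and authenticated; PROJECT_ID, ROLE_ID and SA_EMAIL are placeholders.
set -eu
PROJECT_ID="${PROJECT_ID:-my-project-id}"                              # placeholder
ROLE_ID="${ROLE_ID:-DrataReadOnly}"                                    # placeholder
SA_EMAIL="${SA_EMAIL:-drata@my-project-id.iam.gserviceaccount.com}"    # placeholder

# Step 1: permissions copied from the Drata error message (constructed sample).
REQUIRED_PERMISSIONS="compute.instances.list
storage.buckets.get
cloudsql.instances.list"

# Print the lines of $1 that do not occur in $2 (both newline-separated lists).
missing_permissions() {
  tmp=$(mktemp)
  printf '%s\n' "$2" > "$tmp"
  printf '%s\n' "$1" | grep -Fxvf "$tmp" || true   # grep -v exits 1 when nothing is missing
  rm -f "$tmp"
}

# Step 4: the permissions the custom role grants today, one per line.
current_role_permissions() {
  gcloud iam roles describe "$ROLE_ID" --project "$PROJECT_ID" \
    --format='value(includedPermissions)' | tr ';' '\n'
}

# Step 4: add only the missing permissions, so re-running is harmless.
add_missing_permissions() {
  missing=$(missing_permissions "$REQUIRED_PERMISSIONS" "$(current_role_permissions)")
  [ -n "$missing" ] || { echo "role already grants every required permission"; return 0; }
  gcloud iam roles update "$ROLE_ID" --project "$PROJECT_ID" \
    --add-permissions "$(printf '%s\n' "$missing" | paste -s -d , -)"
}

# Step 5: confirm the service account holds the custom role at project scope.
confirm_binding() {
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
    --filter="bindings.members='serviceAccount:${SA_EMAIL}' AND bindings.role='projects/${PROJECT_ID}/roles/${ROLE_ID}'" \
    --format='value(bindings.role)'
}

# Step 6: confirm the API behind a permission is enabled ($1 = service name).
confirm_api_enabled() {
  gcloud services list --enabled --project "$PROJECT_ID" \
    --filter="config.name=$1" --format='value(config.name)'
}

# Only touch GCP when run with --apply, so the file is safe to source or test.
if [ "${1:-}" = "--apply" ]; then
  add_missing_permissions; confirm_binding; confirm_api_enabled compute.googleapis.com
fi
```

An empty result from confirm_binding or confirm_api_enabled means the binding or API is absent at that scope, which is the gap to report back to the team that owns the project.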
Verification
After updating permissions:
Return to Drata.
Go to the affected test or integration status view.
Re-run the test.
If the permissions were added correctly, the test should now execute successfully.
Next Steps
Check other erroring tests for additional permission gaps.
Add new permissions as needed for expanded service coverage.
For background on how Drata uses permissions, review the Understanding GCP Permissions and the Drata Integration article.
