At-a-Glance
What it does: Connects GCP with Drata to sync IAM users for Access Reviews and automate infrastructure monitoring/evidence collection.
Who it’s for: Security, compliance, and IT administrators managing GCP IAM and infrastructure.
Directionality: One-way (GCP → Drata). Drata only imports IAM users and infrastructure evidence.
Prerequisites & Data Access
Google Workspace account (user): Must be a Super Admin.
Used in Step 2 to grant domain-wide delegation so Drata can read MFA status.
GCP account (user running the script): Must have the following roles granted:
Organization Administrator
Organization Policy Administrator
Organization Role Administrator
Service Account Admin
Service Account Key Admin
Service Usage Admin
Scope decision: Organization vs. Project level
When running the script or Terraform, you’ll be asked whether the service account should connect at the organization level (recommended) or the project level.
Organization level: One setup covers all projects.
Project level: You’ll need to repeat the setup for each project.
Estimated setup time: ~30–45 minutes.
Permissions & Data Table
Permission / Scope | Why It’s Needed (and When) | Data Accessed (Read Only) |
--- | --- | --- |
Compute Engine API | Monitors SSH access, firewall rules, load balancers, VM usage (Step 1). | VM configs, firewall rules, load balancer data |
Cloud Resource Manager API | Reads IAM principals and org/project structure for Access Reviews (Step 1). | Org/project metadata, IAM principals |
Admin SDK API (Workspace) | Verifies MFA status of IAM users (Step 2; required for Test 88). | MFA status, user/group directory info |
Cloud SQL Admin API | Checks database encryption and backup settings (Step 1). Note: Enabled by the setup script by default. Only used if your org runs Cloud SQL. | DB configs, encryption/backup settings |
Cloud Monitoring API | Collects resource metrics (CPU, I/O, storage utilization, queue age) (Step 1). Note: Enabled by the setup script by default. Only used if Infrastructure monitoring is enabled in Drata. | Monitoring metrics |
Cloud Storage API | Ensures encryption and versioning for storage buckets (Step 1). | Storage configs, encryption, versioning |
Enable (GCP) Google Cloud Platform
Go to Drata’s Connections page. Then search for and select GCP.
Choose a connection type:
Access Review: Sync IAM users.
Infrastructure: Enable monitoring tests.
You can enable Access Review and/or Infrastructure later during the connection process in Drata as well.
Step 1: Connect your Google Cloud Platform (GCP)
You have two ways to connect your GCP. You can either connect using a script or connect manually. It is recommended to connect using a script.
Script (Recommended)
GCP native script instructions: https://github.com/drata/gcp-shell-drata-setup
Terraform script instructions: https://github.com/drata/gcp-terraform-drata-setup
Connect manually
Go to Manually connect GCP for step-by-step instructions.
Step 2: Provision domain wide delegation client in Google Workspace
Log in to your Google Admin console with an account that has Super Admin privileges, then go to "Security → Access and data control → API controls." Scroll to the bottom to reach Domain wide delegation.
In the Domain wide delegation section, click on Manage Domain Wide Delegation button.
Note: If you are using Google Workspace as your IdP and you have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:
Ensure this entry remains intact so as not to break your IdP connection.
Click on the Add new button.
Enter the numeric client ID (the unique ID, not the service account email address). If you used the script or Terraform, you can pull the client ID from the newly created "drata-key-file.json".
Leave the Overwrite existing client ID checkbox un-checked.
Copy and paste the Cloud Platform Scope into the OAuth scopes (comma-delimited) text field.
Cloud Platform Scope:
https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/cloud-identity.groups.readonly
For improved readability, the same scopes are listed without commas and separated by spaces:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.group.member.readonly
https://www.googleapis.com/auth/cloud-identity.groups.readonly
Once done, click on the AUTHORIZE button.
In Drata, upload the JSON key generated by the script (drata-key-file.json).
This step can be completed after establishing the connection in Drata. If you skip it, the MFA test for GCP (Test 88) will fail.
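To sanity-check the inputs Step 2 asks for, here is an added Python helper (not Drata's setup script or any part of this guide) that pulls the numeric client ID out of a key file like drata-key-file.json, builds the comma-delimited scope string for the OAuth scopes field, and diffs an existing delegation entry against the four required scopes. The key contents below are a constructed sample with placeholder values.

```python
import json
import re
import sys

# The four read-only Admin SDK / Cloud Identity scopes the page lists for the
# domain-wide delegation entry (Step 2); Drata reads MFA status through them.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/cloud-identity.groups.readonly",
)

# Constructed sample of a service-account key file (placeholder values only).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "drata-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

def client_id_from_key(key):
    """Return the numeric client ID the DWD form expects from a parsed key file.
    Rejects non-service-account keys and the common mistake of using client_email."""
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: type=%r" % key.get("type"))
    client_id = str(key.get("client_id", ""))
    if not re.fullmatch(r"\d+", client_id):
        raise ValueError("client_id is not numeric: %r" % client_id)
    return client_id

def scope_field(scopes=REQUIRED_SCOPES):
    """Format scopes for the 'OAuth scopes (comma-delimited)' field: no spaces."""
    return ",".join(scopes)

def missing_scopes(entered):
    """Return the REQUIRED_SCOPES absent from an existing DWD entry's scope string.
    Commas, spaces or newlines all count as separators; an empty result means the
    entry still carries everything the MFA check needs."""
    present = set(re.split(r"[,\s]+", entered.strip())) - {""}
    return [s for s in REQUIRED_SCOPES if s not in present]

if __name__ == "__main__":
    # Pass the path to drata-key-file.json, or run without arguments to use SAMPLE_KEY.
    key = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_KEY
    print("Client ID to enter:", client_id_from_key(key))
    print("OAuth scopes field:", scope_field())
```

Run `missing_scopes()` against the scope string shown for an existing entry before editing it; a non-empty result is the condition under which the MFA check stops working.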
Step 3: Finalizing the Connection & Scoping Projects
After running your scripts and setting up Google Workspace, return to Drata to upload your credentials and define exactly which GCP projects are monitored.
Initialize the Connection
Navigate to the Connections page in Drata.
Search for and select Google Cloud Platform (GCP).
Start the connection process.
A four-step wizard guides you through the entire connection process.
Step 1: Configure
Select your Workspace within Drata.
Toggle User Access Reviews (UAR) on or off.
Step 2: Connect
Enter/upload the JSON key file (drata-key-file.json) generated by your script (Step 2: Provision domain wide delegation client in Google Workspace).
Step 3: Scope
The Scope stage determines which GCP projects Drata will audit. You can choose to monitor your entire organization or pick and choose specific projects.
Selecting and Syncing Specific Projects
If you prefer not to monitor your entire organization, you can manually refine your project scope.
Choose Specific Projects > Add Projects to open the selection modal. The modal is designed to help you find and select projects quickly. It is divided into two primary sections:
The Selection Pane (Left Side): Choose between two views to find your projects:
List View: A flat, alphabetical list of all detected GCP projects. Use the search bar to quickly locate a project by its Name or Project ID.
Hierarchy View: Displays projects according to your GCP folder structure.
Expand/Collapse: Use the arrows to drill down into specific folders.
Bulk Selection: Selecting a folder automatically includes all current and future projects within that folder.
Individual Selection: You can select specific projects within a folder without including the entire group.
The Review Pane (Right Side): This acts as your "summary" or "shopping cart":
Selection Summary: View every project you have picked from the left side in one consolidated list.
Select the status for the selected projects:
In Scope: Drata will actively run all automated tests and collect evidence for these projects.
Out of Scope: Drata will ignore these projects. They will appear in your connection settings but will not impact your compliance scores.
Step 4: Confirm & Finalize
The final step is a summary of your entire setup.
Review the Connection Summary: Verify that the Service Account is active and that the count of In Scope projects matches your expectations.
Finish: Click Confirm to establish the final link. Drata will begin its initial sync and monitoring tests immediately.
Important Notes & Edge Cases
Drata never writes back to GCP. All access is read-only.
Service account JSON keys should be rotated regularly.
Domain-wide delegation is required for MFA checks (Test 88).
Removing Workspace scopes breaks MFA checks.
If MFA is not enabled for IAM users, Test 88 will fail.
Duplicate users may appear if connected across multiple projects.
Monitoring tests covered
Note: These tests are only relevant if you enabled Infrastructure monitoring.
Summary of Monitoring Tests Associated with Each Permission
Compute Engine API
Cloud Resource Manager API
Admin SDK API
Cloud SQL Admin API
Cloud Monitoring API (may also be called "Stackdriver Monitoring API")
Cloud Storage API (comes natively with the Project Viewer role)
Other
Drata runs an SSL cert check on https://console.cloud.google.com
A successful GCP connection satisfies this test
Test Name | GCP Resource(s) |
--- | --- |
Test 4: SSL/TLS on Admin Page of Infrastructure Console | GCP Admin Console (console.cloud.google.com) |
Test 30: Availability Zones Used | Cloud SQL Instances |
Test 68: Customer Data is Encrypted at Rest | Cloud SQL Instances |
Test 69: Customer Data in Cloud Storage is Encrypted at Rest | Cloud Storage Buckets |
Test 88: MFA on Infrastructure Console | Google Workspace Users (via Admin SDK) |
Test 95: Infrastructure Accounts Properly Removed | IAM Principals (Cloud Resource Manager) |
Test 98: Employees Have Unique Infrastructure Accounts | IAM Principals (Cloud Resource Manager) |
Test 102: Public SSH Denied | Compute Engine Firewall Rules |
Test 104: Cloud Data Storage Exposure | Cloud Storage Buckets |
Test 107: Daily Database Backups | Cloud SQL Instances |
Test 108: Storage Data Versioned or Retained | Cloud Storage Buckets |
Test 112: Database CPU Monitored | Cloud Monitoring Metrics (Cloud SQL) |
Test 118: Infrastructure Instance CPU Monitored | Cloud Monitoring Metrics (Compute Engine) |
Test 119: Firewall Default Disallows Traffic | Compute Engine Firewall Rules |
Test 122: Web Application Firewall in Place | Load Balancers / Security Policies (WAF-equivalent) |
Test 123: Cloud Infrastructure Linked to Drata | Drata ↔ GCP Integration |
Test 130: Load Balancer Used | Compute Engine Load Balancers |