
GCP Integration Guide (Script Setup)

Use Drata’s automated script to connect GCP for access reviews and infrastructure monitoring.

Updated this week

At-a-Glance

  • What it does: Connects GCP with Drata to sync IAM users for Access Reviews and automate infrastructure monitoring/evidence collection.

  • Who it’s for: Security, compliance, and IT administrators managing GCP IAM and infrastructure.

  • Directionality: One-way (GCP → Drata). Drata only imports IAM users and infrastructure evidence.

Prerequisites & Data Access

  1. Google Workspace account (user): Must be a Super Admin.

    • Used in Step 2 to grant domain-wide delegation so Drata can read MFA status.

  2. GCP account (user running the script): Must have the following roles granted

    • Organization Administrator

    • Organization Policy Administrator

    • Organization Role Administrator

    • Service Account Admin

    • Service Account Key Admin

    • Service Usage Admin

  3. Scope decision: Organization vs. Project level

    • When running the script or Terraform, you’ll be asked whether the service account should connect at the organization level (recommended) or the project level.

      • Organization level: One setup covers all projects.

      • Project level: You’ll need to repeat the setup for each project.

  4. Estimated setup time: ~30–45 minutes.
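Before running the script, it is worth confirming offline that the account you intend to use actually holds the six roles listed above. The following is an added example, not part of the Drata guide or its script: it reads a saved copy of the organization IAM policy (the constructed sample below is in the shape of `gcloud organizations get-iam-policy ORG_ID --format=json` output) and reports which of the listed roles the principal is missing. The mapping from the guide's display names to IAM role IDs is supplied here, not by the page; the principal and group names are assumptions.

```python
"""Pre-flight check for the GCP account that will run the Drata setup script:
does it hold the six roles the guide lists at the organization level?"""
import json

# Display names from the guide mapped to their standard IAM role IDs
# (mapping added here, not taken from the guide).
REQUIRED_ROLES = {
    "Organization Administrator": "roles/resourcemanager.organizationAdmin",
    "Organization Policy Administrator": "roles/orgpolicy.policyAdmin",
    "Organization Role Administrator": "roles/iam.organizationRoleAdmin",
    "Service Account Admin": "roles/iam.serviceAccountAdmin",
    "Service Account Key Admin": "roles/iam.serviceAccountKeyAdmin",
    "Service Usage Admin": "roles/serviceusage.serviceUsageAdmin",
}

# Constructed sample in the shape of
# `gcloud organizations get-iam-policy ORG_ID --format=json` output.
# Principals are hypothetical.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com", "group:cloud-admins@example.com"]},
        {"role": "roles/orgpolicy.policyAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/iam.organizationRoleAdmin", "members": ["user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin", "members": ["group:cloud-admins@example.com"]},
        {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["user:bob@example.com"]},
        {"role": "roles/serviceusage.serviceUsageAdmin", "members": ["user:alice@example.com"]},
    ],
})


def roles_for_principal(policy_json, principal, groups=()):
    """Return the role IDs bound to the principal directly or via any listed group.

    `principal` and `groups` use IAM member syntax, e.g. "user:alice@example.com"
    and "group:cloud-admins@example.com". Conditional bindings are skipped
    because their effect cannot be evaluated offline.
    """
    policy = json.loads(policy_json)
    wanted = {principal, *groups}
    held = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if wanted & set(binding.get("members", [])):
            held.add(binding["role"])
    return held


def missing_roles(policy_json, principal, groups=()):
    """Display names (as written in the guide) of required roles the principal lacks."""
    held = roles_for_principal(policy_json, principal, groups)
    return sorted(name for name, role_id in REQUIRED_ROLES.items() if role_id not in held)


if __name__ == "__main__":
    # Save the real policy with
    #   gcloud organizations get-iam-policy ORG_ID --format=json > org-policy.json
    # and pass its contents instead of SAMPLE_POLICY.
    for name in missing_roles(SAMPLE_POLICY, "user:alice@example.com"):
        print("missing:", name)
```

Pass the principal's group memberships explicitly; the policy lists groups as members but says nothing about who belongs to them, so roles granted only through a group are invisible unless you name the group.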

Permissions & Data Table

Each entry lists the permission or scope, why it is needed (and when), and the data accessed (read only).

  • Compute Engine API

    • Why it’s needed: Monitors SSH access, firewall rules, load balancers, VM usage (Step 1).

    • Data accessed (read only): VM configs, firewall rules, load balancer data

  • Cloud Resource Manager API

    • Why it’s needed: Reads IAM principals and org/project structure for Access Reviews (Step 1).

    • Data accessed (read only): Org/project metadata, IAM principals

  • Admin SDK API (Workspace)

    • Why it’s needed: Verifies MFA status of IAM users (Step 2; required for Test 88).

    • Data accessed (read only): MFA status, user/group directory info

  • Cloud SQL Admin API

    • Why it’s needed: Checks database encryption and backup settings (Step 1).

    • Note: Enabled by the setup script by default. Only used if your org runs Cloud SQL.

    • Data accessed (read only): DB configs, encryption/backup settings

  • Cloud Monitoring API

    • Why it’s needed: Collects resource metrics (CPU, I/O, storage utilization, queue age) (Step 1).

    • Note: Enabled by the setup script by default. Only used if Infrastructure monitoring is enabled in Drata.

    • Data accessed (read only): Monitoring metrics

  • Cloud Storage API

    • Why it’s needed: Ensures encryption and versioning for storage buckets (Step 1).

    • Data accessed (read only): Storage configs, encryption, versioning

Enable (GCP) Google Cloud Platform

  1. Go to Drata’s Connections page. Then, search for and select GCP.

  2. Choose a connection type:

    • Access Review: Sync IAM users.

    • Infrastructure: Enable monitoring tests.

    • You can enable Access Review and/or Infrastructure later during the connection process in Drata as well.

Step 1: Connect your Google Cloud Platform (GCP)

You have two ways to connect your GCP: using a script or connecting manually. Connecting with the script is recommended.

  1. Script (Recommended)

  2. Connect manually

Step 2: Provision domain wide delegation client in Google Workspace

  1. Log in to your Google Admin console with an account that has Super Admin privileges, then go to Security → Access and data control → API controls. Scroll to the bottom to reach Domain wide delegation.

  2. In the Domain wide delegation section, click on Manage Domain Wide Delegation button.

    • Note: If you are using Google Workspace as your IdP and you have already connected it to Drata, you will see another entry in the Domain Wide Delegation list. Its OAuth scope will be:

      • https://www.googleapis.com/auth/admin.directory.user.readonly

    • Ensure this entry remains intact so as not to break your IdP connection.

  3. Click on the Add new button.

    • Enter the numeric client ID (the unique ID, not the service account email address).

      • If you used the script or Terraform, you can pull the client ID from the newly created "drata-key-file.json".

    • Leave the Overwrite existing client ID checkbox unchecked.

    • Copy and paste the Cloud Platform Scope into the OAuth scopes (comma-delimited) text field.

      • Cloud Platform Scope:

        https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/cloud-identity.groups.readonly
      • For improved readability, the same scopes are listed without commas and separated by spaces:

        https://www.googleapis.com/auth/admin.directory.user.readonly
        https://www.googleapis.com/auth/admin.directory.group.readonly
        https://www.googleapis.com/auth/admin.directory.group.member.readonly
        https://www.googleapis.com/auth/cloud-identity.groups.readonly
  4. Once done, click on the AUTHORIZE button.

This step can be completed after establishing the connection in Drata. If you fail to do it, the MFA test for GCP will fail.

Step 3: Upload JSON key

In Drata, upload the JSON key generated by the script (drata-key-file.json).
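Two places in Steps 2 and 3 are easy to get wrong by hand: pasting the service account email instead of the numeric client ID, and pasting an incomplete or over-broad scope list into the delegation form. The following is an added example, not part of the Drata guide or its script: it pulls the numeric client ID out of a key file in the standard service-account key format (the sample below is constructed, with a redacted private key) and checks a scope string against the four read-only scopes the guide lists. The file name `drata-key-file.json` is the guide's; the project and email values are assumptions.

```python
"""Helpers for Steps 2 and 3: extract the numeric client ID from
drata-key-file.json and sanity-check the OAuth scope list before pasting it
into the Domain-wide delegation form."""
import json
import re

# The four scopes the guide lists for Domain-wide delegation, comma-delimited
# exactly as the Admin console expects them.
CLOUD_PLATFORM_SCOPES = (
    "https://www.googleapis.com/auth/admin.directory.user.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.readonly,"
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly,"
    "https://www.googleapis.com/auth/cloud-identity.groups.readonly"
)

# Constructed sample of a service-account key file (not a real key; values
# are placeholders in the standard key-file layout).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
    "client_email": "drata-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def client_id_from_key_file(key_json):
    """Return the numeric client ID the delegation form asks for.

    Rejects anything that is not a service-account key, or whose client_id is
    not purely numeric, so the client_email cannot be pasted by mistake.
    """
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    client_id = str(key.get("client_id", ""))
    if not client_id.isdigit():
        raise ValueError("client_id is not numeric: %r" % client_id)
    return client_id


def parse_scopes(scope_field):
    """Split a scope list on commas and/or whitespace, so both the
    comma-delimited and the space-separated forms in the guide parse alike."""
    return [s for s in re.split(r"[,\s]+", scope_field) if s]


def check_scopes(scope_field):
    """Compare what will be pasted into the form against the required set.

    Reports missing and unexpected scopes, plus any scope that does not end in
    '.readonly' (the guide states all of Drata's access is read only).
    """
    required = set(parse_scopes(CLOUD_PLATFORM_SCOPES))
    given = set(parse_scopes(scope_field))
    return {
        "missing": sorted(required - given),
        "unexpected": sorted(given - required),
        "non_readonly": sorted(s for s in given if not s.endswith(".readonly")),
        "ok": given == required,
    }


if __name__ == "__main__":
    # With a real file: open("drata-key-file.json").read() in place of SAMPLE_KEY_FILE.
    print("Client ID for the delegation form:", client_id_from_key_file(SAMPLE_KEY_FILE))
    print("Scope check:", check_scopes(CLOUD_PLATFORM_SCOPES))
```

Keep the key file itself out of version control and chat; only the `client_id` value is needed in the Admin console, and the file is uploaded once to Drata in Step 3.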

Important Notes & Edge Cases

  • Drata never writes back to GCP. All access is read-only.

  • Service account JSON keys should be rotated regularly.

  • Domain-wide delegation is required for MFA checks (Test 88).

  • Removing Workspace scopes breaks MFA checks.

  • If MFA is not enabled for IAM users, Test 88 will fail.

  • Duplicate users may appear if connected across multiple projects.

Monitoring tests covered

Note: These tests are only relevant if you enabled Infrastructure on the connection drawer.

  • Test 4: SSL/TLS on Admin Page of Infrastructure Console

  • Test 30: Availability Zones Used

  • Test 68: Customer Data is Encrypted at Rest

  • Test 69: Customer Data in Cloud Storage is Encrypted at Rest

  • Test 88: MFA on Infrastructure Console

  • Test 95: Infrastructure Accounts Properly Removed

  • Test 98: Employees have Unique Infrastructure Accounts

  • Test 102: Public SSH Denied

  • Test 104: Cloud Data Storage Exposure

  • Test 107: Daily Database Backups

  • Test 108: Storage Data Versioned or Retained

  • Test 112: Database CPU Monitored

  • Test 118: Infrastructure Instance CPU Monitored

  • Test 119: Firewall Default Disallows Traffic

  • Test 122: Web Application Firewall in Place

  • Test 123: Cloud Infrastructure Linked to Drata

  • Test 130: Load Balancer Used

Summary of Monitor Tests Associated per each Permission
