GCP Integration

Connect Sprinto with Google Cloud Platform (GCP) to automate infrastructure monitoring and compliance checks using Workload Identity Federation or legacy JSON key-based authentication.

Sprinto integrates with Google Cloud Platform (GCP) to automatically monitor your cloud infrastructure for security and compliance requirements.

When connected, Sprinto:

  • Reads your GCP resources to evaluate compliance controls.

  • Tracks configuration changes across projects.

  • Flags non-compliant settings and misconfigurations.

  • Allows selective monitoring of specific projects.

Note

If your organisation has inherited users in GCP assigned via groups, please contact your Customer Success Manager (CSM) or email [email protected] to enable this feature for your account.

Once the feature is enabled, you must grant Group Reader permissions to the Sprinto service account in Google Admin:

  1. Navigate to Account → Admin roles → Group reader.

  2. Open Admins → Assign service accounts.

  3. Enter the client_email of the Sprinto service account.

  4. Click Add.

  5. Assign the role.

  6. Refresh Sprinto CAS users.

This permission allows Sprinto to fetch users inherited via GCP groups.

GCP API Resources

Cloud Asset API

Compute Engine API

Cloud Pub/Sub API

Cloud Logging API

Identity and Access Management (IAM) API

Service Usage API

Cloud Spanner API

BigQuery API

Cloud Bigtable API

Firebase Management API

Cloud Datastore API

Cloud Firestore API

Cloud SQL Admin API

Cloud Storage API

Container Registry API

Google Cloud APIs

Kubernetes Engine API

Service Management API

Stackdriver API

Important: New & Improved GCP Integration (Workload Identity Federation December 6, 2024)

We have introduced a new and more secure authentication method for integrating GCP using Workload Identity Federation (WIF).

What’s new?

  • No long-lived JSON service account keys.

  • Secure token-based authentication.

  • Reduced operational overhead (no 90-day key rotation required).

  • Improved security posture aligned with Google best practices.

We recommend using the new Cloud Shell (WIF) method unless you are an existing customer using the legacy JSON key-based setup.

Connect GCP Using Workload Identity Federation (New Flow)

This connection method securely links your GCP account with Sprinto without requiring a JSON key upload. It leverages Workload Identity Federation (WIF) to grant Sprinto temporary, read-only access for monitoring and compliance checks.

Even in this new flow, you begin by choosing one of the two familiar integration options:

  • Option 1: Google Cloud Shell (Recommended)

  • Option 2: Set up Service Account manually

After you choose either method, Sprinto automatically uses WIF to complete the secure connection.

Prerequisites

  • Production project IDs

  • Project number

  • Review the permissions required for this integration (listed in the two sections below).

Before running the GCP setup script, ensure the required IAM permissions and roles are assigned.

Required IAM Permissions (for setup script)

The following permissions are required to successfully execute the setup script (the GCP role that includes each permission is given in brackets):

  • iam.workloadIdentityPools.create / iam.workloadIdentityPools.update (IAM Workload Identity Pool Admin)

  • iam.serviceAccounts.create (Service Account Admin)

  • resourcemanager.projects.setIamPolicy (Project IAM Admin)

  • iam.serviceAccounts.setIamPolicy (Service Account Admin)

  • serviceusage.services.enable (Service Usage Admin)

  • resourcemanager.organizations.setIamPolicy (Organisation Admin; only if Cloud Asset Viewer needs to be assigned at organisation level)

These permissions are required only for initial configuration and role assignment.


Required GCP Predefined Roles (Post-Setup Access)

Sprinto requires the following predefined roles on the configured project(s):

  • roles/monitoring.editor (write access): allows Sprinto to create and manage Cloud Monitoring policies.

  • roles/compute.viewer (read-only): allows Sprinto to read compute resource configuration.

  • roles/iam.securityReviewer (read-only): allows Sprinto to review IAM policies and security posture.

Access clarification:

  • roles/monitoring.editor provides write access, which is required to create Cloud Monitoring policies from Sprinto.

  • All other roles grant read-only access and are used strictly for visibility and compliance checks.

  • These roles are required by Sprinto when integrating with GCP.


Method 1: Google Cloud Shell (Recommended)

This is the fastest and most secure method.

Step 1: Navigate to GCP Integration

  1. Log in to the Sprinto dashboard.

  2. Go to Settings → Integrations.

  3. In the All tab, search for GCP.

  4. Click Connect.

You will see:

  • Controls automated

  • Checks automated

  • Required permissions (Security Reviewer)

  • Data accessed by Sprinto

Click Next.


Step 2: Add GCP Project IDs

  1. Enter your production Project ID(s).

  2. Press Enter to add multiple projects.

  3. Select the Use Google Cloud Shell (Recommended) check box.

  4. Click Continue.


Step 3: Add Project Details

Enter:

  • Project ID

  • Project Number

A single service account created under this project can connect all listed projects.


Step 4: Run the Bash Script in Cloud Shell

  1. Copy the provided bash script.

  2. Open Google Cloud Shell in your GCP Console.

  3. Paste and run the script.

The script will:

  • Create a service account.

  • Assign required roles.

  • Create Workload Identity Pool and Provider.

  • Configure impersonation access.

  • Enable required APIs.

Wait 1–2 minutes for provisioning.


Step 5: Complete Integration

Return to Sprinto and click Connect.

Your GCP integration is now active.

Note

You can optionally adjust API permissions before running the script. Copy the bash code again if you make any changes.


Method 2: Set Up Service Account Manually (WIF Based)

Use this method if you prefer manual configuration.

Step A: Add GCP Project in Sprinto

  1. Enter your production Project ID(s).

  2. Press Enter to add multiple projects.

  3. Select the Set up service account manually check box.

  4. Click Continue.

  5. Enter:

    • Project ID

    • Project Number


Step B: Create a Service Account in GCP

  1. Log in to GCP Console.

  2. Navigate to IAM & Admin → Service Accounts.

  3. Select your production project.

  4. Click Create service account.

Enter:

  • Service Account Name: sprinto-serviceaccount

  • Description (optional): Sprinto uses this to monitor production resources.

Click Create and continue.

Grant Roles

Assign the following roles:

  • Security Reviewer

  • Compute Viewer

  • Monitoring Editor

Click Continue.

Skip “Grant users access to this service account” and click Done.


Step C: Create Workload Identity Pool and Provider

  1. Navigate to IAM & Admin → Workload Identity Federation.

  2. Select the same project.

  3. Click Create Pool.

Pool Details

  • Pool Name: sprinto-wif-pool

  • Pool ID: Auto-generated

  • Description: Sprinto GCP Identity Pool

Click Continue.


Create Provider

  • Provider Type: OpenID Connect (OIDC)

  • Provider Name: sprinto-wif-pool-provider

  • Provider ID: Auto-generated

  • Issuer URL: As shown in Sprinto UI

  • Audience Type: Allowed Audience

  • Audience: As shown in Sprinto UI

Click Continue.



Configure Attributes

Add the following attribute mappings (attribute key → attribute value):

  • google.subject → assertion.sub

  • attribute.username → assertion.preferred_username

Click Save.


Grant Access Using Service Account Impersonation

  1. Click Grant Access.

  2. Select Grant access using Service Account impersonation.

  3. Choose the previously created service account.

  4. Add the Subject (value shown in Sprinto UI).

  5. Click Save.

  6. Dismiss the “Configure your application” popup.

  7. Wait 1 minute.


Step D: Enable Required APIs

For each production project:

  • Enable the APIs listed in Sprinto.

  • If you do not use a service, you may ignore its API.

Click Connect in Sprinto to complete the setup.

Note

This replaces the previous JSON upload step. Once complete, return to Sprinto and click Connect to finalise the setup.

Result

Once integrated:

  • Sprinto securely connects to GCP using Workload Identity Federation.

  • You no longer need to upload or rotate JSON key files.

  • All data retrieval happens using short-lived, federated credentials for enhanced security.


Connect GCP Using Previous Methods

(For Customers Onboarded Before December 6, 2024)

These methods are for customers who integrated before the WIF upgrade.

We strongly recommend migrating to the new WIF-based method.


Legacy Method 1: Cloud Shell (JSON Key-Based)

Step 1: Run Bash Script in Cloud Shell

  1. Log in to the Sprinto dashboard.

  2. Go to Settings → Integrations.

  3. In the All tab, search for GCP.

  4. Click Connect.

  5. Review the permissions and data used by Sprinto.

  6. Click Next.

  7. Enter the Project ID.

  8. Select the Use Google Cloud Shell check box.

  9. Click Continue.

  10. Copy the provided script.

  11. Run it in Google Cloud Shell.

  12. The script creates:

    • Service account

    • Security Reviewer role assignment

    • Required APIs


Step 2: Download JSON Key

When prompted:

  • Download the generated JSON private key file.


Step 3: Upload Key in Sprinto

  1. Upload the JSON file in Sprinto.

  2. The Connect button becomes active.

  3. Click Connect.

Important

Rotate this key every 90 days.


Legacy Method 2: Manual (JSON Key-Based)

Step 1: Create Service Account

  1. Log in to the Sprinto dashboard.

  2. Go to Settings → Integrations.

  3. In the All tab, search for GCP.

  4. Click Connect.

  5. Review the permissions and data used by Sprinto.

  6. Click Next.

  7. Enter the Project ID.

  8. Select the Set up service account manually check box.

  9. Click Continue.

  10. Log in to GCP.

  11. Navigate to IAM & Admin → Service Accounts.

  12. Click Create service account.

  13. Assign roles:

    • Security Reviewer

    • Compute Viewer

    • Monitoring Editor

  14. Click Done.


Step 2: Create Access Keys

  1. Open the newly created service account.

  2. Click Actions → Manage Keys.

  3. Click Add Key → Create new key.

  4. Select JSON.

  5. Click Create.

  6. Download the key file.


Step 3: Enable Required APIs

Enable the required APIs in each production project.


Step 4: Upload JSON Key in Sprinto

  1. Upload the downloaded JSON key file.

  2. Click Connect.

Important

Rotate this JSON key every 90 days.

Post-Connection Flow

Once connected:

  • Sprinto begins scanning configured projects.

  • Controls and checks are automatically mapped.

  • Non-compliant findings appear in your compliance dashboard.

  • You can scope projects under Monitoring settings.


Comparison: New vs Old GCP Integration Flows

  • Availability

    • New flow (WIF): for customers onboarded on or after Dec 6 2024

    • Old flow (JSON key): for customers onboarded before Dec 6 2024

  • Authentication type

    • New flow: Workload Identity Federation (WIF)

    • Old flow: service account key (JSON file)

  • JSON file required

    • New flow: No

    • Old flow: Yes

  • Setup options

    • New flow: Cloud Shell or manual service account → WIF auto-setup

    • Old flow: Cloud Shell or manual service account → upload JSON

  • Key rotation needed

    • New flow: No

    • Old flow: Yes

  • Security level

    • New flow: High (uses short-lived federated tokens)

    • Old flow: Moderate (depends on static key management)

  • Recommended by Google

    • New flow: Yes

    • Old flow: Deprecated for new projects

  • Integration speed

    • New flow: Fast (1–2 minutes setup)

    • Old flow: Moderate (manual upload step required)

Troubleshooting

If your GCP integration fails or does not reflect data correctly, review the following checks.

1. “Permission Denied” or Insufficient Access Errors

Possible causes:

  • Required IAM roles were not assigned.

  • Service account impersonation was not configured correctly (WIF method).

  • APIs were not enabled in all production projects.

Resolution:

For WIF-based setup:

  • Verify the service account has:

    • Security Reviewer

    • Compute Viewer

    • Monitoring Editor

  • Confirm:

    • Workload Identity Pool exists.

    • Provider is configured correctly.

    • Service account impersonation is granted.

    • Subject value matches the one shown in Sprinto.

For JSON key-based setup:

  • Ensure the correct service account key was uploaded.

  • Confirm the key belongs to the intended project.

  • Re-upload the key if necessary.


2. APIs Not Enabled Error

Sprinto requires specific APIs to read infrastructure data.

Resolution:

  • Navigate to APIs & Services → Enabled APIs & Services in GCP.

  • Enable all required APIs listed in Sprinto.

  • Repeat this for each production project.

  • Note: GCP does not support bulk enabling across projects.


3. “Connect” Button Not Activating (Legacy JSON Method)

Possible causes:

  • Incorrect file format.

  • Corrupted or expired JSON key.

  • Key does not belong to the created service account.

Resolution:

  • Ensure the file format is .json.

  • Generate a new key in: IAM & Admin → Service Accounts → Manage Keys.

  • Upload the newly generated key.

  • Confirm the key is active and not revoked.


4. No Data Appearing After Successful Connection

Possible causes:

  • Incorrect project ID entered.

  • Monitoring scope not configured.

  • Delay in initial sync.

Resolution:

  • Verify all production project IDs were added.

  • Check Monitoring settings in Sprinto.

  • Wait 5–10 minutes for initial ingestion.

  • Refresh the dashboard.


5. Workload Identity Federation Errors (New Method)

If you see impersonation or token exchange failures:

  • Confirm:

    • Pool and Provider IDs match Sprinto configuration.

    • Issuer URL is correct.

    • Audience value matches exactly.

    • Attribute mappings are configured correctly.

  • Ensure the correct Subject was added during impersonation.

  • Wait 1–2 minutes after configuration before clicking Connect.
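The checks in this list, and the provider, attribute-mapping and impersonation settings from Step C, are the ones the token exchange itself performs. The following added example (not Sprinto's or Google's code) simulates them locally: it applies the Step C attribute mapping to a token's claims, derives the principal that the impersonation binding must name, and reports which of the issuer, audience, mapping or subject checks would fail. The issuer URL, audience, project number, pool ID and subject are constructed placeholders for the values shown in the Sprinto UI.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:  # OIDC provider settings as entered in Step C
    issuer_url: str
    allowed_audiences: list
    attribute_mapping: dict = field(default_factory=lambda: {
        "google.subject": "assertion.sub",
        "attribute.username": "assertion.preferred_username",
    })

def map_attributes(provider, claims):
    """Resolve each 'assertion.<claim>' mapping against the token's claims."""
    mapped = {}
    for key, expr in provider.attribute_mapping.items():
        prefix, _, claim = expr.partition(".")
        if prefix != "assertion" or claim not in claims:
            raise ValueError(f"mapping {key}={expr} cannot be resolved from the token")
        mapped[key] = claims[claim]
    return mapped

def principal_for(project_number, pool_id, subject):
    """Principal that the impersonation binding on the service account must name."""
    return (f"principal://iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool_id}/subject/{subject}")

def check_exchange(provider, claims, project_number, pool_id, granted_principals):
    """Return the list of failures; an empty list means the exchange would succeed.
    Signature verification of the token against the issuer's JWKS is out of scope."""
    failures = []
    if claims.get("iss") != provider.issuer_url:
        failures.append("issuer mismatch")
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if not any(a in provider.allowed_audiences for a in token_auds):
        failures.append("audience mismatch")  # exact string match: no prefix or wildcard
    try:
        subject = map_attributes(provider, claims)["google.subject"]
    except ValueError as exc:
        return failures + [str(exc)]
    if principal_for(project_number, pool_id, subject) not in granted_principals:
        failures.append(f"no impersonation binding for subject {subject}")
    return failures

# Constructed placeholders standing in for the values shown in the Sprinto UI.
PROJECT_NUMBER, POOL_ID = "123456789012", "sprinto-wif-pool"
PROVIDER = Provider("https://issuer.example.invalid", ["sprinto-audience-example"])
GRANTED = {principal_for(PROJECT_NUMBER, POOL_ID, "sprinto-subject-example")}
GOOD_TOKEN = {"iss": PROVIDER.issuer_url, "aud": "sprinto-audience-example", "sub": "sprinto-subject-example", "preferred_username": "sprinto"}
```

Each failure string maps onto one item of the checklist above; a trailing slash or different casing in the audience field, for example, shows up as "audience mismatch".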


6. JSON Key Expired (Legacy Method)

JSON service account keys must be rotated every 90 days.

Resolution:

  1. Generate a new key.

  2. Upload it in Sprinto.

  3. Delete the old key from GCP for security.

We recommend migrating to the WIF-based method to avoid key rotation management.
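To make the 90-day rotation required by both legacy methods auditable, here is an added example (not Sprinto's or Google's code) that reads the JSON output of `gcloud iam service-accounts keys list --iam-account <email> --format=json`, reports user-managed keys older than 90 days, and prints the delete command for the superseded key once the new one is uploaded. The service account e-mail, project name, key IDs and the sample listing are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # rotation window required by the legacy JSON-key method

# Constructed sample in the shape of
# `gcloud iam service-accounts keys list --iam-account <email> --format=json`.
SA_EMAIL = "sprinto-serviceaccount@example-project.iam.gserviceaccount.com"  # placeholder
KEY_PREFIX = f"projects/example-project/serviceAccounts/{SA_EMAIL}/keys/"
SAMPLE_KEYS_JSON = json.dumps([
    {"name": KEY_PREFIX + "keyid-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "keyid-new", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-01T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "keyid-google", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-04-20T00:00:00Z", "validBeforeTime": "2024-06-20T00:00:00Z"},
])
SAMPLE_NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_gcloud_time(value):
    """gcloud prints RFC 3339 timestamps with a trailing Z (UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def keys_due_for_rotation(keys_json, now, max_age=MAX_KEY_AGE):
    """Return IDs of user-managed keys created more than max_age before `now`.
    SYSTEM_MANAGED keys are rotated by Google and are skipped."""
    due = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        if now - parse_gcloud_time(key["validAfterTime"]) > max_age:
            due.append(key["name"].rsplit("/", 1)[-1])
    return due

def delete_command(iam_account, key_id):
    """gcloud command to remove a superseded key once the new one is uploaded to Sprinto."""
    return f"gcloud iam service-accounts keys delete {key_id} --iam-account={iam_account}"

if __name__ == "__main__":
    for key_id in keys_due_for_rotation(SAMPLE_KEYS_JSON, SAMPLE_NOW):
        print(f"{key_id} is older than 90 days; after uploading a new key to Sprinto run:")
        print("  " + delete_command(SA_EMAIL, key_id))
```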


When to Contact Support

Contact Sprinto Support if:

  • Integration remains in error state after retries.

  • WIF configuration appears correct but authentication fails.

  • Data ingestion does not begin after 15 minutes.

  • You need help migrating from JSON key-based integration to WIF.

Include:

  • Project ID

  • Integration method used

  • Screenshot of error (if any)

  • Timestamp of attempt
