# GCP Integration

Sprinto integrates with Google Cloud Platform (GCP) to automatically monitor your cloud infrastructure for security and compliance requirements.

When connected, Sprinto:

* Reads your GCP resources to evaluate compliance controls.
* Tracks configuration changes across projects.
* Flags non-compliant settings and misconfigurations.
* Allows selective monitoring of specific projects.

### Manage API Permissions

Sprinto enables the following APIs in your GCP account if they are not enabled already.

* **Cloud Resource Manager API**

Additionally, optionally enabling these APIs allows Sprinto to read and monitor the resources associated with the corresponding cloud platform services.

<table><thead><tr><th width="372.47265625">GCP API Resources</th></tr></thead><tbody><tr><td>Cloud Asset API</td></tr><tr><td>Compute Engine API</td></tr><tr><td>Cloud Pub/Sub API</td></tr><tr><td>Cloud Logging API</td></tr><tr><td>Identity and Access Management (IAM) API</td></tr><tr><td>Service Usage API</td></tr><tr><td>Cloud Spanner API</td></tr><tr><td>BigQuery API</td></tr><tr><td>Cloud Bigtable API</td></tr><tr><td>Firebase Management API</td></tr><tr><td>Cloud Datastore API</td></tr><tr><td>Cloud Firestore API</td></tr><tr><td>Cloud SQL Admin API</td></tr><tr><td>Cloud Storage API</td></tr><tr><td>Container Registry API</td></tr><tr><td>Google Cloud APIs</td></tr><tr><td>Kubernetes Engine API</td></tr><tr><td>Service Management API</td></tr><tr><td>Stackdriver API</td></tr></tbody></table>

We have introduced a **new and more secure authentication method** for integrating GCP using **Workload Identity Federation (WIF)**.

#### What’s new?

* No long-lived JSON service account keys.
* Secure token-based authentication.
* Reduced operational overhead (no 90-day key rotation required).
* Improved security posture aligned with Google best practices.

We recommend using the **new Cloud Shell (WIF) method** unless you are an existing customer using the legacy JSON key-based setup.

### Connect GCP Using Workload Identity Federation

This connection method securely links your GCP account with Sprinto **without requiring a JSON key upload**.\
It leverages **Workload Identity Federation (WIF)** to grant Sprinto temporary, read-only access for monitoring and compliance checks.

Even in this new flow, you begin by choosing one of the two familiar integration options:

* **Option 1:** Google Cloud Shell (Recommended)
* **Option 2:** Set up Service Account manually

After you choose either method, Sprinto automatically uses **WIF** to complete the secure connection.

### Prerequisites

* Production project IDs
* Project number

Before running the GCP setup script, ensure the required IAM permissions and roles are assigned.

#### Required IAM Permissions (for setup script)

The following permissions are required to successfully execute the setup script:

| Permission                                                              | GCP Role that includes it                                                                  |
| ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------ |
| `iam.workloadIdentityPools.create` / `iam.workloadIdentityPools.update` | IAM Workload Identity Pool Admin                                                           |
| `iam.serviceAccounts.create`                                            | Service Account Admin                                                                      |
| `resourcemanager.projects.setIamPolicy`                                 | Project IAM Admin                                                                          |
| `iam.serviceAccounts.setIamPolicy`                                      | Service Account Admin                                                                      |
| `serviceusage.services.enable`                                          | Service Usage Admin                                                                        |
| `resourcemanager.organizations.setIamPolicy`                            | Organisation Admin (only if Cloud Asset Viewer needs to be assigned at organisation level) |

These permissions are required only for initial configuration and role assignment.

***

#### Required GCP Predefined Roles

Sprinto requires the following predefined roles on the configured project(s):

<table><thead><tr><th width="256.80859375">Role</th><th width="145.3203125">Access Level</th><th>Purpose</th></tr></thead><tbody><tr><td><code>roles/monitoring.editor</code></td><td>Write access</td><td>Allows Sprinto to create and manage Cloud Monitoring policies.</td></tr><tr><td><code>roles/compute.viewer</code></td><td>Read-only</td><td>Allows Sprinto to read compute resource configuration.</td></tr><tr><td><code>roles/iam.securityReviewer</code></td><td>Read-only</td><td>Allows Sprinto to review IAM policies and security posture.</td></tr></tbody></table>

**Access clarification:**

* `roles/monitoring.editor` provides **write access**, which is required to create Cloud Monitoring policies from Sprinto.
* All other roles grant **read-only access** and are used strictly for visibility and compliance checks.
* These roles are required by Sprinto when integrating with GCP.

***

### Method 1: Use Google Cloud Shell

This is the fastest and most secure method.

#### Step 1: Navigate to GCP Integration

1. Log in to the Sprinto dashboard.
2. Go to **Settings → Integrations**.
3. In the **All** tab, search for **GCP**.
4. Click **Connect**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F7qlh4WQlFHVxuuwDek89%2FScreenshot%202026-02-23%20at%2015.23.48.png?alt=media&#x26;token=212c09dc-6ed2-4999-bec2-08e17241e391" alt="" width="563"><figcaption></figcaption></figure>

You will see:

* Controls automated
* Checks automated
* Required permissions
* Data accessed by Sprinto

Click **Next**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F0n6S5iCA5xn6X9tZ7clG%2FScreenshot%202026-02-23%20at%2015.24.38.png?alt=media&#x26;token=dcc6105f-457e-4ea1-87ad-425111af2f5f" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 2: Add GCP Project IDs

1. Enter your production **Project ID(s)**.
2. Press Enter to add multiple projects.
3. Select the **Use Google Cloud Shell (Recommended)** check box.
4. Click **Continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F6ZdCXBtWXxxXGHYU31G3%2FScreenshot%202026-02-23%20at%2015.29.36.png?alt=media&#x26;token=faece02d-34bf-4a7c-a048-282a7510269b" alt="" width="375"><figcaption></figcaption></figure>

***

#### Step 3: Add Project Details

Enter:

* **Project ID**
* **Project Number**

A single service account created under this project can connect all listed projects.

***

#### Step 4: Run the Bash Script in Cloud Shell

1. Copy the provided bash script.
2. Open **Google Cloud Shell** in your GCP Console.
3. Paste and run the script.

The script will:

* Create a service account.
* Assign required roles.
* Create Workload Identity Pool and Provider.
* Configure impersonation access.
* Enable required APIs.

Wait 1–2 minutes for provisioning.

{% hint style="info" %}

#### Note

If your organisation has **inherited users in GCP assigned via groups**, please contact your Customer Success Manager (CSM) or email **<support@sprinto.com>** to enable this feature for your account.

Once the feature is enabled, you must grant **Group Reader** permissions to the Sprinto service account in Google Admin:

1. Go to [**https://admin.google.com/**](https://admin.google.com/)
2. Navigate to **Account → Admin roles → Group reader.**
3. Open **Admins → Assign service accounts.**
4. Enter the `client_email` of the Sprinto service account.
5. Click **Add.**
6. Assign the role.
7. Refresh Sprinto CAS users.

This permission allows Sprinto to fetch users inherited via GCP groups.
{% endhint %}

***

#### Step 5: Complete Integration

Return to Sprinto and click **Connect**.

Your GCP integration is now active.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FXrldK3tl3Is4ksbM300N%2FScreenshot%202026-02-23%20at%2015.36.47.png?alt=media&#x26;token=0b3c7a98-a2ff-4287-8940-f2a631c71002" alt="" width="375"><figcaption></figcaption></figure>

***

### Method 2: Set Up Service Account Manually

Use this method if you prefer manual configuration.

#### Step A: Add GCP Project in Sprinto

1. Enter your production **Project ID(s)**.
2. Press Enter to add multiple projects.
3. Select the **Set up service account manually** check box.
4. Click **Continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F9loWIJDzozMBVTs9Ysxv%2FScreenshot%202026-02-23%20at%2015.45.00.png?alt=media&#x26;token=06216962-11b1-4fd1-9680-63842c488303" alt="" width="375"><figcaption></figcaption></figure>

5. Enter:
   * Project ID
   * Project Number

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FH2qlRfgTXvDbWgqxL972%2FScreenshot%202026-02-23%20at%2015.46.29.png?alt=media&#x26;token=2f074753-6924-45e5-8161-0c22946ae26c" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="warning" %}

#### Important

Ensure that the service account used by Sprinto is granted the following role **at the organisation level**:

* **Cloud Asset Viewer**

Without this organisation-level permission, Sprinto may not be able to discover users or assets across all linked projects, which can result in sync errors during access reviews or asset discovery.
{% endhint %}

#### Step B: Create a Service Account in GCP

1. Log in to GCP Console.
2. Navigate to **IAM & Admin → Service Accounts**.
3. Select your production project.
4. Click **Create service account**.

Enter:

* **Service Account Name:** `sprinto-serviceaccount`
* Description (optional): Sprinto uses this to monitor production resources.

Click **Create and continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FY5GvSPMx3KgyRyh5FH4U%2FScreenshot%202026-02-16%20at%205.08.11%E2%80%AFPM.png?alt=media&#x26;token=41f5ddce-979e-4576-a6e1-8b07f26bc778" alt="" width="563"><figcaption></figcaption></figure>

#### Grant Roles

Assign the following roles:

* Security Reviewer
* Compute Viewer
* Monitoring Editor

Click **Continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FjGy3jzlL8iyTSOYvDgzz%2FScreenshot%202026-02-16%20at%205.09.44%E2%80%AFPM.png?alt=media&#x26;token=3a965afc-4558-486e-a387-a8e338cca74c" alt="" width="563"><figcaption></figcaption></figure>

Skip “Grant users access to this service account” and click **Done**.

***

#### Step C: Create Workload Identity Pool and Provider

1. Navigate to **IAM & Admin → Workload Identity Federation**.
2. Select the same project.
3. Click **Create Pool**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F4MUJ3eJXzdCJ3rKbHRQx%2FScreenshot%202026-02-16%20at%205.12.19%E2%80%AFPM.png?alt=media&#x26;token=752fe7c1-781b-42e9-9083-8ac14886f46a" alt="" width="563"><figcaption></figcaption></figure>

#### Pool Details

* Pool Name: `sprinto-wif-pool`
* Pool ID: Auto-generated
* Description: Sprinto GCP Identity Pool

Click **Continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FCLaateXIgMywm1YmnHPf%2FScreenshot%202026-02-16%20at%205.12.57%E2%80%AFPM.png?alt=media&#x26;token=7f61df8b-48be-4bc8-afbe-2e10566881f7" alt="" width="563"><figcaption></figcaption></figure>

***

#### Create Provider

* Provider Type: OpenID Connect (OIDC)
* Provider Name: `sprinto-wif-pool-provider`
* Provider ID: Auto-generated
* Issuer URL: As shown in Sprinto UI
* Audience Type: Allowed Audience
* Audience: As shown in Sprinto UI

Click **Continue**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FVYqxn18cMCM4LEDkbv4B%2FScreenshot%202026-02-16%20at%205.14.06%E2%80%AFPM.png?alt=media&#x26;token=a052f7df-7f56-46fa-8cd8-924247700130" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="warning" %}

#### Important

Select **OpenID Connect (OIDC)** as the provider type. Other provider types such as AWS or SAML are not supported for this setup.
{% endhint %}

***

#### Configure Attributes

Add:

<table><thead><tr><th width="185.07421875">Attribute Key</th><th width="266.671875">Attribute Value</th></tr></thead><tbody><tr><td>google.subject</td><td>assertion.sub</td></tr><tr><td>attribute.username</td><td>assertion.preferred_username</td></tr></tbody></table>

Click **Save**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2F2cWeS2e9fx9PgZ5iAi1t%2FScreenshot%202026-02-16%20at%205.15.11%E2%80%AFPM.png?alt=media&#x26;token=7dee4391-9175-487f-bf71-992ca3adcaff" alt="" width="563"><figcaption></figcaption></figure>

***

#### Grant Access Using Service Account Impersonation

1. Click **Grant Access**.
2. Select **Grant access using Service Account impersonation**.
3. Choose the previously created service account.
4. Add the Subject (value shown in Sprinto UI).
5. Click **Save**.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FhRgtqMAPNai7BXaRdTpj%2FScreenshot%202026-02-16%20at%205.18.46%E2%80%AFPM.png?alt=media&#x26;token=cf21101c-5efa-4b53-8dee-245f00c521f3" alt="" width="563"><figcaption></figcaption></figure>

6. Dismiss the “Configure your application” popup.
7. Wait 1 minute.

***

#### Step D: Enable Required APIs

For each production project:

* Enable the APIs listed in Sprinto.
* If you do not use a service, you may ignore its API.

Click **Connect** in Sprinto to complete the setup.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FfTZ3qjC7HflUw1oWRLbH%2FScreenshot%202026-02-23%20at%2015.58.35.png?alt=media&#x26;token=1ccbd71b-c66b-47e8-a92a-b4e6e66bbfb5" alt="" width="375"><figcaption></figcaption></figure>
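The following script is an added example and is not the bash script Sprinto generates for Step 4 of Method 1; it is the `gcloud` equivalent of what that step and Steps B to D of Method 2 do: create the service account, grant the three project roles from the predefined-roles table, create the pool and OIDC provider with the attribute mapping from the "Configure Attributes" table, and grant impersonation to a single federated subject. The project ID, project number and the `ISSUER_URI`, `AUDIENCE` and `SUBJECT` values are placeholders (the last three must be replaced with the values shown in the Sprinto UI). Enabling the IAM, Service Account Credentials and STS APIs alongside Cloud Resource Manager is an assumption drawn from Google's WIF documentation, not something this page lists.

```shell
#!/bin/sh
# Added example, not the script Sprinto provides. Placeholder values are
# constructed; ISSUER_URI, AUDIENCE and SUBJECT come from the Sprinto UI.
set -eu

PROJECT_ID="${PROJECT_ID:-my-prod-project}"               # constructed placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"          # constructed placeholder
SA_NAME="${SA_NAME:-sprinto-serviceaccount}"              # name used on the page
POOL_ID="${POOL_ID:-sprinto-wif-pool}"                    # pool name used on the page
PROVIDER_ID="${PROVIDER_ID:-sprinto-wif-pool-provider}"   # provider name used on the page
ISSUER_URI="${ISSUER_URI:-https://ISSUER-FROM-SPRINTO-UI}"
AUDIENCE="${AUDIENCE:-AUDIENCE-FROM-SPRINTO-UI}"
SUBJECT="${SUBJECT:-SUBJECT-FROM-SPRINTO-UI}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands only; DRY_RUN=0 applies them

SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Project roles from the page's "Required GCP Predefined Roles" table.
ROLES="roles/iam.securityReviewer roles/compute.viewer roles/monitoring.editor"

# Print (dry run) or execute a command. Printing first lets you review exactly
# what will change in the project before running it for real in Cloud Shell.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# The one federated identity allowed to impersonate the service account: a single
# subject in a single pool (principal://), not the whole pool (principalSet://).
wif_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$SUBJECT"
}

enable_apis() {
  # Cloud Resource Manager is the API the page always enables. The IAM, Service
  # Account Credentials and STS APIs are what the WIF token exchange and
  # impersonation use (assumption: the page does not list them explicitly).
  run gcloud services enable cloudresourcemanager.googleapis.com iam.googleapis.com \
    iamcredentials.googleapis.com sts.googleapis.com --project="$PROJECT_ID"
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="$SA_NAME" \
    --description="Sprinto uses this to monitor production resources."
}

grant_project_roles() {
  for role in $ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
}

create_pool_and_provider() {
  run gcloud iam workload-identity-pools create "$POOL_ID" --project="$PROJECT_ID" \
    --location=global --display-name="$POOL_ID" --description="Sprinto GCP Identity Pool"
  # OIDC provider pinned to Sprinto's issuer and audience, with the attribute
  # mapping from the page's "Configure Attributes" table.
  run gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" \
    --issuer-uri="$ISSUER_URI" --allowed-audiences="$AUDIENCE" \
    --attribute-mapping="google.subject=assertion.sub,attribute.username=assertion.preferred_username"
}

grant_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" --project="$PROJECT_ID" \
    --role="roles/iam.workloadIdentityUser" --member="$(wif_principal)"
}

main() {
  enable_apis
  create_service_account
  grant_project_roles
  create_pool_and_provider
  grant_impersonation
}

main
```

Run it once with the default `DRY_RUN=1` to review the commands, then `DRY_RUN=0 sh setup.sh` in Cloud Shell. The commands are not all idempotent (`service-accounts create` and the pool/provider `create` calls fail if the resource already exists), so re-running after a partial failure means skipping the steps that completed. Binding `roles/iam.workloadIdentityUser` to the exact `principal://.../subject/...` rather than to `principalSet://.../*` is what keeps any other token from the same issuer from impersonating the account.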

#### Result

Once integrated:

* Sprinto securely connects to GCP using **Workload Identity Federation**.
* You no longer need to upload or rotate JSON key files.
* All data retrieval happens using short-lived, federated credentials for enhanced security.

***

#### Post-Connection Flow

Once connected:

* Sprinto begins scanning configured projects.
* Controls and checks are automatically mapped.
* Non-compliant findings appear in your compliance dashboard.
* You can scope projects under Monitoring settings.
* Click **Sync all** to sync all the data points.

<figure><img src="https://3220032727-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEsyn5VMU6e0OyGjRtKgx%2Fuploads%2FjmSJbPRQEkVKKoTCm8QY%2FScreenshot%202026-03-11%20at%2021.41.14.png?alt=media&#x26;token=175d14e2-db8c-4cd3-b8f0-58ac853aec0d" alt="" width="563"><figcaption></figcaption></figure>

***

### Comparison: New vs Old GCP Integration Flows

<table><thead><tr><th width="192.453125">Feature / Aspect</th><th width="308.828125">New Flow (Workload Identity Federation)</th><th>Old Flow (JSON Key Based)</th></tr></thead><tbody><tr><td><strong>Availability</strong></td><td>For customers onboarded on or after Dec 6 2024</td><td>For customers onboarded before Dec 6 2024</td></tr><tr><td><strong>Authentication Type</strong></td><td>Workload Identity Federation (WIF)</td><td>Service Account Key (JSON file)</td></tr><tr><td><strong>JSON File Required</strong></td><td>No</td><td>Yes</td></tr><tr><td><strong>Setup Options</strong></td><td>Cloud Shell or Manual Service Account → WIF auto-setup</td><td>Cloud Shell or Manual Service Account → Upload JSON</td></tr><tr><td><strong>Key Rotation Needed</strong></td><td>No</td><td>Yes</td></tr><tr><td><strong>Security Level</strong></td><td>High — Uses short-lived federated tokens</td><td>Moderate — Depends on static key management</td></tr><tr><td><strong>Recommended By Google</strong></td><td>Yes</td><td>Deprecated for new projects</td></tr><tr><td><strong>Integration Speed</strong></td><td>Fast (1–2 minutes setup)</td><td>Moderate (Manual upload step required)</td></tr></tbody></table>

## Troubleshooting

If your GCP integration fails or does not reflect data correctly, review the following checks.

#### 1. “Permission Denied” or Insufficient Access Errors

**Possible causes:**

* Required IAM roles were not assigned.
* Service account impersonation was not configured correctly (WIF method).
* APIs were not enabled in all production projects.

**Resolution:**

For **WIF-based setup**:

* Verify the service account has:
  * Security Reviewer
  * Compute Viewer
  * Monitoring Editor
* Confirm:
  * Workload Identity Pool exists.
  * Provider is configured correctly.
  * Service account impersonation is granted.
  * Subject value matches the one shown in Sprinto.

For **JSON key-based setup**:

* Ensure the correct service account key was uploaded.
* Confirm the key belongs to the intended project.
* Re-upload the key if necessary.

***

#### 2. APIs Not Enabled Error

Sprinto requires specific APIs to read infrastructure data.

**Resolution:**

* Navigate to **APIs & Services → Enabled APIs & Services** in GCP.
* Enable all required APIs listed in Sprinto.
* Repeat this for each production project.
* Note: GCP does not support bulk enabling across projects.

***

#### 3. “Connect” Button Not Activating (Legacy JSON Method)

**Possible causes:**

* Incorrect file format.
* Corrupted or expired JSON key.
* Key does not belong to the created service account.

**Resolution:**

* Ensure file format is `.json`.
* Generate a new key in:\
  IAM & Admin → Service Accounts → Manage Keys.
* Upload the newly generated key.
* Confirm the key is active and not revoked.

***

#### 4. No Data Appearing After Successful Connection

**Possible causes:**

* Incorrect project ID entered.
* Monitoring scope not configured.
* Delay in initial sync.

**Resolution:**

* Verify all production project IDs were added.
* Check Monitoring settings in Sprinto.
* Wait 5–10 minutes for initial ingestion.
* Refresh the dashboard.

***

#### 5. Workload Identity Federation Errors (New Method)

If you see impersonation or token exchange failures:

* Confirm:
  * Pool and Provider IDs match Sprinto configuration.
  * Issuer URL is correct.
  * Audience value matches exactly.
  * Attribute mappings are configured correctly.
* Ensure the correct Subject was added during impersonation.
* Wait 1–2 minutes after configuration before clicking Connect.
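The checks listed in items 1 and 5 above, as an added example that is not Sprinto's tooling: the script reads the provider, the service account's project roles and its impersonation bindings with `gcloud` (only when run with `VERIFY=1` in Cloud Shell) and compares them with the expected values. The comparison functions take plain text, so they also run offline against the constructed sample provider description embedded below. Project ID, project number and the `ISSUER_URI`, `AUDIENCE` and `SUBJECT` values are placeholders; the YAML field names (`state`, `oidc.issuerUri`, `oidc.allowedAudiences`, `attributeMapping`) are those of the provider resource.

```shell
#!/bin/sh
# Added example, not Sprinto's tooling: read-only checks for troubleshooting
# items 1 and 5. Expected values below are constructed placeholders; the real
# ISSUER_URI, AUDIENCE and SUBJECT are the ones shown in the Sprinto UI.
set -eu

PROJECT_ID="${PROJECT_ID:-my-prod-project}"               # constructed placeholder
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"          # constructed placeholder
SA_EMAIL="${SA_EMAIL:-sprinto-serviceaccount@${PROJECT_ID}.iam.gserviceaccount.com}"
POOL_ID="${POOL_ID:-sprinto-wif-pool}"
PROVIDER_ID="${PROVIDER_ID:-sprinto-wif-pool-provider}"
ISSUER_URI="${ISSUER_URI:-https://ISSUER-FROM-SPRINTO-UI}"   # expected value from Sprinto UI
AUDIENCE="${AUDIENCE:-AUDIENCE-FROM-SPRINTO-UI}"             # expected value from Sprinto UI
SUBJECT="${SUBJECT:-SUBJECT-FROM-SPRINTO-UI}"                # expected value from Sprinto UI

expect_equal() {  # $1 label, $2 expected, $3 observed
  if [ "$2" = "$3" ]; then echo "PASS $1"; return 0; fi
  echo "FAIL $1: expected '$2', got '$3'"; return 1
}

# "key: value" scalar from gcloud --format=yaml output at any indentation (first hit).
yaml_scalar() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# True when a block-style YAML list on stdin contains the item "- $1".
yaml_list_has() { sed -n 's/^[[:space:]]*- //p' | grep -Fxq -- "$1"; }

wif_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/subject/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$SUBJECT"
}

# $1 = provider description (YAML). Checks state, issuer, audience and subject mapping.
check_provider_yaml() {
  rc=0
  expect_equal "provider state" ACTIVE "$(printf '%s\n' "$1" | yaml_scalar state)" || rc=1
  expect_equal "issuer URL" "$ISSUER_URI" "$(printf '%s\n' "$1" | yaml_scalar issuerUri)" || rc=1
  expect_equal "google.subject mapping" assertion.sub "$(printf '%s\n' "$1" | yaml_scalar google.subject)" || rc=1
  if printf '%s\n' "$1" | yaml_list_has "$AUDIENCE"; then echo "PASS audience"
  else echo "FAIL audience: '$AUDIENCE' not in allowedAudiences"; rc=1; fi
  return $rc
}

# $1 = newline-separated roles the service account holds on the project.
check_project_roles() {
  rc=0
  for role in roles/iam.securityReviewer roles/compute.viewer roles/monitoring.editor; do
    if printf '%s\n' "$1" | grep -Fxq -- "$role"; then echo "PASS $role"
    else echo "FAIL $role not granted to $SA_EMAIL"; rc=1; fi
  done
  return $rc
}

# $1 = newline-separated members holding roles/iam.workloadIdentityUser on the SA.
# Expects the exact-subject binding; a pool-wide principalSet:// grant is flagged.
check_impersonation_members() {
  if printf '%s\n' "$1" | grep -q '^principalSet://'; then
    echo "WARN pool-wide principalSet:// binding found; restrict it to the Sprinto subject"
  fi
  if printf '%s\n' "$1" | grep -Fxq -- "$(wif_principal)"; then echo "PASS impersonation binding"; return 0; fi
  echo "FAIL impersonation binding: $(wif_principal) missing"; return 1
}

# Constructed sample of what `gcloud ... providers describe --format=yaml` returns,
# used for the offline run below.
SAMPLE_PROVIDER_YAML='attributeMapping:
  attribute.username: assertion.preferred_username
  google.subject: assertion.sub
oidc:
  allowedAudiences:
  - AUDIENCE-FROM-SPRINTO-UI
  issuerUri: https://ISSUER-FROM-SPRINTO-UI
state: ACTIVE'

# Live, read-only lookups; each fetch is kept apart from its check.
verify_live() {
  rc=0
  provider_yaml=$(gcloud iam workload-identity-pools providers describe "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global --workload-identity-pool="$POOL_ID" --format=yaml)
  sa_roles=$(gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" --format='value(bindings.role)')
  wif_members=$(gcloud iam service-accounts get-iam-policy "$SA_EMAIL" --project="$PROJECT_ID" \
    --flatten='bindings[].members' --filter='bindings.role:roles/iam.workloadIdentityUser' \
    --format='value(bindings.members)')
  check_provider_yaml "$provider_yaml" || rc=1
  check_project_roles "$sa_roles" || rc=1
  check_impersonation_members "$wif_members" || rc=1
  return $rc
}

if [ "${VERIFY:-0}" = "1" ]; then verify_live; else check_provider_yaml "$SAMPLE_PROVIDER_YAML"; fi
```

`gcloud projects get-iam-policy` only shows bindings set directly on the project, so a role inherited from a folder or the organisation (such as Cloud Asset Viewer granted at organisation level) will not appear in the role check; a FAIL there means the project-level grant is missing, not necessarily that access is absent. A FAIL on the issuer, audience or subject lines is the usual cause of the token exchange errors item 5 describes, since the STS exchange rejects a token whose `iss` or `aud` does not match the provider exactly.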

***

#### 6. JSON Key Expired (Legacy Method)

JSON service account keys must be rotated every 90 days.

**Resolution:**

1. Generate a new key.
2. Upload it in Sprinto.
3. Delete the old key from GCP for security.

We recommend migrating to the **WIF-based method** to avoid key rotation management.

***

#### 7. Reconnect or Disconnect the GCP Integration

If the integration stops syncing data or fails validation checks, you may need to reconnect the integration.

To reconnect the integration:

1. Log in to the **Sprinto dashboard**.
2. Navigate to **Settings → Integrations**.
3. Search for **Google Cloud Platform (GCP)**.
4. Click the **Disconnect** option to remove the existing connection.
5. Click **Connect** again and follow the setup steps to reconnect the integration.

Reconnecting the integration refreshes the authentication and can resolve issues caused by expired credentials or configuration changes in your GCP project.

***

#### When to Contact Support

Contact Sprinto Support if:

* Integration remains in error state after retries.
* WIF configuration appears correct but authentication fails.
* Data ingestion does not begin after 15 minutes.
* You need help migrating from JSON key-based integration to WIF.

Include:

* Project ID
* Integration method used
* Screenshot of error (if any)
* Timestamp of attempt
