Ctrlk
Sprinto DashboardAPI Reference
For the complete documentation index, see llms.txt. This page is also available as Markdown.

GCP Integration

Connect Sprinto with Google Cloud Platform (GCP) to automate infrastructure monitoring and compliance checks using Workload Identity Federation or legacy JSON key-based authentication.

Sprinto integrates with Google Cloud Platform (GCP) to automatically monitor your cloud infrastructure for security and compliance requirements.

When connected, Sprinto:

  • Reads your GCP resources to evaluate compliance controls.

  • Tracks configuration changes across projects.

  • Flags non-compliant settings and misconfigurations.

  • Allows selective monitoring of specific projects.

Manage API Permissions

Sprinto enables the following APIs in your GCP account if they are not enabled already.

  • Cloud Resource Manager API

Additionally, optionally enabling these APIs allows Sprinto to read an monitor the resources associated with cloud platform services.

GCP API Resources

Cloud Asset API

Compute Engine API

Cloud Pub/Sub API

Cloud Logging API

Identity and Access Management (IAM) API

Service Usage API

Cloud Spanner API

BigQuery API

Cloud Bigtable API

Firebase Management API

Cloud Datastore API

Cloud Firestore API

Cloud SQL Admin API

Cloud Storage API

Container Registry API

Google Cloud APIs

Kubernetes Engine API

Service Management API

Stackdriver API

We have introduced a new and more secure authentication method for integrating GCP using Workload Identity Federation (WIF).

What’s new?

  • No long-lived JSON service account keys.

  • Secure token-based authentication.

  • Reduced operational overhead (no 90-day key rotation required).

  • Improved security posture aligned with Google best practices.

We recommend using the new Cloud Shell (WIF) method unless you are an existing customer using the legacy JSON key-based setup.

Connect GCP Using Workload Identity Federation

This connection method securely links your GCP account with Sprinto without requiring a JSON key upload. It leverages Workload Identity Federation (WIF) to grant Sprinto temporary, read-only access for monitoring and compliance checks.

Even in this new flow, you begin by choosing one of the two familiar integration options:

  • Option 1: Google Cloud Shell (Recommended)

  • Option 2: Set up Service Account manually

After you choose either method, Sprinto automatically uses WIF to complete the secure connection.

Prerequisites

  • Production project IDs

  • Project number

Before running the GCP setup script, ensure the required IAM permissions and roles are assigned.

Required IAM Permissions (for setup script)

The following permissions are required to successfully execute the setup script:

Permission
GCP Role that includes it

iam.workloadIdentityPools.create / iam.workloadIdentityPools.update

IAM Workload Identity Pool Admin

iam.serviceAccounts.create

Service Account Admin

resourcemanager.projects.setIamPolicy

Project IAM Admin

iam.serviceAccounts.setIamPolicy

Service Account Admin

serviceusage.services.enable

Service Usage Admin

resourcemanager.organizations.setIamPolicy

Organisation Admin (only if Cloud Asset Viewer needs to be assigned at organisation level)

These permissions are required only for initial configuration and role assignment.

Required GCP Predefined Roles

Sprinto requires the following predefined roles on the configured project(s):

Role
Access Level
Purpose

roles/monitoring.editor

Write access

Allows Sprinto to create and manage Cloud Monitoring policies.

roles/compute.viewer

Read-only

Allows Sprinto to read compute resource configuration.

roles/iam.securityReviewer

Read-only

Allows Sprinto to review IAM policies and security posture.

Access clarification:

  • roles/monitoring.editor provides write access, which is required to create Cloud Monitoring policies from Sprinto.

  • All other roles grant read-only access and are used strictly for visibility and compliance checks.

  • These roles are required by Sprinto when integrating with GCP.

Method 1: Use Google Cloud Shell

This is the fastest and most secure method.

Step 1: Navigate to GCP Integration

  1. Log in to the Sprinto dashboard.

  2. Go to Settings → Integrations.

  3. In the All tab, search for GCP.

  4. Click Connect.

You will see:

  • Controls automated

  • Checks automated

  • Required permissions

  • Data accessed by Sprinto

Click Next.

Step 2: Add GCP Project IDs

  1. Enter your production Project ID(s).

  2. Press Enter to add multiple projects.

  3. Select the Use Google Cloud Shell (Recommended) check box.

  4. Click Continue.

Step 3: Add Project Details

Enter:

  • Project ID

  • Project Number

A single service account created under this project can connect all listed projects.

Step 4: Run the Bash Script in Cloud Shell

  1. Copy the provided bash script.

  2. Open Google Cloud Shell in your GCP Console.

  3. Paste and run the script.

The script will:

  • Create a service account.

  • Assign required roles.

  • Create Workload Identity Pool and Provider.

  • Configure impersonation access.

  • Enable required APIs.

Wait 1–2 minutes for provisioning.

Note

If your organisation has inherited users in GCP assigned via groups, please contact your Customer Success Manager (CSM) or email support@sprinto.com to enable this feature for your account.

Once the feature is enabled, you must grant Group Reader permissions to the Sprinto service account in Google Admin:

  1. Go to https://admin.google.com/

  2. Navigate to Account → Admin roles → Group reader.

  3. Open Admins → Assign service accounts.

  4. Enter the client_email of the Sprinto service account.

  5. Click Add.

  6. Assign the role.

  7. Refresh Sprinto CAS users.

This permission allows Sprinto to fetch users inherited via GCP groups.

Step 5: Complete Integration

Return to Sprinto and click Connect.

Your GCP integration is now active.

Method 2: Set Up Service Account Manually

Use this method if you prefer manual configuration.

Step A: Add GCP Project in Sprinto

  1. Enter your production Project ID(s).

  2. Press Enter to add multiple projects.

  3. Select the Set up service account manually check box.

  4. Click Continue.

  1. Enter:

    • Project ID

    • Project Number

Important

Ensure that the service account used by Sprinto is granted the following roles at the organisation level:

  • Cloud Asset Viewer

Without these organisation-level permissions, Sprinto may not be able to discover users or assets across all linked projects, which can result in sync errors during access reviews or asset discovery.

Step B: Create a Service Account in GCP

  1. Log in to GCP Console.

  2. Navigate to IAM & Admin → Service Accounts.

  3. Select your production project.

  4. Click Create service account.

Enter:

  • Service Account Name: sprinto-serviceaccount

  • Description (optional): Sprinto uses this to monitor production resources.

Click Create and continue.

Grant Roles

Assign the following roles:

  • Security Reviewer

  • Compute Viewer

  • Monitoring Editor

Click Continue.

Skip “Grant users access to this service account” and click Done.

Step C: Create Workload Identity Pool and Provider

  1. Navigate to IAM & Admin → Workload Identity Federation.

  2. Select the same project.

  3. Click Create Pool.

Pool Details

  • Pool Name: sprinto-wif-pool

  • Pool ID: Auto-generated

  • Description: Sprinto GCP Identity Pool

Click Continue.

Create Provider

  • Provider Type: OpenID Connect (OIDC)

  • Provider Name: sprinto-wif-pool-provider

  • Provider ID: Auto-generated

  • Issuer URL: As shown in Sprinto UI

  • Audience Type: Allowed Audience

  • Audience: As shown in Sprinto UI

Click Continue.

Important

Select OpenID Connect (OIDC) as the provider type. Other provider types such as AWS or SAML are not supported for this setup.

Configure Attributes

Add:

Attribute Key
Attribute Value

google.subject

assertion.sub

attribute.username

assertion.preferred_username

Click Save.

Grant Access Using Service Account Impersonation

  1. Click Grant Access.

  2. Select Grant access using Service Account impersonation.

  3. Choose the previously created service account.

  4. Add the Subject (value shown in Sprinto UI).

  5. Click Save.

  1. Dismiss the “Configure your application” popup.

  2. Wait 1 minute.

Step D: Enable Required APIs

For each production project:

  • Enable the APIs listed in Sprinto.

  • If you do not use a service, you may ignore its API.

Click Connect in Sprinto to complete the setup.

Result

Once integrated:

  • Sprinto securely connects to GCP using Workload Identity Federation.

  • You no longer need to upload or rotate JSON key files.

  • All data retrieval happens using short-lived, federated credentials for enhanced security.

Post-Connection Flow

Once connected:

  • Sprinto begins scanning configured projects.

  • Controls and checks are automatically mapped.

  • Non-compliant findings appear in your compliance dashboard.

  • You can scope projects under Monitoring settings.

  • Click Sync all to msync all the data points.

Comparison: New vs Old GCP Integration Flows

Feature / Aspect
New Flow (Workload Identity Federation)
Old Flow (JSON Key Based)

Availability

For customers onboarded on or after Dec 6 2024

For customers onboarded before Dec 6 2024

Authentication Type

Workload Identity Federation (WIF)

Service Account Key (JSON file)

JSON File Required

No

Yes

Setup Options

Cloud Shell or Manual Service Account → WIF auto-setup

Cloud Shell or Manual Service Account → Upload JSON

Key Rotation Needed

No

Yes

Security Level

High — Uses short-lived federated tokens

Moderate — Depends on static key management

Recommended By Google

Yes

Deprecated for new projects

Integration Speed

Fast (1–2 minutes setup)

Moderate (Manual upload step required)

Troubleshooting

If your GCP integration fails or does not reflect data correctly, review the following checks.

1. “Permission Denied” or Insufficient Access Errors

Possible causes:

  • Required IAM roles were not assigned.

  • Service account impersonation was not configured correctly (WIF method).

  • APIs were not enabled in all production projects.

Resolution:

For WIF-based setup:

  • Verify the service account has:

    • Security Reviewer

    • Compute Viewer

    • Monitoring Editor

  • Confirm:

    • Workload Identity Pool exists.

    • Provider is configured correctly.

    • Service account impersonation is granted.

    • Subject value matches the one shown in Sprinto.

For JSON key-based setup:

  • Ensure the correct service account key was uploaded.

  • Confirm the key belongs to the intended project.

  • Re-upload the key if necessary.

2. APIs Not Enabled Error

Sprinto requires specific APIs to read infrastructure data.

Resolution:

  • Navigate to APIs & Services → Enabled APIs & Services in GCP.

  • Enable all required APIs listed in Sprinto.

  • Repeat this for each production project.

  • Note: GCP does not support bulk enabling across projects.

3. “Connect” Button Not Activating (Legacy JSON Method)

Possible causes:

  • Incorrect file format.

  • Corrupted or expired JSON key.

  • Key does not belong to the created service account.

Resolution:

  • Ensure file format is .json.

  • Generate a new key in: IAM & Admin → Service Accounts → Manage Keys.

  • Upload the newly generated key.

  • Confirm the key is active and not revoked.

4. No Data Appearing After Successful Connection

Possible causes:

  • Incorrect project ID entered.

  • Monitoring scope not configured.

  • Delay in initial sync.

Resolution:

  • Verify all production project IDs were added.

  • Check Monitoring settings in Sprinto.

  • Wait 5–10 minutes for initial ingestion.

  • Refresh the dashboard.

5. Workload Identity Federation Errors (New Method)

If you see impersonation or token exchange failures:

  • Confirm:

    • Pool and Provider IDs match Sprinto configuration.

    • Issuer URL is correct.

    • Audience value matches exactly.

    • Attribute mappings are configured correctly.

  • Ensure the correct Subject was added during impersonation.

  • Wait 1–2 minutes after configuration before clicking Connect.

6. JSON Key Expired (Legacy Method)

JSON service account keys must be rotated every 90 days.

Resolution:

  1. Generate a new key.

  2. Upload it in Sprinto.

  3. Delete the old key from GCP for security.

We recommend migrating to the WIF-based method to avoid key rotation management.

7. Reconnect or Disconnect the GCP Integration

If the integration stops syncing data or fails validation checks, you may need to reconnect the integration.

To reconnect the integration:

  1. Log in to the Sprinto dashboard.

  2. Navigate to Settings → Integrations.

  3. Search for Google Cloud Platform (GCP).

  4. Click the Disconnect option to remove the existing connection.

  5. Click Connect again and follow the setup steps to reconnect the integration.

Reconnecting the integration refreshes the authentication and can resolve issues caused by expired credentials or configuration changes in your GCP project.

When to Contact Support

Contact Sprinto Support if:

  • Integration remains in error state after retries.

  • WIF configuration appears correct but authentication fails.

  • Data ingestion does not begin after 15 minutes.

  • You need help migrating from JSON key-based integration to WIF.

Include:

  • Project ID

  • Integration method used

  • Screenshot of error (if any)

  • Timestamp of attempt

PreviousGCP Integration (via Cloud Shell)NextGithub + Dependabot Integration

Last updated