GCP Configurations


Once you have finished the configurations above, proceed to the Forestall GCP Configuration page. You will need to complete several required fields on this page before initiating a scan.

GCP Configuration Page

1. Upload the Service Account Key

The most critical part of this page is the .json file you generated earlier.

  • Locate your file: Find the forestall-scanner-sa-key.json file on your computer (the one you downloaded from Cloud Shell).

  • Action: Drag and drop this file into the box labeled "Drag & drop or click to select your service account key file."

  • Purpose: This allows the application to authenticate as the Service Account and perform the scanning tasks defined by the roles you granted.

GCP Configuration With Uploaded Service Account Key and Admin Email

2. Enter Admin Email

  • Field: Admin Email

  • Action: Enter the email address of a Super Administrator for your Google Workspace/Cloud Identity account.

  • Why? The "Required Permissions" listed on the right (like AdminDirectoryUserReadonly) often require Domain-Wide Delegation. The app uses this email address to "impersonate" an admin to read your user and group directories.

3. Organization & Customer Details

GCP Configuration After Testing

  • Organization Display Name: Enter a friendly name for your company (e.g., "My Enterprise Org"). This is for internal labeling only.

  • Customer ID (required): This is the unique identifier for your Google Workspace account (it usually starts with C).

    • How to find it: Go to the Google Admin Console > Account > Account Settings. Look for the "Customer ID" field.

4. Verify "Required Permissions"

The list on the right shows specific API scopes the app needs:

  • AdminDirectoryUserReadonly: To see user accounts.

  • AdminDirectoryGroupReadonly: To see group memberships.

  • AdminDirectoryCustomerReadonly: To see organization-level settings.

  • CloudIdentityDevicesReadonly: To see managed devices.

If these items have orange question marks or red icons, it means you may still need to enable the Admin SDK API in your Google Cloud Project or set up Domain-Wide Delegation in the Google Admin Console for your Service Account's Client ID.


5. Test and Save

  1. Click "Test": Before saving, click the blue Test button. This triggers a dry-run connection using the key and the Admin Email you provided.

  2. Success Check: Look for a green success message. If it fails, double-check that the admin.googleapis.com and cloudidentity.googleapis.com APIs are enabled in your GCP project.

  3. Click "Save": Once the test passes, click Save to finalize the configuration.
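The checks below are an added example, not Forestall's own code: an offline preflight of the three inputs the form takes (key file, Admin Email, Customer ID) that also extracts the Client ID you register under Domain-Wide Delegation. The scope URLs are the standard Google scopes assumed to stand behind the four listed permissions; the key file is a constructed sample.

```python
import json
import re

# OAuth scope URLs behind the "Required Permissions" list. The page names the
# permissions only; these URLs are the standard Google scopes for them (assumed).
REQUIRED_SCOPES = {
    "AdminDirectoryUserReadonly": "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "AdminDirectoryGroupReadonly": "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "AdminDirectoryCustomerReadonly": "https://www.googleapis.com/auth/admin.directory.customer.readonly",
    "CloudIdentityDevicesReadonly": "https://www.googleapis.com/auth/cloud-identity.devices.readonly",
}

# Constructed sample with the shape of a downloaded service-account key file.
# The private key is a placeholder string, not real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "forestall-scanner-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def preflight(key_json: str, admin_email: str, customer_id: str) -> dict:
    """Check the three form inputs and return what to register for Domain-Wide Delegation."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key")
    for field in ("client_email", "client_id", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"key file is missing '{field}'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM block")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", admin_email):
        problems.append("admin email is not a valid address")
    if not re.fullmatch(r"C[0-9A-Za-z]+", customer_id):
        problems.append("customer ID should start with 'C'")
    return {
        "ok": not problems,
        "problems": problems,
        # Client ID to authorize under Domain-Wide Delegation in the Admin Console
        "dwd_client_id": key.get("client_id"),
        # Comma-separated scope list the Admin Console asks for next to the Client ID
        "dwd_scopes": ",".join(REQUIRED_SCOPES.values()),
    }

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_KEY, "admin@example.com", "C01abc2de"), indent=2))
```

If `problems` is empty but the Test button still fails, the remaining causes are the ones the page names: the Admin SDK and Cloud Identity APIs not enabled in the project, or the Client ID and scopes not yet authorized in the Admin Console.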
