
# Configuration With Google Cloud Platform

### 1. Overview

This document provides comprehensive, step-by-step instructions for configuring a new Google Cloud project and enabling the required APIs via the Google Cloud Console. These APIs are essential prerequisites for integrating Google Cloud services into your environment.

The following APIs must be enabled on your project:

| # | API Name                     | Purpose                                                                             |
| - | ---------------------------- | ----------------------------------------------------------------------------------- |
| 1 | Cloud Identity API (IAM API) | Manages identity and access control for Google Cloud resources.                     |
| 2 | Cloud Resource Manager API   | Creates, reads, and updates metadata for Google Cloud Platform resource containers. |
| 3 | Cloud Asset API              | Manages the history and inventory of Google Cloud resources.                        |
| 4 | Service Usage API            | Enables and lists services that consumers want to use on Google Cloud Platform.     |
| 5 | Recommender API              | Provides usage recommendations and insights for Google Cloud resources.             |
| 6 | Admin SDK API                | Manages Google Workspace account resources and audit usage.                         |

***

### 2. Prerequisites

Before proceeding with the configuration steps outlined in this document, ensure that the following prerequisites have been satisfied:

* A valid Google account with access to the Google Cloud Console.
* Sufficient permissions to create projects and enable APIs within the target Google Cloud organization.
* Billing enabled on the target organization or project.

***

### 3. Creating a New Google Cloud Project

A dedicated Google Cloud project must be created to host the required APIs and associated resources. Follow the steps below to create a new project within your organization.

#### Step 3.1: Access the Project Selector

<figure><img src="/files/OLmFQCEas51t8AbSRs4T" alt=""><figcaption><p>Google Cloud Console Navigation Bar</p></figcaption></figure>

Navigate to the Google Cloud Console at [console.cloud.google.com](https://console.cloud.google.com/). In the top navigation bar, locate the project selector button — displayed as the name of the currently active project or organization (e.g., `labs.forestall.io`). Click this button to open the resource selection modal.

#### Step 3.2: Initiate New Project Creation

<figure><img src="/files/F9EEVTYlZcTfxCNpG36k" alt=""><figcaption><p>Resource Selection Modal</p></figcaption></figure>

In the resource selection modal, click the **"New project"** button located in the upper-right corner. This action will redirect you to the New Project creation form.

#### Step 3.3: Configure the New Project

Complete the New Project form as follows:

| Field               | Value / Instruction                                                                                                                                         |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Project name**    | Enter a descriptive name for the project (e.g., `Test Project`). Note that the Project ID is automatically generated and cannot be modified after creation. |
| **Organization**    | Select the appropriate organization from the dropdown menu (e.g., `labs.forestall.io`). This association cannot be changed after the project is created.    |
| **Parent resource** | Select the organization or folder under which this project will reside. This defines the hierarchy for access control and billing.                          |

Once all fields have been completed, click the **"Create"** button to provision the new project.

<figure><img src="/files/DXEktJu8qCDBbgHNgQbE" alt=""><figcaption><p>New Project Creation Screen</p></figcaption></figure>

#### Step 3.4: Select the Newly Created Project

<figure><img src="/files/9c86bs2N1WFcaVH9YgsK" alt=""><figcaption><p>Select the Newly Created Project</p></figcaption></figure>

After the project has been provisioned, return to the project selector in the navigation bar and select the newly created project from the list. Verify that the project name displayed in the top navigation bar reflects your selection before proceeding.

***

### 4. Enabling Required APIs

All required APIs must be individually enabled for the newly created project. To access the API Library, perform the following:

<figure><img src="/files/Z1dePmi1xtwfxDbZfMJ6" alt=""><figcaption><p>Google Cloud Navigation Sidebar</p></figcaption></figure>

1. Click the hamburger menu icon (**☰**) in the top-left corner to open the navigation sidebar.
2. In the sidebar, navigate to **APIs & Services** and select **"Enabled APIs & services"**.
3. On the APIs & Services overview page, click **"+ Enable APIs and services"** in the top toolbar to open the API Library.

<figure><img src="/files/ZzsgutzFej6nWeOdmtbf" alt=""><figcaption><p><strong>+ Enable APIs and services Button in APIs &#x26; Services</strong></p></figcaption></figure>

***

#### 4.1 Enable Cloud Identity API (IAM API)

The Cloud Identity API, accessed via the Identity and Access Management (IAM) API, manages identity and access control for Google Cloud resources, including the creation of service accounts and the management of access policies.

**Option A — Command Line (Recommended):**

Execute the following command in your terminal to enable this API programmatically:

```bash
gcloud services enable cloudidentity.googleapis.com
```

**Option B — Google Cloud Console (Manual):**

| Step | Action                  | Details                                                                                                      |
| ---- | ----------------------- | ------------------------------------------------------------------------------------------------------------ |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.              |
| b    | Search for the API      | Enter `Cloud Identity` in the search box and select the **Identity and Access Management (IAM) API** result. |
| c    | Enable the API          | On the Product details page, click the **"Enable"** button to activate the API for your project.             |

***

#### 4.2 Enable Cloud Resource Manager API

The Cloud Resource Manager API enables programmatic management of Google Cloud Platform resource containers, including the creation, reading, and updating of project and folder metadata.

<figure><img src="/files/IJFfvZlb5sRoOjI9M9No" alt=""><figcaption><p>Cloud Resource Manager API Step b</p></figcaption></figure>

| Step | Action                  | Details                                                                                                             |
| ---- | ----------------------- | ------------------------------------------------------------------------------------------------------------------- |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.                     |
| b    | Search for the API      | Enter `cloudresourcemanager.googleapis.com` in the search box and select the **Cloud Resource Manager API** result. |
| c    | Enable the API          | On the Product details page, click the **"Enable"** button to activate the API for your project.                    |

<figure><img src="/files/dYPOEKmNfW2REfIxmYpa" alt=""><figcaption><p>Cloud Resource Manager API Step c</p></figcaption></figure>

***

#### 4.3 Enable Cloud Asset API

The Cloud Asset API provides functionality for managing the history and inventory of Google Cloud resources, enabling asset export, search, and change tracking across your project.

<figure><img src="/files/UL8Wxx6Q6NdvIepZkxFk" alt=""><figcaption><p>Cloud Asset API Step b</p></figcaption></figure>

| Step | Action                  | Details                                                                                          |
| ---- | ----------------------- | ------------------------------------------------------------------------------------------------ |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.  |
| b    | Search for the API      | Enter `cloud asset api` in the search box and select the **Cloud Asset API** result.             |
| c    | Enable the API          | On the Product details page, click the **"Enable"** button to activate the API for your project. |

<figure><img src="/files/SK3kqt3B8jcVeVnCmPmp" alt=""><figcaption><p>Cloud Asset API Step c</p></figcaption></figure>

***

#### 4.4 Enable Service Usage API

The Service Usage API enables and lists services that consumers wish to use on Google Cloud Platform.

<figure><img src="/files/2kaaU8fBpE73KXU8rztF" alt=""><figcaption><p>Cloud Service Usage API Step b</p></figcaption></figure>

> **Note:** This API may already be enabled by default on newly created projects. If the Product details page displays **"API Enabled"** with a green checkmark alongside a **"Manage"** button, the API is already active and no further action is required.

<figure><img src="/files/SydQlEPKIXr4yfDe2DOQ" alt=""><figcaption><p>Cloud Service Usage API Step c</p></figcaption></figure>

| Step | Action                  | Details                                                                                                                     |
| ---- | ----------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.                             |
| b    | Search for the API      | Enter `service usage api` in the search box and select the **Service Usage API** result.                                    |
| c    | Verify or Enable        | If the API is not yet enabled, click the **"Enable"** button. If it already shows **"API Enabled"**, no action is required. |

***

#### 4.5 Enable Recommender API

The Recommender API provides intelligent usage recommendations and insights for Google Cloud resources, helping optimize cost, security, and performance.

<figure><img src="/files/TIMnywNQ4dntAwNTCyn1" alt=""><figcaption><p>Recommender API Step b</p></figcaption></figure>

| Step | Action                  | Details                                                                                                            |
| ---- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.                    |
| b    | Search for the API      | Enter `recommender api` in the search box and select the **Recommender API** result (not the GKE Recommender API). |
| c    | Enable the API          | On the Product details page, click the **"Enable"** button to activate the API for your project.                   |

<figure><img src="/files/NcpfnATKOBdiY98CGOoo" alt=""><figcaption><p>Recommender API Step c</p></figcaption></figure>

***

#### 4.6 Enable Admin SDK API

The Admin SDK API enables programmatic management of Google Workspace account resources and audit usage, facilitating integration with directory services, reporting, and administrative controls.

<figure><img src="/files/v9Tizx1GTmOnlzOkDE1M" alt=""><figcaption><p>Admin SDK API Step b</p></figcaption></figure>

| Step | Action                  | Details                                                                                          |
| ---- | ----------------------- | ------------------------------------------------------------------------------------------------ |
| a    | Navigate to API Library | In the APIs & Services section, click **"+ Enable APIs and services"** to open the API Library.  |
| b    | Search for the API      | Enter `Admin api` in the search box and select the **Admin SDK API** result.                     |
| c    | Enable the API          | On the Product details page, click the **"Enable"** button to activate the API for your project. |

<figure><img src="/files/iGVECS06RJkB4B6KtDLI" alt=""><figcaption><p>Admin SDK API Step c</p></figcaption></figure>
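Once sections 4.1 through 4.6 are done, the following added example (not part of the original page or of Forestall's tooling) checks the project against the full list in one pass. It parses the JSON that `gcloud services list --enabled --format=json` prints and emits the single `gcloud services enable` command for whatever is still missing. The service names beyond the two quoted on this page are Google's published ones; because section 4.1 names both the Cloud Identity API and the IAM API, the example lists both and assumes the integration needs both.

```python
"""Report which of the APIs from section 4 are not yet enabled on a project.

Input: the output of  gcloud services list --enabled --project <ID> --format=json
"""
import json
import shlex

# Google service names for the APIs listed in section 4. Both the Cloud
# Identity API and the IAM API are included (assumption: the integration
# needs both; remove one if your deployment does not).
REQUIRED_SERVICES = {
    "cloudidentity.googleapis.com": "Cloud Identity API",
    "iam.googleapis.com": "Identity and Access Management (IAM) API",
    "cloudresourcemanager.googleapis.com": "Cloud Resource Manager API",
    "cloudasset.googleapis.com": "Cloud Asset API",
    "serviceusage.googleapis.com": "Service Usage API",
    "recommender.googleapis.com": "Recommender API",
    "admin.googleapis.com": "Admin SDK API",
}


def enabled_services(gcloud_json: str) -> set[str]:
    """Extract the service names from `gcloud services list --enabled` JSON."""
    names = set()
    for svc in json.loads(gcloud_json):
        if svc.get("state", "ENABLED") != "ENABLED":
            continue
        # Prefer config.name; fall back to the last segment of the resource name.
        name = svc.get("config", {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def missing_services(gcloud_json: str) -> list[str]:
    """Return the required services that are not enabled, sorted for stable output."""
    enabled = enabled_services(gcloud_json)
    return sorted(s for s in REQUIRED_SERVICES if s not in enabled)


def enable_command(missing: list[str], project_id: str) -> str:
    """Build one gcloud command that enables every missing service (empty if none)."""
    if not missing:
        return ""
    return "gcloud services enable " + " ".join(missing) + " --project " + shlex.quote(project_id)


# Constructed sample output (not captured from a real project): three required
# services are enabled, one unrelated service is enabled, the rest are missing.
SAMPLE_OUTPUT = json.dumps([
    {"name": "projects/123456789/services/cloudidentity.googleapis.com",
     "config": {"name": "cloudidentity.googleapis.com", "title": "Cloud Identity API"},
     "state": "ENABLED"},
    {"name": "projects/123456789/services/serviceusage.googleapis.com",
     "config": {"name": "serviceusage.googleapis.com", "title": "Service Usage API"},
     "state": "ENABLED"},
    {"name": "projects/123456789/services/cloudresourcemanager.googleapis.com",
     "config": {"name": "cloudresourcemanager.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/123456789/services/compute.googleapis.com",
     "config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
])

if __name__ == "__main__":
    missing = missing_services(SAMPLE_OUTPUT)
    for svc in missing:
        print(f"missing: {svc} ({REQUIRED_SERVICES[svc]})")
    print(enable_command(missing, "my-project-id"))
```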

***

### 5. Creating a Service Account and Assigning Organization-Level Roles

A service account must be created within the project and subsequently granted the required IAM roles at the organization level. This enables the service account to access and operate on resources across the organization hierarchy.

#### Step 5.1: Navigate to Service Accounts

<figure><img src="/files/nsM0jiIV1k9cV5AXAnZw" alt=""><figcaption><p>Service Account Creation</p></figcaption></figure>

In the Google Cloud Console, open the navigation sidebar by clicking the hamburger menu icon (**☰**) in the top-left corner. Navigate to **IAM & Admin** and select **Service Accounts** from the submenu. The Service Accounts page for the current project will be displayed.

***

#### Step 5.2: Create a New Service Account

On the Service Accounts page, click **"+ Create service account"** in the top toolbar. The Create service account panel will open on the right side of the screen.

Complete the form fields as follows:

| Field                           | Value / Instruction                                                                                                                                                       |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Service account name**        | Enter a descriptive display name (e.g., `Test Service Account`).                                                                                                          |
| **Service account ID**          | This field is auto-populated based on the name (e.g., `test-service-account`). It forms part of the service account's email address and cannot be changed after creation. |
| **Service account description** | Optionally, provide a brief description of the service account's intended purpose.                                                                                        |

<figure><img src="/files/lqxElO1s0ejcX9hm2oEM" alt=""><figcaption><p>Create Service Account Screen</p></figcaption></figure>

> **Note:** Upon completion of this step, the service account's full email address will be generated in the format `<service-account-id>@<project-id>.iam.gserviceaccount.com`. This address is used to identify the service account when granting access to resources.

Click **"Create and continue"** to proceed. The **Permissions** and **Principals with access** steps are optional and may be skipped at this stage. Click **"Done"** to finalize the service account creation.

***

#### Step 5.3: Navigate to the Organization Level

<figure><img src="/files/AT3T1i1M3cBVKgxEoT7b" alt=""><figcaption><p>Navigate to the Organization Level</p></figcaption></figure>

The required roles must be assigned at the **organization** level, not at the project level. To switch context to the organization:

1. Click the project selector button in the top navigation bar.
2. In the resource selection modal, locate and select the **organization** entry (e.g., `labs.forestall.io`, Type: `Organization`).

> **Note:** Ensure the organization entry is selected — not the project. Organization-level IAM changes apply to all projects and resources within that organization.

***

#### Step 5.4: Grant Access to the Service Account at the Organization Level

<figure><img src="/files/pkhVH8HbjZGFJHweCSCe" alt=""><figcaption><p>Grant Access to the Service Account at the Organization Level</p></figcaption></figure>

With the organization selected, navigate to **IAM & Admin > IAM** and click **"+ Grant access"** to open the Grant access panel.

In the **"New principals"** field, enter the full email address of the service account created in Step 5.2:

```
test-service-account@<project-id>.iam.gserviceaccount.com
```

***

#### Step 5.5: Assign Organization-Level Roles

The following roles must be assigned to the service account at the organization level. Click **"+ Add another role"** for each role and use the search box to locate it by name.

<figure><img src="/files/u5EEuXyhENSgk3QdPSEu" alt=""><figcaption><p>Assign Organization-Level Roles</p></figcaption></figure>

| Role Name                    | Role ID                                    | Description                                                                           |
| ---------------------------- | ------------------------------------------ | ------------------------------------------------------------------------------------- |
| **Browser**                  | `roles/browser`                            | Provides read access to browse GCP resources.                                         |
| **Cloud Asset Viewer**       | `roles/cloudasset.viewer`                  | Grants read-only access to Cloud Asset metadata.                                      |
| **Folder Viewer**            | `roles/resourcemanager.folderViewer`       | Grants access to view a folder and all of its child resources.                        |
| **IAM Recommender Viewer**   | `roles/recommender.iamViewer`              | Provides viewer access to IAM recommendations.                                        |
| **Organization Role Viewer** | `roles/iam.organizationRoleViewer`         | Grants read access to all custom roles in the organization and the projects below it. |
| **Organization Viewer**      | `roles/resourcemanager.organizationViewer` | Grants read-only access to view an organization.                                      |
| **Security Reviewer**        | `roles/iam.securityReviewer`               | Provides permissions to retrieve any IAM policy.                                      |
| **Service Usage Viewer**     | `roles/serviceusage.serviceUsageViewer`    | Grants the ability to inspect service states and operations for a consumer project.   |

Once all eight roles have been added, click **"Save"** to apply the role assignments to the service account.

> **Note:** All roles listed above are read-only in nature. They grant the service account visibility into organizational resources and configurations without permitting any write or administrative operations.
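Because these grants sit at the organization level, it is worth confirming after saving that the service account holds exactly the eight roles above and nothing more. The following added example (not part of the original page or of Forestall's tooling) reads the JSON from `gcloud organizations get-iam-policy <ORG_ID> --format=json`, compares the service account's bindings with the expected set, and flags any extra role such as a write role that was added by mistake. The sample policy and the project ID are constructed; bindings carrying IAM conditions are treated like unconditional ones.

```python
"""Audit the organization-level roles granted to the service account (Step 5.5).

Input: the output of  gcloud organizations get-iam-policy <ORG_ID> --format=json
"""
import json

# The eight read-only roles from the Step 5.5 table.
EXPECTED_ROLES = {
    "roles/browser",
    "roles/cloudasset.viewer",
    "roles/resourcemanager.folderViewer",
    "roles/recommender.iamViewer",
    "roles/iam.organizationRoleViewer",
    "roles/resourcemanager.organizationViewer",
    "roles/iam.securityReviewer",
    "roles/serviceusage.serviceUsageViewer",
}


def roles_for_member(policy_json: str, member: str) -> set[str]:
    """Collect every role bound to `member` (e.g. 'serviceAccount:...') in the policy."""
    policy = json.loads(policy_json)
    roles = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def audit_bindings(policy_json: str, sa_email: str) -> dict:
    """Compare the service account's granted roles with EXPECTED_ROLES."""
    granted = roles_for_member(policy_json, f"serviceAccount:{sa_email}")
    return {
        "missing": sorted(EXPECTED_ROLES - granted),      # still to be added
        "unexpected": sorted(granted - EXPECTED_ROLES),   # should be removed
        "ok": granted == EXPECTED_ROLES,
    }


# Constructed sample policy (not a real organization's): seven of the eight
# roles are present, Security Reviewer is missing, and an Editor binding has
# crept in for the service account, which the audit flags as unexpected.
SA_EMAIL = "test-service-account@my-project-id.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "etag": "BwXconstructed=",
    "version": 1,
    "bindings": [
        {"role": role, "members": [f"serviceAccount:{SA_EMAIL}"]}
        for role in sorted(EXPECTED_ROLES - {"roles/iam.securityReviewer"})
    ] + [
        {"role": "roles/editor",
         "members": ["user:admin@example.com", f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:admin@example.com"]},
    ],
})

if __name__ == "__main__":
    result = audit_bindings(SAMPLE_POLICY, SA_EMAIL)
    print("missing roles:   ", result["missing"])
    print("unexpected roles:", result["unexpected"])
    print("ok:", result["ok"])
```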

***

### 6. Creating a Service Account Key

A private key must be generated for the service account to enable authentication from external systems or applications. Follow the steps below to create and download the key.

**Step 6.1 — Access the Service Account Actions Menu**

<figure><img src="/files/0DAASFkqGsWyhXxmh9Pt" alt=""><figcaption><p><strong>Access the Service Account Actions Menu</strong></p></figcaption></figure>

Return to **IAM & Admin > Service Accounts** and ensure the correct project is selected in the navigation bar. Locate the service account created in Step 5.2 in the list. Click the **three-dot menu (⋮)** in the **Actions** column of that row to expand the context menu. Select **"Manage keys"** from the options presented.

**Step 6.2 — Open the Keys Tab**

<figure><img src="/files/KIUKTQqfPmtY67J2Ac8Q" alt=""><figcaption><p>Service Account Add Key</p></figcaption></figure>

The service account detail page will open on the **Keys** tab. This tab displays all existing keys associated with the service account, along with their type, status, creation date, and expiration date. If no keys have been created previously, the list will show "No rows to display".

> **Security Warning:** Service account keys can pose a security risk if compromised. Google recommends using Workload Identity Federation where possible as a more secure alternative to downloadable keys. Additionally, Google automatically disables service account keys detected in public repositories.

**Step 6.3 — Initiate Key Creation**

Click the **"Add key"** dropdown button and select **"Create new key"** from the menu.

<figure><img src="/files/OSC74p5tIsdhrrK22lkT" alt=""><figcaption><p>Service Account Key Tab</p></figcaption></figure>

**Step 6.4 — Select Key Type and Create**

A modal dialog titled **"Create private key for \<Service Account Name>"** will appear. Select the key type as follows:

| Key Type | Description                                                              | Recommendation                             |
| -------- | ------------------------------------------------------------------------ | ------------------------------------------ |
| **JSON** | Standard key format containing all credentials in a single file.         | ✅ Recommended                              |
| **P12**  | Legacy format for backward compatibility with code using the P12 format. | Use only if required by the target system. |

<figure><img src="/files/lxvFHyg6X4qvX5Kkx1an" alt=""><figcaption><p><strong>Select Key Type and Create</strong></p></figcaption></figure>

Select **JSON** and click **"Create"**. The private key file will be automatically downloaded to your computer.

**Step 6.5 — Store the Key Securely**

<figure><img src="/files/MAm0r1eBlIeOlrS0oVlQ" alt=""><figcaption><p>Save your private key</p></figcaption></figure>

Upon successful key creation, a confirmation dialog will appear stating **"Private key saved to your computer"**. The downloaded file will be named in the format:

```
<project-id>-<key-id>.json
```

> **⚠️ Important:** This JSON file contains credentials that allow full access to your cloud resources under the service account's permissions. Store this file in a secure location. **It cannot be recovered if lost** — if the key is lost or compromised, it must be deleted and a new key must be generated.
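Before the downloaded key is handed to the system that will use it, it helps to confirm it is the key you intended to create and that it is stored with restrictive permissions. The following added example (not part of the original page or of Forestall's tooling) validates the JSON key file's structure, checks that `client_email` has the `<service-account-id>@<project-id>.iam.gserviceaccount.com` form from Step 5.2 and matches the expected project, and restricts the file to owner read/write. The sample key is constructed with a placeholder private key body; the length rules encoded in the regular expression (6 to 30 characters for both IDs) are Google's documented limits.

```python
"""Validate a downloaded service account key file and lock down its permissions."""
import json
import os
import re
import stat
import tempfile

# <service-account-id>@<project-id>.iam.gserviceaccount.com, each ID 6-30 chars,
# lowercase letters, digits and hyphens, starting with a letter.
EMAIL_RE = re.compile(
    r"^([a-z][a-z0-9-]{4,28}[a-z0-9])@([a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"\.iam\.gserviceaccount\.com$"
)
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def validate_key(key_json: str, expected_project: str = "") -> list[str]:
    """Return the problems found in the key file; an empty list means it looks usable."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"unexpected type: {key['type']}")
    match = EMAIL_RE.match(key["client_email"])
    if not match:
        problems.append("client_email is not a service account address")
    elif match.group(2) != key["project_id"]:
        problems.append("client_email project does not match project_id")
    if expected_project and key["project_id"] != expected_project:
        problems.append(f"project_id {key['project_id']} != expected {expected_project}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def lock_down(path: str) -> int:
    """Restrict the key file to owner read/write (0600) and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def check_file(key_json: str, expected_project: str) -> tuple[list[str], int]:
    """Write the key to a temporary file, validate it and lock its permissions."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(key_json)
        return validate_key(key_json, expected_project), lock_down(path)
    finally:
        os.remove(path)  # the sample is only written to exercise lock_down


# Constructed sample (not a real key): the private_key body is a placeholder.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-project-id",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "test-service-account@my-project-id.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})

if __name__ == "__main__":
    problems, mode = check_file(SAMPLE_KEY, "my-project-id")
    print("problems:", problems or "none", "| mode:", oct(mode))
```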

***

{% hint style="info" %}
To complete the security handshake between Google Cloud and Google Workspace, ensure you have completed the Domain-Wide Delegation steps at the link below:
{% endhint %}

{% content-ref url="/pages/Pq05ANhIMvgqMsH30sI2" %}
[Domain-Wide Delegation](/fsprotect/settings/gcp-configurations/domain-wide-delegation.md)
{% endcontent-ref %}
