GCP authentication
By default, Prowler uses your User Account credentials. You can configure them with the following commands:

```shell
gcloud init                            # to use a new account
gcloud config set account <account>    # to use an existing account
gcloud auth application-default login
```

This will generate Application Default Credentials (ADC) that Prowler will use automatically.
Using a Service Account key file
Otherwise, you can generate and download Service Account keys in JSON format (refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys) and provide the location of the file with the following argument:
Note: `prowler` will scan the GCP project associated with the credentials.
Using an access token
If you already have an access token (e.g., generated with `gcloud auth print-access-token`), you can run Prowler with:

```shell
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
prowler gcp --project-ids <project-id>
```

Note: If using this method, it's recommended to also set the default project explicitly:
Credentials lookup order
Prowler follows the same search order as Google authentication libraries:
- `GOOGLE_APPLICATION_CREDENTIALS` environment variable
- `CLOUDSDK_AUTH_ACCESS_TOKEN` + optional `GOOGLE_CLOUD_PROJECT`
- User credentials set up by using the Google Cloud CLI
- Attached service account (e.g., Cloud Run, GCE, Cloud Functions)

Note: The credentials must belong to a user or service account with the necessary permissions. To ensure full access, assign the `roles/viewer` IAM role to the identity being used.

Note: Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.
Needed permissions
Prowler for Google Cloud needs the following permissions to be set:
- Viewer (`roles/viewer`) IAM role: granted at the project / folder / org level in order to scan the target projects
- Project level settings: you need to have at least one project with the below settings:
  - Identity and Access Management (IAM) API (`iam.googleapis.com`) enabled, either using the Google Cloud API UI or the gcloud CLI command `gcloud services enable iam.googleapis.com --project <your-project-id>`
  - Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`) IAM role
  - Set the quota project to be this project, either by running `gcloud auth application-default set-quota-project <project-id>` or by setting an environment variable: `export GOOGLE_CLOUD_QUOTA_PROJECT=<project-id>`

The above settings must be associated with a user or service account.
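A preflight check, added here as an example and not part of Prowler, that mirrors the credentials lookup order above and the quota-project setting from the permissions list, so you can confirm which identity and quota project a scan will run under before launching it. The ADC file path and the attached-service-account flag are passed in as arguments (assumed, since the script cannot know your runtime), and the ADC file in the demo is constructed sample data.

```shell
#!/usr/bin/env sh
# Example preflight helper (not Prowler's own code): reports which credential
# source wins under the documented lookup order and which quota project the
# API calls will be attributed to. Assumption: the caller supplies the ADC
# file path and whether an attached service account exists on this host.

# Print the credential source that wins for the given inputs.
#   $1 GOOGLE_APPLICATION_CREDENTIALS value   $2 CLOUDSDK_AUTH_ACCESS_TOKEN value
#   $3 path to the gcloud ADC JSON file       $4 "1" when an attached SA exists
credential_source() {
  key_file="$1"; token="$2"; adc_file="$3"; attached="$4"
  if [ -n "$key_file" ]; then
    # A set-but-unreadable key path fails loudly instead of silently falling through.
    [ -r "$key_file" ] || { echo "error:key-file-unreadable"; return 1; }
    echo "service-account-key"
  elif [ -n "$token" ]; then
    echo "access-token"
  elif [ -r "$adc_file" ]; then
    echo "user-adc"
  elif [ "$attached" = "1" ]; then
    echo "attached-service-account"
  else
    echo "none"; return 1
  fi
}

# Print the quota project API calls are attributed to: the
# GOOGLE_CLOUD_QUOTA_PROJECT variable wins, then quota_project_id in the ADC file.
quota_project() {
  env_quota="$1"; adc_file="$2"
  if [ -n "$env_quota" ]; then echo "$env_quota"; return 0; fi
  [ -r "$adc_file" ] || return 1
  # gcloud writes flat JSON, so a sed capture is enough without jq.
  sed -n 's/.*"quota_project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$adc_file" | head -n 1
}

# Demo with a constructed ADC file (sample data, not a real credential).
demo_dir=$(mktemp -d)
printf '{"type":"authorized_user","quota_project_id":"demo-quota-project"}\n' > "$demo_dir/adc.json"
echo "source: $(credential_source "${GOOGLE_APPLICATION_CREDENTIALS:-}" \
  "${CLOUDSDK_AUTH_ACCESS_TOKEN:-}" "$demo_dir/adc.json" 0)"
echo "quota project: $(quota_project "${GOOGLE_CLOUD_QUOTA_PROJECT:-}" "$demo_dir/adc.json")"
rm -r "$demo_dir"
```

Run it with the same environment you would launch `prowler gcp` from; a result of `none` or an `error:` line means the scan would not authenticate as you expect.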
Impersonate Service Account
If you want to impersonate a GCP service account, you can use the `--impersonate-service-account` argument:
This argument will use the default credentials to impersonate the service account provided.