GCP Authentication in Prowler
Required Permissions
Prowler for Google Cloud requires the following permissions:
IAM Roles
- Reader (roles/reader) – Must be granted at the project, folder, or organization level to allow scanning of target projects.
Project-Level Settings
At least one project must have the following configurations:
- Identity and Access Management (IAM) API (iam.googleapis.com) – Must be enabled via:
  - The Google Cloud API UI, or
  - The gcloud CLI:
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) IAM Role – Required for resource scanning.
- Quota Project Setting – Define a quota project using either:
  - The gcloud CLI:
  - Setting an environment variable:
  - The
Note
prowler will scan the GCP project associated with the credentials.
Credentials lookup order
Prowler follows the same credential search process as Google authentication libraries, checking credentials in this order:
1. GOOGLE_APPLICATION_CREDENTIALS environment variable
2. CLOUDSDK_AUTH_ACCESS_TOKEN + optional GOOGLE_CLOUD_PROJECT
3. User credentials set up by using the Google Cloud CLI
4. Attached service account (e.g., Cloud Run, GCE, Cloud Functions)
Note
The credentials must belong to a user or service account with the necessary permissions. To ensure full access, assign the roles/reader IAM role to the identity being used.
Note
Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.
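As an added example (not Prowler's own code), the Python preflight below walks the lookup order above over an environment mapping and reports which source the Google auth resolution would pick, flagging an access token used without GOOGLE_CLOUD_PROJECT (the case the access-token section below tells you to set explicitly). The function name, the gcloud_user_logged_in and attached_service_account flags, and the sample values are assumptions.

```python
# Added example, not Prowler's own code: predict which credential source the
# documented lookup order selects before launching a scan. Purely local.
import os
from dataclasses import dataclass, field
from typing import Callable, List, Mapping, Optional

LOOKUP_ORDER = (
    "GOOGLE_APPLICATION_CREDENTIALS",  # 1. key file path in the environment
    "CLOUDSDK_AUTH_ACCESS_TOKEN",      # 2. raw token, optionally with GOOGLE_CLOUD_PROJECT
    "gcloud user credentials",         # 3. user credentials set up with the Google Cloud CLI
    "attached service account",        # 4. Cloud Run / GCE / Cloud Functions identity
)

@dataclass
class CredentialPlan:
    source: Optional[str]              # winning LOOKUP_ORDER entry, or None
    project: Optional[str]             # GOOGLE_CLOUD_PROJECT if set
    warnings: List[str] = field(default_factory=list)

def resolve_credential_source(
    env: Mapping[str, str],
    gcloud_user_logged_in: bool = False,     # assumed flag, e.g. from `gcloud auth list`
    attached_service_account: bool = False,  # assumed flag, e.g. metadata server reachable
    path_exists: Callable[[str], bool] = os.path.exists,
) -> CredentialPlan:
    """Walk the documented order and stop at the first source that is present."""
    plan = CredentialPlan(source=None, project=env.get("GOOGLE_CLOUD_PROJECT") or None)
    key_file = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if key_file:
        plan.source = LOOKUP_ORDER[0]
        if not path_exists(key_file):
            # The Google auth library errors on a dangling path instead of
            # falling through to the next source, so surface it up front.
            plan.warnings.append(f"GOOGLE_APPLICATION_CREDENTIALS points to a missing file: {key_file}")
        return plan
    if env.get("CLOUDSDK_AUTH_ACCESS_TOKEN"):
        plan.source = LOOKUP_ORDER[1]
        if not plan.project:
            plan.warnings.append("access token set without GOOGLE_CLOUD_PROJECT; set the default project explicitly")
        return plan
    if gcloud_user_logged_in:
        plan.source = LOOKUP_ORDER[2]
    elif attached_service_account:
        plan.source = LOOKUP_ORDER[3]
    else:
        plan.warnings.append("no credential source found in any of the four documented locations")
    return plan
```

Run it against os.environ (or a constructed mapping) before a CI scan so a misrouted credential is caught before Prowler ever calls a Google API.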
Using an Access Token
For existing access tokens (e.g., generated with gcloud auth print-access-token), run Prowler with:
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
prowler gcp --project-ids <project-id>
Note
When using this method, also set the default project explicitly:
Impersonating a GCP Service Account
To impersonate a GCP service account, use the --impersonate-service-account argument followed by the service account email:
This command leverages the default credentials to impersonate the specified service account.