Prowler for Google Cloud supports multiple authentication methods. To use a specific method, configure the appropriate credentials before running Prowler, as described below.

Required Permissions

Prowler for Google Cloud requires the following permissions:

IAM Roles

  • Viewer (roles/viewer) – Must be granted at the project, folder, or organization level to allow scanning of target projects.
  • Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) IAM Role – Required for resource scanning.
  • Custom ProwlerRole – A custom role that grants the granular permissions not included in the Viewer role; at present it needs only:
    • storage.buckets.getIamPolicy

Project-Level Settings

At least one project (the one used as the quota project) must have the following configuration:
  • Identity and Access Management (IAM) API (iam.googleapis.com) – Must be enabled via:
    gcloud services enable iam.googleapis.com --project <your-project-id>
    
  • Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) IAM Role – Must be granted to the identity running Prowler on that project, so that it can consume the project's API quota during resource scanning.
  • Quota Project Setting – Define a quota project using either:
    • The gcloud CLI:
    gcloud auth application-default set-quota-project <project-id>
    
    • Setting an environment variable:
    export GOOGLE_CLOUD_QUOTA_PROJECT=<project-id>
    
By default, Prowler scans the GCP project associated with the credentials. Pass --project-ids to scan specific projects instead; the scanning identity must hold the roles above on each of them.

Application Default Credentials (User Credentials)

This method uses the Google Cloud CLI to authenticate as your own Google user and is suitable for development and testing environments. For unattended or scheduled scans, use a service account (key file or impersonation) instead.

Setup Application Default Credentials

  1. In the GCP Console, click “Activate Cloud Shell”.
  2. Click “Authorize Cloud Shell”.
  3. Run the following command:
    gcloud auth application-default login
    
    • Type Y when prompted.
  4. Open the authentication URL provided in a browser and select your Google account.
  5. Follow the steps to obtain the authentication code.
  6. Paste the authentication code back in Cloud Shell.
  7. Use cat <file_name> to view the credentials file (the login command prints its path when it finishes).
  8. Extract the following values for Prowler Cloud/App:
    • client_id
    • client_secret
    • refresh_token
    The refresh_token is a long-lived credential for your Google account: handle these values like a password, and do not commit the file or paste the values into tickets or chat.
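
The following script is an added example for step 8 and is not part of the Prowler documentation or the Prowler code base. It pulls client_id, client_secret and refresh_token out of the file written by gcloud auth application-default login, and refuses any file whose type is not authorized_user (a service-account key, for instance, has type service_account and no refresh token, so it cannot be used for Prowler Cloud/App this way). It assumes gcloud's one-key-per-line JSON layout, so plain sed suffices in Cloud Shell without jq; the sample file it writes is constructed with placeholder values.

```shell
#!/usr/bin/env sh
# Added example, not part of the Prowler documentation: extract the three
# values Prowler Cloud/App asks for from an Application Default Credentials
# file, refusing anything that is not a user-credential ("authorized_user") file.
# Assumption: gcloud's one-key-per-line JSON layout, so sed is enough and no
# jq or python is needed. Values containing escaped quotes are not handled.

# Print the string value of JSON key $2 in file $1, or nothing if absent.
adc_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# Print key=value lines for the three fields; fail if the file is the wrong
# kind (a service-account key has type "service_account" and no refresh token).
extract_adc_values() {
  file="$1"
  cred_type=$(adc_field "$file" type)
  if [ "$cred_type" != "authorized_user" ]; then
    echo "error: $file has type '${cred_type:-unknown}', expected authorized_user" >&2
    return 1
  fi
  for key in client_id client_secret refresh_token; do
    value=$(adc_field "$file" "$key")
    if [ -z "$value" ]; then
      echo "error: $key not found in $file" >&2
      return 1
    fi
    printf '%s=%s\n' "$key" "$value"
  done
}

# Constructed sample in the layout gcloud writes (placeholder values, not
# real credentials), written to $1 so the functions can be tried offline.
write_sample_adc_file() {
  cat > "$1" <<'EOF'
{
  "client_id": "example-client-id.apps.googleusercontent.com",
  "client_secret": "example-client-secret",
  "quota_project_id": "example-quota-project",
  "refresh_token": "1//example-refresh-token",
  "type": "authorized_user"
}
EOF
}

# Usage: ./adc_values.sh [path-to-application_default_credentials.json]
# Without an argument it runs against the constructed sample. The output
# contains a long-lived refresh token: treat it like a password.
if [ "$#" -gt 0 ]; then
  extract_adc_values "$1"
else
  sample=$(mktemp)
  write_sample_adc_file "$sample"
  extract_adc_values "$sample"
  rm -f "$sample"
fi
```

The type check is the part worth keeping even if you extract the values by hand: Prowler Cloud/App expects user credentials here, and pasting fields from a service-account key file into that form will not work.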

Using with Prowler CLI

Once application default credentials are set up, run Prowler directly:
prowler gcp --project-ids <project-id>

Service Account Key File

This method uses a service account with a downloaded key file for authentication.

Step 1: Create ProwlerRole

To keep permissions focused:
  1. Create a custom role named ProwlerRole that explicitly includes only the permissions your compliance team approves. In IAM & Admin > Roles, click Create role, set the title to ProwlerRole, and keep the ID readable (for example, prowler_role).
  2. Add the required permission storage.buckets.getIamPolicy. To find it quickly, filter the permission list by the Storage Admin role, which contains it.

Step 2: Create the Service Account

  1. Navigate to IAM & Admin > Service Accounts and make sure the correct project is selected.
  2. Select Create service account, provide a name, ID, and a short description that states the purpose (for example, “Service account to execute Prowler”), then click Create and continue.
  3. Assign the roles you prepared earlier:
    • ProwlerRole for the Cloud Storage checks that need storage.buckets.getIamPolicy.
    • Viewer for broad read-only visibility.
    • Service Usage Consumer so Prowler can inspect API states and use the project's quota.
  4. Continue through the wizard and finish. The optional “Grant users access to this service account” step can be left empty unless other identities need to impersonate this account.

Step 3: Generate a JSON Key

  1. Open the newly created service account, move to the Keys tab, and choose Add key > Create new key.
  2. Select JSON as the key type and click Create. The browser downloads the file exactly once; Google does not keep a copy of the private key, so a lost file means creating a new key.
  3. Store the key securely: it is a long-lived bearer credential that by default never expires. Restrict the file's permissions to the user that runs Prowler, keep it out of version control, rotate it periodically, and delete it when it is no longer needed. If the machine running Prowler already has Google credentials, prefer Service Account Impersonation (below) and create no key at all.
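
The script below is an added example and not Prowler's own tooling: it is the gcloud equivalent of Steps 1 to 3 (custom role, service account, role bindings, JSON key) for teams that provision from the CLI or from CI rather than the console. It assumes the custom role ID prowler_role in the target project, a service-account ID passed as the second argument (default prowler), and a single project passed as the first argument; the bindings are made at project level, and the GCLOUD variable can be set to echo to print the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not Prowler's own tooling: the CLI equivalent of Steps 1-3.
# Assumptions: custom role ID prowler_role in the target project, service
# account ID $2 (default "prowler"), one target project $1, project-level
# bindings. Set GCLOUD=echo to print the gcloud commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"

# Step 1: a custom role holding only the permission Viewer lacks.
create_prowler_role() {
  project="$1"
  "$GCLOUD" iam roles create prowler_role \
    --project="$project" \
    --title="ProwlerRole" \
    --description="Granular permissions for Prowler not included in Viewer" \
    --permissions="storage.buckets.getIamPolicy" \
    --stage="GA"
}

# Email derived from the IDs; used for bindings, key creation and impersonation.
prowler_sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$2" "$1"
}

# Step 2: enable the IAM API, create the service account and bind the three
# roles on the project. The custom role is referenced as
# projects/<project>/roles/<id>; predefined roles by their roles/ names.
provision_prowler_identity() {
  project="$1"
  sa_id="${2:-prowler}"
  sa_email=$(prowler_sa_email "$project" "$sa_id")

  "$GCLOUD" services enable iam.googleapis.com --project="$project"
  create_prowler_role "$project"
  "$GCLOUD" iam service-accounts create "$sa_id" \
    --project="$project" \
    --display-name="Prowler" \
    --description="Service account to execute Prowler"
  for role in roles/viewer \
              roles/serviceusage.serviceUsageConsumer \
              "projects/${project}/roles/prowler_role"; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" \
      --role="$role"
  done
}

# Step 3: a JSON key. The private key is returned once and cannot be
# downloaded again, so create it under a restrictive umask and lock the file
# down. Keys do not expire by default: rotate or delete them, and prefer
# impersonation wherever the caller already has Google credentials.
create_prowler_key() {
  sa_email="$1"
  key_file="${2:-prowler-sa-key.json}"
  ( umask 077 && "$GCLOUD" iam service-accounts keys create "$key_file" --iam-account="$sa_email" )
  [ -f "$key_file" ] && chmod 600 "$key_file"
  printf '%s\n' "$key_file"
}

# Usage: ./provision_prowler.sh <project-id> [service-account-id]
if [ "$#" -gt 0 ]; then
  provision_prowler_identity "$1" "${2:-prowler}"
  key=$(create_prowler_key "$(prowler_sa_email "$1" "${2:-prowler}")")
  printf 'Run: GOOGLE_APPLICATION_CREDENTIALS=%s prowler gcp --project-ids %s\n' "$key" "$1"
fi
```

Running it once with GCLOUD=echo is a cheap way to review exactly which bindings will be created before touching the project; the same three bindings are what the console wizard in Step 2 produces.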

Using with Prowler CLI

Set the GOOGLE_APPLICATION_CREDENTIALS environment variable:
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
prowler gcp --project-ids <project-id>

Access Token

For existing access tokens (e.g., generated with gcloud auth print-access-token), set the default project explicitly and then run Prowler with the token:
export GOOGLE_CLOUD_PROJECT=<project-id>
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
prowler gcp --project-ids <project-id>
Access tokens are short-lived (about an hour by default), so this method suits one-off runs rather than scheduled scans.

Service Account Impersonation

To impersonate a GCP service account, use the --impersonate-service-account argument followed by the service account email:
prowler gcp --impersonate-service-account <service-account-email>
This command leverages the default credentials (for example, your own Application Default Credentials) to obtain short-lived tokens for the specified service account, so no key file is created or stored. The impersonated service account must itself hold the roles listed under Required Permissions on the target projects.

Prerequisites for Impersonation

The identity running Prowler must be allowed to create tokens for the target service account. Grant it, on the service account itself rather than on the whole project, either the predefined role:
  • roles/iam.serviceAccountTokenCreator
Or a custom role that contains the specific permission:
  • iam.serviceAccounts.generateAccessToken
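
The script below is an added example and is not part of the Prowler documentation. It grants one caller the Token Creator role on the Prowler service account (on the account resource, not on the project, so the caller can impersonate exactly this account and no other), confirms the grant works by minting a short-lived token, runs Prowler through impersonation, and shows how to revoke the grant afterwards. It assumes the service account email as the first argument, the caller as a full IAM member string such as user:alice@example.com as the second, and the project to scan as the third; GCLOUD and PROWLER can be set to echo to print the commands instead of running them.

```shell
#!/usr/bin/env sh
# Added example, not part of the Prowler documentation: grant, verify, use
# and revoke impersonation of the Prowler service account.
# Assumptions: $1 = service account email, $2 = caller as an IAM member string
# (user:..., serviceAccount:..., group:...), $3 = project to scan.
# GCLOUD=echo / PROWLER=echo print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
PROWLER="${PROWLER:-prowler}"

# Bind Token Creator on the service account resource itself, not on the
# project: a project-level grant would let the caller impersonate every
# service account in the project.
grant_impersonation() {
  sa_email="$1"
  member="$2"
  "$GCLOUD" iam service-accounts add-iam-policy-binding "$sa_email" \
    --member="$member" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Remove the grant again once the scan window or engagement is over.
revoke_impersonation() {
  sa_email="$1"
  member="$2"
  "$GCLOUD" iam service-accounts remove-iam-policy-binding "$sa_email" \
    --member="$member" \
    --role="roles/iam.serviceAccountTokenCreator"
}

# Minting a token is the cheapest end-to-end check of the grant. IAM changes
# can take a minute or two to propagate, so retry a few times before failing.
verify_impersonation() {
  sa_email="$1"
  attempts="${2:-5}"
  while [ "$attempts" -gt 0 ]; do
    if "$GCLOUD" auth print-access-token --impersonate-service-account="$sa_email" >/dev/null 2>&1; then
      return 0
    fi
    attempts=$((attempts - 1))
    [ "$attempts" -gt 0 ] && sleep 15
  done
  echo "error: could not impersonate $sa_email (check the Token Creator grant)" >&2
  return 1
}

# Prowler uses the caller's default credentials and asks IAM for tokens as
# the service account; no key file is ever created or stored.
run_prowler_impersonated() {
  sa_email="$1"
  project="$2"
  "$PROWLER" gcp --impersonate-service-account "$sa_email" --project-ids "$project"
}

# Usage: ./impersonate.sh <service-account-email> <member> <project-id>
if [ "$#" -eq 3 ]; then
  grant_impersonation "$1" "$2"
  verify_impersonation "$1"
  run_prowler_impersonated "$1" "$3"
  revoke_impersonation "$1" "$2"
fi
```

If verify_impersonation fails even after the retries, the usual causes are the binding having been made on the project instead of the service account, or the caller's default credentials being stale; gcloud auth application-default login refreshes the latter.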