# GCP Authentication in Prowler

Prowler for Google Cloud supports multiple authentication methods. To use a specific method, configure the appropriate credentials during execution:

* [**User Credentials** (Application Default Credentials)](#application-default-credentials-user-credentials)
* [**Service Account Key File**](#service-account-key-file)
* [**Access Token**](#access-token)
* [**Service Account Impersonation**](#service-account-impersonation)

## Required Permissions

Prowler for Google Cloud requires the following permissions:

### IAM Roles

* **Viewer (`roles/viewer`)** – Must be granted at the **project, folder, or organization** level to allow scanning of target projects.
* **Service Usage Consumer (`roles/serviceusage.serviceUsageConsumer`)** IAM Role – Required for resource scanning.
* **Custom `ProwlerRole`** – Includes granular permissions that the Viewer role lacks:
  * `storage.buckets.getIamPolicy`

### Project-Level Settings

At least one project must have the following configurations:

* **Identity and Access Management (IAM) API (`iam.googleapis.com`)** – Must be enabled via:

  * The [Google Cloud API UI](https://console.cloud.google.com/apis/api/iam.googleapis.com/metrics), or
  * The `gcloud` CLI:

  ```sh
  gcloud services enable iam.googleapis.com --project <your-project-id>
  ```

* **Quota Project Setting** – Define a quota project using either:

  * The `gcloud` CLI:

  ```sh
  gcloud auth application-default set-quota-project <project-id>
  ```

  * Setting an environment variable:

  ```sh
  export GOOGLE_CLOUD_QUOTA_PROJECT=<project-id>
  ```

<Note>
  Prowler scans the GCP projects the supplied credentials can access. Use `--project-ids` to restrict the scan to specific projects.
</Note>

## Application Default Credentials (User Credentials)

This method authenticates as your own Google user account through the Google Cloud CLI and is suitable for development and testing environments.

### Setup Application Default Credentials

1. In the [GCP Console](https://console.cloud.google.com/), click on "Activate Cloud Shell"

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/access-console.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=96b905aa355ba3bbe33d8fc47562c58b" alt="Activate Cloud Shell" width="2699" height="822" data-path="images/providers/access-console.png" />

2. Click "Authorize Cloud Shell"

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/authorize-cloud-shell.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=5d099746aaa1179d8c6e7e80d3eb9ff7" alt="Authorize Cloud Shell" width="1179" height="396" data-path="images/providers/authorize-cloud-shell.png" />

3. Run the following command:

   ```bash
   gcloud auth application-default login
   ```

   * Type `Y` when prompted

   <img src="https://mintcdn.com/prowler/cmPhg0PQUNFwgauQ/images/providers/run-gcloud-auth.png?fit=max&auto=format&n=cmPhg0PQUNFwgauQ&q=85&s=ee345c02976cfba0f2777fddc09977f3" alt="Run Gcloud Auth" width="1042" height="263" data-path="images/providers/run-gcloud-auth.png" />

4. Open the authentication URL provided in a browser and select your Google account

   <img src="https://mintcdn.com/prowler/cmPhg0PQUNFwgauQ/images/providers/take-account-email.png?fit=max&auto=format&n=cmPhg0PQUNFwgauQ&q=85&s=51f26697b050e45ed109d7de49540b3d" alt="Choose the account" width="1199" height="732" data-path="images/providers/take-account-email.png" />

5. Follow the steps to obtain the authentication code

   <img src="https://mintcdn.com/prowler/VEKBBm2VL7R8-xYV/images/providers/copy-auth-code.png?fit=max&auto=format&n=VEKBBm2VL7R8-xYV&q=85&s=7dc5ffe2d519351d009ead0198a3091f" alt="Copy auth code" width="612" height="742" data-path="images/providers/copy-auth-code.png" />

6. Paste the authentication code back in Cloud Shell

   <img src="https://mintcdn.com/prowler/3MeTQEK7UW2A9QiV/images/providers/enter-auth-code.png?fit=max&auto=format&n=3MeTQEK7UW2A9QiV&q=85&s=bb6a39f186d02de52c493c12b9ddb9bc" alt="Enter Auth Code" width="1736" height="442" data-path="images/providers/enter-auth-code.png" />

7. Run `cat <file_name>` on the path printed by the previous command to view the credentials file

   <img src="https://mintcdn.com/prowler/3MeTQEK7UW2A9QiV/images/providers/get-temp-file-credentials.png?fit=max&auto=format&n=3MeTQEK7UW2A9QiV&q=85&s=6ce807441c7a100639b7de0ab9fb3719" alt="Get the FileName" width="1640" height="446" data-path="images/providers/get-temp-file-credentials.png" />

8. Extract the following values for Prowler Cloud/App:

   * `client_id`
   * `client_secret`
   * `refresh_token`

   Treat these values as secrets: the refresh token grants the same access as your user account until it is revoked.

   <img src="https://mintcdn.com/prowler/3MeTQEK7UW2A9QiV/images/providers/get-needed-values-auth.png?fit=max&auto=format&n=3MeTQEK7UW2A9QiV&q=85&s=710bc8e49b678b80c2f3d41fbbede99d" alt="Get the values" width="2266" height="429" data-path="images/providers/get-needed-values-auth.png" />

### Using with Prowler CLI

Once application default credentials are set up, run Prowler directly:

```console
prowler gcp --project-ids <project-id>
```

## Service Account Key File

This method uses a service account with a downloaded key file for authentication.

### Step 1: Create ProwlerRole

To keep permissions focused:

1. In **IAM & Admin > Roles**, click **Create role**. Set the title to *ProwlerRole*, keep the ID readable (for example, `prowler_role`), and include only the permissions your compliance team approves.
2. Add the required permission `storage.buckets.getIamPolicy` (the permission highlighted in the screenshots). To find it quickly, filter the permission list by the `Storage Admin` role.

<img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/roles-section.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=08cb05c799de17320974f83ff422cd48" alt="Create a custom Prowler role" width="2558" height="1124" data-path="user-guide/providers/gcp/img/roles-section.png" />

<img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/prowler-role.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=e90127867d19b5032691adf76ca03de1" alt="Sample permissions for a custom Prowler role" width="2538" height="1812" data-path="user-guide/providers/gcp/img/prowler-role.png" />

### Step 2: Create the Service Account

1. Navigate to **IAM & Admin > Service Accounts** and make sure the correct project is selected.

   <img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/service-account-page.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=4c1836e3b6d4574d46960d7f7d5f4f0c" alt="Service accounts landing page" width="2584" height="1034" data-path="user-guide/providers/gcp/img/service-account-page.png" />

2. Select **Create service account**, provide a name, ID, and a short description that states the purpose (for example, “Service account to execute Prowler”), then click **Create and continue**.

   <img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/create-service-account.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=e9780e84c1276b11f398b0e4678f3a03" alt="Create service account wizard" width="2560" height="1396" data-path="user-guide/providers/gcp/img/create-service-account.png" />

3. Assign the roles you prepared earlier:

   * **ProwlerRole** for `cloudstorage` service checks.
   * **Viewer** for broad read-only visibility.
   * **Service Usage Consumer** so Prowler can inspect API states.

   <img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/service-account-permissions.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=a5f3ea4bb08236020cb54d59d52322c0" alt="Assign roles to the service account" width="2560" height="1806" data-path="user-guide/providers/gcp/img/service-account-permissions.png" />

4. Continue through the wizard and finish. No principals need to be granted access in step 3 unless you want other identities to impersonate this account.

### Step 3: Generate a JSON Key

1. Open the newly created service account, move to the **Keys** tab, and choose **Add key > Create new key**.

   <img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/create-new-key.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=188edf94362e7beca95bc773ccf0def5" alt="Add a new key to the service account" width="1667" height="705" data-path="user-guide/providers/gcp/img/create-new-key.png" />

2. Select **JSON** as the key type and click **Create**. The browser downloads the private key exactly once; Google does not keep a copy, so a lost key must be replaced by creating a new one.

   <img src="https://mintcdn.com/prowler/R3TgzvrQGHAsWrK1/user-guide/providers/gcp/img/json-key.png?fit=max&auto=format&n=R3TgzvrQGHAsWrK1&q=85&s=7535e9b7a850419939fc079c2670906a" alt="Select JSON as the key type" width="1080" height="636" data-path="user-guide/providers/gcp/img/json-key.png" />

3. Store the downloaded key securely. It is a long-lived credential for the service account: keep it out of source control, restrict its file permissions, and delete it from the **Keys** tab when it is no longer needed.
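
The three console steps above collapsed into a `gcloud` script, as an added example rather than Prowler's own tooling. The project ID in `PROJECT_ID`, the service account name `prowler`, the role ID `prowler_role` and the output file `prowler-key.json` are illustrative defaults, not values from the page. With `DRY_RUN=1` the script prints each command to stderr instead of executing it, so the sequence can be reviewed before anything is created.

```shell
#!/bin/sh
# Added example: gcloud equivalent of Steps 1-3 (not Prowler's own tooling).
# PROJECT_ID, SA_NAME, ROLE_ID and KEY_FILE are assumed names; override via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-prowler}"
ROLE_ID="${ROLE_ID:-prowler_role}"
KEY_FILE="${KEY_FILE:-prowler-key.json}"

# run CMD...: execute CMD, or print it to stderr when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*" >&2
  else
    "$@"
  fi
}

# sa_email NAME PROJECT: the email GCP assigns to a user-managed service account.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"
}

# role_resource PROJECT ROLE_ID: full resource name of a project-level custom role.
role_resource() {
  printf 'projects/%s/roles/%s\n' "$1" "$2"
}

setup_prowler_sa() {
  email="$(sa_email "$SA_NAME" "$PROJECT_ID")"

  # Step 1: custom role holding only the permission roles/viewer lacks.
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" \
    --title ProwlerRole \
    --description "Permissions Prowler needs beyond roles/viewer" \
    --permissions storage.buckets.getIamPolicy \
    --stage GA

  # Step 2: the service account and its three project-level role bindings.
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "Prowler" \
    --description "Service account to execute Prowler"
  for role in roles/viewer \
              roles/serviceusage.serviceUsageConsumer \
              "$(role_resource "$PROJECT_ID" "$ROLE_ID")"; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:$email" --role "$role"
  done

  # Step 3: JSON key. The private key is returned only here, so lock the
  # file down immediately and keep it out of version control.
  run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account "$email"
  run chmod 600 "$KEY_FILE"
}

# Apply only when invoked as "sh setup.sh apply"; sourcing the file just defines
# the functions. Review first with: DRY_RUN=1 sh setup.sh apply
if [ "${1:-}" = "apply" ]; then
  setup_prowler_sa
fi
```

The custom role is bound with its full resource name (`projects/<project>/roles/<id>`), which is what `--role` expects for project-level custom roles; the predefined roles keep their `roles/...` form.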

### Using with Prowler CLI

Set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable:

```console
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
prowler gcp --project-ids <project-id>
```

## Access Token

For existing access tokens (e.g., generated with `gcloud auth print-access-token`), run Prowler with:

```bash
export CLOUDSDK_AUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
prowler gcp --project-ids <project-id>
```

<Note>
  When using this method, also set the default project explicitly:

  ```bash
  export GOOGLE_CLOUD_PROJECT=<project-id>
  ```

  Access tokens from `gcloud auth print-access-token` are short-lived (typically one hour), so a long scan may need a freshly generated token.
</Note>

## Service Account Impersonation

To impersonate a GCP service account, use the `--impersonate-service-account` argument followed by the service account email:

```console
prowler gcp --impersonate-service-account <service-account-email>
```

This command uses the Application Default Credentials configured above to impersonate the specified service account, so the scan runs with that account's permissions rather than the caller's.

### Prerequisites for Impersonation

The identity running Prowler must hold the following role on the target service account (grant it on the service account itself rather than on the project, so the caller can impersonate only that account):

* `roles/iam.serviceAccountTokenCreator`

Or a custom role containing the more specific permission:

* `iam.serviceAccounts.generateAccessToken`
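
Granting and checking this prerequisite from the CLI, as an added example and not Prowler's own tooling. The caller `user:alice@example.com`, the target `prowler@my-project.iam.gserviceaccount.com` and the project `my-project` are placeholders. The binding is placed on the service account resource, not on the project, so the caller can mint tokens for this one account only; `DRY_RUN=1` prints the commands to stderr instead of running them.

```shell
#!/bin/sh
# Added example (not Prowler's own tooling): grant impersonation on the target
# service account only, verify a token can be minted, then run Prowler.
# CALLER, TARGET_SA and PROJECT_ID are placeholders; override via env.
set -eu

CALLER="${CALLER:-user:alice@example.com}"
TARGET_SA="${TARGET_SA:-prowler@my-project.iam.gserviceaccount.com}"
PROJECT_ID="${PROJECT_ID:-my-project}"

# run CMD...: execute CMD, or print it to stderr when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*" >&2; else "$@"; fi
}

# Bind Token Creator on the service account resource. A project-level binding
# (gcloud projects add-iam-policy-binding) would let CALLER impersonate every
# service account in the project, which is far more than Prowler needs.
grant_impersonation() {
  run gcloud iam service-accounts add-iam-policy-binding "$TARGET_SA" \
    --member "$CALLER" --role roles/iam.serviceAccountTokenCreator
}

# Fail fast before scanning: this call fails if the binding has not propagated
# or the caller cannot mint a token for TARGET_SA. The token itself is discarded.
check_impersonation() {
  run gcloud auth print-access-token --impersonate-service-account "$TARGET_SA" >/dev/null
}

scan_as_service_account() {
  run prowler gcp --impersonate-service-account "$TARGET_SA" --project-ids "$PROJECT_ID"
}

# Apply only when invoked as "sh impersonate.sh apply". Dry run:
# DRY_RUN=1 sh impersonate.sh apply
if [ "${1:-}" = "apply" ]; then
  grant_impersonation
  check_impersonation
  scan_as_service_account
fi
```

IAM changes can take a short while to propagate, so a failed `check_impersonation` right after the grant is worth retrying before treating it as a permissions problem.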
