About UsProwler App
Step 1: Get the GCP Project ID
- Go to the GCP Console
- Locate the Project ID on the welcome screen
Step 2: Access Prowler Cloud or Prowler App
- Navigate to Prowler Cloud or launch Prowler App
-
Go to “Configuration” > “Cloud Providers”
-
Click “Add Cloud Provider”
-
Select “Google Cloud Platform”
-
Add the Project ID and optionally provide a provider alias, then click “Next”
Step 3: Set Up GCP Authentication
Choose the preferred authentication mode before proceeding: User Credentials (Application Default Credentials)- Quick scan as current user
- Uses Google Cloud CLI authentication
- Credentials may time out
- Authenticates as a service identity
- Stable and auditable
- Recommended for production
-
Once credentials are configured, return to Prowler App and enter the required values:
For “Service Account Key”:
Service Account Key JSON
client_idclient_secretrefresh_token
-
Click “Next”, then “Launch Scan”
Prowler CLI
Credentials Lookup Order
Prowler follows the same credential search process as Google authentication libraries, checking credentials in this order:GOOGLE_APPLICATION_CREDENTIALSenvironment variableCLOUDSDK_AUTH_ACCESS_TOKEN+ optionalGOOGLE_CLOUD_PROJECT- User credentials set up by using the Google Cloud CLI
- Attached service account (e.g., Cloud Run, GCE, Cloud Functions)
The credentials must belong to a user or service account with the necessary permissions.
For detailed instructions on how to set the permissions, see Authentication > Required Permissions.
Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.
Configure GCP Credentials
To authenticate with GCP, use one of the following methods:Project Specification
To scan specific projects, specify them with the following command:Service Account Impersonation
For service account impersonation, use the--impersonate-service-account flag: