Skip to main content

Prowler App

Step 1: Get the GCP Project ID

  1. Go to the GCP Console
  2. Locate the Project ID on the welcome screen
Get the Project ID

Step 2: Access Prowler Cloud or Prowler App

  1. Navigate to Prowler Cloud or launch Prowler App
  2. Go to “Configuration” > “Cloud Providers” Cloud Providers Page
  3. Click “Add Cloud Provider” Add a Cloud Provider
  4. Select “Google Cloud Platform” Select GCP
  5. Add the Project ID and optionally provide a provider alias, then click “Next” Add Project ID

Step 3: Set Up GCP Authentication

For Google Cloud, first enter your GCP Project ID and then select the authentication method you want to use:
  • Service Account Authentication (Recommended)
    • Authenticates as a service identity
    • Stable and auditable
    • Recommended for production
  • Application Default Credentials
    • Quick scan as current user
    • Uses Google Cloud CLI authentication
    • Credentials may time out
Service Account Authentication is the recommended authentication method for automated systems and machine-to-machine interactions, like Prowler. For detailed information about this, refer to the Google Cloud documentation. GCP Authentication Methods
  • Service Account Authentication
  • Application Default Credentials
First of all, in the same project that you selected in the previous step, you need to create a service account and then generate a key in JSON format for it. For more information about this, you can follow the next Google Cloud documentation tutorials:GCP Service Account CredentialsFor detailed instructions on how to setup Service Account authentication, see the Authentication page.
  1. Click “Next”, then “Launch Scan” Launch Scan GCP

Prowler CLI

Credentials Lookup Order

Prowler follows the same credential search process as Google authentication libraries, checking credentials in this order:
  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. CLOUDSDK_AUTH_ACCESS_TOKEN + optional GOOGLE_CLOUD_PROJECT
  3. User credentials set up by using the Google Cloud CLI
  4. Attached service account (e.g., Cloud Run, GCE, Cloud Functions)
The credentials must belong to a user or service account with the necessary permissions. For detailed instructions on how to set the permissions, see Authentication > Required Permissions.
Prowler will use the enabled Google Cloud APIs to get the information needed to perform the checks.

Configure GCP Credentials

To authenticate with GCP, use one of the following methods: 
gcloud auth application-default login
or set the credentials file path: 
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/credentials.json"
These credentials must belong to a user or service account with the necessary permissions to perform security checks. For more authentication details, see the Authentication page.

Project Specification

To scan specific projects, specify them with the following command: 
prowler gcp --project-ids <project-id-1> <project-id-2>

Service Account Impersonation

For service account impersonation, use the --impersonate-service-account flag: 
prowler gcp --impersonate-service-account <service-account-email>
More details on authentication methods in the Authentication page.