Connect GCP

Create a service account with the required roles and connect your GCP project to VikingCloud.

This guide shows you how to create a GCP service account with the roles VikingCloud needs to scan your project. Choose either the Console (GUI) method or the CLI method below.

Required Roles

Role                             Purpose
roles/viewer                     Resource discovery — enumerate all project resources
roles/artifactregistry.reader    Container scanning — pull images from Artifact Registry
roles/compute.storageAdmin       VM scanning — create and delete snapshots and disks
roles/compute.instanceAdmin.v1   VM scanning — create and delete ephemeral scanner VMs

Method 1: Google Cloud Console (GUI)

Step 1: Create a Service Account

  1. Go to the Google Cloud Console
  2. Select your project from the project dropdown
  3. Navigate to IAM & Admin > Service Accounts
  4. Click Create Service Account
  5. Enter:
    • Name: vikingcloud-platform-sa
    • Description: VikingCloud Platform Scanner
  6. Click Create and Continue

Step 2: Assign Roles

  1. Click Add Another Role and add each of the following roles:
    • Viewer
    • Artifact Registry Reader
    • Compute Storage Admin
    • Compute Instance Admin (v1)
  2. Click Continue, then Done

Step 3: Create a JSON Key

  1. Click on the service account you just created
  2. Go to the Keys tab
  3. Click Add Key > Create new key
  4. Select JSON format
  5. Click Create — the key file downloads automatically
  6. Store this file securely — you will upload it to VikingCloud

Step 4: Enter Credentials in VikingCloud

  1. In VikingCloud, go to Settings > Connections
  2. Click Add Connection and select GCP
  3. Upload the JSON key file from Step 3
  4. Click Save

Method 2: gcloud CLI

Prerequisites

Step 1: Create the Service Account and Assign Roles

# Set your project ID
PROJECT_ID=$(gcloud config get-value project)

# Create the service account
gcloud iam service-accounts create vikingcloud-platform-sa \
  --display-name="VikingCloud Platform Scanner"

SA_EMAIL="vikingcloud-platform-sa@${PROJECT_ID}.iam.gserviceaccount.com"

# Grant Viewer role (resource discovery)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/viewer"

# Grant Artifact Registry Reader (container scanning)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/artifactregistry.reader"

# Grant Compute Storage Admin (VM scanning — snapshots and disks)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/compute.storageAdmin"

# Grant Compute Instance Admin (VM scanning — scanner VMs)
gcloud projects add-iam-policy-binding ${PROJECT_ID} \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/compute.instanceAdmin.v1"

# Create the JSON key file
gcloud iam service-accounts keys create vikingcloud-key.json \
  --iam-account=${SA_EMAIL}

echo "Key file created: vikingcloud-key.json"

Step 2: Enter Credentials in VikingCloud

Upload the vikingcloud-key.json file in VikingCloud under Settings > Connections > Add Connection > GCP.


Verification

Verify the service account has all required roles:

gcloud projects get-iam-policy ${PROJECT_ID} \
  --flatten="bindings[].members" \
  --filter="bindings.members:${SA_EMAIL}" \
  --format="table(bindings.role)"

Expected output:

ROLE
roles/artifactregistry.reader
roles/compute.instanceAdmin.v1
roles/compute.storageAdmin
roles/viewer

Troubleshooting

Permission Denied Errors

Check that all roles are assigned:

gcloud projects get-iam-policy $(gcloud config get-value project) \
  --flatten="bindings[].members" \
  --filter="bindings.members:vikingcloud-platform-sa@"
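The role check described under Verification and in the "Permission Denied" step above, as an added example that is not part of the VikingCloud guide: a POSIX shell function that compares the roles bound to the scanner service account against the four required roles and reports both missing bindings and bindings outside the required set. The function name check_required_roles, the REQUIRED_ROLES and SAMPLE_ROLES variables are my own; the sample role list at the bottom is constructed to stand in for gcloud output, and in practice you pipe in the output of the gcloud command shown in the header comment.

```shell
#!/bin/sh
# Added example, not part of the VikingCloud guide: compare the roles actually
# bound to the scanner service account against the four roles this guide
# requires, and flag anything outside that set. Feed it the role list from:
#
#   gcloud projects get-iam-policy "${PROJECT_ID}" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:${SA_EMAIL}" \
#     --format="value(bindings.role)" | check_required_roles
#
# The table format used in the Verification section also works; its ROLE
# header line is skipped.

REQUIRED_ROLES="roles/viewer
roles/artifactregistry.reader
roles/compute.storageAdmin
roles/compute.instanceAdmin.v1"

# Reads bound roles from stdin, one per line. Prints "MISSING: <role>" for each
# required role that is absent and "EXTRA: <role>" for each bound role outside
# the required set. Returns 0 only when every required role is present.
check_required_roles() {
  bound=$(cat)
  missing=0
  for role in $REQUIRED_ROLES; do
    if ! printf '%s\n' "$bound" | grep -qxF "$role"; then
      echo "MISSING: $role"
      missing=1
    fi
  done
  printf '%s\n' "$bound" | while IFS= read -r r; do
    [ -n "$r" ] && [ "$r" != "ROLE" ] || continue
    if ! printf '%s\n' "$REQUIRED_ROLES" | grep -qxF "$r"; then
      echo "EXTRA: $r"
    fi
  done
  return "$missing"
}

# Constructed sample standing in for gcloud output (not real project data):
# one required role is missing and an over-broad role has been bound.
SAMPLE_ROLES="roles/viewer
roles/artifactregistry.reader
roles/compute.storageAdmin
roles/editor"

printf '%s\n' "$SAMPLE_ROLES" | check_required_roles \
  || echo "service account is not correctly scoped; fix the MISSING/EXTRA roles above"
```

The EXTRA lines matter as much as the MISSING ones: the scanner account only needs the four roles in the table, so a binding such as roles/editor widens what a leaked key file could do and should be removed rather than left in place.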

No Container Images Found

Ensure your container images are stored in Artifact Registry (not the legacy Container Registry). VikingCloud scans Artifact Registry repositories.

Security Notes

  • Scoped by tags: All VikingCloud-created resources (scanner VMs, snapshots, disks) are tagged with owner=vikingcloud
  • Ephemeral resources: Scanner VMs and snapshots exist only during scans, typically under 10 minutes
  • No network access: Scanner VMs have no external IP and cannot access the internet
  • Read-only data access: VikingCloud reads disk data via snapshots but never modifies your VMs