*_ID secrets. The service account uses the Cloud Asset API to enumerate resources across every project in your organization in a single call per asset type — no per-project iteration, no per-region loops.
You will end up with a handful of secrets in ConfigView — the 3 core IDs (GCP_ORG_ID, GCP_CUSTOMER_ID, GCP_WORKSPACE_ADMIN_EMAIL), plus the 3 GCP_BILLING_* secrets if you enable billing detail — plus one uploaded JSON file (google_cloud.json, the service account key).
Prerequisite — enable the required APIs on the project that hosts the service account (the one you pick in Step 2). Every call is billed/quoted against that project, and on a fresh project several of these are off by default:
cloudasset.googleapis.com— all Asset-API endpoints (compute, storage, IAM bindings, …); the bulk of the 27cloudresourcemanager.googleapis.com— Projects, Organizations, Folderscloudbilling.googleapis.com— Billing Accountsiam.googleapis.com— Service Accounts, Service Account Keysserviceusage.googleapis.com— APIs Enabled (per Project); usually already onlogging.googleapis.com— Audit Logs (Admin Activity)bigquery.googleapis.com— billing cost + pricing (queries the BigQuery export)billingbudgets.googleapis.com— Billing Budgetsadmin.googleapis.com— only for Cloud Identity Users (optional, Step 6)
Propagation. After enabling, SERVICE_DISABLED 403s can persist intermittently for ~10–15 minutes — some calls succeed while others still fail as the change rolls out across Google’s systems. Wait it out before assuming a misconfiguration.
Step 1: Identify your IDs
You need three identifiers up-front:GCP_ORG_ID— Open https://console.cloud.google.com/iam-admin/settings, switch to your organization in the picker, copy the Organization ID (e.g.123456789012).GCP_CUSTOMER_ID— In the same Organization Settings page, copy the Directory customer ID (begins withC, e.g.C03az79cb). This is your Cloud Identity / Workspace customer ID.GCP_WORKSPACE_ADMIN_EMAIL— Only required for the Cloud Identity Users endpoint. The email of a Workspace admin the service account will impersonate via DWD. Skip this if you’re not enabling Cloud Identity Users.
Step 2: Create the service account
- Open https://console.cloud.google.com/iam-admin/serviceaccounts
- Pick (or create) a project to host the service account —
configview-integrationis conventional, but any project the SA can use as its “home” works - Click Create Service Account
- Name:
configview - Click Create and Continue — we’ll add roles in the next step
- Click Done (you can skip the optional grant-users step)
Step 3: Grant the service account org-level roles
Switch to IAM at the organization level (not project): https://console.cloud.google.com/iam-admin/iam → pick your organization in the picker → click Grant Access. Add the service account email as a principal and assign:| Role | Why | Endpoints it unlocks |
|---|---|---|
Browser (roles/browser) | Read project/folder/org metadata | Projects, Organizations, Folders |
Cloud Asset Viewer (roles/cloudasset.viewer) | Bulk inventory via Asset API | Compute (all), Storage, SQL, BigQuery, Run, GKE, Functions, Pub/Sub, DNS, KMS, Secret Manager, Service Accounts, IAM Bindings |
Service Usage Viewer (roles/serviceusage.serviceUsageViewer) | List enabled APIs per project | APIs Enabled (per Project) |
Billing Account Viewer (roles/billing.viewer) | Read billing account list | Billing Accounts |
Security Reviewer (roles/iam.securityReviewer) | Read IAM policies + service account keys | IAM Bindings, Service Account Keys |
Logging Viewer (roles/logging.viewer) — at the org | Read Admin Activity audit logs across all projects | Audit Logs — Admin Activity |
| Role | Where | Why |
|---|---|---|
BigQuery Data Viewer (roles/bigquery.dataViewer) | the billing-export project (e.g. my-billing) | Read the export + pricing tables |
BigQuery Job User (roles/bigquery.jobUser) | the SA’s own host project | Run the aggregation queries |
No billing export, no cost data. GCP has no cost API — detailed spend only exists if you’ve enabled Billing → BigQuery export (Standard + Detailed usage cost, and optionally Pricing). If you haven’t, set it up first (console → Billing export), then point ConfigView at it via the secrets in Step 5. Budgets and the account→project map work without the export.Click Save.
AboutCloud Asset Viewer. This role alone covers most of the heavy lifting. If you want a single-role install and don’t mind slightly less granular reads, you can grantroles/cloudasset.viewer+roles/browserand the majority of the 27 endpoints will function. The other roles fix the gaps for billing, service-usage, IAM policy, and SA keys.
Cloud Identity Users needs no org role. That endpoint reads the user directory through the Admin Directory API via domain-wide delegation (Step 6), not a GCP IAM grant — so there’s nothing to add here for it. (There is noroles/cloudidentity.viewer; the predefined Cloud Identity roles areroles/cloudidentity.groups.readonlyand friends, none of which this integration uses.)
Step 4: Create + upload the JSON key
- From the service account list, click your
configviewservice account - Open the Keys tab → Add Key → Create new key → JSON
- Click Create — the JSON file downloads automatically
- Upload the JSON to your ConfigView satellite at
<satellite-root>/json/google_cloud.json(your ConfigView administrator can do this — it’s NOT a Secret Manager secret because the file is bigger and is referenced directly by all scripts)
Where the file lives. The scripts resolve<project_root>/json/google_cloud.json, where<project_root>is the dashboard-backend root. On a satellite this is/opt/configview-dashboard-backend/json/google_cloud.json— the same directory that already holdssecret-manager.jsonandgoogle_admin.json. Permissions:chmod 400, ownerconfigview:configview.
Step 5: Add the secrets to ConfigView
- Go to your ConfigView dashboard:
https://{companyname}.configview.com/admin/secret/ - Click Add Secret and create:
GCP_ORG_ID: from Step 1.1 (numeric, e.g.123456789012)GCP_CUSTOMER_ID: from Step 1.2 (starts withC)GCP_WORKSPACE_ADMIN_EMAIL: from Step 1.3 (admin email to impersonate, only needed for Cloud Identity Users)
- For the billing detail endpoints, also add (skip if you’re not enabling cost/pricing/budgets):
GCP_BILLING_BQ_PROJECT: the project that holds the BigQuery billing export (e.g.my-billing)GCP_BILLING_BQ_DATASET: the dataset name within it (e.g.billing)GCP_BILLING_ACCOUNT_ID: the billing account ID with dashes (e.g.01ABCD-23EFGH-45IJKL)- (optional)
GCP_BILLING_DETAILED_DAYS(default7),GCP_AUDIT_LOOKBACK_HOURS(default24),GCP_AUDIT_MAX_ENTRIES(default100000)
- Click Save
Step 6: Domain-Wide Delegation (only for Cloud Identity Users)
Skip this step if you’re not enabling the Cloud Identity Users endpoint. The endpoint duplicates google-workspace data, so most customers already running google-workspace can leave it disabled. If you do want it:- From the service account list, click your
configviewSA → Details → expand Advanced settings → copy the Client ID - Sign in to your Google Workspace admin console as a super admin: https://admin.google.com
- Go to Security → Access and data control → API controls → Manage Domain Wide Delegation
- Click Add new and paste:
- Client ID: (from above)
- OAuth scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize
GCP_WORKSPACE_ADMIN_EMAIL to read the user directory.
Step 7: Enable the Google Cloud scripts
- Go to:
https://{companyname}.configview.com/admin/cron/ - You should see google-cloud in the list of available apps
- Enable scripts by tier — turn on the parents first; children will run automatically after them:
Identity & governance
| Script | Notes |
|---|---|
| Projects | All projects across the org. Most other scripts implicitly depend on this list. |
| Organizations | Usually one row. Enable for completeness. |
| Folders | Folder hierarchy. Depends on Organizations. |
| Billing Accounts | All accounts the SA can view |
| APIs Enabled (per Project) | One row per (project × enabled service). Depends on Projects. Can be large — hundreds to thousands of rows. |
| IAM Bindings (Org + Folder + Project) | Flattened binding × member rows across every resource the SA can see |
| Service Accounts | All SAs across the org |
| Service Account Keys | One row per (SA × key). Depends on Service Accounts. Lists keyType (USER_MANAGED is the audit target) |
| IAM Principals (Derived) | One row per unique principal aggregated from IAM Bindings. Depends on IAM Bindings. No API call — pure SQL aggregation. |
| Cloud Identity Users | Same data as google-workspace users. Enable only if google-workspace isn’t running. Requires DWD (Step 6). |
Compute
| Script | Notes |
|---|---|
| Compute Instances (VMs) | Renamed from gcp_get_org_vm; historical data preserved via migration if you ran the old script |
| Compute Disks | All persistent disks |
| Compute Networks (VPCs) | All VPC networks |
| Compute Subnetworks | All subnetworks |
| Compute Firewalls | All firewall rules — useful for security audits |
| Compute External IPs | Static + ephemeral external IPs (Address resources) |
| Load Balancers (Forwarding Rules) | All forwarding rules across global + regional LBs |
Storage & data
| Script | Notes |
|---|---|
| Cloud Storage Buckets | All GCS buckets |
| Cloud SQL Instances | All SQL instances (MySQL, Postgres, SQL Server) |
| BigQuery Datasets | All BQ datasets |
| Cloud Run Services | All Cloud Run services |
| GKE Clusters | All GKE clusters |
| Cloud Functions | Gen-1 (CloudFunction) + Gen-2 (Function) |
| Pub/Sub Topics | All Pub/Sub topics |
| Cloud DNS Zones | All managed DNS zones |
Security
| Script | Notes |
|---|---|
| KMS Crypto Keys | All keys across all key rings |
| Secret Manager Secrets (Metadata) | Names + replication settings only — never the secret payload |
| Audit Logs — Admin Activity | Who created/changed/deleted resources, across every project + the org, for the last 24h (rolling). Depends on Projects. Needs roles/logging.viewer at the org. |
Cost & billing
These query the BigQuery billing export (see the export note in Step 3) and need theGCP_BILLING_* secrets.
| Script | Notes |
|---|---|
| Billing Cost — Summary (Monthly) | Net cost (cost + credits) by invoice month × project × service, current + previous month. The lightweight history table. |
| Billing Cost — Detailed (Daily / SKU / Resource) | Per resource × SKU × day for the last 7 days (GCP_BILLING_DETAILED_DAYS). High row count; keeps only the latest snapshot. |
| Billing Pricing (Rate Card) | List + negotiated SKU prices, restricted to SKUs you’ve used in the last 60 days. |
| Billing Budgets | Budget amounts, threshold alert rules, and scope filters. Needs billingbudgets.googleapis.com. |
| Billing — Projects on Account | Which projects bill to the account and whether billing is enabled — catches drift. |
- Click Save
Step 8: Verify
- Go to:
https://{companyname}.configview.com/admin/cron/ - Expand google-cloud and click the Health check button on the app header
- A passing run reports
overall: ok. On failure, the toast lists the failing checks — and the same result is written to the Activity log and emailed to your alert address. The health check also runs automatically right after any google-cloud script fails, so failures are captured even if you don’t trigger it by hand. - Projects, Organizations, and at least one Asset-API endpoint (e.g. Compute Instances) should pass
PERMISSION_DENIEDon Asset API —roles/cloudasset.viewernot granted at the organization level (project-level isn’t enough). Re-do Step 3 against the org.SERVICE_DISABLED: <API> has not been used in project X— That API isn’t enabled on the SA’s host project (Xis the project number). Applies tocloudasset,cloudresourcemanager,cloudbilling, andiam— enable the full set from the Prerequisite at the top. Calls are billed/quoted against the SA’s host project, not the org. Expect intermittentSERVICE_DISABLEDfor ~10–15 min after enabling while it propagates.PERMISSION_DENIEDon Service Usage — Missingroles/serviceusage.serviceUsageViewer.PERMISSION_DENIEDon billing — Missingroles/billing.viewer. Billing is granted at the billing account level, not org level, depending on your account structure.PERMISSION_DENIEDon Service Account Keys — Missingroles/iam.securityReviewerOR the customer turned off SA key listing via org policy (constraints/iam.disableServiceAccountKeyCreationis unrelated; the relevant constraint is on read).unauthorized_client: Client is unauthorized to retrieve access tokenson Cloud Identity Users — DWD client ID not authorized, or wrong scope. Re-do Step 6.- Billing cost/pricing returns
Access DeniedorNot found: Table— the SA is missingroles/bigquery.dataVieweron the billing-export project orroles/bigquery.jobUseron its own project, or aGCP_BILLING_*secret is wrong (project/dataset/account ID). Confirm the export table exists:bq ls <project>:<dataset>. - Audit Logs returns few/no rows —
roles/logging.viewermust be at the org so it covers all projects; Admin Activity is always on, but check theGCP_AUDIT_LOOKBACK_HOURSwindow. Transient500 Internal erroronentries.listis retried and bad projects are skipped automatically.
Data Tables
Selected highlights. Seemanifest.json for the full 33-table list.
| Table | Source | Key Columns |
|---|---|---|
gcp_projects | Cloud Resource Manager v3 | project_id, parent, state, display_name, labels |
gcp_billing_cost_summary | BigQuery standard export | invoice_month, project_id, service, cost, credits, net_cost |
gcp_billing_cost_detailed | BigQuery detailed export | usage_date, project_id, service, sku_id, resource_name, net_cost |
gcp_billing_pricing | BigQuery pricing export | sku_id, service, pricing_unit, list_price_usd, account_price, discount_percent |
gcp_billing_budgets | Billing Budgets v1 | name, display_name, budget_amount, currency_code, threshold_rules_json |
gcp_billing_account_projects | Cloud Billing v1 | billing_account, project_id, billing_enabled |
gcp_audit_admin_activity | Cloud Logging entries.list | log_timestamp, principal_email, method_name, resource_name, project_id, status_code |
gcp_organizations | Cloud Resource Manager v3 | organization_id, display_name, directory_customer_id |
gcp_folders | Cloud Resource Manager v3 | folder_id, parent, display_name |
gcp_billing_accounts | Cloud Billing v1 | name, display_name, open_account, currency_code |
gcp_project_services | Service Usage v1 | project_id, service_name, state |
gcp_iam_bindings | Cloud Asset SearchAllIamPolicies | resource, project, role, member, member_type |
gcp_service_accounts | Cloud Asset (iam.googleapis.com/ServiceAccount) | email, project_id, disabled, oauth2_client_id |
gcp_service_account_keys | IAM v1 keys.list | service_account_email, key_id, key_type, valid_before_time |
gcp_iam_principals | Derived from gcp_iam_bindings | member, member_type, email_domain, binding_count, roles_json |
gcp_cloud_identity_users | Admin Directory v1 (impersonated) | primary_email, suspended, archived, is_admin |
gcp_compute_instances | Cloud Asset (Compute Instance) | name, project, location, state, labels_json |
gcp_compute_firewalls | Cloud Asset (Firewall) | name, project, raw_json |
gcp_gcs_buckets | Cloud Asset (Bucket) | name, project, location, labels_json |
gcp_kms_keys | Cloud Asset (CryptoKey) | name, project, location, additional_attributes_json |
gcp_secret_manager_secrets | Cloud Asset (Secret) | name, project, labels_json |
What you can’t ingest with this setup
- Data Access / System Event / Policy Denied audit logs. Only Admin Activity audit logs are ingested (config changes). Data Access logs are off by default, very high volume, and not pulled in this version.
- Per-resource detailed metrics (CPU, network throughput, etc.). The Asset API gives configuration + metadata. Real-time metrics live in Cloud Monitoring.
- GCS bucket object listings. Buckets yes; objects no — that would multiply the row count by many orders of magnitude.
- Secret Manager secret payloads. ConfigView reads names and metadata only. Payloads stay in GCP.