Skip to main content
ConfigView pulls Google Cloud data through one organization-scoped service account plus a few *_ID secrets. The service account uses the Cloud Asset API to enumerate resources across every project in your organization in a single call per asset type — no per-project iteration, no per-region loops. You will end up with a handful of secrets in ConfigView — the 3 core IDs (GCP_ORG_ID, GCP_CUSTOMER_ID, GCP_WORKSPACE_ADMIN_EMAIL), plus the 3 GCP_BILLING_* secrets if you enable billing detail — plus one uploaded JSON file (google_cloud.json, the service account key). Prerequisite — enable the required APIs on the project that hosts the service account (the one you pick in Step 2). Every call is billed/quoted against that project, and on a fresh project several of these are off by default:
  • cloudasset.googleapis.com — all Asset-API endpoints (compute, storage, IAM bindings, …); the bulk of the 27
  • cloudresourcemanager.googleapis.com — Projects, Organizations, Folders
  • cloudbilling.googleapis.com — Billing Accounts
  • iam.googleapis.com — Service Accounts, Service Account Keys
  • serviceusage.googleapis.com — APIs Enabled (per Project); usually already on
  • logging.googleapis.com — Audit Logs (Admin Activity)
  • bigquery.googleapis.com — billing cost + pricing (queries the BigQuery export)
  • billingbudgets.googleapis.com — Billing Budgets
  • admin.googleapis.comonly for Cloud Identity Users (optional, Step 6)
Enable them in one command (swap in your SA’s host project):
gcloud services enable cloudasset.googleapis.com cloudresourcemanager.googleapis.com \
  cloudbilling.googleapis.com iam.googleapis.com serviceusage.googleapis.com \
  logging.googleapis.com bigquery.googleapis.com billingbudgets.googleapis.com \
  --project=YOUR_SA_HOST_PROJECT
Propagation. After enabling, SERVICE_DISABLED 403s can persist intermittently for ~10–15 minutes — some calls succeed while others still fail as the change rolls out across Google’s systems. Wait it out before assuming a misconfiguration.

Step 1: Identify your IDs

You need three identifiers up-front:
  1. GCP_ORG_ID — Open https://console.cloud.google.com/iam-admin/settings, switch to your organization in the picker, copy the Organization ID (e.g. 123456789012).
  2. GCP_CUSTOMER_ID — In the same Organization Settings page, copy the Directory customer ID (begins with C, e.g. C03az79cb). This is your Cloud Identity / Workspace customer ID.
  3. GCP_WORKSPACE_ADMIN_EMAIL — Only required for the Cloud Identity Users endpoint. The email of a Workspace admin the service account will impersonate via DWD. Skip this if you’re not enabling Cloud Identity Users.

Step 2: Create the service account

  1. Open https://console.cloud.google.com/iam-admin/serviceaccounts
  2. Pick (or create) a project to host the service account — configview-integration is conventional, but any project the SA can use as its “home” works
  3. Click Create Service Account
  4. Name: configview
  5. Click Create and Continue — we’ll add roles in the next step
  6. Click Done (you can skip the optional grant-users step)

Step 3: Grant the service account org-level roles

Switch to IAM at the organization level (not project): https://console.cloud.google.com/iam-admin/iam → pick your organization in the picker → click Grant Access. Add the service account email as a principal and assign:
RoleWhyEndpoints it unlocks
Browser (roles/browser)Read project/folder/org metadataProjects, Organizations, Folders
Cloud Asset Viewer (roles/cloudasset.viewer)Bulk inventory via Asset APICompute (all), Storage, SQL, BigQuery, Run, GKE, Functions, Pub/Sub, DNS, KMS, Secret Manager, Service Accounts, IAM Bindings
Service Usage Viewer (roles/serviceusage.serviceUsageViewer)List enabled APIs per projectAPIs Enabled (per Project)
Billing Account Viewer (roles/billing.viewer)Read billing account listBilling Accounts
Security Reviewer (roles/iam.securityReviewer)Read IAM policies + service account keysIAM Bindings, Service Account Keys
Logging Viewer (roles/logging.viewer) — at the orgRead Admin Activity audit logs across all projectsAudit Logs — Admin Activity
For the billing detail endpoints (Cost Summary/Detailed, Pricing, Budgets) the service account also needs, not at the org but on the project that hosts the BigQuery billing export:
RoleWhereWhy
BigQuery Data Viewer (roles/bigquery.dataViewer)the billing-export project (e.g. my-billing)Read the export + pricing tables
BigQuery Job User (roles/bigquery.jobUser)the SA’s own host projectRun the aggregation queries
No billing export, no cost data. GCP has no cost API — detailed spend only exists if you’ve enabled Billing → BigQuery export (Standard + Detailed usage cost, and optionally Pricing). If you haven’t, set it up first (console → Billing export), then point ConfigView at it via the secrets in Step 5. Budgets and the account→project map work without the export.
Click Save.
About Cloud Asset Viewer. This role alone covers most of the heavy lifting. If you want a single-role install and don’t mind slightly less granular reads, you can grant roles/cloudasset.viewer + roles/browser and the majority of the 27 endpoints will function. The other roles fix the gaps for billing, service-usage, IAM policy, and SA keys.
Cloud Identity Users needs no org role. That endpoint reads the user directory through the Admin Directory API via domain-wide delegation (Step 6), not a GCP IAM grant — so there’s nothing to add here for it. (There is no roles/cloudidentity.viewer; the predefined Cloud Identity roles are roles/cloudidentity.groups.readonly and friends, none of which this integration uses.)

Step 4: Create + upload the JSON key

  1. From the service account list, click your configview service account
  2. Open the Keys tab → Add KeyCreate new keyJSON
  3. Click Create — the JSON file downloads automatically
  4. Upload the JSON to your ConfigView satellite at <satellite-root>/json/google_cloud.json (your ConfigView administrator can do this — it’s NOT a Secret Manager secret because the file is bigger and is referenced directly by all scripts)
Where the file lives. The scripts resolve <project_root>/json/google_cloud.json, where <project_root> is the dashboard-backend root. On a satellite this is /opt/configview-dashboard-backend/json/google_cloud.json — the same directory that already holds secret-manager.json and google_admin.json. Permissions: chmod 400, owner configview:configview.

Step 5: Add the secrets to ConfigView

  1. Go to your ConfigView dashboard: https://{companyname}.configview.com/admin/secret/
  2. Click Add Secret and create:
    • GCP_ORG_ID: from Step 1.1 (numeric, e.g. 123456789012)
    • GCP_CUSTOMER_ID: from Step 1.2 (starts with C)
    • GCP_WORKSPACE_ADMIN_EMAIL: from Step 1.3 (admin email to impersonate, only needed for Cloud Identity Users)
  3. For the billing detail endpoints, also add (skip if you’re not enabling cost/pricing/budgets):
    • GCP_BILLING_BQ_PROJECT: the project that holds the BigQuery billing export (e.g. my-billing)
    • GCP_BILLING_BQ_DATASET: the dataset name within it (e.g. billing)
    • GCP_BILLING_ACCOUNT_ID: the billing account ID with dashes (e.g. 01ABCD-23EFGH-45IJKL)
    • (optional) GCP_BILLING_DETAILED_DAYS (default 7), GCP_AUDIT_LOOKBACK_HOURS (default 24), GCP_AUDIT_MAX_ENTRIES (default 100000)
  4. Click Save

Step 6: Domain-Wide Delegation (only for Cloud Identity Users)

Skip this step if you’re not enabling the Cloud Identity Users endpoint. The endpoint duplicates google-workspace data, so most customers already running google-workspace can leave it disabled. If you do want it:
  1. From the service account list, click your configview SA → Details → expand Advanced settings → copy the Client ID
  2. Sign in to your Google Workspace admin console as a super admin: https://admin.google.com
  3. Go to SecurityAccess and data controlAPI controlsManage Domain Wide Delegation
  4. Click Add new and paste:
    • Client ID: (from above)
    • OAuth scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
  5. Click Authorize
The SA can now impersonate the admin email you set in GCP_WORKSPACE_ADMIN_EMAIL to read the user directory.

Step 7: Enable the Google Cloud scripts

  1. Go to: https://{companyname}.configview.com/admin/cron/
  2. You should see google-cloud in the list of available apps
  3. Enable scripts by tier — turn on the parents first; children will run automatically after them:

Identity & governance

ScriptNotes
ProjectsAll projects across the org. Most other scripts implicitly depend on this list.
OrganizationsUsually one row. Enable for completeness.
FoldersFolder hierarchy. Depends on Organizations.
Billing AccountsAll accounts the SA can view
APIs Enabled (per Project)One row per (project × enabled service). Depends on Projects. Can be large — hundreds to thousands of rows.
IAM Bindings (Org + Folder + Project)Flattened binding × member rows across every resource the SA can see
Service AccountsAll SAs across the org
Service Account KeysOne row per (SA × key). Depends on Service Accounts. Lists keyType (USER_MANAGED is the audit target)
IAM Principals (Derived)One row per unique principal aggregated from IAM Bindings. Depends on IAM Bindings. No API call — pure SQL aggregation.
Cloud Identity UsersSame data as google-workspace users. Enable only if google-workspace isn’t running. Requires DWD (Step 6).

Compute

ScriptNotes
Compute Instances (VMs)Renamed from gcp_get_org_vm; historical data preserved via migration if you ran the old script
Compute DisksAll persistent disks
Compute Networks (VPCs)All VPC networks
Compute SubnetworksAll subnetworks
Compute FirewallsAll firewall rules — useful for security audits
Compute External IPsStatic + ephemeral external IPs (Address resources)
Load Balancers (Forwarding Rules)All forwarding rules across global + regional LBs

Storage & data

ScriptNotes
Cloud Storage BucketsAll GCS buckets
Cloud SQL InstancesAll SQL instances (MySQL, Postgres, SQL Server)
BigQuery DatasetsAll BQ datasets
Cloud Run ServicesAll Cloud Run services
GKE ClustersAll GKE clusters
Cloud FunctionsGen-1 (CloudFunction) + Gen-2 (Function)
Pub/Sub TopicsAll Pub/Sub topics
Cloud DNS ZonesAll managed DNS zones

Security

ScriptNotes
KMS Crypto KeysAll keys across all key rings
Secret Manager Secrets (Metadata)Names + replication settings only — never the secret payload
Audit Logs — Admin ActivityWho created/changed/deleted resources, across every project + the org, for the last 24h (rolling). Depends on Projects. Needs roles/logging.viewer at the org.

Cost & billing

These query the BigQuery billing export (see the export note in Step 3) and need the GCP_BILLING_* secrets.
ScriptNotes
Billing Cost — Summary (Monthly)Net cost (cost + credits) by invoice month × project × service, current + previous month. The lightweight history table.
Billing Cost — Detailed (Daily / SKU / Resource)Per resource × SKU × day for the last 7 days (GCP_BILLING_DETAILED_DAYS). High row count; keeps only the latest snapshot.
Billing Pricing (Rate Card)List + negotiated SKU prices, restricted to SKUs you’ve used in the last 60 days.
Billing BudgetsBudget amounts, threshold alert rules, and scope filters. Needs billingbudgets.googleapis.com.
Billing — Projects on AccountWhich projects bill to the account and whether billing is enabled — catches drift.
  1. Click Save

Step 8: Verify

  1. Go to: https://{companyname}.configview.com/admin/cron/
  2. Expand google-cloud and click the Health check button on the app header
  3. A passing run reports overall: ok. On failure, the toast lists the failing checks — and the same result is written to the Activity log and emailed to your alert address. The health check also runs automatically right after any google-cloud script fails, so failures are captured even if you don’t trigger it by hand.
  4. Projects, Organizations, and at least one Asset-API endpoint (e.g. Compute Instances) should pass
If a check fails:
  • PERMISSION_DENIED on Asset APIroles/cloudasset.viewer not granted at the organization level (project-level isn’t enough). Re-do Step 3 against the org.
  • SERVICE_DISABLED: <API> has not been used in project X — That API isn’t enabled on the SA’s host project (X is the project number). Applies to cloudasset, cloudresourcemanager, cloudbilling, and iam — enable the full set from the Prerequisite at the top. Calls are billed/quoted against the SA’s host project, not the org. Expect intermittent SERVICE_DISABLED for ~10–15 min after enabling while it propagates.
  • PERMISSION_DENIED on Service Usage — Missing roles/serviceusage.serviceUsageViewer.
  • PERMISSION_DENIED on billing — Missing roles/billing.viewer. Billing is granted at the billing account level, not org level, depending on your account structure.
  • PERMISSION_DENIED on Service Account Keys — Missing roles/iam.securityReviewer OR the customer turned off SA key listing via org policy (constraints/iam.disableServiceAccountKeyCreation is unrelated; the relevant constraint is on read).
  • unauthorized_client: Client is unauthorized to retrieve access tokens on Cloud Identity Users — DWD client ID not authorized, or wrong scope. Re-do Step 6.
  • Billing cost/pricing returns Access Denied or Not found: Table — the SA is missing roles/bigquery.dataViewer on the billing-export project or roles/bigquery.jobUser on its own project, or a GCP_BILLING_* secret is wrong (project/dataset/account ID). Confirm the export table exists: bq ls <project>:<dataset>.
  • Audit Logs returns few/no rowsroles/logging.viewer must be at the org so it covers all projects; Admin Activity is always on, but check the GCP_AUDIT_LOOKBACK_HOURS window. Transient 500 Internal error on entries.list is retried and bad projects are skipped automatically.

Data Tables

Selected highlights. See manifest.json for the full 33-table list.
TableSourceKey Columns
gcp_projectsCloud Resource Manager v3project_id, parent, state, display_name, labels
gcp_billing_cost_summaryBigQuery standard exportinvoice_month, project_id, service, cost, credits, net_cost
gcp_billing_cost_detailedBigQuery detailed exportusage_date, project_id, service, sku_id, resource_name, net_cost
gcp_billing_pricingBigQuery pricing exportsku_id, service, pricing_unit, list_price_usd, account_price, discount_percent
gcp_billing_budgetsBilling Budgets v1name, display_name, budget_amount, currency_code, threshold_rules_json
gcp_billing_account_projectsCloud Billing v1billing_account, project_id, billing_enabled
gcp_audit_admin_activityCloud Logging entries.listlog_timestamp, principal_email, method_name, resource_name, project_id, status_code
gcp_organizationsCloud Resource Manager v3organization_id, display_name, directory_customer_id
gcp_foldersCloud Resource Manager v3folder_id, parent, display_name
gcp_billing_accountsCloud Billing v1name, display_name, open_account, currency_code
gcp_project_servicesService Usage v1project_id, service_name, state
gcp_iam_bindingsCloud Asset SearchAllIamPoliciesresource, project, role, member, member_type
gcp_service_accountsCloud Asset (iam.googleapis.com/ServiceAccount)email, project_id, disabled, oauth2_client_id
gcp_service_account_keysIAM v1 keys.listservice_account_email, key_id, key_type, valid_before_time
gcp_iam_principalsDerived from gcp_iam_bindingsmember, member_type, email_domain, binding_count, roles_json
gcp_cloud_identity_usersAdmin Directory v1 (impersonated)primary_email, suspended, archived, is_admin
gcp_compute_instancesCloud Asset (Compute Instance)name, project, location, state, labels_json
gcp_compute_firewallsCloud Asset (Firewall)name, project, raw_json
gcp_gcs_bucketsCloud Asset (Bucket)name, project, location, labels_json
gcp_kms_keysCloud Asset (CryptoKey)name, project, location, additional_attributes_json
gcp_secret_manager_secretsCloud Asset (Secret)name, project, labels_json

What you can’t ingest with this setup

  • Data Access / System Event / Policy Denied audit logs. Only Admin Activity audit logs are ingested (config changes). Data Access logs are off by default, very high volume, and not pulled in this version.
  • Per-resource detailed metrics (CPU, network throughput, etc.). The Asset API gives configuration + metadata. Real-time metrics live in Cloud Monitoring.
  • GCS bucket object listings. Buckets yes; objects no — that would multiply the row count by many orders of magnitude.
  • Secret Manager secret payloads. ConfigView reads names and metadata only. Payloads stay in GCP.
If you need Data Access audit logs or live metrics, ask your ConfigView contact — both are tracked roadmap items.