ConfigView pulls Google Cloud data through one organization-scoped service account plus a few *_ID secrets. The service account uses the Cloud Asset API to enumerate resources across every project in your organization in a single call per asset type — no per-project iteration, no per-region loops.
You will end up with 3 secrets in ConfigView (GCP_ORG_ID, GCP_CUSTOMER_ID, GCP_WORKSPACE_ADMIN_EMAIL) plus one uploaded JSON file (google_cloud.json, the service account key).
Prerequisite. All 27 endpoints require the Cloud Asset Inventory API to be enabled on at least one project that the service account can read from — that’s the project the Asset API queries are billed to and whose quota they consume. Enable it on the same project you create the service account in.
Step 1: Identify your IDs
You need three identifiers up-front:
GCP_ORG_ID — Open https://console.cloud.google.com/iam-admin/settings, switch to your organization in the picker, copy the Organization ID (e.g. 123456789012).
GCP_CUSTOMER_ID — In the same Organization Settings page, copy the Directory customer ID (begins with C, e.g. C03az79cb). This is your Cloud Identity / Workspace customer ID.
GCP_WORKSPACE_ADMIN_EMAIL — Only required for the Cloud Identity Users endpoint. The email of a Workspace admin the service account will impersonate via DWD. Skip this if you’re not enabling Cloud Identity Users.
Step 2: Create the service account
- Open https://console.cloud.google.com/iam-admin/serviceaccounts
- Pick (or create) a project to host the service account — configview-integration is conventional, but any project the SA can use as its “home” works
- Click Create Service Account
- Name: configview
- Click Create and Continue — we’ll add roles in the next step
- Click Done (you can skip the optional grant-users step)
Step 3: Grant the service account org-level roles
Switch to IAM at the organization level (not project): https://console.cloud.google.com/iam-admin/iam → pick your organization in the picker → click Grant Access.
Add the service account email as a principal and assign:
| Role | Why | Endpoints it unlocks |
|---|---|---|
| Browser (roles/browser) | Read project/folder/org metadata | Projects, Organizations, Folders |
| Cloud Asset Viewer (roles/cloudasset.viewer) | Bulk inventory via Asset API | Compute (all), Storage, SQL, BigQuery, Run, GKE, Functions, Pub/Sub, DNS, KMS, Secret Manager, Service Accounts, IAM Bindings |
| Service Usage Viewer (roles/serviceusage.serviceUsageViewer) | List enabled APIs per project | APIs Enabled (per Project) |
| Billing Account Viewer (roles/billing.viewer) | Read billing account list | Billing Accounts |
| Security Reviewer (roles/iam.securityReviewer) | Read IAM policies + service account keys | IAM Bindings, Service Account Keys |
| Cloud Identity Reader (roles/cloudidentity.viewer) — optional | Read groups via Cloud Identity | (Not used directly; future expansion) |
Click Save.
About Cloud Asset Viewer. This role alone covers most of the heavy lifting. If you want a single-role install and don’t mind slightly less granular reads, you can grant roles/cloudasset.viewer + roles/browser and the majority of the 27 endpoints will function. The other roles fix the gaps for billing, service-usage, IAM policy, and SA keys.
Step 4: Create + upload the JSON key
- From the service account list, click your configview service account
- Open the Keys tab → Add Key → Create new key → JSON
- Click Create — the JSON file downloads automatically
- Upload the JSON to your ConfigView satellite at <satellite-root>/json/google_cloud.json (your ConfigView administrator can do this — it’s NOT a Secret Manager secret because the file is bigger and is referenced directly by all scripts)
Where the file lives. The scripts look for <project_root>/json/google_cloud.json (relative to the master-scripts checkout). On a satellite this is typically /home/configview/json/google_cloud.json. Permissions: chmod 400, owner configview:configview.
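A check for the uploaded key file, added here as an example and not part of the ConfigView scripts: it verifies that google_cloud.json is a service-account key JSON and carries the mode and owner described above. write_sample_key writes a constructed placeholder key (not a usable credential) so the check can be tried on any host; the expected_owner default assumes the configview user.

```python
import json
import os
import pwd
import stat
import tempfile

# Field names every Google service-account key JSON carries; checked by presence only, never logged.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")

def check_key_file(path, expected_owner="configview"):
    """Return a list of findings for google_cloud.json; an empty list means it looks right."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append(f"mode is {oct(mode)}, expected 0o400 (chmod 400)")
    owner = pwd.getpwuid(st.st_uid).pw_name
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    with open(path, "r", encoding="utf-8") as fh:
        try:
            key = json.load(fh)
        except json.JSONDecodeError as exc:
            return findings + [f"not valid JSON: {exc.msg}"]
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        findings.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if not str(key.get("client_email", "")).endswith(".iam.gserviceaccount.com"):
        findings.append("client_email is not a service-account address")
    return findings

def current_user():
    """Login name of whoever runs the check, for trying it on a host without a configview user."""
    return pwd.getpwuid(os.getuid()).pw_name

def write_sample_key(directory=None, mode=0o400):
    """Write a constructed key file with placeholder values (not a usable credential); return its path."""
    path = os.path.join(directory or tempfile.mkdtemp(), "google_cloud.json")
    sample = {"type": "service_account", "project_id": "configview-integration",
              "private_key_id": "PLACEHOLDER_KEY_ID", "client_id": "000000000000000000000",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
              "client_email": "configview@configview-integration.iam.gserviceaccount.com",
              "token_uri": "https://oauth2.googleapis.com/token"}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path
```

On a satellite, run check_key_file("/home/configview/json/google_cloud.json") as the configview user; any non-empty result is something to fix before enabling the scripts.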
Step 5: Add the secrets to ConfigView
- Go to your ConfigView dashboard: https://{companyname}.configview.com/admin/secret/
- Click Add Secret and create:
  - GCP_ORG_ID: from Step 1.1 (numeric, e.g. 123456789012)
  - GCP_CUSTOMER_ID: from Step 1.2 (starts with C)
  - GCP_WORKSPACE_ADMIN_EMAIL: from Step 1.3 (admin email to impersonate, only needed for Cloud Identity Users)
- Click Save
Step 6: Domain-Wide Delegation (only for Cloud Identity Users)
Skip this step if you’re not enabling the Cloud Identity Users endpoint. The endpoint duplicates google-workspace data, so most customers already running google-workspace can leave it disabled.
If you do want it:
- From the service account list, click your configview SA → Details → expand Advanced settings → copy the Client ID
- Sign in to your Google Workspace admin console as a super admin: https://admin.google.com
- Go to Security → Access and data control → API controls → Manage Domain Wide Delegation
- Click Add new and paste:
  - Client ID: (from above)
  - OAuth scopes: https://www.googleapis.com/auth/admin.directory.user.readonly
- Click Authorize
The SA can now impersonate the admin email you set in GCP_WORKSPACE_ADMIN_EMAIL to read the user directory.
Step 7: Enable the Google Cloud scripts
- Go to: https://{companyname}.configview.com/admin/cron/
- You should see google-cloud in the list of available apps
- Enable scripts by tier — turn on the parents first; children will run automatically after them:
Identity & governance
| Script | Notes |
|---|---|
| Projects | All projects across the org. Most other scripts implicitly depend on this list. |
| Organizations | Usually one row. Enable for completeness. |
| Folders | Folder hierarchy. Depends on Organizations. |
| Billing Accounts | All accounts the SA can view |
| APIs Enabled (per Project) | One row per (project × enabled service). Depends on Projects. Can be large — hundreds to thousands of rows. |
| IAM Bindings (Org + Folder + Project) | Flattened binding × member rows across every resource the SA can see |
| Service Accounts | All SAs across the org |
| Service Account Keys | One row per (SA × key). Depends on Service Accounts. Lists keyType (USER_MANAGED is the audit target) |
| IAM Principals (Derived) | One row per unique principal aggregated from IAM Bindings. Depends on IAM Bindings. No API call — pure SQL aggregation. |
| Cloud Identity Users | Same data as google-workspace users. Enable only if google-workspace isn’t running. Requires DWD (Step 6). |
Compute
| Script | Notes |
|---|---|
| Compute Instances (VMs) | Renamed from gcp_get_org_vm; historical data preserved via migration if you ran the old script |
| Compute Disks | All persistent disks |
| Compute Networks (VPCs) | All VPC networks |
| Compute Subnetworks | All subnetworks |
| Compute Firewalls | All firewall rules — useful for security audits |
| Compute External IPs | Static + ephemeral external IPs (Address resources) |
| Load Balancers (Forwarding Rules) | All forwarding rules across global + regional LBs |
Storage & data
| Script | Notes |
|---|---|
| Cloud Storage Buckets | All GCS buckets |
| Cloud SQL Instances | All SQL instances (MySQL, Postgres, SQL Server) |
| BigQuery Datasets | All BQ datasets |
| Cloud Run Services | All Cloud Run services |
| GKE Clusters | All GKE clusters |
| Cloud Functions | Gen-1 (CloudFunction) + Gen-2 (Function) |
| Pub/Sub Topics | All Pub/Sub topics |
| Cloud DNS Zones | All managed DNS zones |
Security
| Script | Notes |
|---|---|
| KMS Crypto Keys | All keys across all key rings |
| Secret Manager Secrets (Metadata) | Names + replication settings only — never the secret payload |
- Click Save
Step 8: Verify
- Go to: https://{companyname}.configview.com/admin/status/
- Run the Google Cloud health check
- Projects, Organizations, and at least one Asset-API endpoint (e.g. Compute Instances) should pass
If a check fails:
- PERMISSION_DENIED on Asset API — roles/cloudasset.viewer not granted at the organization level (project-level isn’t enough). Re-do Step 3 against the org.
- SERVICE_DISABLED: Cloud Asset API has not been used in project X — Enable Cloud Asset API on the project you put the SA in. The Asset API queries are billed against that project.
- PERMISSION_DENIED on Service Usage — Missing roles/serviceusage.serviceUsageViewer.
- PERMISSION_DENIED on billing — Missing roles/billing.viewer. Billing is granted at the billing account level, not org level, depending on your account structure.
- PERMISSION_DENIED on Service Account Keys — Missing roles/iam.securityReviewer OR the customer turned off SA key listing via org policy (constraints/iam.disableServiceAccountKeyCreation is unrelated; the relevant constraint is on read).
- unauthorized_client: Client is unauthorized to retrieve access tokens on Cloud Identity Users — DWD client ID not authorized, or wrong scope. Re-do Step 6.
Data Tables
Selected highlights. See manifest.json for the full 27-table list.
| Table | Source | Key Columns |
|---|---|---|
| gcp_projects | Cloud Resource Manager v3 | project_id, parent, state, display_name, labels |
| gcp_organizations | Cloud Resource Manager v3 | organization_id, display_name, directory_customer_id |
| gcp_folders | Cloud Resource Manager v3 | folder_id, parent, display_name |
| gcp_billing_accounts | Cloud Billing v1 | name, display_name, open_account, currency_code |
| gcp_project_services | Service Usage v1 | project_id, service_name, state |
| gcp_iam_bindings | Cloud Asset SearchAllIamPolicies | resource, project, role, member, member_type |
| gcp_service_accounts | Cloud Asset (iam.googleapis.com/ServiceAccount) | email, project_id, disabled, oauth2_client_id |
| gcp_service_account_keys | IAM v1 keys.list | service_account_email, key_id, key_type, valid_before_time |
| gcp_iam_principals | Derived from gcp_iam_bindings | member, member_type, email_domain, binding_count, roles_json |
| gcp_cloud_identity_users | Admin Directory v1 (impersonated) | primary_email, suspended, archived, is_admin |
| gcp_compute_instances | Cloud Asset (Compute Instance) | name, project, location, state, labels_json |
| gcp_compute_firewalls | Cloud Asset (Firewall) | name, project, raw_json |
| gcp_gcs_buckets | Cloud Asset (Bucket) | name, project, location, labels_json |
| gcp_kms_keys | Cloud Asset (CryptoKey) | name, project, location, additional_attributes_json |
| gcp_secret_manager_secrets | Cloud Asset (Secret) | name, project, labels_json |
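The IAM Principals (Derived) script in Step 7 and the gcp_iam_principals row above describe the same aggregation: one row per unique principal, built from gcp_iam_bindings without any API call. As an added illustration (not the project's own SQL), this Python script loads constructed gcp_iam_bindings sample rows into an in-memory SQLite table, derives the principal rows with the columns listed above, and picks out public principals; the sample resources, projects and members are made up.

```python
import json
import sqlite3

# Constructed gcp_iam_bindings rows (resource, project, role, member, member_type) for the example;
# on a satellite this table is filled by the IAM Bindings script.
SAMPLE_BINDINGS = [
    ("//cloudresourcemanager.googleapis.com/projects/app-prod", "app-prod",
     "roles/owner", "user:alice@example.com", "user"),
    ("//cloudresourcemanager.googleapis.com/projects/app-prod", "app-prod",
     "roles/viewer", "user:alice@example.com", "user"),
    ("//cloudresourcemanager.googleapis.com/projects/data-prod", "data-prod",
     "roles/owner", "user:alice@example.com", "user"),
    ("//storage.googleapis.com/public-assets", "app-prod",
     "roles/storage.objectViewer", "allUsers", "allUsers"),
    ("//cloudresourcemanager.googleapis.com/projects/app-prod", "app-prod",
     "roles/editor", "serviceAccount:ci@app-prod.iam.gserviceaccount.com", "serviceAccount"),
]

def email_domain(member):
    """Domain part of a user/group/serviceAccount member, the domain for domain: members,
    and None for allUsers / allAuthenticatedUsers, which carry no domain at all."""
    if member.startswith("domain:"):
        return member.split(":", 1)[1]
    return member.rsplit("@", 1)[1] if "@" in member else None

def derive_principals(bindings):
    """One row per unique (member, member_type): binding_count plus the distinct roles as JSON."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE gcp_iam_bindings "
                "(resource TEXT, project TEXT, role TEXT, member TEXT, member_type TEXT)")
    con.executemany("INSERT INTO gcp_iam_bindings VALUES (?, ?, ?, ?, ?)", bindings)
    rows = con.execute(
        "SELECT member, member_type, COUNT(*), group_concat(DISTINCT role) "
        "FROM gcp_iam_bindings GROUP BY member, member_type ORDER BY member"
    ).fetchall()
    con.close()
    # The grouping is plain SQL; the domain split and JSON packing are done here for clarity.
    return [{"member": m, "member_type": t, "email_domain": email_domain(m),
             "binding_count": n, "roles_json": json.dumps(sorted(roles.split(",")))}
            for m, t, n, roles in rows]

def public_principals(principals):
    """Derived rows that expose a resource to anyone on the internet or to any Google account."""
    return [p for p in principals if p["member"] in ("allUsers", "allAuthenticatedUsers")]
```

Run against the real gcp_iam_bindings table, public_principals is the quickest way to spot buckets or projects bound to allUsers before reviewing the rest of the derived rows.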
What you can’t ingest with this setup
- Audit Logs. Cloud Audit Logs go to Cloud Logging, which has a separate API and a different access model. Not in this version.
- Per-resource detailed metrics (CPU, network throughput, etc.). The Asset API gives configuration + metadata. Real-time metrics live in Cloud Monitoring.
- GCS bucket object listings. Buckets yes; objects no — that would multiply the row count by many orders of magnitude.
- Secret Manager secret payloads. ConfigView reads names and metadata only. Payloads stay in GCP.
If audit logs are a hard requirement, ask your ConfigView contact — Cloud Logging ingestion is a tracked roadmap item.