GCP

The OX GCP connector connects OX Security to your Google Cloud environment and provides cloud-level visibility, asset context, and Kubernetes deployment enrichment across the platform.

The connector enables OX to collect metadata from your Google Cloud environment and correlate it with applications, workloads, container images, and security findings.

The GCP connector is also required when connecting Google Kubernetes Engine (GKE) clusters to OX.

What the GCP connector provides

  • Cloud asset visibility: Identifies assets deployed in your Google Cloud environment.

  • Kubernetes enrichment: Adds deployment and runtime context for GKE workloads.

  • Internet exposure context: Detects whether workloads are publicly reachable.

  • Cloud BOM generation: Builds a cloud-based bill of materials (Cloud BOM).

  • Runtime-aware prioritization: Enriches issues with severity context based on live deployment status.

  • Attack path visibility: Extends Attack Path analysis with cloud reachability information.

Kubernetes connection models

OX supports two Kubernetes connection models:

  • Direct cloud integration: OX connects to GKE directly through Google Cloud APIs. Use direct integration when the cluster's API endpoint is reachable from outside your network.

  • Inspector-based integration: The Inspector runs inside your environment and sends Kubernetes data out to OX, so no inbound access to the cluster is required. Use the Inspector when clusters are private, restricted, or otherwise not externally accessible.

Enriched visibility across OX

After the connector is configured, cloud deployment context is reflected across multiple areas in OX.

  • Applications: Displays Kubernetes deployment details, Application Flow data, and deployment Tags.

  • Active Issues: Adds Kubernetes reachability and runtime severity factors.

  • Attack Path: Displays cloud and Kubernetes reachability paths.

  • Artifact BOM: Shows where artifacts are deployed across cloud environments and clusters.

  • Artifact integrity: Detects images running from untrusted or unknown sources.

Runtime-aware scanning

OX scans the specific container image versions that are actively running in your cloud environment, not only the latest versions available in the registry.

This improves prioritization accuracy and reduces unnecessary scanning noise.

Supported environments

The GCP connector supports:

  • Google Cloud Platform (GCP)

  • Google Kubernetes Engine (GKE)

  • Inspector-based Kubernetes deployments running in Google Cloud

Prerequisites

  • A Google Cloud project in which your account has IAM permissions to:

    • Create service accounts

    • Create and manage service account keys

    • Grant project-level IAM roles (needed to bind a role to the new service account)

    • Enable APIs

  • The required APIs enabled (for example, Compute Engine API, IAM API, Kubernetes Engine API; Step 1 below lists the set the connector needs).

  • Optional: gcloud CLI installed and authenticated against the project.

Step 1: Create a new service account [Google]

  1. Log in to the Google Cloud Console.

  2. Select your GCP project.

  3. Navigate to IAM & Admin > Service Accounts.

  4. Select + Create Service Account.

  5. Add a meaningful name (one that identifies OX as the consumer of the account) and an optional description.

  6. Select Create and Continue.

  7. Grant one of the following roles. Choose the narrowest role that still gives OX read access to the resources you want it to see: every role in this list is read-only, and the basic Viewer role is the broadest of them because it covers every resource in the project.

  • Access Approval Viewer: Read-only access to Access Approval settings and approval requests.

  • Access Context Manager Reader: Read-only access to Access Context Manager resources, including access policies, access levels, and service perimeters (VPC Service Controls).

  • Discovery Engine Viewer: Read-only access to Vertex AI Search & Conversation (Discovery Engine) resources.

  • Firebase Rules Viewer: Read-only access to Firebase Security Rules.

  • Firebase Viewer: Read-only access to all Firebase resources and configuration within a project, including databases, hosting, authentication settings, and functions.

  • Healthcare Dataset Viewer: Read-only access to Cloud Healthcare API datasets and their metadata.

  • Security Reviewer: Read-only access to all resources for the purpose of security auditing.

  • Storage Object Viewer: Read-only access to objects within Cloud Storage buckets.

  • Viewer: Read-only access to all Google Cloud resources within a project (basic role).

  8. Select Done. The new service account appears in the Service accounts table.

  9. In the Actions column for the new service account, open the three-dot menu and select Manage keys.

  10. In the Keys pane, select Add key > Create new key.

  11. Select JSON and then select Create. The key file is downloaded to your system automatically. If your organization enforces the iam.disableServiceAccountKeyCreation organization policy constraint, this step fails and you need an exception for this project before you can continue.

  12. Store the JSON key file securely. It is a long-lived credential: anyone who holds it has the service account's access until the key is deleted. Keep it in a secrets manager, never commit it to source control, delete the local download once the value has been entered in OX, and rotate it periodically by creating a new key, updating the connector, and then deleting the old key under Manage keys.

  13. Encode the key file as a single Base64 line:

  • On macOS, run: base64 -i <filename>.json

  • On Linux, run: base64 -w 0 <filename>.json (GNU base64 wraps its output at 76 columns by default, so without -w 0 you get a multi-line string, which defeats the purpose of the encoding)

  • On Windows, use a tool or plugin that converts the JSON file to a one-line Base64 string.

Note: The Base64 encoding compacts the multi-line JSON key into a single string that you can paste into the connector dialog.

  14. Enable the required Google Cloud APIs in the Google Cloud Console:

    a. Navigate to APIs & Services.

    b. In the left pane, select Library.

    c. Search for and enable the following APIs:

    • Compute Engine API (compute.googleapis.com)

    • Kubernetes Engine API (container.googleapis.com)

    • Cloud Resource Manager API (cloudresourcemanager.googleapis.com)

    d. Alternatively, use the gcloud CLI to enable all the required APIs at once:

Note: The CLI command enables a broader set of APIs than the minimum required for GKE. The additional APIs (such as BigQuery, Cloud KMS, and Dataproc) support other GCP features that OX Security may scan. If you prefer to enable only the minimum required APIs, use the manual console steps in 14c above.

    e. To verify the APIs were enabled, run:
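The console procedure above, scripted with gcloud as an added example (this is not OX Security's or Google's own tooling). It assumes gcloud is installed and authenticated as a user who can create service accounts, set project IAM policy and enable APIs; PROJECT_ID, SA_NAME, ROLE, KEY_FILE and the contents of the sample key are placeholders. Beyond the console steps it produces the single-line Base64 value in a way that works on both GNU and macOS base64, validates that the value you are about to paste into OX really is a service account key, and enables only the three minimum APIs listed above rather than the broader set.

```shell
#!/usr/bin/env sh
# Added example, not OX Security's or Google's own tooling. Scripts the console steps
# with gcloud and checks the Base64-encoded key before it is pasted into OX.
# Assumptions: gcloud is installed and authenticated as a user who can create service
# accounts, set project IAM policy and enable APIs; the values below are placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"     # assumption: your project ID
SA_NAME="${SA_NAME:-ox-security-reader}"       # assumption: any name you like
ROLE="${ROLE:-roles/iam.securityReviewer}"     # Security Reviewer, one of the roles listed above
KEY_FILE="${KEY_FILE:-ox-security-key.json}"
APIS="compute.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com"

# Service account, role binding and JSON key (console steps 4 to 11).
create_service_account() {
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "OX Security read-only connector"
  # "serviceAccount:" is the member prefix IAM uses for service accounts.
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${sa_email}" --role "$ROLE" --condition=None
  # Fails if the iam.disableServiceAccountKeyCreation org policy is enforced.
  gcloud iam service-accounts keys create "$KEY_FILE" \
    --iam-account "$sa_email" --project "$PROJECT_ID"
  chmod 600 "$KEY_FILE"   # long-lived credential: restrict it on disk
}

# Encode the key as ONE line. GNU base64 (Linux) wraps at 76 columns by default, so
# stripping newlines after the fact works the same on GNU and BSD/macOS base64.
encode_key() {
  base64 < "$1" | tr -d '\n'
}

# Sanity-check an encoded value before pasting it into OX: it must decode, and the JSON
# must be a service account key (type "service_account" with client_email and private_key),
# not, for example, the "authorized_user" file that gcloud auth application-default login writes.
check_encoded_key() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s' "$decoded" | grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' || return 1
  printf '%s' "$decoded" | grep -q '"client_email"' || return 1
  printf '%s' "$decoded" | grep -q '"private_key"' || return 1
}

# Enable the three APIs the connector needs and verify each one is actually enabled.
enable_apis() {
  # shellcheck disable=SC2086  (APIS is intentionally split into separate arguments)
  gcloud services enable $APIS --project "$PROJECT_ID"
}
verify_apis() {
  enabled=$(gcloud services list --enabled --project "$PROJECT_ID" --format='value(config.name)')
  for api in $APIS; do
    printf '%s\n' "$enabled" | grep -qx "$api" || { echo "not enabled: $api" >&2; return 1; }
  done
}

# Constructed sample key (dummy values, not a real credential) so encode_key and
# check_encoded_key can be exercised offline; the real file comes from gcloud or the console.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...dummy...\n-----END PRIVATE KEY-----\n",
  "client_email": "ox-security-reader@my-gcp-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
}

# The real procedure runs only when explicitly requested: OX_GCP_RUN=1 sh setup.sh
if [ "${OX_GCP_RUN:-0}" = "1" ]; then
  create_service_account
  enable_apis
  verify_apis
  token=$(encode_key "$KEY_FILE")
  if check_encoded_key "$token"; then
    printf '%s\n' "$token"   # paste this value into the API Token field
  else
    echo "encoded key failed validation; is $KEY_FILE a service account key?" >&2
    exit 1
  fi
fi
```

Without OX_GCP_RUN=1 the script only defines its functions, so write_sample_key, encode_key and check_encoded_key can be tried offline before the real key exists. The check deliberately rejects the authorized_user JSON that gcloud auth application-default login writes, which is easy to confuse with a service account key and would make the connector fail with an unhelpful error.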

Step 2: Connect to GCP

  1. In the Google Cloud Console, note the ID of the project in which you created the service account.

  2. In the OX Security platform, go to Connectors and search for GCP.

  3. Select GCP and set the following parameters in the Configure your GCP credentials dialog:

  • Project ID: The project ID you noted in step 1.

  • API Token: The Base64-encoded service account key you created in Step 1: Create a new service account.

  4. Select CONNECT. A success message appears.

Multi-project access

To reuse one service account across multiple GCP projects:

  1. In the source project, copy the email address of the service account (it has the form <name>@<project-id>.iam.gserviceaccount.com).

  2. For each target project, navigate to IAM & Admin > IAM and select Grant Access.

  3. In the New principals box, paste the copied email address.

  4. In the Role box, select the role you want. The same read-only roles listed in Step 1: Create a new service account apply here; use the same role in every project so that OX gets consistent visibility, and keep it as narrow as the resources you want scanned allow.

  5. Click Save.

  6. In the OX Security platform, go to Connectors and search for GCP.

  7. Select GCP and set the following parameters in the Configure your GCP credentials dialog:

  • Project ID: Enter * to cover every project the service account has been granted access to.

  • API Token: The Base64-encoded key of that service account.

  8. Select CONNECT. A success message appears.

Because * scopes the connector to whatever the service account can reach, granting the account a role in a project is what brings that project into OX's scope; review the bindings you add with the same care as the role itself.
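The multi-project grant above, scripted as an added example (not OX Security's own tooling). It assumes gcloud is authenticated as a user who can set IAM policy on each target project; SA_EMAIL, ROLE and the project IDs in the usage comment are placeholders. It adds two things the console steps do not show: every project ID is validated against Google's documented format before any project is touched, and the default is a dry run that prints the gcloud commands so you can review exactly which projects will come into OX's scope before applying them.

```shell
#!/usr/bin/env sh
# Added example, not OX Security's own tooling: bind one existing service account to a
# read-only role in several target projects. Assumes gcloud is authenticated as a user who
# can set IAM policy on each target project. SA_EMAIL and ROLE below are placeholders.
set -eu

SA_EMAIL="${SA_EMAIL:-ox-security-reader@my-source-project.iam.gserviceaccount.com}"  # assumption
ROLE="${ROLE:-roles/iam.securityReviewer}"   # Security Reviewer, one of the roles listed above
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands only, 0 = run them

# Google's documented project ID format: 6 to 30 characters, lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen. Rejecting anything else up
# front stops a typo (or a pasted display name) from ever reaching the IAM API.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# The gcloud command for one project. "serviceAccount:" is the member prefix IAM uses for
# service accounts (as opposed to user: or group:); --condition=None skips the interactive
# prompt gcloud shows when the project's policy already contains conditional bindings.
binding_cmd() {
  printf 'gcloud projects add-iam-policy-binding %s --member serviceAccount:%s --role %s --condition=None' \
    "$1" "$SA_EMAIL" "$ROLE"
}

# Validate every project ID first, then grant (or, in dry-run mode, print) for each one.
# Returns non-zero without touching any project if a single ID is malformed.
grant_in_projects() {
  for p in "$@"; do
    valid_project_id "$p" || { echo "invalid project ID: $p" >&2; return 1; }
  done
  for p in "$@"; do
    cmd=$(binding_cmd "$p")
    if [ "$DRY_RUN" = "1" ]; then
      echo "$cmd"
    else
      eval "$cmd"
    fi
  done
}

# Usage (placeholder project IDs):
#   OX_GRANT_RUN=1 sh grant.sh prod-payments dev-sandbox-01            # dry run, prints commands
#   OX_GRANT_RUN=1 DRY_RUN=0 sh grant.sh prod-payments dev-sandbox-01  # applies the bindings
#   OX_GRANT_RUN=1 sh grant.sh $(gcloud projects list --format='value(projectId)')
if [ "${OX_GRANT_RUN:-0}" = "1" ]; then
  grant_in_projects "$@"
fi
```

Review the dry-run output before setting DRY_RUN=0: with the connector's Project ID set to *, every project that appears in that list becomes visible to OX, so the list is effectively the connector's scope.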
