# GCP

The OX GCP connector connects OX Security to your Google Cloud environment and provides cloud-level visibility, asset context, and Kubernetes deployment enrichment across the platform.

The connector enables OX to collect metadata from your Google Cloud environment and correlate it with applications, workloads, container images, and security findings.

The GCP connector is also required when [connecting Google Kubernetes Engine (GKE)](/ox-integrations/3rd-party-integrations/cloud-security/gcp-and-gke-1/gcp-and-gke.md) clusters to OX.

### What the GCP connector provides

<table><thead><tr><th width="300.666748046875">Capability</th><th>Description</th></tr></thead><tbody><tr><td>Cloud asset visibility</td><td>Identifies assets deployed in your Google Cloud environment</td></tr><tr><td>Kubernetes enrichment</td><td>Adds deployment and runtime context for GKE workloads</td></tr><tr><td>Internet exposure context</td><td>Detects whether workloads are publicly reachable</td></tr><tr><td>Cloud BOM generation</td><td>Builds a cloud-based bill of materials (Cloud BOM)</td></tr><tr><td>Runtime-aware prioritization</td><td>Enriches issues with severity context based on live deployment status</td></tr><tr><td>Attack path visibility</td><td>Extends Attack Path analysis with cloud reachability information</td></tr></tbody></table>

### Kubernetes connection models

OX supports two Kubernetes connection models:

| Connection model            | Description                                                                                                                                                                 |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Direct cloud integration    | <p>OX connects directly to GKE through Google Cloud APIs.<br>Use direct integration when the cluster is externally reachable.</p>                                           |
| Inspector-based integration | <p>The Inspector runs inside the environment and sends Kubernetes data to OX.<br>Use the Inspector when clusters are private, restricted, or not externally accessible.</p> |

### Enriched visibility across OX

After the connector is configured, cloud deployment context is reflected across multiple areas in OX.

| Area               | Enrichment                                                                         |
| ------------------ | ---------------------------------------------------------------------------------- |
| Applications       | Displays Kubernetes deployment details, Application Flow data, and deployment Tags |
| Active Issues      | Adds Kubernetes reachability and runtime severity factors                          |
| Attack Path        | Displays cloud and Kubernetes reachability paths                                   |
| Artifact BOM       | Shows where artifacts are deployed across cloud environments and clusters          |
| Artifact integrity | Detects images running from untrusted or unknown sources                           |

### Runtime-aware scanning

OX scans the specific container image versions that are actively running in your cloud environment, not only the latest versions available in the registry.

This improves prioritization accuracy and reduces unnecessary scanning noise.

### Supported environments

The GCP connector supports:

* Google Cloud Platform (GCP)
* Google Kubernetes Engine (GKE)
* Inspector-based Kubernetes deployments running in Google Cloud

## Prerequisites

* A Google Cloud project with IAM permissions to:
  * Create service accounts
  * Manage service account keys
* The required APIs enabled (for example, Compute Engine API, IAM API, Kubernetes Engine API); Step 1 below shows how to enable them.
* Optional: `gcloud` CLI installed and configured.

## Step 1: Create a new service account \[Google]

1. Log in to the [Google Cloud Console](https://console.cloud.google.com).
2. Select your GCP project.
3. Navigate to **IAM & Admin**.
4. Select **Service Accounts**.

<figure><img src="/files/ndGZg4giFwnwfohOAex5" alt=""><figcaption></figcaption></figure>

5. Select **+ Create Service Account**.

<figure><img src="/files/h0uORN0gY51ck9FVZOzw" alt="" width="430"><figcaption></figcaption></figure>

6. Add a meaningful name and an optional description.
7. Select **Create and Continue**.

<figure><img src="/files/nv2odyLW4jiv7bduRv7k" alt="" width="418"><figcaption></figcaption></figure>

8. Grant one of the following roles:

<table><thead><tr><th width="294.8333740234375">Role</th><th>Description</th></tr></thead><tbody><tr><td><strong>Access Approval Viewer</strong></td><td>Read-only access to Access Approval settings and approval requests.</td></tr><tr><td><strong>Access Context Manager Reader</strong></td><td>Read-only access to Access Context Manager resources, including access policies, access levels, and service perimeters (VPC Service Controls).</td></tr><tr><td><strong>Discovery Engine Viewer</strong></td><td>Read-only access to Vertex AI Search &#x26; Conversation (Discovery Engine) resources.</td></tr><tr><td><strong>Firebase Rules Viewer</strong></td><td>Read-only access to Firebase Security Rules.</td></tr><tr><td><strong>Firebase Viewer</strong></td><td>Read-only access to all Firebase resources and configuration within a project, including databases, hosting, authentication settings, and functions.</td></tr><tr><td><strong>Healthcare Dataset Viewer</strong></td><td>Read-only access to Cloud Healthcare API datasets and their metadata.</td></tr><tr><td><strong>Security Reviewer</strong></td><td>Read-only access to all resources for the purpose of security auditing.</td></tr><tr><td><strong>Storage Object Viewer</strong></td><td>Read-only access to objects within Cloud Storage buckets.</td></tr><tr><td><strong>Viewer</strong></td><td>Read-only access to all Google Cloud resources within a project (basic role).</td></tr></tbody></table>

9. Select **Done**. The new service account appears in the **Service accounts** table.

<figure><img src="/files/Lscy78DqROjJPEdZkzCh" alt=""><figcaption></figcaption></figure>

10. In the **Actions** column of the newly created service account, click its three-dot menu and select **Manage keys**.
11. In the **Keys** pane, select **Add key > Create new key**.

<figure><img src="/files/kMG5ZTPVEnAOcYORIQfB" alt=""><figcaption></figcaption></figure>

12. Select **JSON** and then select **Create**. The file is automatically downloaded to your system.
13. Securely store the JSON key file.
14. Encode the key file in Base64:

* On **macOS/Linux**, run: `base64 -i <filename>.json` (with GNU coreutils on Linux, use `base64 -w 0 <filename>.json`, because GNU `base64` wraps its output at 76 columns by default and the token must be a single line).
* On **Windows**, use a tool or plugin to convert the JSON to a one-line Base64 string.

> **Note:** The Base64 encoding ensures multi-line keys are compacted into a single string.

15. To enable the required Google Cloud APIs, in the **Google Cloud Console**:

    a. Navigate to **APIs & Services**.

    b. In the left pane, select **Library**.

    c. Search for and enable the following APIs:

    * Compute Engine API (`compute.googleapis.com`)
    * Kubernetes Engine API (`container.googleapis.com`)
    * Cloud Resource Manager API (`cloudresourcemanager.googleapis.com`)

<figure><img src="/files/NXQUf4jYcWTIbvHvxgHA" alt="" width="544"><figcaption></figcaption></figure>

d. Alternatively, use the `gcloud` CLI to enable all the required APIs at once:

```bash
gcloud services enable \
  aiplatform.googleapis.com \
  appengine.googleapis.com \
  artifactregistry.googleapis.com \
  bigquery.googleapis.com \
  cloudfunctions.googleapis.com \
  cloudkms.googleapis.com \
  cloudresourcemanager.googleapis.com \
  compute.googleapis.com \
  container.googleapis.com \
  containerregistry.googleapis.com \
  dataproc.googleapis.com \
  datastore.googleapis.com \
  discoveryengine.googleapis.com \
  dns.googleapis.com \
  firebase.googleapis.com \
  firebasedatabase.googleapis.com \
  firebaserules.googleapis.com \
  firestore.googleapis.com \
  healthcare.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  monitoring.googleapis.com \
  pubsub.googleapis.com \
  redis.googleapis.com \
  run.googleapis.com \
  secretmanager.googleapis.com \
  spanner.googleapis.com \
  sqladmin.googleapis.com \
  storage.googleapis.com
```

> **Note:** The CLI command enables a broader set of APIs than the minimum required for GKE. The additional APIs (such as BigQuery, Cloud KMS, and Dataproc) support other GCP features that OX Security may scan. If you prefer to enable only the minimum required APIs, use the manual UI steps (step c above) instead.

e. To verify the APIs were enabled, run:

```bash
gcloud services list --enabled
```
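As an added example, not OX Security's own tooling: a small POSIX shell helper for Step 1 that produces the single-line Base64 token from the downloaded key file (same result with GNU and macOS `base64`), sanity-checks that the token decodes to a service-account key before it is pasted into the connector dialog, and compares a `gcloud services list --enabled` listing against the three APIs named in step c. The key file and the listing are constructed sample data; no real key or `gcloud` call is involved.

```shell
#!/bin/sh
# Added example (not OX's own code). Helpers for the error-prone parts of
# Step 1: one-line Base64 encoding of the key file and a check that the
# minimum APIs are enabled. Sample inputs below are constructed.
set -eu

# Minimum APIs from the manual UI step (step c).
REQUIRED_APIS="compute.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com"

# Base64-encode a key file as a single line. GNU base64 wraps at 76 columns
# by default and macOS base64 does not; stripping newlines works on both.
encode_key() {
  base64 < "$1" | tr -d '\n'
}

# A token is only useful if it decodes to JSON that declares a
# service-account key; check that before pasting it into the dialog.
token_is_service_account_key() {
  printf '%s' "$1" | base64 -d 2>/dev/null | grep -q '"type": *"service_account"'
}

# Argument: newline-separated service names, as printed by
#   gcloud services list --enabled --format='value(config.name)'
# Prints the required APIs that are absent; returns 0 when none are missing.
missing_apis() {
  enabled="$1"; missing=""
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qx "$api" || missing="$missing $api"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}

# Walk-through on a constructed key file (not a real credential).
keyfile=$(mktemp)
printf '{\n  "type": "service_account",\n  "project_id": "example-project"\n}\n' > "$keyfile"
token=$(encode_key "$keyfile")
rm -f "$keyfile"
if token_is_service_account_key "$token"; then
  echo "token is a single-line service-account key ($(printf '%s' "$token" | wc -c | tr -d ' ') chars)"
fi

# Constructed listing in which container.googleapis.com is not yet enabled.
enabled=$(printf '%s\n' compute.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com)
if missing=$(missing_apis "$enabled"); then
  echo "all required APIs are enabled"
else
  echo "still to enable: $missing   (run: gcloud services enable $missing)"
fi
```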

## Step 2: Connect to GCP

1. In the **Google Cloud Console**, locate the ID of the project in which you created the service account.

<figure><img src="/files/r4eL4ElM8jUnOGkxEzbg" alt="" width="563"><figcaption></figcaption></figure>

2. In the **OX Security** platform, go to **Connectors** and search for **GCP**.

<figure><img src="/files/L6p5rRrD8w2fBiOSDGFj" alt="" width="155"><figcaption></figcaption></figure>

3. Select **GCP** and set the following parameters in the **Configure your GCP credentials** dialog.

<figure><img src="/files/paBwoapUr2y4Ee01NpDl" alt="" width="539"><figcaption></figcaption></figure>

| Parameter         | Description                    |
| ----------------- | ------------------------------ |
| **Project ID**    | The project ID copied in step 1 |
| **API Token**     | The Base64-encoded key file     |

4. Select **CONNECT**. A success message appears.

## Multi-project access

**To reuse one service account across multiple GCP projects:**

1. [Create a new service account](#creating-a-new-service-account).
2. In the source project, copy the email of the service account.

<figure><img src="/files/5JJiMQdY8XvKJ6fOJjrr" alt=""><figcaption></figcaption></figure>

3. For each target project, navigate to **IAM & Admin** and select **Grant Access**.

<figure><img src="/files/DJHrsEuGtDLvOh91g40n" alt="" width="453"><figcaption></figcaption></figure>

4. In the **New principals** box, add the copied email address.
5. In the **Role** box, select the role that you want:

<table><thead><tr><th width="294.8333740234375">Role</th><th>Description</th></tr></thead><tbody><tr><td><strong>Access Approval Viewer</strong></td><td>Read-only access to Access Approval settings and approval requests.</td></tr><tr><td><strong>Access Context Manager Reader</strong></td><td>Read-only access to Access Context Manager resources, including access policies, access levels, and service perimeters (VPC Service Controls).</td></tr><tr><td><strong>Discovery Engine Viewer</strong></td><td>Read-only access to Vertex AI Search &#x26; Conversation (Discovery Engine) resources.</td></tr><tr><td><strong>Firebase Rules Viewer</strong></td><td>Read-only access to Firebase Security Rules.</td></tr><tr><td><strong>Firebase Viewer</strong></td><td>Read-only access to all Firebase resources and configuration within a project, including databases, hosting, authentication settings, and functions.</td></tr><tr><td><strong>Healthcare Dataset Viewer</strong></td><td>Read-only access to Cloud Healthcare API datasets and their metadata.</td></tr><tr><td><strong>Security Reviewer</strong></td><td>Read-only access to all resources for the purpose of security auditing.</td></tr><tr><td><strong>Storage Object Viewer</strong></td><td>Read-only access to objects within Cloud Storage buckets.</td></tr><tr><td><strong>Viewer</strong></td><td>Read-only access to all Google Cloud resources within a project (basic role).</td></tr></tbody></table>

6. Click **Save**.
7. In the **OX Security** platform, go to **Connectors** and search for **GCP**.
8. Select **GCP** and set the following parameters in the **Configure your GCP credentials** dialog.

<figure><img src="/files/paBwoapUr2y4Ee01NpDl" alt="" width="539"><figcaption></figcaption></figure>

| Parameter         | Description        |
| ----------------- | ------------------ |
| **Project ID**    | Enter `*` instead of a single project ID |
| **API Token**     | The Base64-encoded key file              |

9. Select **CONNECT**. A success message appears.
