
GCP Permission Analyzer

Attach a read-only GCP service account to Cremit Argus to analyze IAM bindings, inherited roles, and over-privilege on discovered GCP credentials.

About this guide

This comprehensive guide will walk you through the complete setup process. Expected completion time: 5-10 minutes.

Overview

The GCP Permission Analyzer connects a read-only service account to Argus so that every discovered GCP credential can be analyzed for its real IAM bindings, including roles inherited from organization and folder-level policies. It supports both traditional service-account keys and Workload Identity Federation.

Prerequisites

  • GCP organization admin or project Owner
  • Permission to create service accounts and grant read-only IAM roles
  • A Cremit Argus account on the Pro plan or above

Step-by-Step Setup

Step 1: Create a dedicated service account

This account gives Argus read-only access to IAM metadata.

  • In GCP Console, go to IAM & Admin > Service Accounts > Create service account
  • Name it 'cremit-argus-analyzer' and give it a description
  • Skip granting project access in this step; we grant org-scope roles next

Step 2: Grant the analyzer's required roles

Apply these at the organization level so the analyzer can see inherited bindings.

  • iam.securityReviewer: read IAM policies across all resources
  • iam.serviceAccountViewer: list service accounts and their metadata
  • iam.roleViewer: read custom role definitions
  • Optionally resourcemanager.folderViewer and resourcemanager.projectViewer for inventory

Step 3: Choose authentication method

Pick either a service-account key (simpler) or Workload Identity Federation (no long-lived keys).

  • Service-account key: create a JSON key, download it, keep it secret
  • Workload Identity Federation: set up a provider that trusts Argus's OIDC identity, then exchange tokens at runtime

Step 4: Register the analyzer in Argus

  • In Argus, go to Security > Permission Analysis > Add GCP Analyzer
  • Paste the service account email
  • Upload the JSON key OR paste the Workload Identity Federation configuration
  • Click Test Connection, then Register

Verification

To confirm the integration is configured correctly:

  • The analyzer shows Connected under Registered Analyzers
  • Analysis Results shows parsed bindings for existing GCP credentials
  • Inherited roles from org and folder levels are listed, not only project-level
  • GCP audit logs confirm the service account makes read-only IAM calls
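As an added example (not part of this guide or of Argus itself), the following Python resolves a member's effective roles across a constructed organization > folder > project hierarchy, which is the inherited-role view the verification above expects, and checks the Step 2 requirement that the analyzer's securityReviewer grant sits at the organization node. All resource ids, project names and service-account emails below are constructed sample data.

```python
# Added example, not Cremit's or Google's code: resolve the roles a member
# effectively holds on a project, including bindings inherited from the
# folder and organization policies above it (getIamPolicy-style bindings).
from typing import Dict, List, Optional, Tuple

ANALYZER = "serviceAccount:cremit-argus-analyzer@example-prod.iam.gserviceaccount.com"
ETL_KEY = "serviceAccount:etl-job@example-prod.iam.gserviceaccount.com"
ORG = "organizations/123456789012"  # constructed org id

# Resource -> parent resource (None at the organization root). Constructed.
PARENTS: Dict[str, Optional[str]] = {
    ORG: None,
    "folders/987654321098": ORG,
    "projects/example-prod": "folders/987654321098",
}

# IAM bindings per resource, same shape as the "bindings" list a policy returns.
POLICIES: Dict[str, List[dict]] = {
    ORG: [
        {"role": "roles/iam.securityReviewer", "members": [ANALYZER]},
        {"role": "roles/bigquery.dataViewer", "members": [ETL_KEY]},
    ],
    "folders/987654321098": [
        {"role": "roles/storage.objectViewer", "members": [ETL_KEY]},
    ],
    "projects/example-prod": [
        {"role": "roles/pubsub.subscriber", "members": [ETL_KEY]},
    ],
}

def ancestry(resource: str, parents=PARENTS) -> List[str]:
    """Return the resource and its ancestors, nearest first, up to the org."""
    chain: List[str] = []
    while resource is not None:
        chain.append(resource)
        resource = parents[resource]
    return chain

def effective_roles(member: str, resource: str, policies=POLICIES) -> List[Tuple[str, str]]:
    """(role, granting resource) pairs the member holds on `resource`.
    Walking the ancestry is what makes a project-level key's org-level
    BigQuery grant visible instead of silently missing."""
    found: List[Tuple[str, str]] = []
    for node in ancestry(resource):
        for binding in policies.get(node, []):
            if member in binding["members"]:
                found.append((binding["role"], node))
    return found

def analyzer_bound_at_org(analyzer: str, org: str, policies=POLICIES) -> bool:
    """Troubleshooting check: securityReviewer must be bound on the org node
    itself; a project-scope grant cannot read folder or org policies."""
    return any(b["role"] == "roles/iam.securityReviewer" and analyzer in b["members"]
               for b in policies.get(org, []))
```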

Troubleshooting

Issue: Analysis misses inherited roles at the organization level.

  • Solution: iam.securityReviewer must be granted at organization scope, not project scope. Re-grant at the org node and wait up to 7 minutes for IAM propagation.

Issue: 'Workload Identity Federation token exchange failed.'

  • Solution: The audience claim in the provider configuration must match exactly what Argus issues. Regenerate the config from Argus and re-upload.

Key Benefits

  • Read-only access via a dedicated, single-purpose service account
  • Resolves inherited roles, so 'why does this key have BigQuery access?' is answerable
  • Workload Identity Federation support avoids long-lived service-account keys entirely
  • Auto re-analysis when bindings change keeps the picture current