GCP Permission Analyzer
Connect a read-only service account to map IAM bindings and roles on discovered GCP credentials.
Key Features
- Service-account-based authentication
- Organization, folder, and project-level analysis
- Inherited IAM role resolution
- Custom role binding detection
- Workload Identity Federation support
Requirements
1. GCP organization admin or project owner
2. Ability to create a service account with read-only IAM roles
3. Cremit Argus account on Pro plan or above
Step-by-step setup guide
The exact flow you follow inside the dashboard.
Overview
The GCP Permission Analyzer connects a read-only service account to Argus so that every discovered GCP credential can be analyzed for its real IAM bindings, including inherited organization and folder-level roles. Supports traditional service-account keys and Workload Identity Federation.
Prerequisites
- GCP organization admin or project Owner
- Permission to create service accounts and grant read-only IAM roles
- A Cremit Argus account on the Pro plan or above
Step-by-Step Setup
Step 1: Create a dedicated service account
This account gives Argus read-only access to IAM metadata.
- In GCP Console, go to IAM & Admin > Service Accounts > Create service account
- Name it 'cremit-argus-analyzer' and give it a description
- Skip granting project access in this step; we grant org-scope roles next
Step 2: Grant the analyzer's required roles
Apply these at the organization level so the analyzer can see inherited bindings.
- iam.securityReviewer: read IAM policies across all resources
- iam.serviceAccountViewer: list service accounts and their metadata
- iam.roleViewer: read custom role definitions
- Optionally resourcemanager.folderViewer and resourcemanager.projectViewer for inventory
Step 3: Choose authentication method
Pick either a service-account key (simpler) or Workload Identity Federation (no long-lived keys).
- Service-account key: create a JSON key, download it, keep it secret
- Workload Identity Federation: set up a provider that trusts Argus's OIDC identity, then exchange tokens at runtime
Step 4: Register the analyzer in Argus
- In Argus, go to Security > Permission Analysis > Add GCP Analyzer
- Paste the service account email
- Upload the JSON key OR paste the Workload Identity Federation configuration
- Click Test Connection, then Register
Verification
To confirm the integration is configured correctly:
- The analyzer shows Connected under Registered Analyzers
- Analysis Results shows parsed bindings for existing GCP credentials
- Inherited roles from org and folder levels are listed, not only project-level
- GCP audit logs confirm the service account makes read-only IAM calls
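The last verification item can be automated. The script below is an added example, not Argus's own code: it takes Cloud Audit Log entries (constructed sample records, with made-up project and email values) and flags any call by the analyzer's service account whose IAM method is not a read (Get/List/Test style). A non-empty result means the account holds more than the read-only roles from Step 2, or the key is being used for something other than analysis.

```python
"""Confirm an analyzer service account only makes read-only IAM calls.

Added example; the log entries below are constructed to look like Cloud Audit
Log records (protoPayload.methodName, authenticationInfo.principalEmail) and do
not come from a real project.
"""
from __future__ import annotations

# Constructed analyzer identity (hypothetical project id).
ANALYZER_SA = "cremit-argus-analyzer@example-proj.iam.gserviceaccount.com"

# Cloud Audit Log method names for reads start with these verbs, both for the
# short form ("GetIamPolicy") and the fully qualified form
# ("google.iam.admin.v1.ListServiceAccounts").
READ_ONLY_PREFIXES = ("Get", "List", "Test", "Search", "Query", "Lint")

# Constructed sample entries: four reads and one write by the analyzer, plus
# one write by an unrelated account that must not be attributed to it.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "GetIamPolicy",
                      "authenticationInfo": {"principalEmail": ANALYZER_SA}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": ANALYZER_SA}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.GetRole",
                      "authenticationInfo": {"principalEmail": ANALYZER_SA}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "TestIamPermissions",
                      "authenticationInfo": {"principalEmail": ANALYZER_SA}}},
    # A write: this should never appear for a read-only analyzer account.
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": ANALYZER_SA}}},
    {"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "ops-admin@example.com"}}},
]


def is_read_only(method_name: str) -> bool:
    """Classify an audit-log method name as a read by its verb prefix."""
    short_name = method_name.rsplit(".", 1)[-1]
    return short_name.startswith(READ_ONLY_PREFIXES)


def calls_by(entries: list[dict], principal: str) -> list[dict]:
    """Select the audit entries made by one principal (exact email match)."""
    return [
        e for e in entries
        if e["protoPayload"]["authenticationInfo"].get("principalEmail") == principal
    ]


def non_read_only_calls(entries: list[dict], principal: str) -> list[str]:
    """Return the method names of every write the principal performed.

    An empty list is the expected result for a correctly scoped analyzer.
    The activity log name is a second signal (Admin Activity logs only record
    writes), but classification here is by method name so that entries from
    either log stream are handled the same way.
    """
    return [
        e["protoPayload"]["methodName"]
        for e in calls_by(entries, principal)
        if not is_read_only(e["protoPayload"]["methodName"])
    ]


if __name__ == "__main__":
    writes = non_read_only_calls(SAMPLE_ENTRIES, ANALYZER_SA)
    print("analyzer writes:", writes or "none (read-only confirmed)")
```

Point the same logic at a Logs Explorer export filtered on `protoPayload.authenticationInfo.principalEmail` for the analyzer account; entries in the `activity` stream for that account are the ones to investigate first.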
Troubleshooting
Issue: Analysis misses inherited roles at the organization level.
- Solution: iam.securityReviewer must be granted at organization scope, not project scope. Re-grant at the org node and wait up to 7 minutes for IAM propagation.
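Why the grant scope matters is easiest to see with the resolution itself. The following added example (not Argus code) walks a constructed organization / folder / project hierarchy, with fabricated resource ids and member emails, and reports each role a principal holds together with the node where it was granted. Reading only the project's own policy misses everything bound higher up, which is exactly what a project-scoped reviewer role would see.

```python
"""Resolve a principal's effective IAM roles through the GCP resource hierarchy.

Added example with constructed data. GCP IAM policies inherit downward: a
binding on an organization applies to every folder and project under it, so
the effective roles on a project are the union of the bindings on the project,
its folder chain, and the organization.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class Resource:
    name: str                                  # full resource name
    parent: Optional[str]                      # None only for the organization
    bindings: dict[str, set[str]] = field(default_factory=dict)  # role -> members


# Constructed hierarchy: organization -> folder -> project (ids are made up).
ETL_SA = "serviceAccount:etl@example-proj.iam.gserviceaccount.com"
ANALYZER_SA = "serviceAccount:cremit-argus-analyzer@example-proj.iam.gserviceaccount.com"

HIERARCHY: dict[str, Resource] = {
    "organizations/123456789": Resource(
        "organizations/123456789", None,
        {"roles/bigquery.dataViewer": {ETL_SA},
         "roles/iam.securityReviewer": {ANALYZER_SA}},
    ),
    "folders/987654321": Resource(
        "folders/987654321", "organizations/123456789",
        {"roles/storage.objectViewer": {ETL_SA}},
    ),
    "projects/example-proj": Resource(
        "projects/example-proj", "folders/987654321",
        {"roles/logging.viewer": {ETL_SA},
         "roles/bigquery.dataViewer": {ETL_SA}},   # also granted here, overlaps with org
    ),
}


def ancestry(resource_name: str, hierarchy: dict[str, Resource]) -> Iterator[Resource]:
    """Yield the resource, then each parent up to the organization root."""
    current: Optional[str] = resource_name
    while current is not None:
        node = hierarchy[current]
        yield node
        current = node.parent


def effective_roles(member: str, resource_name: str,
                    hierarchy: dict[str, Resource],
                    include_inherited: bool = True) -> dict[str, str]:
    """Return {role: resource where it is granted} for member on resource_name.

    With include_inherited=False only the resource's own policy is read, which
    models an analyzer whose reviewer role was granted at project scope. The
    nearest grant site wins when the same role is bound at several levels.
    Group membership and allUsers/allAuthenticatedUsers are not expanded here.
    """
    chain = ancestry(resource_name, hierarchy) if include_inherited else [hierarchy[resource_name]]
    result: dict[str, str] = {}
    for node in chain:
        for role, members in node.bindings.items():
            if member in members and role not in result:
                result[role] = node.name
    return result


def missed_by_project_scope(member: str, resource_name: str,
                            hierarchy: dict[str, Resource]) -> set[str]:
    """Roles a project-scoped scan would not report for the member."""
    full = effective_roles(member, resource_name, hierarchy)
    local = effective_roles(member, resource_name, hierarchy, include_inherited=False)
    return set(full) - set(local)


def explain(member: str, resource_name: str, hierarchy: dict[str, Resource]) -> list[str]:
    """Human-readable answer to 'why does this principal have role X here?'."""
    return [f"{role} via {where}" for role, where in
            sorted(effective_roles(member, resource_name, hierarchy).items())]


if __name__ == "__main__":
    for line in explain(ETL_SA, "projects/example-proj", HIERARCHY):
        print(line)
    print("missed by project scope:", missed_by_project_scope(ETL_SA, "projects/example-proj", HIERARCHY))
```

In the constructed data the ETL account's storage role comes only from the folder, so a scan that reads project policies alone never reports it; that is the symptom described in the troubleshooting item above.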
Issue: 'Workload Identity Federation token exchange failed.'
- Solution: The audience claim in the provider configuration must match exactly what Argus issues. Regenerate the config from Argus and re-upload.
Key Benefits
- Read-only access via a dedicated, single-purpose service account
- Resolves inherited roles, so 'why does this key have BigQuery access?' is answerable
- Workload Identity Federation support avoids long-lived service-account keys entirely
- Auto re-analysis when bindings change keeps the picture current