Add a GCP Adapter

Connect a Google Cloud Platform project to AttackLens for automatic resource discovery. This guide walks through creating a service account with the required roles and configuring the adapter in AttackLens.

INFO

Requires Admin role or higher.

Prerequisites

Before you begin, ensure you have:

  • Google Cloud Console access with permissions to create service accounts and assign IAM roles.
  • The Project ID of the GCP project you want to discover.
  • Access to AttackLens with an Admin account.

Step 1: Create a Service Account in GCP

AttackLens authenticates to GCP using a service account. You need the Project ID, the service account's client email, and its private key.

  1. Sign in to the Google Cloud Console.
  2. Select the project you want AttackLens to discover.
  3. Navigate to IAM & Admin > Service Accounts.
  4. Click Create Service Account.
  5. Enter a service account name (e.g., attacklens-discovery).
  6. Enter a description (e.g., Read-only access for AttackLens resource discovery).
  7. Click Create and Continue.

Create a Key

  1. After the service account is created, click on it to open the detail page.
  2. Go to the Keys tab.
  3. Click Add Key > Create new key.
  4. Select JSON as the key type.
  5. Click Create.
  6. The JSON key file will be downloaded automatically. Store it securely: it contains the private key.

WARNING

The JSON key file contains sensitive credentials. Store it in a secure location and delete it from your local machine after entering the values into AttackLens. If the key is compromised, delete it immediately in the GCP Console and create a new one.

The JSON key file contains the values you need:

```json
{
  "type": "service_account",
  "project_id": "my-project-123",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "attacklens-discovery@my-project-123.iam.gserviceaccount.com",
  "client_id": "...",
  ...
}
```

You will need:

  • project_id: The GCP project ID.
  • client_email: The service account email address.
  • private_key: The RSA private key.

Step 2: Assign IAM Roles

AttackLens requires read-only access to discover resources. Assign the following roles to the service account at the project level.

Required IAM Roles

| Role | Role ID | Purpose |
|---|---|---|
| Viewer | roles/viewer | Read access to all GCP resources and their configurations |
| Security Reviewer | roles/iam.securityReviewer | Read access to IAM policies, roles, and service accounts |

To assign the roles:

  1. Navigate to IAM & Admin > IAM in the GCP Console.
  2. Click Grant Access.
  3. In the New principals field, enter the service account email (e.g., attacklens-discovery@my-project-123.iam.gserviceaccount.com).
  4. Under Assign roles, click Select a role and choose Viewer.
  5. Click Add another role and choose Security Reviewer.
  6. Click Save.

Required APIs

The following Google Cloud APIs must be enabled on the project for discovery to work. Most are enabled by default, but verify them if discovery fails for specific resource types.

| API | Purpose |
|---|---|
| Cloud Resource Manager API | Project and organization metadata |
| Compute Engine API | VMs, disks, networks, firewalls, load balancers |
| Cloud Asset API | Asset inventory enumeration |
| Kubernetes Engine API | GKE clusters |
| Cloud SQL Admin API | Cloud SQL instances |
| Cloud Storage API | Storage buckets |
| Cloud Functions API | Cloud Functions |
| Cloud IAM API | IAM roles, service accounts, policies |
| Cloud KMS API | Encryption keys |
| Cloud DNS API | DNS zones and records |
| Cloud Logging API | Log sinks and metrics |
| Cloud Monitoring API | Alert policies and uptime checks |

To enable an API:

  1. Navigate to APIs & Services > Library in the GCP Console.
  2. Search for the API name.
  3. Click Enable.

TIP

If you are unsure which APIs are enabled, you can check at APIs & Services > Enabled APIs. AttackLens will skip resource types for which the required API is not enabled and report a warning in the discovery log.

Optional: Sensor Deployment Capability

If you want AttackLens to deploy sensors to Compute Engine VMs via OS Config, add:

| Role | Role ID | Purpose |
|---|---|---|
| OS Config Guest Policy Admin | roles/osconfig.guestPolicyAdmin | Execute OS Config commands on VMs |

This is optional. If not granted, the adapter will still discover resources but will not be able to deploy sensors remotely.

Step 3: Configure the Adapter in AttackLens

  1. In AttackLens, navigate to Discovery > Adapters.
  2. Click Add Adapter.
  3. Select GCP as the provider.
  4. Enter a descriptive Name (e.g., Production GCP Project).
  5. Fill in the GCP credentials:

| Field | Value | Example |
|---|---|---|
| Project ID | Your GCP project ID | my-project-123 |
| Client Email | The service account email | attacklens-discovery@my-project-123.iam.gserviceaccount.com |
| Private Key | The RSA private key from the JSON key file | -----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY----- |

TIP

When pasting the private key, include the full key including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- markers. You can copy it directly from the downloaded JSON key file.

Step 4: Test the Connection

  1. Click Test Connection.
  2. AttackLens will attempt to authenticate with the service account and verify read access to the project.
  3. The test result shows:
    • Whether the connection is valid.
    • Which permissions were detected.
    • Whether sensor deployment capability (OS Config) is available.

WARNING

If the test fails, verify that:

  • The Project ID matches the project where the service account was created.
  • The Client Email is correct (check for typos).
  • The Private Key is complete and correctly formatted (including header and footer lines).
  • The Viewer and Security Reviewer roles are assigned at the project level.
  • The required APIs are enabled on the project.
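The checks in this list (and the key fields from Step 1 and roles from Step 2) can be run offline before clicking Test Connection. The following is an added example, not AttackLens code: it validates that the JSON key file's project_id, client_email and private_key are consistent, and reports which of the Viewer, Security Reviewer and optional OS Config roles a project IAM policy grants to the service account. The key file and policy are constructed samples, the policy shaped like `gcloud projects get-iam-policy PROJECT --format=json` output.

```python
import json
import re

# Roles this guide grants (required) plus the optional sensor-deployment role.
REQUIRED_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}
SENSOR_ROLE = "roles/osconfig.guestPolicyAdmin"
PEM_HEADER, PEM_FOOTER = "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----"

def check_key_file(key: dict) -> list:
    """Return the problems found in a parsed JSON key file (empty list = OK)."""
    problems = []
    project = key.get("project_id", "")
    email = key.get("client_email", "")
    # Service account IDs are 6-30 lowercase chars; the domain names the project.
    pattern = rf"[a-z][-a-z0-9]{{5,29}}@{re.escape(project)}\.iam\.gserviceaccount\.com"
    if not project or not re.fullmatch(pattern, email):
        problems.append("client_email does not belong to project_id")
    # Accept real newlines or the escaped "\n" form copied straight out of the file.
    pem = key.get("private_key", "").replace("\\n", "\n").strip()
    if not (pem.startswith(PEM_HEADER) and pem.endswith(PEM_FOOTER)):
        problems.append("private_key is missing its BEGIN/END markers")
    return problems

def check_iam_policy(policy: dict, client_email: str) -> dict:
    """Mirror the Test Connection report using a project IAM policy document."""
    member = f"serviceAccount:{client_email}"
    granted = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return {
        "valid": REQUIRED_ROLES <= granted,
        "missing_roles": sorted(REQUIRED_ROLES - granted),
        "sensor_deployment": SENSOR_ROLE in granted,
    }

# Constructed sample key file and IAM policy (not real credentials).
SA_EMAIL = "attacklens-discovery@my-project-123.iam.gserviceaccount.com"
SAMPLE_KEY = json.loads(r'''{
  "type": "service_account",
  "project_id": "my-project-123",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvFAKE\n-----END PRIVATE KEY-----\n",
  "client_email": "attacklens-discovery@my-project-123.iam.gserviceaccount.com"
}''')
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["user:alice@example.com", f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/iam.securityReviewer", "members": [f"serviceAccount:{SA_EMAIL}"]},
]}

if __name__ == "__main__":
    print("key problems:", check_key_file(SAMPLE_KEY))
    print("policy report:", check_iam_policy(SAMPLE_POLICY, SA_EMAIL))
```

With a real key file, replace SAMPLE_KEY with `json.load(open("key.json"))` and SAMPLE_POLICY with the saved gcloud policy output.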

Step 5: Save and Run Discovery

  1. Click Save to create the adapter.
  2. The first discovery run begins automatically after the adapter is saved.
  3. You will be redirected to the adapter detail page where you can monitor the sync progress.

Discovery typically takes 2-5 minutes depending on the number of resources in the project.

Discovered GCP Resource Types

AttackLens discovers 65+ GCP resource types across multiple service categories:

| Category | Examples |
|---|---|
| Compute | Compute Engine VMs, Instance Templates, Instance Groups, Disks, Snapshots, Images |
| Kubernetes | GKE Clusters, Node Pools |
| Network | VPC Networks, Subnets, Firewalls, Routes, Cloud NAT, Load Balancers, Cloud Armor, Cloud DNS, VPN Tunnels |
| Storage | Cloud Storage Buckets (with IAM, encryption, and lifecycle policies) |
| Databases | Cloud SQL (MySQL, PostgreSQL, SQL Server), Cloud Spanner, Bigtable, Firestore, Memorystore |
| Security & Identity | Service Accounts, IAM Roles, IAM Policies, KMS Key Rings, KMS Keys |
| Serverless | Cloud Functions, Cloud Run, App Engine |
| Monitoring | Cloud Logging Sinks, Alert Policies, Uptime Checks |
| Messaging | Pub/Sub Topics, Pub/Sub Subscriptions |
| Data | BigQuery Datasets, Dataflow Jobs, Dataproc Clusters |

Security Best Practices

  • Use a dedicated service account: Do not reuse service accounts from other integrations.
  • Follow the principle of least privilege: The Viewer + Security Reviewer combination provides the minimum access needed.
  • Delete the JSON key file after entering the credentials into AttackLens. The credentials are stored encrypted in AttackLens.
  • Rotate keys regularly: Create a new key, update the adapter in AttackLens, then delete the old key.
  • Monitor service account usage: Enable Cloud Audit Logs to track API calls made by the service account.
