Configure Google provider

Authentication

To use iac describe, set up credentials to make authenticated requests to your GCP project.
Because the iac describe command uses the Cloud Asset API, you must use a service account.
For information on setting up a service account, see the Google Cloud documentation.
GOOGLE_APPLICATION_CREDENTIALS=your-creds.json \
CLOUDSDK_CORE_PROJECT=my-project \
snyk iac describe --to="gcp+tf"
You can use any environment variable supported by the Google Cloud SDK.

Least privileged policy

The iac describe command uses the Cloud Asset API to enumerate resources on your account and the Cloud Resource Manager API to enumerate project IAM resources. Be sure to enable these APIs for the GCP project you are using, as shown in the following screenshot.
Enable Cloud Asset API
To enumerate resources, you need at least the role Cloud Asset Viewer.

Required roles

Deep mode needs to retrieve the details of each resource, and the Cloud Asset Viewer role is not enough for that. To get the details, grant the basic Viewer role on your project. To read your IAM policies, you also need the iam.securityReviewer role on your project.
# Mandatory role to allow describe to enumerate resources
roles/cloudasset.viewer

# Required for deep mode only
roles/viewer
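To confirm that the service account holds only the roles listed above, the following added example (not part of the Snyk documentation) audits a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy my-project --format=json`. The function name, the sample policy and the service account e-mail are constructed for illustration, and treating iam.securityReviewer as a deep-mode role is an assumption.

```python
# Roles named on this page. Grouping iam.securityReviewer with deep mode is an
# assumption based on where the page mentions it.
BASE_ROLES = {"roles/cloudasset.viewer"}
DEEP_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}


def audit_describe_roles(policy, sa_email, deep=False):
    """Compare a service account's project-level roles with what describe needs.

    Returns (missing, excess, conditional) as sorted lists of role names.
    Only direct bindings are seen; roles inherited through groups, folders or
    the organization do not appear in a project policy.
    """
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A conditional binding may not apply to every request, so report it
        # separately instead of counting it as granted.
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            granted.add(binding["role"])
    wanted = BASE_ROLES | (DEEP_ROLES if deep else set())
    missing = sorted(wanted - granted)   # describe will fail or see less
    excess = sorted(granted - wanted)    # more privilege than the page requires
    return missing, excess, sorted(conditional)


# Constructed sample data, not taken from a real project.
SAMPLE_SA = "describe@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/cloudasset.viewer", "members": [f"serviceAccount:{SAMPLE_SA}"]},
    {"role": "roles/editor",
     "members": [f"serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    for deep in (False, True):
        missing, excess, cond = audit_describe_roles(SAMPLE_POLICY, SAMPLE_SA, deep)
        print(f"deep={deep} missing={missing} excess={excess} conditional={cond}")
```

Any role reported as excess, such as roles/editor in the sample, is a candidate for removal from the service account.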