Configure Google provider
Authentication for Google provider
To use iac describe, set up credentials to make authenticated requests to your GCP project.
Because the iac describe command uses the Cloud Asset API, you must use a service account.
For information on setting up a service account, see the Google Cloud documentation.
You can use any of the Google Cloud SDK environment variables.
Least privilege policy
The iac describe command uses the Cloud Asset API to enumerate resources on your account and the Cloud Resource Manager API to enumerate project IAM resources. Be sure to enable these APIs for the GCP project you are using as shown in the following screenshot.
To enumerate resources, you need at least the role Cloud Asset Viewer.
Required roles
To use iac describe with deep mode, you need access to retrieve the details of a resource, and the Cloud Asset Viewer role is not enough. To get the details, grant the basic role of Viewer on your project. To read your IAM policies, you also need the role iam.securityReviewer on your project.
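One way to check that the service account holds exactly the roles described above and nothing broader. This is an added example, not part of the original documentation: the role IDs are assumed to correspond to the role names in the text, deep mode is assumed to need the enumeration role as well, and the policy and service account name are constructed samples.

```python
import json

# Role IDs assumed to correspond to the role names used in the text above.
REQUIRED = {
    "default": {"roles/cloudasset.viewer"},
    "deep": {
        "roles/cloudasset.viewer",
        "roles/viewer",
        "roles/iam.securityReviewer",
    },
}


def roles_for(policy, member):
    """Return the set of roles bound to `member` in a project IAM policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def audit(policy, sa_email, mode="default"):
    """Compare a service account's project roles with what `mode` needs."""
    granted = roles_for(policy, f"serviceAccount:{sa_email}")
    required = REQUIRED[mode]
    return {
        "missing": sorted(required - granted),  # scan would lack access
        "excess": sorted(granted - required),   # broader than least privilege
    }


# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SCANNER = "iac-scanner@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudasset.viewer",
   "members": ["serviceAccount:iac-scanner@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer",
   "members": ["user:alice@example.com",
               "serviceAccount:iac-scanner@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:iac-scanner@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for mode in REQUIRED:
        print(mode, audit(SAMPLE_POLICY, SCANNER, mode))
```

Any role listed under "excess" is a candidate for removal from the service account; any role under "missing" explains an access error for that mode.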