Google Cloud Platform

Estimated reading: 3 minutes 1869 views

Set up Google Cloud Platform for automated tests with TrustCloud!


Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud access to only read metadata about the configuration settings for your GCP account so that TrustOps can validate and generate evidence for your compliance program.

Instructions to grant TrustCloud limited access to GCP metadata

  1. Go to Google Cloud Platform and select a project to create your service cloud
  2. In the console, navigate to IAM and click on ‘Service accounts’.google cloud service account
  3. Click on “Create Service Account”.create service account
  4. Enter a Service account name to display in the console and click on the “Create” button.service account details
  5. Grant access to the following roles:
    1. Viewer
    2. Security Reviewer
  6. After adding roles, click on the “Continue” button.
  7. Click on the “Create Key” button.private key
  8. Select the key type as JSON, and click on the “Create” button.json private key
  9. Save the private key.
    save private key
  10. Click on the “Done” button to finish creating the service account.
  11. Go to your IAM roles for the service account user. Confirm that the Viewer and Security Reviewer roles are enabled. Add the Organization Policy Viewer role. For each project in your GCP account, the service account should be assigned the role of Viewer.
  12. Optional: To run IAM tests, you need to add a custom user to your Google Workspace Domain that has a User Management Admin role. 💡 This account is used to delegate access to read specific metadata only. You need to explicitly grant this access below in step 5. This account delegation is required because accessing users requires the Google Admin API, which is only available via account delegation. If you do not want to run IAM tests, you can skip this step.
  13. Navigate to your Google Workspace admin console. From the console, navigate to Security and click on ‘API Controls’.  Click on ‘Domain-wide Delegation’. (Or click on this link: api control
  14. Click on the “Add New” button.
  15. Set Client ID to the client ID of your service client id
  16. Under Scopes, add the following:
      💡 These scopes, combined with the service account permissions, only allow TrustCloud to audit your GCP configuration settings in order to determine adherence to specified controls. They only allow TrustCloud to access your GCP metadata. They do not provide TrustCloud with the ability to read any GCP data. (See this document for a full list of Google scopes.)
  17. Click on the “Authorize” button.authorize
  18. Enable the required APIs for each project separately. Click on the following links to navigate to the respective URLs –
    1. Cloud Billing API
    2. Cloud Resource Manager API
    3. SQL Admin API
    4. Service Usage API
    5. Admin SDK API
  19. Enter your private key, the email address for your account delegate, and the names of all GCP projects you want to test.

Join the conversation