The Coralogix GCP Infrastructure Explorer integration connects a GCP project to Coralogix and periodically collects resource metadata for Compute Engine, Google Kubernetes Engine (GKE), and Cloud Storage. The collected metadata enriches Infrastructure Explorer with cloud context so you can audit, search, and investigate GCP resources alongside the telemetry related to them.

## Overview

GCP Infrastructure Explorer authenticates with a Google Cloud service account, then scans the selected project on a configurable schedule. For every supported resource found, the integration sends a metadata record to Coralogix that includes the raw Google Cloud resource description plus standard cloud attributes such as `cloud.provider`, `cloud.account.id`, `cloud.region`, and `cloud.availability_zone`.

The default poll interval is `10` minutes, which is also the minimum allowed value. Each integration scans 1 GCP project. To scan multiple projects, create 1 integration per project.

### Supported resources

The integration currently collects metadata for the following GCP resource types:

| Resource group                 | Resource types                                                                  |
| ------------------------------ | ------------------------------------------------------------------------------- |
| Compute Engine                 | Instances, disks, images, instance groups, networks, subnets, firewalls, routes |
| Google Kubernetes Engine (GKE) | Clusters, node pools                                                            |
| Cloud Storage                  | Buckets, objects                                                                |

### Authentication methods

The integration supports 2 authentication methods:

- **Account key**: upload a service account key file to Coralogix
- **Impersonation**: grant the Coralogix principal permission to impersonate your service account

## Prerequisites

- A GCP project that contains the resources you want to scan
- A Google Cloud service account for this integration
- GCP Identity and Access Management (IAM) permissions that match the resource types you select for scanning
- The [`INTEGRATIONS:DEPLOY`](https://coralogix.com/docs/user-guides/aaa/access-control/permissions/permissions-list/index.md) permission in Coralogix

## Configure a service account

Create or reuse a Google Cloud service account for the project you want to scan. Grant the service account a predefined role or custom role that includes the permissions required by your selected scan options.

If you use impersonation, also grant the `Service Account Token Creator` role to the Coralogix principal shown during setup.

For general Google Cloud service account setup, see [GCP - getting started](https://coralogix.com/docs/integrations/gcp/gcp-getting-started/index.md).

### Required GCP permissions

Grant only the permissions required by the scan options you select:

| Scan option                  | Required permissions                                |
| ---------------------------- | --------------------------------------------------- |
| Scan compute instances       | `compute.instances.list`                            |
| Scan compute disks           | `compute.disks.list`                                |
| Scan compute images          | `compute.images.list`                               |
| Scan compute instance groups | `compute.instanceGroups.list`                       |
| Scan compute networks        | `compute.networks.list`                             |
| Scan compute subnets         | `compute.subnetworks.list`                          |
| Scan compute firewalls       | `compute.firewalls.list`                            |
| Scan compute routes          | `compute.routes.list`                               |
| Scan clusters                | `container.clusters.list`                           |
| Scan node pools              | `container.clusters.list`, `container.clusters.get` |
| Scan storage buckets         | `storage.buckets.list`                              |
| Scan storage objects         | `storage.buckets.list`, `storage.objects.list`      |
| GCP billing project ID       | `serviceusage.services.use` on the billing project  |

The `serviceusage.services.use` permission applies only when you provide a caller-specified billing project.

## GCP Infrastructure Explorer integration deployment

**STEP 1.** Access **Data Flow**, then **Integrations**.

**STEP 2.** From the **Integrations** section, select **GCP Infrastructure Explorer**.

**STEP 3.** Select **ADD NEW**.

**STEP 4.** Select the account key or impersonation authentication flow.

Use the flow-specific step that applies to you:

- If you selected account key authentication, complete [Step 5](#account-key-only)
- If you selected impersonation authentication, skip to [Step 6](#common-settings)

### Account key only

**STEP 5.** If you selected account key authentication, upload the JSON key file for the service account that has access to the resources you want to scan, then select **NEXT**.

### Common settings

**STEP 6.** Define your settings:

- **Integration name**: a name for the integration. The default value is `GCP Infrastructure Explorer`.

- **Service Account Principal**: for impersonation, enter the service account email that Coralogix should impersonate.

- **GCP Project ID**: enter the GCP project ID to scan. For account key authentication, Coralogix can read the project ID from the uploaded key when the key includes `project_id`.

- **GCP Billing Project ID**: optional. Enter a caller-specified project for quota and billing purposes. The caller must have `serviceusage.services.use` permission on this project.

- **Poll interval in minutes**: how often the integration scans your project. The default and minimum value is `10`.

- **Select GCP zones**: select the zones to scan. Select zones when you collect zonal or regional resources, including compute instances, disks, instance groups, subnets, clusters, and node pools.

- **Compute Engine Resource Scanning**: select the Compute Engine resource types to scan:

  - **Scan compute instances**
  - **Scan compute disks**
  - **Scan compute images**
  - **Scan compute instance groups**
  - **Scan compute networks**
  - **Scan compute subnets**
  - **Scan compute firewalls**
  - **Scan compute routes**

- **Cluster Resource Scanning**: select the GKE resource types to scan:

  - **Scan clusters**
  - **Scan node pools**

- **Storage Resource Scanning**: select the Cloud Storage resource types to scan:

  - **Scan storage buckets**
  - **Scan storage objects**

Select at least 1 scan option.

**STEP 7.** Select **NEXT**.

### Impersonation only

**STEP 8.** If you selected impersonation authentication, copy the Coralogix principal from **Service Account Delegate**.

**STEP 9.** In the Google Cloud console, open the service account you entered in **Service Account Principal**.

**STEP 10.** Go to **Principals with access**, then select **Grant access**.

**STEP 11.** Paste the Coralogix principal into **New principals**, assign the `Service Account Token Creator` role, and select **Save**.

**Note:** It can take a few minutes for the Google Cloud IAM role change to take effect.

**STEP 12.** Return to Coralogix and select **Complete**.

## Verify the setup

- In Google Cloud, confirm that the service account has the required permissions for every scan option you selected
- For impersonation, confirm that the Coralogix principal has the `Service Account Token Creator` role on the service account
- On the Coralogix **Integrations** page, confirm the integration shows **Active** within one poll interval
- In Coralogix, open [Infrastructure Explorer](https://coralogix.com/docs/user-guides/infrastructure/infrastructure-explorer/overview/index.md) and confirm that GCP resources appear for the scanned project
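The impersonation check in the list above can be scripted against the service account's IAM policy. This added example (not Coralogix code) parses policy JSON in the shape returned by `gcloud iam service-accounts get-iam-policy --format=json`, confirms the delegate holds `roles/iam.serviceAccountTokenCreator` (the role ID behind `Service Account Token Creator`), and lists every other member that holds it. The principal names and policy are constructed placeholders.

```python
import json

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

def check_delegate(policy_json, delegate):
    """Report whether `delegate` holds Token Creator and who else does.

    `delegate` is the principal copied from Service Account Delegate,
    without the member-type prefix (assumption: it appears in the policy
    as `<type>:<delegate>`).
    """
    holders = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            holders.update(binding.get("members", []))
    # Strip the member-type prefix ("serviceAccount:", "user:", ...) to match.
    matched = {m for m in holders if m.split(":", 1)[-1] == delegate}
    return {
        "delegate_bound": bool(matched),
        # Anyone listed here can also mint tokens as the scanned service account.
        "other_holders": sorted(holders - matched),
    }

# Constructed sample policy; the delegate address is a placeholder.
DELEGATE = "cx-delegate@example-coralogix.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": TOKEN_CREATOR,
         "members": [f"serviceAccount:{DELEGATE}", "user:dev@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:platform@example.com"]},
    ],
})

if __name__ == "__main__":
    print(check_delegate(SAMPLE_POLICY, DELEGATE))
```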

## Parameters and descriptions

| Parameter                        | Description                                                                                                                                                         | Default                       | Required    |
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ----------- |
| **Integration name**             | Display name shown in the integrations list.                                                                                                                        | `GCP Infrastructure Explorer` | Yes         |
| **Service Account Principal**    | Service account email that Coralogix impersonates. Impersonation flow only.                                                                                         |                               | Conditional |
| **GCP Project ID**               | GCP project ID to scan. Required for impersonation. For account key authentication, Coralogix can read it from the uploaded key when the key includes `project_id`. |                               | Conditional |
| **GCP Billing Project ID**       | Caller-specified project for quota and billing purposes. Requires `serviceusage.services.use` on the billing project.                                               |                               | No          |
| **Service Account Delegate**     | Read-only Coralogix principal to grant `Service Account Token Creator` in Google Cloud. Impersonation flow only.                                                    |                               | Conditional |
| **Poll interval in minutes**     | How often the integration scans your project. Minimum `10`.                                                                                                         | `10`                          | No          |
| **Select GCP zones**             | GCP zones to scan. Required when any selected scan option depends on zones or derived regions.                                                                      |                               | Conditional |
| **Scan compute instances**       | Collects metadata for Compute Engine instances.                                                                                                                     | `false`                       | Yes         |
| **Scan compute disks**           | Collects metadata for Compute Engine disks.                                                                                                                         | `false`                       | Yes         |
| **Scan compute images**          | Collects metadata for Compute Engine images.                                                                                                                        | `false`                       | Yes         |
| **Scan compute instance groups** | Collects metadata for Compute Engine instance groups.                                                                                                               | `false`                       | Yes         |
| **Scan compute networks**        | Collects metadata for Compute Engine networks.                                                                                                                      | `false`                       | Yes         |
| **Scan compute subnets**         | Collects metadata for Compute Engine subnets.                                                                                                                       | `false`                       | Yes         |
| **Scan compute firewalls**       | Collects metadata for Compute Engine firewalls.                                                                                                                     | `false`                       | Yes         |
| **Scan compute routes**          | Collects metadata for Compute Engine routes.                                                                                                                        | `false`                       | Yes         |
| **Scan clusters**                | Collects metadata for GKE clusters.                                                                                                                                 | `false`                       | Yes         |
| **Scan node pools**              | Collects metadata for GKE node pools.                                                                                                                               | `false`                       | Yes         |
| **Scan storage buckets**         | Collects metadata for Cloud Storage buckets.                                                                                                                        | `false`                       | Yes         |
| **Scan storage objects**         | Collects metadata for Cloud Storage objects.                                                                                                                        | `false`                       | Yes         |

## What gets collected

For every scanned resource, the integration sends a metadata record to Coralogix with attributes such as:

- `cloud.provider`: always `gcp`
- `cloud.account.id`: the GCP project ID
- `cloud.region`: the GCP region, when the resource has regional context
- `cloud.availability_zone`: the GCP zone, when the resource has zonal context
- `cx.entity.interval`: the configured poll interval, in seconds
- `gcp.gce.instance.raw_description`: the full raw resource JSON for Compute Engine instances
- `gcp.gce.disk.raw_description`: the full raw resource JSON for Compute Engine disks
- `gcp.gce.image.raw_description`: the full raw resource JSON for Compute Engine images
- `gcp.gce.instancegroup.raw_description`: the full raw resource JSON for Compute Engine instance groups
- `gcp.gce.network.raw_description`: the full raw resource JSON for Compute Engine networks
- `gcp.gce.subnetwork.raw_description`: the full raw resource JSON for Compute Engine subnets
- `gcp.gce.firewall.raw_description`: the full raw resource JSON for Compute Engine firewalls
- `gcp.gce.route.raw_description`: the full raw resource JSON for Compute Engine routes
- `gcp.gke.cluster.raw_description`: the full raw resource JSON for GKE clusters
- `gcp.gke.nodepool.raw_description`: the full raw resource JSON for GKE node pools
- `gcp.storage.bucket.raw_description`: the full raw resource JSON for Cloud Storage buckets
- `gcp.storage.object.raw_description`: the full raw resource JSON for Cloud Storage object metadata

## Limitations

- Each integration scans 1 GCP project. To scan multiple projects, create 1 integration per project.
- Organization-wide project discovery is not supported.
- The integration collects resource metadata only. It does not ingest logs, metrics, traces, or Cloud Storage object contents.
- The minimum poll interval is `10` minutes. Coralogix rejects lower values.

## Support

**Need help?**

Coralogix customer success is available 24/7 to walk you through your setup and answer questions.

Use the in-app chat or email [support@coralogix.com](mailto:support@coralogix.com).
