GCP Integration
Integration guide for Resmo GCP Integration.
Resmo seamlessly integrates with the Google Cloud Platform to ensure the security and compliance of your GCP environment.

  • Collect all your GCP assets in one place.
  • Ability to query your GCP roles, networks, Cloud functions, and 50+ other resources.
  • Set up rule notifications based on GCP resource configurations and their changes.
  • Set up custom or predefined rules for continuous security and compliance auditing.
  • Check your GCP security and compliance posture using the GCP Best Practices and compliance packs.

Resmo has a GCP integration that you can install securely once you sign up for a Resmo account. Our application uses GCP API calls for the initial poll that receives your existing resources.
  • API polling uses GCP API calls to keep your GCP assets in sync with Resmo.
  • Exposing Audit Logs over PUB/SUB lets Resmo track changes, including the actor who made them, in real time.

Resmo GCP integration collects AppEngine, API Gateway, Compute, IAM, and much more.
Available GCP Resources
AppEngine Application
AppEngine Service
AppEngine Version
Cloud Storage Bucket
Compute Disk
Compute Health Check
Compute Project
Compute Snapshot
Compute SSL Policy
GCP Function
IAM Policy
IAM Role
IAM Service Account
IAM Service Account Key
KMS Crypto Key
KMS Keyring
Logging Metric
Logging Sink
PUB/SUB Subscription
PUB/SUB Topic
These are only some of the resource types for GCP.

Integration Walkthrough
Resmo's data collector runs under an AWS role, so you have to create a Workload Identity Pool with an AWS provider to let Resmo access your GCP resources without handing out a service account key. You can learn more about Workload Identity Pool external providers here.
Follow the instructions below to create a Workload Identity Pool with an AWS provider.

  1. Create a Workload Identity Pool:
     gcloud iam workload-identity-pools create POOL_ID \
       --location="global" \
       --description="DESCRIPTION" \
       --display-name="DISPLAY_NAME"
  2. Create an AWS provider that trusts Resmo's data collection role:
     gcloud iam workload-identity-pools providers create-aws PROVIDER_ID \
       --location="global" \
       --workload-identity-pool="POOL_ID" \
       --account-id="512995177166" \
       --attribute-mapping="google.subject=assertion.arn" \
       --attribute-condition='assertion.arn=="arn:aws:sts::512995177166:assumed-role/Resmo-GCP-DataCollectionRole/resmo-gcp-data-collection"'
  3. Create a Service Account:
     gcloud iam service-accounts create SERVICE_ACCOUNT_ID \
       --description="DESCRIPTION" \
       --display-name="DISPLAY_NAME"
  4. Grant the Viewer role to the created service account:
     gcloud projects add-iam-policy-binding PROJECT_ID \
       --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
       --role="roles/viewer"
  5. Grant the Workload Identity User role to the created service account:
     gcloud iam service-accounts add-iam-policy-binding SERVICE_ACCOUNT_EMAIL \
       --role=roles/iam.workloadIdentityUser \
       --member="MEMBER_EXPRESSION"
     You can learn more about MEMBER_EXPRESSION here.
  6. Enable the Google Cloud service APIs (NOTE: you can only enable 20 services at a time):
     gcloud services enable \
       accesscontextmanager.googleapis.com \
       apigateway.googleapis.com \
       appengine.googleapis.com \
       bigquery.googleapis.com \
       cloudasset.googleapis.com \
       dns.googleapis.com \
       cloudfunctions.googleapis.com \
       cloudkms.googleapis.com \
       logging.googleapis.com \
       memcache.googleapis.com \
       pubsub.googleapis.com \
       cloudresourcemanager.googleapis.com \
       run.googleapis.com \
       spanner.googleapis.com \
       sqladmin.googleapis.com \
       storage.googleapis.com \
       compute.googleapis.com \
       redis.googleapis.com \
       iam.googleapis.com \
       container.googleapis.com \
       serviceusage.googleapis.com \
       monitoring.googleapis.com
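The steps above leave three values for you to derive by hand: MEMBER_EXPRESSION in step 5, the provider's full resource name, and the GCP Target Resource value the Resmo form asks for later. The script below is an added example, not Resmo's own tooling: it builds those values from a handful of inputs and runs steps 1 to 5 with them. The project, pool, provider and service account names at the top are placeholders you must replace; the AWS account and role ARN are the ones the page gives in step 2. It prints the commands by default and only executes them when you export DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not Resmo's own tooling. Builds the identifiers the
# walkthrough asks for and runs steps 1-5 with them.
PROJECT_ID="my-project"          # placeholder: gcloud config get-value project
PROJECT_NUMBER="123456789012"    # placeholder: gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)'
POOL_ID="resmo-pool"             # placeholder (POOL_ID above)
PROVIDER_ID="resmo-aws"          # placeholder (PROVIDER_ID above)
SA_ID="resmo-collector"          # placeholder (SERVICE_ACCOUNT_ID above)

# The AWS identity Resmo collects from, taken from step 2 of the page.
RESMO_AWS_ACCOUNT="512995177166"
RESMO_ARN="arn:aws:sts::${RESMO_AWS_ACCOUNT}:assumed-role/Resmo-GCP-DataCollectionRole/resmo-gcp-data-collection"

# Resource name of the pool; every IAM member string below is built on it.
pool_name() {
  echo "projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${POOL_ID}"
}
# Resource name of the provider, as printed by `workload-identity-pools providers list`.
provider_name() {
  echo "$(pool_name)/providers/${PROVIDER_ID}"
}
# Value for the "GCP Target Resource" field in Resmo.
target_resource() {
  echo "//iam.googleapis.com/$(provider_name)"
}
# MEMBER_EXPRESSION for step 5. Step 2 maps google.subject to assertion.arn,
# so the federated subject is exactly Resmo's assumed-role ARN and only that
# principal is allowed to impersonate the service account.
member_expression() {
  echo "principal://iam.googleapis.com/$(pool_name)/subject/${RESMO_ARN}"
}
service_account_email() {
  echo "${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
}

# Prints each command instead of running it unless DRY_RUN=0 is exported.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'DRY RUN: %s\n' "$*"; else "$@"; fi
}

setup() {
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --location=global --display-name="Resmo"
  run gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --location=global --workload-identity-pool="$POOL_ID" \
    --account-id="$RESMO_AWS_ACCOUNT" \
    --attribute-mapping="google.subject=assertion.arn" \
    --attribute-condition="assertion.arn==\"${RESMO_ARN}\""
  run gcloud iam service-accounts create "$SA_ID" --display-name="Resmo collector"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(service_account_email)" --role=roles/viewer
  run gcloud iam service-accounts add-iam-policy-binding "$(service_account_email)" \
    --role=roles/iam.workloadIdentityUser --member="$(member_expression)"
  # The two values the Resmo integration form asks for.
  echo "GCP Target Resource  : $(target_resource)"
  echo "Service Account Email: $(service_account_email)"
}

setup
```

The attribute condition and the principal:// member together give two independent checks on the same ARN: the provider refuses any other AWS identity at token exchange, and the service account binding refuses any other federated subject at impersonation. Keep both; dropping the condition would let any identity in Resmo's AWS account pass the first check.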

Note: Real Time Change Ingestion is available for the enterprise plan only.
  1. Create a PUB/SUB topic:
     gcloud pubsub topics create TOPIC_NAME
  2. Create a PUB/SUB push subscription that delivers to Resmo's event endpoint:
     gcloud pubsub subscriptions create SUBSCRIPTION_ID \
       --topic=FULL_TOPIC_NAME \
       --push-endpoint=https://id.resmo.app/integration/gcp/event?ingestKey=<your-ingest-key> \
       --expiration-period="never" \
       --ack-deadline=60 \
       --message-retention-duration=10m \
       --min-retry-delay=10s \
       --max-retry-delay=30s
  3. Create a Log Router sink that routes Cloud Audit Log entries to the topic:
     gcloud logging sinks create SINK_NAME pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME \
       --log-filter='protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" protoPayload.serviceName=("pubsub.googleapis.com" OR "compute.googleapis.com" OR "storage.googleapis.com" OR "container.googleapis.com")'
Don't forget to add destination permissions for the created topic: the sink writes under its own writer identity, which needs permission to publish to the topic. You can learn about it here.
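The three commands above, plus the destination permission the last sentence mentions, as an added example script (not Resmo's own tooling). It spells out FULL_TOPIC_NAME and the sink destination from the project ID, keeps the audit log filter in one place, and after creating the sink reads its writer identity and grants it roles/pubsub.publisher on the topic. Project, topic, subscription and sink names are placeholders; the ingest key is the one shown on your Resmo integration page. Commands are printed unless DRY_RUN=0 is exported.

```shell
#!/bin/sh
# Added example, not Resmo's own tooling: wires Cloud Audit Logs to Resmo's
# push endpoint and grants the Log Router permission to publish.
PROJECT_ID="my-project"            # placeholder
TOPIC_NAME="resmo-audit-events"    # placeholder (TOPIC_NAME above)
SUBSCRIPTION_ID="resmo-push"       # placeholder (SUBSCRIPTION_ID above)
SINK_NAME="resmo-audit-sink"       # placeholder (SINK_NAME above)
INGEST_KEY="<your-ingest-key>"     # placeholder, copied from the Resmo integration page

# FULL_TOPIC_NAME as required by --topic on the subscription.
topic_full_name() {
  echo "projects/${PROJECT_ID}/topics/${TOPIC_NAME}"
}
# Sink destination for a Pub/Sub topic.
sink_destination() {
  echo "pubsub.googleapis.com/$(topic_full_name)"
}
push_endpoint() {
  echo "https://id.resmo.app/integration/gcp/event?ingestKey=${INGEST_KEY}"
}
# Only Cloud Audit Log entries, and only from the four services Resmo ingests.
audit_log_filter() {
  echo 'protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" protoPayload.serviceName=("pubsub.googleapis.com" OR "compute.googleapis.com" OR "storage.googleapis.com" OR "container.googleapis.com")'
}

# Prints each command instead of running it unless DRY_RUN=0 is exported.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'DRY RUN: %s\n' "$*"; else "$@"; fi
}

setup_realtime() {
  run gcloud pubsub topics create "$TOPIC_NAME"
  run gcloud pubsub subscriptions create "$SUBSCRIPTION_ID" \
    --topic="$(topic_full_name)" \
    --push-endpoint="$(push_endpoint)" \
    --expiration-period=never \
    --ack-deadline=60 \
    --message-retention-duration=10m \
    --min-retry-delay=10s \
    --max-retry-delay=30s
  run gcloud logging sinks create "$SINK_NAME" "$(sink_destination)" \
    --log-filter="$(audit_log_filter)"
  # The sink publishes as its own service identity; without this binding
  # no entries reach the topic. The identity only exists once the sink does,
  # so this part runs only for real (DRY_RUN=0).
  if [ "${DRY_RUN:-1}" != "1" ]; then
    writer="$(gcloud logging sinks describe "$SINK_NAME" --format='value(writerIdentity)')"
    gcloud pubsub topics add-iam-policy-binding "$TOPIC_NAME" \
      --member="$writer" --role=roles/pubsub.publisher
  fi
}

setup_realtime
```

If changes stop arriving in Resmo, the writer identity binding is the first thing to check: a sink that lacks it reports export errors in the project's own logs rather than failing at creation time.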

  1. Sign up or log in to your Resmo account.
  2. Go to the Integrations page, click Add Integration, and select GCP.
  3. Name the integration and, optionally, write a description.
  4. Enter your GCP project ID into the Project ID field.
  5. Enter the full name of your Identity Provider into the GCP Target Resource field. To find it:
     a. List your identity pools:
        gcloud iam workload-identity-pools list --location="global"
     b. List the providers of your identity pool:
        gcloud iam workload-identity-pools providers list --workload-identity-pool="my-workload-identity-pool" --location="global"
  6. Copy your provider name and paste it into the GCP Target Resource field in the following format:
     //iam.googleapis.com/<provider-name>
  7. Enter your Service Account Email into the Service Account Email field.
  8. Click the Create button, and you are ready to run queries.

  1. Log in to your Resmo account.
  2. Navigate to the Integrations page and click your GCP integration.
  3. Click Delete to uninstall, or Disable to stop polling GCP resources temporarily.
  4. Delete the GCP resources you created for the integration: the Workload Identity Pool and the Service Account, plus the PUB/SUB topic, subscription and Log Router if you enabled real-time change ingestion.

FAQ
What should I check if the integration fails to install?
What happens if I delete a required resource that the integration uses to poll my resources?
Can I update the Project ID for my integration?
I have entered the wrong Service Account Email or Identity Provider; what should I do?