SaaS Security Administrator's Guide
    : Begin Scanning a Google Cloud Storage App
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. Data Security
    5. Secure Sanctioned SaaS Apps on Data Security
    6. Add Cloud Apps to Data Security
    7. Begin Scanning a Google Cloud Storage App
    Download PDF

    SaaS Security Administrator's Guide

    Begin Scanning a Google Cloud Storage App

    Table of Contents

    Begin Scanning a Google Cloud Storage App

    Add the Google Cloud Storage app for GCP (Global Cloud Platform) to Data Security to begin scanning and monitoring assets for possible security risks.
    Before you begin scanning a Google Cloud Storage app, you must create a service account and enable administrator and client API access.
    To connect the Google Cloud Storage app to Data Security and begin scanning assets, you need to:
    • Create a service account from Google Cloud Console or use an existing service account.
    • Enable administrator and client API access from Google Admin Console.
    • Add the Google Cloud Storage app to Data Security.
    • Configure initial scan settings.
    Support for automated remediation capabilities varies by SaaS application.

    Create a Service Account for Google Cloud Storage

    You must create a service account before you can add the Google Cloud Storage app; alternatively, you can Use an Existing Project and Service Account instead. As you prepare the Google Cloud Storage account, take note of the following values, as they are required to add the Google Cloud Storage app on Data Security. Each web interface might refer to the value by a different name.
    Item
    Web interface
    Description
    Google Cloud Console
    Google Admin Console
    SaaS Security
    Google administrator email
    Google account
    Google account
    Administrator email
    The Google account you used to log in to Google Cloud Console to create the service account in Google Cloud Storage. You will use this same Google account to log in to the Google Admin Console when to enable API client access. You specify this email on Data Security when adding the Google Cloud Storage app.
    Private Key
    Private key
    n/a
    Certificate
    A P12 format private key certificate issued from your Google service account. This required certificate is uploaded on Data Security when adding the Google Cloud Storage app.
    Private Key Password
    Private key password
    n/a
    n/a
    The default password for the new private key.
    Client ID
    Client ID and Unique ID
    Client ID
    n/a
    The client ID automatically displays on Google Cloud Console when enabling Google Cloud Storage domain-wide delegation, on Data Security when you add the Google Cloud Storage app, and on Google Admin Console when enable API client access.
    Service Account ID
    Email and Service account ID
    n/a
    Service account ID
    The service account ID is automatically generated on the Google Cloud Console when you create the service project and is partly based on the service account name you assign. You will specify the service account ID on SaaS Security web interface when you add the Google Cloud Storage app.
    1. Log in to Google Cloud Console as the Google Cloud Storage administrator.
      If you have not used the Google Cloud Console before, Agree to the Google Cloud Platform Terms of Service. Otherwise, proceed to the next step.
    2. Create a new project from GCP.
      1. In the drop-down at the top of the screen, open your project list, then NEW PROJECT.
      2. Name your project (for example, Data Security GCP), select your organization (domain), then CREATE the project.
    3. Authorize OAuth consent for the new project.
      1. Select APIs & ServicesOAuth consent screen.
      2. Select the project you created above.
      3. Select Internal user type, then CREATE.
      4. Specify an App name (for example, Data Security) and User support email.
      5. Click + ADD DOMAIN, then specify Authorized domain—the domain name for your Google administrator email, to authorize.
      6. Specify Developer contact information, then SAVE AND CONTINUE.
    4. Create the Service Account Key for the new project.
      1. Select APIs & ServicesCredentialsCREATE CREDENTIALS.
      2. Select Service account and specify a Service account name (for example, Data Security), which automatically populates the Service account ID, then CREATECONTINUEDONE, authorizing no optional permissions or access.
    5. Enable Domain-wide Delegation for the new service account.
      GCP creates a service account client when domain-wide delegation is enabled on a service account.
      1. Select APIs & ServicesCredentials.
      2. In Service Accounts, locate the service account, then Edit service account.
      3. Record the Email, which you’ll use to specify the Service account ID later on SaaS Security web interface.
      4. Select Enable Google Domain-wide Delegation, then SAVE.
        If prompted to provide a value in Product name for the consent screen field, you did not perform 3 and 4 as instructed. GCP is very particular.
      5. Select KEYSADD KEYCreate new keyJSONCREATE.
        The key is downloaded automatically on your device. Upload the key during onboarding.
      6. Store the default password and key to a secure location as the key can't be recovered if lost.
        Data Security requires this key when you Add Google Cloud Storage App.
      7. Save your changes.
    6. To create a service account client, go to Service AccountsAdvanced settings. Click CREATE GOOGLE WORKSPACE MARKETPLACE-COMPATIBLE OAUTH CLIENT. You’ll then be able to see the same client in the OAuth 2.0 Client IDs list.
    7. Retrieve and save the Client ID for the new service account client.
      1. Select APIs & ServicesCredentials.
      2. In OAuth 2.0 Client IDs, locate the client, then copy and save the Client ID.
    8. Enable API access for the new service account.
      1. Select the project.
      2. Select APIs & Services+ ENABLE APIS AND SERVICES.
      3. Search for and ENABLE the following APIs:
        • Google Admin SDK API
        • Google Cloud Resource Manager API
        • Google Cloud Storage API
        • Google Cloud Pub or Sub API
        • Google Identity and Access Management (IAM) API
        • Google Cloud Logging API
    9. Provide the local admin account with the required roles.
      You’ll use this admin account to onboard Data Security. This admin account does not need to be a Super Admin; however, the admin account does require minimum permissions at the organization level—Storage Admin and Security Admin permissions.
      1. Log in to Google Cloud Console as Super Admin.
      2. At the top of the screen and in the project list, select your organization.
      3. Select IAM & AdminIAM, then + ADD.
      4. Add your account as Security Admin and Storage Admin.
    10. Enable API client access to Google Cloud Storage.
      1. Log in to Google Admin Console as the Google Cloud Storage administrator.
        The admin console isn't the same as the cloud console that you’ve been accessing up to this point in this procedure; rather, the admin console is a different console.
      2. Select SecurityApp access control (API Controls)Domain wide DelegationMANAGE DOMAIN WIDE DELEGATION.
        Trust internal, domain-owned apps isn't needed for onboarding the Google Cloud Storage app; however, GCP web interface enables this setting by default. You can safely disable this setting if you want.
      3. Click Add new, then specify Client ID and required scopes.
        • In Client Name, specify the Client ID that you recorded in 7.
        • In One or More API S copes, copy and paste the following scope, then AUTHORIZE access to data in Google services.
          https://www.googleapis.com/auth/admin.directory.user.security,https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write,https://www.googleapis.com/auth/admin.directory.group
    11. Proceed to Add Google Cloud Storage App

    Use an Existing Project and Service Account

    If you want to onboard the Google Cloud Storage app using an existing GCP project and service account, set up your admin account as the project IAM owner and service account owner. If you don’t have an existing project or service account, Create a Service Account for Google Cloud Storage instead.
    1. Log in to Google Cloud Console as Super Admin.
    2. Set permissions for the existing project.
      1. In the drop-down at the top of the screen, open your project list, then select your existing project.
      2. Select IAM & AdminIAM.
      3. In PERMISSIONSMembers, locate and Edit your membership, which is your admin account.
        If you can't quickly locate your admin account in the Members table, click + ADD to use the New members search tool.
      4. Set Role to Owner.
    3. Set permissions for the existing service account.
      1. Select IAM & AdminService Accounts.
      2. Click on your service account, then PERMISSIONS.
      3. In Members table, locate and Edit your membership, which is your admin account.
        If you can't quickly locate your admin account in the Members table, click + GRANT ACCESS to use the New members search tool.
      4. Set Role to Owner.
    4. Verify that the Oauth Consent settings outlined in 3 are correct.
    5. Proceed to Add Google Cloud Storage App.

    Add Google Cloud Storage App

    Before you add the Google Cloud Storage app, you must Create a Service Account for Google Cloud Storage.
    1. To add Google Cloud Storage, go to Data SecurityApplicationsAdd ApplicationGoogle Cloud Storage.
    2. Select Google Cloud Storage and then Connect to Account.
    3. Enter the Google Administrator email to which you granted roles in 9.d.
    4. Enter Service account ID that you created in 4.b.
    5. Upload P12 Certificate GCP issued in 5.e.
    6. Click Next to add the cloud app.
    7. Review the initial project scan discoveries and select the projects to monitor.
      If you Cancel the setup at any time, you must start over again.
      1. Enable Automatically scan new projects to scan all new projects.
      2. To select individual projects, select the Project to scan from the list.
      3. Save your scan setting to proceed scanning all discovered projects.
      4. Cancel if you don't want to proceed with scanning the discovered projects.
    8. Review the initial bucket scan discoveries and select the buckets to monitor.
      1. Enable Scan all current and any new buckets to scan all new buckets.
      2. To select individual buckets, select the Bucket to scan from the list.
      3. Save your scan setting to proceed scanning all discovered buckets.
      4. Cancel if you don't want to proceed with scanning the discovered buckets.
        After authentication, Data Security adds the new Google Cloud Storage app to the Cloud Apps list as Google Cloud Storage n, where n is the number of Google Cloud Storage app instances that you have connected to Data Security. For example, if you added one Google Cloud Storage app, the name displays as Google Cloud Storage 1. You’ll specify a descriptive name soon.
        From this point forward, keep this project exclusively for Data Security. Don't revoke, disable authorization, or change the project in any way. If you do, Data Security stops scanning.
    9. Proceed to Identify Risks.

    Identify Risks

    Select the projects and buckets that you want Data Security to monitor.
    When you add a new cloud app and enable scanning, Data Security automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
    1. Start scanning the new Google Cloud Storage app for risks.
    2. Monitor the scan results.
      During the discovery phase, Data Security scans files and matches them against enabled default policy rules.
      Verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to the next step.
    3. (Optional) Add new policy rules.
      Consider the business use of your app, then identify risks unique to your enterprise. As necessary, add new:
    4. (Optional) Configure or edit a data pattern.
      You can configure data patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.
    5. Proceed to View Scan Settings for Project and Buckets.

    View Scan Settings for Project and Buckets

    When you added the cloud app, you configured the projects and buckets you want Data Security to monitor. You can view the scan settings for the Projects and Buckets that are currently being scanned.
    1. Log in to SaaS Security.
    2. Select SettingsCloud App and Scan Settings.
    3. Select a Google Cloud Storage app from the list of Cloud Apps and expand the Projects Buckets to view the scan details.
    4. Proceed to Customize Google Cloud Storage App and Fix Google Cloud Storage Onboarding Issues, if necessary.

    Customize Google Cloud Storage App

    If you plan to manage more than one instance of Google Cloud Storage app, consider differentiating your instances.
    1. (Optional) Give a descriptive name to this app instance.
      1. Select the Google Storage n link on the Cloud Apps list.
      2. Enter a descriptive Name.
      3. Click Done to save your changes.
    2. Proceed to Fix Google Cloud Storage Onboarding Issues.

    Fix Google Cloud Storage Onboarding Issues

    The most common issues related to onboarding the Google Cloud Storage app are as follows:
    Symptom
    Explanation
    Solution
    There are no known issues.

    © 2025 Palo Alto Networks, Inc. All rights reserved.