1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Administrator’s Guide (Compute)
    5. Authentication
    6. Credentials Store
    7. Google Cloud Platform (GCP) Credentials

    Google Cloud Platform (GCP) Credentials

    Accessing GCP to scan resources can be done in one of two ways. You can make use of a service account and create a key for that account or you can use an API Key. Google recommends that you use a service account with a key and we document that here. More information is available here https://cloud.google.com/docs/authentication/api-keys.
    On GCP, use of onboarded accounts for organizations is not supported. To use organization credentials, you must create credentials using the
    GCP
     type and the
    Organization
     credential level in Compute instead of going to
    Settings > Cloud Accounts
    .

    Creating a service account

    Create a service account that Prisma Cloud can use to scan your resources in GCP. The permissions the service account should have depend on the features you plan to use the credentials for. For the specific permissions, see the dedicated article of each feature (e.g. Google Container Registry scanning).
    1. Google provide a comprehensive guide for creating a service account - https://cloud.google.com/iam/docs/creating-managing-service-accounts
    2. Create a key for this service account. The format of this key should be JSON. Google have a guide for this - https://cloud.google.com/iam/docs/creating-managing-service-account-keys
    3. Copy the contents of the downloaded key, here is an example:
      {
  "type": "service_account",
  "project_id": "mycompany-project",
  "private_key_id": "abe29475a09fb22e709fdc622306a714e17cqd1c",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFBBSCBKgwggSkAgEAAoIBAQCyBJgPechqsXAK\nTaz1y77AGqei47IbgWegRq8JqqoQGERhBX8X41otaRNUIn7fpTdH/JjRfJ0wyduz\nn6TLmeMz+d/yIZBtztujJ4KoGTS0yTybtcKWKg254upri6RIcMS3ArNXsNtSwLQx\nicVDCI3uDKLuNyawmLf1BiHLwWZK8bOUe5thd3J9UXc+B+dL9JRYyz1Iq+X/Nz1w\n7D3TPXfy54Hg39rDRrx0bK0E+AIRMA5vPFmGrWlYn6HyltOxCU/D5NUrExRo3aug\nsIvQgGE3QYLU4a5n9jsWPbjSGI+EH/+zZ1fze5pk6rprlvKtbvygJSFGpdsjS4EX\nbFgPVYGJAgMBAAECggEABu9fIaY1yLNIKTyYrvwsnpUDQBkk/oWSbQfn6IVfqfAa\nFNoHFx4GLLP12u6bmPiZoFoutWWIhaatgpBG9iAU/fi/cNI+K0r2W0MuJ8CQoTTg\nQbQpZBp4Daxxg7ZNVH2hKjyGklVbW/xSIMZsWwXNqq8PF17qaNGQRBFEtoh+pM94\nJ23ZKIW5muF+5Svz4wLLS7VMtbl/XrM9eCepVQNzQ701A67VQa1Z8KIot5IeQ0d2\njnHJn6XgaDe/IKuP8ClXnCUwo/GbChCtctP0BpTeaTSOUrc1O7ntgFBGYxiSmgZ0\n13x43XkuYaycyZEycKEOaa9U+k1KrcFZ/CDQdv+AUQKBgQD25mVWFxQdhFqF12vu\nEhz0jRjLbre+V3UgOYJObmKMdM6iH+NQ9CNeFIn8qgHgOK7pHEgjcLvAv4ZgECin\n1XtMNAFGRREGuzovvzQKwBGAEz8PovI2gkITqmcSQ7xzcGyY1Xm1mthpqkoWFe5c\nk253fYhMjuITTXisYv8LBl5XGQKBgQC4lER2AmTSvLe+4sulTeDEocMsP+G4j/A1\neS1mG5e5YGUtuWgIdfNKUn1YG5uX3ERZVeCdRO7B/osQ4uAeJ1SIS3Zvw5QVtS/s\nFOJa1UJ/nxGAA8vApjRgJkLyRbf/yoxsRlCQkQJcRd1SO9DRlCSWdSW1CpIpauiN\nfZZW3iD78QKBgQCWW7Lk3cMjQqH6FjmlTySRDYhHA1MkuI1fFga0Cuc7EDtyYicF\n+te7CJkL5OClkv95+P45jwLYHAsSX2TDE3o16wnHqHH4/nYt86wWy+ccbxwdQqds\n6KCi50hDyDpwtst7u62WGgmnN8xMbOivOh2w6SLjNyQ0ix5tJRCavzMeqQKBgQCu\nYvajf/N93urDIEdC8Gcxn5tkTR6XXvaVrt0joWIhtF8jag5OIBIx3+m55rywJ100\nAhzquVvSUQlWdONF2ebVtmY5hdB9Cegy5jBNnTrslH7WMb/pTZ4iUUPi3dfPhbBS\nA8TOMRLH1wIZVYYe3BYNSLTNbSVWmDkKpOLLQ6ZqIQKBgA0rkqfzz0MIij58OugB\nFyv8UWvy+hYR15EvIFOl5jXomVl199x+XHQGiwV6cXGmGcii7eC7vXSmnjxILMEA\nD4Odwi9vmyJXOtIT1WlVj/faLrpKfunZEphYnrtRASuDzzU4cTbeElhfLOqkJEA4\nK4CCBhjL3UX8Z9FbJJz7mYoX\n-----END PRIVATE KEY-----\n",
  "client_email": "mycompany-service-svc@mycompany-project.iam.gserviceaccount.com",
  "client_id": "120957099362691824155",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/mycompany-service-svc%40mycompany-project.iam.gserviceaccount.com"
}

    Storing the Credential in Prisma Cloud

    Complete these steps to store your GCP credential in Prisma Cloud.
    1. Open Console, and go to
      Manage > Authentication > Credentials Store
      .
    2. Click
      Add credential
      , and enter the following values:
      1. In the
        Name
         field, enter a label to identify the credential.
      2. In the
        Type
         field, select
        GCP
        .
      3. In the
        Credential level
         field, select
        Project
         or
        Organization
        . When using project-level credentials, Prisma Cloud scans the resources of a single project. With organization-level credentials, Prisma Cloud will find and scan all the projects in the organization.
        The service account permissions should fit the credentials level. Use
        Project
         with service accounts that have permissions to a single project. Use
        Organization
         with service accounts that have permissions to an organization or multiple projects.
        When using organization-level credentials, the service account you use should be defined for a single organization. Credentials for multiple organizations with the same service account are not supported.
        Organization-level credentials are not supported for Serverless auto-defend, Host auto-defend, and Google Cloud Pub/Sub alerts.
        When using organization-level credentials, the performance of several features may be affected if the organization includes a large number of projects. For specific information and guidelines see:
      4. In the
        Service Account
         field, copy and paste the entire JSON key that you downloaded.
      5. Leave the
        API token
         blank
      6. Click
        Save
        .