diff --git a/cloud/integrations.mdx b/cloud/integrations.mdx
index c8e22ef..b47c165 100644
--- a/cloud/integrations.mdx
+++ b/cloud/integrations.mdx
@@ -1072,6 +1072,16 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
| Organization Viewer | `roles/resourcemanager.organizationViewer` |
| Folder Viewer | `roles/resourcemanager.folderViewer` |
| Browser | `roles/browser` |
+ | Compute Viewer | `roles/compute.viewer` |
+ | DNS Reader | `roles/dns.reader` |
+ | Storage Bucket Viewer | `roles/storage.bucketViewer` |
+ | Cloud Run Viewer | `roles/run.viewer` |
+ | Cloud Functions Viewer | `roles/cloudfunctions.viewer` |
+ | Kubernetes Engine Viewer | `roles/container.clusterViewer` |
+
+
+ **Permission Inheritance:** Organization-level IAM roles automatically cascade to all projects and folders within the organization. This means granting these 10 roles at the org level provides access across your entire GCP environment without per-project configuration.
+
Find your Organization ID:
```bash
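Review bot: The display name in the new row `| Kubernetes Engine Viewer | roles/container.clusterViewer |` does not match the role id: `roles/container.clusterViewer` is titled Kubernetes Engine Cluster Viewer (Kubernetes Engine Viewer is `roles/container.viewer`), so either the title or the id should change before readers pick the wrong role from the console. The "Permission Inheritance" paragraph correctly states that org-level bindings cascade, but it should spell out the least-privilege consequence: the six service-specific viewer roles extend the scanner's read access to Compute, DNS, buckets, Cloud Run, Cloud Functions and GKE cluster metadata in every current and future project in the org, and an inherited allow binding cannot be removed at a folder or project below it. Since the page already grants `roles/cloudasset.viewer` at the org level, one sentence on which discovery paths need the per-service roles (what Cloud Asset Inventory alone does not return) would let readers decide whether all ten are required in their environment. Minor: the double blank line before the bold `**Permission Inheritance:**` label suggests a callout; if the page has a callout component, use it here for consistency.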
@@ -1081,7 +1091,7 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
Grant these roles at the **organization level** via the [Cloud Console IAM page](https://console.cloud.google.com/iam-admin/iam) (switch to organization scope) or using `gcloud`:
```bash
- for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser; do
+ for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser roles/compute.viewer roles/dns.reader roles/storage.bucketViewer roles/run.viewer roles/cloudfunctions.viewer roles/container.clusterViewer; do
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="serviceAccount:projectdiscovery-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="$role"
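Review bot: The updated `for role in ...` line now carries ten roles on a single line, which is hard to read and easy to truncate when copied; list them in a multi-line variable above the loop (one role per line with backslash continuations) and iterate over that. The loop also keeps running when one `gcloud organizations add-iam-policy-binding` call fails, so a reader can end up with a partial set of bindings and no clear error; add `|| exit 1` to the command (or `set -e` before the loop) and tell readers to confirm the result with `gcloud organizations get-iam-policy YOUR_ORG_ID` afterward.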
@@ -1101,10 +1111,26 @@ Or via the [Cloud Console](https://console.cloud.google.com/iam-admin/serviceacc
**Step 4: Configure in ProjectDiscovery**
-In the ProjectDiscovery platform, create a new GCP integration and select **Service Account Key** as the authentication method. Upload the JSON key file and optionally provide your Organization ID for org-level enumeration.
+In the ProjectDiscovery platform, create a new GCP integration and select **Service Account Key** as the authentication method. Upload the JSON key file and optionally provide your Organization ID for org-level enumeration and an **optional Project IDs** list to limit discovery to specific projects (leave it empty to scan all projects).
Click **Verify** to confirm the connection, then **Create & Start Discovery**.
+
+
+ The **Project IDs** field is optional. If you provide it, **only those projects will be scanned** (not all projects under the organization).
+
+ To list the projects your service account can access:
+
+ ```bash
+ # Authenticate as the service account
+ gcloud auth activate-service-account --key-file=PATH_TO_SA_KEY.json
+
+ # List all projects the service account can see
+ gcloud projects list --format="value(projectId)"
+ ```
+
+
+
---
#### Workload Identity Federation
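Review bot: The reworded Step 4 sentence ("optionally provide ... and an **optional Project IDs** list") and the new paragraph `The **Project IDs** field is optional. If you provide it, **only those projects will be scanned**` state the same thing twice in a row; keep the explanation in the paragraph and let the step sentence just name the field. The snippet `gcloud auth activate-service-account --key-file=PATH_TO_SA_KEY.json` switches the reader's active gcloud account to the scanner service account for every subsequent command, which deserves a one-line warning and the way back (`gcloud config set account YOUR_USER_EMAIL`); an alternative that never installs the key locally is `gcloud projects list --impersonate-service-account=projectdiscovery-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com`, which requires `roles/iam.serviceAccountTokenCreator` on that service account. The three trailing blank lines before `---` should also go.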
@@ -1197,6 +1223,16 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
| Organization Viewer | `roles/resourcemanager.organizationViewer` |
| Folder Viewer | `roles/resourcemanager.folderViewer` |
| Browser | `roles/browser` |
+ | Compute Viewer | `roles/compute.viewer` |
+ | DNS Reader | `roles/dns.reader` |
+ | Storage Bucket Viewer | `roles/storage.bucketViewer` |
+ | Cloud Run Viewer | `roles/run.viewer` |
+ | Cloud Functions Viewer | `roles/cloudfunctions.viewer` |
+ | Kubernetes Engine Viewer | `roles/container.clusterViewer` |
+
+
+ **Permission Inheritance:** Organization-level IAM roles automatically cascade to all projects and folders within the organization. This means granting these 10 roles at the org level provides access across your entire GCP environment without per-project configuration.
+
Find your Organization ID:
```bash
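Review bot: This table and the `**Permission Inheritance:**` paragraph are a verbatim copy of the additions in the Service Account Key section, so the same issues apply here (the `Kubernetes Engine Viewer` title versus `roles/container.clusterViewer`, and the missing explanation of why the per-service viewer roles are needed alongside `roles/cloudasset.viewer`), and any future role change now has to be made in two places; if the docs tooling supports shared snippets, factor the role table and the note into one that both authentication sections include.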
@@ -1206,7 +1242,7 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
Grant these roles at the **organization level** via the [Cloud Console IAM page](https://console.cloud.google.com/iam-admin/iam) (switch to organization scope) or using `gcloud`:
```bash
- for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser; do
+ for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser roles/compute.viewer roles/dns.reader roles/storage.bucketViewer roles/run.viewer roles/cloudfunctions.viewer roles/container.clusterViewer; do
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="serviceAccount:pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="$role"
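Review bot: Same points as on the Service Account Key loop: the ten-role `for role in ...` line is long enough to be mis-copied, and the loop does not stop when an `add-iam-policy-binding` call fails, so move the roles into a multi-line variable and add `|| exit 1`. This copy binds `pd-cloudlist-reader@...` while the earlier loop binds `projectdiscovery-scanner@...`; the difference predates this change, but since both loops are being edited now it is worth confirming the two account names are intentional.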
@@ -1269,9 +1305,24 @@ In the ProjectDiscovery platform, create a new GCP integration and select **Work
| **Workload Identity Provider** | Full provider path from Step 6 |
| **Service Account Email** | `pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com` |
| **Organization ID** | Your numeric org ID — leave empty for project-level enumeration |
+| **Project IDs (Optional)** | Limit discovery to specific projects |
Click **Verify** to confirm the connection, then **Create & Start Discovery**.
+
+
+ The **Project IDs** field is optional. If you provide it, **only those projects will be scanned** (not all projects under the organization).
+
+ To list the projects you can access:
+
+ ```bash
+ gcloud projects list --format="value(projectId)"
+ ```
+
+ Run this as an org admin (or a principal with org-level visibility) if you need the full list of projects.
+
+
+
---
#### GCP Troubleshooting
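Review bot: In the new paragraph under the table, `gcloud projects list --format="value(projectId)"` runs as whoever is currently logged into gcloud, not as the federated `pd-cloudlist-reader@...` service account, so its output is not necessarily the set of projects the integration will discover, and the hedge `Run this as an org admin (or a principal with org-level visibility) ...` does not close that gap. Since there is no key to activate in the Workload Identity Federation flow, suggest `gcloud projects list --impersonate-service-account=pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com --format="value(projectId)"` (requires `roles/iam.serviceAccountTokenCreator` on that account) and say plainly that this shows the scanner's view. The new row `| **Project IDs (Optional)** | Limit discovery to specific projects |` and the paragraph `The **Project IDs** field is optional ...` overlap as well; only one of them needs the "only those projects will be scanned" detail. Drop the three trailing blank lines before `---`.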
@@ -1701,4 +1752,4 @@ Supported Services:
References:
1. https://docs.digitalocean.com/reference/api/create-personal-access-token/
-2. https://docs.digitalocean.com/reference/api/
\ No newline at end of file
+2. https://docs.digitalocean.com/reference/api/