Merged
59 changes: 55 additions & 4 deletions cloud/integrations.mdx
Expand Up @@ -1072,6 +1072,16 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
| Organization Viewer | `roles/resourcemanager.organizationViewer` |
| Folder Viewer | `roles/resourcemanager.folderViewer` |
| Browser | `roles/browser` |
| Compute Viewer | `roles/compute.viewer` |
| DNS Reader | `roles/dns.reader` |
| Storage Bucket Viewer | `roles/storage.bucketViewer` |
| Cloud Run Viewer | `roles/run.viewer` |
| Cloud Functions Viewer | `roles/cloudfunctions.viewer` |
| Kubernetes Engine Viewer | `roles/container.clusterViewer` |

<Note>
**Permission Inheritance:** Organization-level IAM roles automatically cascade to all projects and folders within the organization. This means granting these 10 roles at the org level provides access across your entire GCP environment without per-project configuration.
</Note>

Find your Organization ID:
```bash
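Review bot: the new table row labels `roles/container.clusterViewer` as "Kubernetes Engine Viewer", but that is the display name of `roles/container.viewer`; the predefined role `roles/container.clusterViewer` is "Kubernetes Engine Cluster Viewer", so either the label or the role ID should change to match what the `gcloud` loop later in this section actually grants. The added Note also hardcodes "these 10 roles", which will go stale silently the next time a row is added or removed; "the roles above" avoids that. Consider documenting which discovery call needs each of the six new service-specific viewer roles, since `roles/cloudasset.viewer` at the org level already returns inventory for Compute, DNS, Storage, Cloud Run, Cloud Functions and GKE; readers applying least privilege will want to know whether these six are required or merely convenient.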
Expand All @@ -1081,7 +1091,7 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
Grant these roles at the **organization level** via the [Cloud Console IAM page](https://console.cloud.google.com/iam-admin/iam) (switch to organization scope) or using `gcloud`:

```bash
for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser; do
for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser roles/compute.viewer roles/dns.reader roles/storage.bucketViewer roles/run.viewer roles/cloudfunctions.viewer roles/container.clusterViewer; do
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="serviceAccount:projectdiscovery-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="$role"
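Review bot: the loop on the `for role in …` line runs ten `add-iam-policy-binding` calls with no error handling, so a failed binding (a typo in one role ID, or a caller lacking `resourcemanager.organizations.setIamPolicy`) is reported once and the loop moves on, leaving a partially granted service account that only fails later at Verify. Suggest `set -e` before the loop or `|| exit 1` on the `gcloud` call, and a check afterwards such as `gcloud organizations get-iam-policy YOUR_ORG_ID --flatten="bindings[].members" --filter="bindings.members:projectdiscovery-scanner@"` so the reader can confirm all ten bindings landed. The single very long `for` line would also read better with one role per line and backslash continuations.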
Expand All @@ -1101,10 +1111,26 @@ Or via the [Cloud Console](https://console.cloud.google.com/iam-admin/serviceacc

**Step 4: Configure in ProjectDiscovery**

In the ProjectDiscovery platform, create a new GCP integration and select **Service Account Key** as the authentication method. Upload the JSON key file and optionally provide your Organization ID for org-level enumeration.
In the ProjectDiscovery platform, create a new GCP integration and select **Service Account Key** as the authentication method. Upload the JSON key file and optionally provide your Organization ID for org-level enumeration and an **optional Project IDs** list to limit discovery to specific projects (leave it empty to scan all projects).

Click **Verify** to confirm the connection, then **Create & Start Discovery**.

<AccordionGroup>
<Accordion title="How to find list of project IDs">
The **Project IDs** field is optional. If you provide it, **only those projects will be scanned** (not all projects under the organization).

To list the projects your service account can access:

```bash
# Authenticate as the service account
gcloud auth activate-service-account --key-file=PATH_TO_SA_KEY.json

# List all projects the service account can see
gcloud projects list --format="value(projectId)"
```
</Accordion>
</AccordionGroup>

---

#### Workload Identity Federation
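Review bot: the accordion's `gcloud auth activate-service-account --key-file=…` makes the service-account key the active gcloud credential on the operator's machine and leaves it in the local credential store, which is more than a read-only project listing needs; prefer `gcloud projects list --format="value(projectId)" --impersonate-service-account=projectdiscovery-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com` (the caller needs `roles/iam.serviceAccountTokenCreator` on the SA), or at least tell the reader to `gcloud config set account` back to their own identity and `gcloud auth revoke` the SA afterwards. The new sentence on the **Project IDs** field also leaves its interaction with Organization ID unspecified: if both are given, say whether the listed projects are scanned under the org scope or Project IDs overrides it, and whether a project ID outside the org is rejected at Verify or skipped at discovery time.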
Expand Down Expand Up @@ -1197,6 +1223,16 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
| Organization Viewer | `roles/resourcemanager.organizationViewer` |
| Folder Viewer | `roles/resourcemanager.folderViewer` |
| Browser | `roles/browser` |
| Compute Viewer | `roles/compute.viewer` |
| DNS Reader | `roles/dns.reader` |
| Storage Bucket Viewer | `roles/storage.bucketViewer` |
| Cloud Run Viewer | `roles/run.viewer` |
| Cloud Functions Viewer | `roles/cloudfunctions.viewer` |
| Kubernetes Engine Viewer | `roles/container.clusterViewer` |

<Note>
**Permission Inheritance:** Organization-level IAM roles automatically cascade to all projects and folders within the organization. This means granting these 10 roles at the org level provides access across your entire GCP environment without per-project configuration.
</Note>

Find your Organization ID:
```bash
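Review bot: this block is a verbatim copy of the role table and Note added above in the Service Account Key section, including the same "Kubernetes Engine Viewer" label for `roles/container.clusterViewer` (that display name belongs to `roles/container.viewer`; `roles/container.clusterViewer` is "Kubernetes Engine Cluster Viewer") and the same hardcoded "10 roles" count. Two copies will drift; consider moving the table and Note into a shared MDX snippet that both sections import, and fix the label and count in one place.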
Expand All @@ -1206,7 +1242,7 @@ Grant the required roles based on your [enumeration scope](#enumeration-scope).
Grant these roles at the **organization level** via the [Cloud Console IAM page](https://console.cloud.google.com/iam-admin/iam) (switch to organization scope) or using `gcloud`:

```bash
for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser; do
for role in roles/cloudasset.viewer roles/resourcemanager.organizationViewer roles/resourcemanager.folderViewer roles/browser roles/compute.viewer roles/dns.reader roles/storage.bucketViewer roles/run.viewer roles/cloudfunctions.viewer roles/container.clusterViewer; do
gcloud organizations add-iam-policy-binding YOUR_ORG_ID \
--member="serviceAccount:pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
--role="$role"
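Review bot: same loop as in the Service Account Key section, with the same missing error handling and the same single long `for` line; `set -e` (or `|| exit 1` on the `gcloud` call) and a one-role-per-line layout apply here too. Note also that the member here is `pd-cloudlist-reader@…` while the earlier section uses `projectdiscovery-scanner@…`; that difference predates this PR, but since both sections now carry an identical role list a reader copying between them will grant the wrong SA, so a one-line reminder that the member must match the service account created earlier in this section would help.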
Expand Down Expand Up @@ -1269,9 +1305,24 @@ In the ProjectDiscovery platform, create a new GCP integration and select **Work
| **Workload Identity Provider** | Full provider path from Step 6 |
| **Service Account Email** | `pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com` |
| **Organization ID** | Your numeric org ID — leave empty for project-level enumeration |
| **Project IDs (Optional)** | Limit discovery to specific projects |

Click **Verify** to confirm the connection, then **Create & Start Discovery**.

<AccordionGroup>
<Accordion title="How to find list of project IDs">
The **Project IDs** field is optional. If you provide it, **only those projects will be scanned** (not all projects under the organization).

To list the projects you can access:

```bash
gcloud projects list --format="value(projectId)"
```

Run this as an org admin (or a principal with org-level visibility) if you need the full list of projects.
</Accordion>
</AccordionGroup>

---

#### GCP Troubleshooting
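Review bot: the accordion's advice to run `gcloud projects list` "as an org admin" lists projects the admin can see, not the projects the federated `pd-cloudlist-reader` service account can see, so the resulting list can include projects on which the new org-level bindings have not propagated or that sit outside the org, and discovery will then fail on them. Suggest listing as the SA instead, `gcloud projects list --format="value(projectId)" --impersonate-service-account=pd-cloudlist-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com` (the caller needs `roles/iam.serviceAccountTokenCreator` on that SA), which doubles as a check that the org-level grants work before the first scan. The new **Project IDs (Optional)** table row should also state the expected input format (comma-separated, one per line), since the accordion only shows how to obtain the IDs.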
Expand Down Expand Up @@ -1701,4 +1752,4 @@ Supported Services:
References:

1. https://docs.digitalocean.com/reference/api/create-personal-access-token/
2. https://docs.digitalocean.com/reference/api/
2. https://docs.digitalocean.com/reference/api/