This guide walks you through enabling the required Google Cloud APIs, creating a service account with read access to Security Command Center and Cloud Asset Inventory, and collecting the values needed to connect Google Cloud Security to Synqly.

In Development

The Google Cloud Security connector is currently in development.

Before you begin, make sure:

  • You know whether you want the integration to read data at the organization or project level.
  • Security Command Center is already activated for the Google Cloud scope you want to connect.
  • You can sign in to the Google Cloud Console with permission to enable APIs, create service accounts, and grant IAM roles on the target scope.

Enable the required APIs

Enable these APIs in the Google Cloud project where your service account will live:

  1. In the Google Cloud Console, go to APIs & Services -> Library.
  2. Search for and enable Security Command Center API.
  3. Search for and enable Cloud Asset API.

Create a service account and assign permissions

Creating a dedicated service account for this integration is recommended. Reusing an existing service account is a power-user setup and should only be done if you understand the access and lifecycle trade-offs.

1. Create the service account

Follow the Google documentation to create a service account.

Give the service account a clear name such as integration-google-cloud-security.

2. Grant the required IAM roles on your target scope

Grant the service account access on the same organization or project you plan to use in scope_path.

Assign the following roles on the target scope:

| Role | IAM identifier | Enables | Required |
| --- | --- | --- | --- |
| Security Center Findings Viewer | roles/securitycenter.findingsViewer | query_compliance_findings, query_ioms, and query_threats | Yes |
| Cloud Asset Viewer | roles/cloudasset.viewer | query_cloud_resource_inventory | Yes |
| Service Usage Consumer | roles/serviceusage.serviceUsageConsumer | Cloud Asset Inventory API access in environments where serviceusage.services.use is required | Optional |

If your organization prefers broader read-only access, Security Center Admin Viewer (roles/securitycenter.adminViewer) can be used instead of Security Center Findings Viewer.

3. Create a JSON key for the service account

Create a JSON key for the service account by following the Google documentation to create a service account key.

Unlike the Google Workspace Identity setup, this connector does not use domain-wide delegation.

Download the JSON key and keep it secure. You will need these values from the file:

  • client_email
  • client_id
  • private_key
  • token_uri

Choose your scope_path

The scope_path determines which Google Cloud scope is queried for findings and inventory.

Supported formats:

  • organizations/{numeric_id}
  • projects/{project_id}
  • projects/{project_number}

Examples:

  • organizations/123456789012
  • projects/my-production-project
  • projects/123456789012

Use an organization-scoped path when you want coverage across the full organization. Use a project-scoped path when you want to limit the integration to a single project.

Configure the integration

Create your integration in Synqly with the following values.

Credential: Token URL (Optional)
Leave this blank to use the default Google token URL: https://oauth2.googleapis.com/token

Credential: Client Email
The client_email value from your service account JSON key.

Credential: Client ID
The client_id value from your service account JSON key.

Credential: Secret
The private_key value from your service account JSON key. This is the full PEM-encoded private key string from the downloaded JSON file.

Scope Path
The organization or project scope you want Synqly to read, formatted exactly as described in the scope_path section above.
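
The four key-file values and the scope_path formats listed in this guide can be checked locally before they are entered. The following pre-flight check is an added example, not Synqly's or Google's code; the function names, the sample key, and the project ID pattern (Google's usual 6-30 character rule, which excludes legacy domain-scoped IDs) are assumptions.

```python
import json
import re

DEFAULT_TOKEN_URI = "https://oauth2.googleapis.com/token"
REQUIRED_FIELDS = ("client_email", "client_id", "private_key", "token_uri")
# scope_path formats from this guide; the project ID rule is an assumption.
SCOPE_PATTERNS = {
    "organization": re.compile(r"organizations/[0-9]+"),
    "project_number": re.compile(r"projects/[0-9]+"),
    "project_id": re.compile(r"projects/[a-z][a-z0-9-]{4,28}[a-z0-9]"),
}

def classify_scope_path(scope_path):
    """Return the name of the supported format scope_path matches, else None."""
    for kind, pattern in SCOPE_PATTERNS.items():
        if pattern.fullmatch(scope_path):
            return kind
    return None

def preflight(key_json, scope_path):
    """Return a list of problems (empty means OK). Never echoes key material."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS
                if not isinstance(key.get(f), str) or not key[f].strip()]
    if key.get("type") != "service_account":
        problems.append("type is not service_account (wrong credential kind)")
    if not str(key.get("client_email", "")).endswith("gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    pem = str(key.get("private_key", ""))
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----\n")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    if key.get("token_uri") not in (None, "", DEFAULT_TOKEN_URI):
        problems.append("token_uri differs from the default Google token URL")
    if classify_scope_path(scope_path) is None:
        problems.append("scope_path does not match a supported format")
    return problems

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "client_id": "100000000000000000000",
    "client_email": "integration-google-cloud-security@my-production-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": DEFAULT_TOKEN_URI,
})
```

The PEM check also catches a private_key pasted with literal `\n` escapes instead of real line breaks, which happens when the value is copied from the raw JSON text rather than from the parsed file.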