This guide walks you through enabling the required Google Cloud APIs, creating a service account with read access to Security Command Center and Cloud Asset Inventory, and collecting the values needed to connect Google Cloud Security to Synqly.

The Google Cloud Security connector is currently in development.

## Prerequisites

Before you begin, make sure:

- You know whether you want the integration to read data at the organization or project level.
- Security Command Center is already activated for the Google Cloud scope you want to connect.
- You can sign in to the [Google Cloud Console](https://console.cloud.google.com/) with permission to enable APIs, create service accounts, and grant IAM roles on the target scope.


## Enable the required APIs

Enable these APIs in the Google Cloud project where your service account will live:

1. In the Google Cloud Console, go to **APIs & Services -> Library**.
2. Search for and enable **Security Command Center API**.
3. Search for and enable **Cloud Asset API**.


## Create a service account and assign permissions

Creating a dedicated service account for this integration is recommended. Reusing an existing service account is a power-user setup and should only be done if you understand the access and lifecycle trade-offs.

### 1. Create the service account

Follow the Google documentation to [create a service account](https://cloud.google.com/iam/docs/service-accounts-create).

Give the service account a clear name such as `integration-google-cloud-security`.

### 2. Grant the required IAM roles on your target scope

Grant the service account access on the same organization or project you plan to use in `scope_path`.

Assign the following roles on the target scope:

| Role | IAM identifier | Enables | Required |
|  --- | --- | --- | --- |
| Security Center Findings Viewer | `roles/securitycenter.findingsViewer` | `query_compliance_findings`, `query_ioms`, and `query_threats` | Yes |
| Cloud Asset Viewer | `roles/cloudasset.viewer` | `query_cloud_resource_inventory` | Yes |
| Service Usage Consumer | `roles/serviceusage.serviceUsageConsumer` | Cloud Asset Inventory API access in environments where `serviceusage.services.use` is required | Optional |


If your organization prefers broader read-only access, **Security Center Admin Viewer** (`roles/securitycenter.adminViewer`) can be used instead of **Security Center Findings Viewer**.

### 3. Create a JSON key for the service account

Create a JSON key for the service account by following the Google documentation to [create a service account key](https://cloud.google.com/iam/docs/keys-create-delete#iam-service-account-keys-create-console).

Unlike the Google Workspace Identity setup, this connector does not use domain-wide delegation.

Download the JSON key and keep it secure. You will need these values from the file:

- `client_email`
- `client_id`
- `private_key`
- `token_uri`


## Choose your `scope_path`

The `scope_path` determines which Google Cloud scope Synqly queries for findings and inventory.

Supported formats:

- `organizations/{numeric_id}`
- `projects/{project_id}`
- `projects/{project_number}`


Examples:

- `organizations/123456789012`
- `projects/my-production-project`
- `projects/123456789012`


Use an organization-scoped path when you want coverage across the full organization. Use a project-scoped path when you want to limit the integration to a single project.

## Configure the integration

Create your integration in Synqly with the following values.

**Credential: Token URL (Optional)**
Leave this blank to use the default Google token URL: `https://oauth2.googleapis.com/token`

**Credential: Client Email**
The `client_email` value from your service account JSON key.

**Credential: Client ID**
The `client_id` value from your service account JSON key.

**Credential: Secret**
The `private_key` value from your service account JSON key. This is the full PEM-encoded private key string from the downloaded JSON file.

**Scope Path**
The organization or project scope you want Synqly to read, formatted exactly as described in the `scope_path` section above.
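
The following pre-flight check is an added example, not Synqly's or Google's code: it validates a `scope_path` against the supported formats and confirms that a downloaded JSON key carries the four fields this guide uses before you enter them in the integration. The function names, the project ID rule, the `.gserviceaccount.com` suffix check, the `PRIVATE KEY` PEM header check, and the sample key are assumptions or constructed values.

```python
import json
import re

DEFAULT_TOKEN_URI = "https://oauth2.googleapis.com/token"
REQUIRED_FIELDS = ("client_email", "client_id", "private_key", "token_uri")
# scope_path formats from this guide. Assumption: project IDs are 6-30
# characters (lowercase letters, digits, hyphens), start with a letter and
# do not end with a hyphen.
SCOPE_PATTERNS = (
    ("organization", re.compile(r"organizations/[0-9]+")),
    ("project_number", re.compile(r"projects/[0-9]+")),
    ("project_id", re.compile(r"projects/[a-z][a-z0-9-]{4,28}[a-z0-9]")),
)
# Constructed sample key; the private key body is a placeholder, not a key.
SAMPLE_KEY = json.dumps({
    "client_email": "integration-google-cloud-security@my-production-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": DEFAULT_TOKEN_URI,
})


def classify_scope_path(scope_path):
    """Return the kind of scope_path, or raise ValueError if unsupported."""
    for kind, pattern in SCOPE_PATTERNS:
        if pattern.fullmatch(scope_path):
            return kind
    raise ValueError(f"unsupported scope_path: {scope_path!r}")


def check_key(key_json):
    """Return a list of problems found in a service account JSON key."""
    key = json.loads(key_json)
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = [f"missing field: {name}" for name in REQUIRED_FIELDS
                if not isinstance(key.get(name), str) or not key[name]]
    if problems:
        return problems
    if not key["client_email"].endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    if key["token_uri"] != DEFAULT_TOKEN_URI:
        problems.append("token_uri is not the default Google token URL")
    return problems


if __name__ == "__main__":
    print(classify_scope_path("projects/my-production-project"), check_key(SAMPLE_KEY))
```

An empty list from `check_key` means the four values are present and well-formed; it does not confirm that the key is active or that the roles are granted.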