GCP Account Connection Overview

Before Aqua CSPM can produce any security scan results, you must connect a cloud account. For Google Cloud, this is done through the use of a Service Account. A Service Account is an entity that can be assumed by a third party and secured to only access resources in a project. 

Drag and Drop (Recommended)

Step 1: Navigate to the Cloud Accounts page.

  • Click Connect Account on the top right.

Step 2: Choose "Google Cloud Platform (GCP)" under Account Type and "Drag and Drop (Recommended)" under Method.

Step 3: Use the following steps to create a Service Account and attach a role.

  1. Log into your Google Cloud console and navigate to IAM Admin > Service Accounts.
  2. Click Create Service Account.
  3. Enter "Aqua" in the Service account name, enter "Aqua API Access" in the Service account description, and click Create.
  4. Select the role: Project > Viewer.
  5. Click on Add Another Role.
  6. Select the role IAM > Security Reviewer.
  7. Click Done.
  8. Select the newly created Service Account.
  9. Select ADD KEY > Create new key.
  10. Select JSON > Create.
  11. Save the provided JSON file (Credentials).
  12. Select GCP organisation from the top and go to IAM.
  13. Click on GRANT ACCESS on top and add Organisation Viewer and Organisation Policy Viewer role to the service account and click Save.

Step 4: Drag and drop the JSON file  newly created on step 3.8 in the Aqua connection wizard.

Manual Setup

Step 1: Follow the Drag and Drop Instructions without dragging and dropping the JSON file.

Step 2: Open the JSON file and copy and paste the Project ID, Client Email, and Private Key.


For plugins involving BigQuery tables, we support a maximum limit of 50,000 tables when collecting data.