Skip to content

GCP Console Onboarding (Manual)

  1. Create a Service Account

    Create a service account in any project within your GCP organization.

  2. Choose an Authorization Method

    Choose one of the following authorization methods:

    • Create a Service Account Key for the created service account and select the JSON key type.

    • Allow SailPoint Entro's dedicated AWS role to impersonate this service account. Follow these steps to enable impersonation via GCP Workload Identity Federation.

  3. Assign Roles for SailPoint Entro's Service Account

    Assign roles for SailPoint Entro's Service Account.

    Grant the SailPoint Entro Service Account in an organization, folder, or specific project scope.

  4. Enable Required APIs

    Enable APIs on all GCP projects or on the host project only.

    To maintain SailPoint Entro reachability, certain APIs must be enabled on all projects in the organization. This can be done via CLI script or Terraform.

  5. Enable Audit Logs and Complete Onboarding in SailPoint Entro

    Enable audit logs, then complete onboarding in the SailPoint Entro portal.


Create a service account

Click on this link to create a service account in you GCP Portal. Permissions should be set later with your desired scope (project, folder or organization).


Create a Service Account Key

To create a new key for your service account:

  1. Click on the service account to open its settings.

  2. Navigate to the Keys tab.

  3. Click Add Key and choose Create new key from the dropdown.

  4. Ensure the JSON option is selected.

  5. Click Create.


Enable Required APIs

Run the following commands in Cloud Shell to enable required APIs across all GCP projects.

Which APIs are enabled by default?

  • Often already enabled in existing projects: cloudresourcemanager.googleapis.com, iam.googleapis.com, logging.googleapis.com. You can try enabling only the others first, then enable these if you see permission or not-enabled errors.
  • Usually not enabled and typically needs to be turned on: recommender.googleapis.com, cloudasset.googleapis.com, apikeys.googleapis.com.
  • Enabled when used and typically does not need to be turned on manually: secretmanager.googleapis.com, cloudfunctions.googleapis.com.

Option 1 - All Projects, All Orgs

#!/usr/bin/env bash
set -u
NON_BILLING_SERVICES=(
  cloudresourcemanager.googleapis.com
  iam.googleapis.com
  apikeys.googleapis.com
  recommender.googleapis.com
)
BILLING_SERVICES=(
  discoveryengine.googleapis.com
  secretmanager.googleapis.com
  cloudfunctions.googleapis.com
)
for PROJECT_ID in $(gcloud projects list --format="value(projectId)"); do
  [[ -z "$PROJECT_ID" ]] && continue
  if [[ "$PROJECT_ID" == sys-* ]]; then
    continue
  fi
  echo "Enabling APIs for project: $PROJECT_ID"
  if [ ${#NON_BILLING_SERVICES[@]} -gt 0 ]; then
    ERROR_OUTPUT=""
    if ERROR_OUTPUT=$(gcloud services enable "${NON_BILLING_SERVICES[@]}" \
        --project="$PROJECT_ID" \
        2>&1); then
      echo "Enabled non-billing APIs for $PROJECT_ID"
    else
      RC=$?
      echo "Failed enabling non-billing APIs for $PROJECT_ID (exit code: $RC)"
      echo "$ERROR_OUTPUT" | head -n 200
    fi
  fi
  if [ ${#BILLING_SERVICES[@]} -gt 0 ]; then
    ERROR_OUTPUT=""
    if ERROR_OUTPUT=$(gcloud services enable "${BILLING_SERVICES[@]}" \
        --project="$PROJECT_ID" \
        2>&1); then
      echo "Enabled billing APIs for $PROJECT_ID"
    else
      RC=$?
      echo "Failed enabling billing APIs for $PROJECT_ID (exit code: $RC)"
      echo "$ERROR_OUTPUT" | head -n 200
    fi
  fi
done
echo "Done"

Option 2 - All Projects, Single Org

#!/usr/bin/env bash
set -u
ORG_ID="<your org id>"
NON_BILLING_SERVICES=(
  cloudresourcemanager.googleapis.com
  iam.googleapis.com
  apikeys.googleapis.com
  recommender.googleapis.com
)
BILLING_SERVICES=(
  discoveryengine.googleapis.com
  secretmanager.googleapis.com
  cloudfunctions.googleapis.com
)
gcloud asset search-all-resources \
  --scope="organizations/${ORG_ID}" \
  --asset-types="cloudresourcemanager.googleapis.com/Project" \
  --filter="state=ACTIVE" \
  --format="value(additionalAttributes.projectId)" |
while IFS= read -r PROJECT_ID; do
  [[ -z "$PROJECT_ID" ]] && continue
  if [[ "$PROJECT_ID" == sys-* ]]; then
    continue
  fi
  echo "Enabling APIs for project: $PROJECT_ID"
  if [ ${#NON_BILLING_SERVICES[@]} -gt 0 ]; then
    ERROR_OUTPUT=""
    if ERROR_OUTPUT=$(gcloud services enable "${NON_BILLING_SERVICES[@]}" \
        --project="$PROJECT_ID" \
        2>&1); then
      echo "Enabled non-billing APIs for $PROJECT_ID"
    else
      RC=$?
      echo "Failed enabling non-billing APIs for $PROJECT_ID (exit code: $RC)"
      echo "$ERROR_OUTPUT" | head -n 200
    fi
  fi
  if [ ${#BILLING_SERVICES[@]} -gt 0 ]; then
    ERROR_OUTPUT=""
    if ERROR_OUTPUT=$(gcloud services enable "${BILLING_SERVICES[@]}" \
        --project="$PROJECT_ID" \
        2>&1); then
      echo "Enabled billing APIs for $PROJECT_ID"
    else
      RC=$?
      echo "Failed enabling billing APIs for $PROJECT_ID (exit code: $RC)"
      echo "$ERROR_OUTPUT" | head -n 200
    fi
  fi
done
echo "Done"

After running the previous script according to the desired scope, make sure to also enable those APIs on SailPoint Entro's hosting project.

Replace the project ID with the ID of the hosting project <host project id> :

export PROJECT_ID="<host project id>"
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  secretmanager.googleapis.com \
  cloudfunctions.googleapis.com \
  recommender.googleapis.com \
  policyanalyzer.googleapis.com \
  cloudasset.googleapis.com \
  pubsub.googleapis.com \
  apikeys.googleapis.com \
  --project="$PROJECT_ID"

Assign Roles for SailPoint Entro-S Service Account

  1. Navigate to IAM within your project, folder, or organization and click Grant access.

  2. Select the newly created SailPoint Entro service account from the previous step.

  3. Assign the required role (details below).

  4. Click Save to apply changes.

Or Cherry-Pick These Roles (Least Privilege)

  • Logs Viewer

  • Logs View Accessor

  • Private Logs Viewer

  • Organization Viewer

  • Secret Manager Viewer

  • View Service Accounts

  • Cloud Functions Viewer

  • IAM Recommender Viewer

  • Cloud Asset Viewer

  • Activity Analysis Viewer

  • Organization Role Viewer

  • Security Reviewer

  • Folder Viewer

  • API Keys Viewer

  • Secret Manager Secret Accessor

  • Discovery Engine Viewer


Audit Logs

To ensure SailPoint Entro's validation and anomaly detection, follow these steps:

  1. Navigate to the Audit Logs page in the GCP Portal, selecting your preferred scope (project, folder, or organization).

  2. Filter for the following services using the OR condition:

    • Secret Manager API

    • Cloud Functions API

    • Identity and Access Management (IAM) API

  3. Select the checkboxes for these services.

  4. Set their Permission types to:

    • Admin read

    • Data read

    • Data write

  5. Click Save.


Limited API Permissions (Appendix)

If you would like to restrict access for certain APIs, you can use limited manual onboarding: enable only the APIs on the project that hosts SailPoint Entro's service account (no org-wide API enablement). Some functionality will be lost.

What you get with limited onboarding

  • Project discovery (add child accounts), Secret Manager (metadata + values), Cloud Functions (exposed-secrets scan), logs (viewer), IAM (service account viewer, policy/recommender/asset for agents), and Activity Analysis.

  • All of this works with the minimal role set listed below, with APIs enabled only on the host project (the project where the SailPoint Entro service account is created).

What you'll miss

With Manual Onboarding, the following are not supported:

  • Google API Keys discovery, management, and correlation. This requires apikeys.googleapis.com and API Keys Viewer (and optional org-wide API enablement) on every project where you want API key visibility.

  • Project-level human ownership attribution for service accounts. Full ownership attribution uses agent-driven flows and additional data, so minimal setup does not provide project-level human ownership for service accounts.

If you need these features, use full onboarding (org-wide API enablement and the full organization roles list above).

APIs: enable on the host project only (limited onboarding)

Enable APIs only on the project that hosts SailPoint Entro's service account. Not all of these are required—only the core set is needed for the backend; the rest are for agent-driven features (IAM analysis, Recommender, Cloud Functions scan, etc.). When enabled only on the host project, those agent features only run for the host project.

API Used by Required?
cloudresourcemanager.googleapis.com project discovery, org resolution Yes
iam.googleapis.com NHI Enumeration (service account/key checks, archive flow) Yes
logging.googleapis.com Activity monitoring Yes
secretmanager.googleapis.com Backend (list/read secrets) Yes if you use Secret Manager (Usually switches on automatically)
cloudfunctions.googleapis.com Cloud Functions exposed-secrets scan Only if you want CF scanning
recommender.googleapis.com IAM Permissions Recommender insights Only if you want permissions recommender data
cloudasset.googleapis.com Resources, hierarchy Yes
pubsub.googleapis.com Alternative audit logs ingestion No

Minimum (Project Scope)

export PROJECT_ID="<host project id>"
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  secretmanager.googleapis.com \
  --project="$PROJECT_ID"

Full Set (Project Scope)

export PROJECT_ID="<host project id>"
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  logging.googleapis.com \
  secretmanager.googleapis.com \
  cloudfunctions.googleapis.com \
  recommender.googleapis.com \
  cloudasset.googleapis.com \
  pubsub.googleapis.com \
  --project="$PROJECT_ID"