This documentation is for the new preview UI. It’s still being refined and is subject to change. For documentation for the old UI, see Knowledge Base.

Note on third‑party tools

We aim to provide accurate and helpful details about third‑party tools, but we can’t guarantee that this information is always complete or up to date. For the most reliable information, please always refer to the third‑party tool’s official documentation.

Integrating your Google Cloud Platform (GCP) environment with Lansweeper Cloud Discovery allows Lansweeper to securely inventory assets across your GCP organization. This configuration uses Workload Identity Federation, enabling Lansweeper to authenticate with GCP using OpenID Connect (OIDC) — without storing or managing long-lived credentials.

Create a Workload Identity Pool and Provider

You’ll first create a Workload Identity Pool with an OIDC provider to enable federated authentication from Lansweeper. For more information, see Manage workload identity pools and providers.

  1. In the Google Cloud console, go to IAM & Admin > Workload Identity Federation.

  2. Select Create pool, then provide a name (for example, lansweeper-pool).

  3. Under Provider type, select OpenID Connect (OIDC).

  4. Enter the following:

    • Issuer URL:

      https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067

    • Allowed audiences:

      866d6f4d-c8fa-4342-9f6a-377932892ee0

  5. Add attribute mappings:

    • Map google.subject to assertion.sub

    • Map attribute.site_id to assertion.site_id

  6. Set an attribute condition to limit access by Lansweeper Site:

    attribute.site_id == '<your site ID>'

    To allow multiple Sites, use the OR operator:

    attribute.site_id == '<site ID #1>' || attribute.site_id == '<site ID #2>'

  7. Create the pool and provider.

  8. Copy the resulting Workload Identity Pool ID. You’ll need this when configuring your discovery action in Lansweeper.
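
Added example (not part of the Lansweeper documentation): a Python check that compares a provider's exported configuration with the values from steps 4 to 6 and reports a missing or broader-than-intended Site condition. The function name `audit_provider` and the `SITE-A`/`SITE-B` IDs are hypothetical, and the input is assumed to have the shape printed by `gcloud iam workload-identity-pools providers describe <provider> --workload-identity-pool=<pool> --location=global --format=json`.

```python
import json
import re

# Values fixed by this article (steps 4 and 5 of the provider setup).
ISSUER = "https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067"
AUDIENCE = "866d6f4d-c8fa-4342-9f6a-377932892ee0"
MAPPING = {"google.subject": "assertion.sub", "attribute.site_id": "assertion.site_id"}
# One clause of the step 6 condition: attribute.site_id == '<site ID>'
CLAUSE = re.compile(r"attribute\.site_id\s*==\s*'([^']+)'")


def audit_provider(provider, expected_site_ids):
    """Return a list of findings; an empty list means the provider matches."""
    findings = []
    oidc = provider.get("oidc", {})
    if oidc.get("issuerUri") != ISSUER:
        findings.append("issuer URL differs from the documented value")
    if oidc.get("allowedAudiences") != [AUDIENCE]:
        findings.append("allowed audiences differ from the documented value")
    if provider.get("attributeMapping") != MAPPING:
        findings.append("attribute mapping differs from the documented mappings")
    condition = provider.get("attributeCondition", "").strip()
    if not condition:
        findings.append("no attribute condition: access is not limited by Site")
        return findings
    allowed = set()
    for clause in condition.split("||"):
        match = CLAUSE.fullmatch(clause.strip())
        if match is None:
            findings.append(f"unrecognized condition clause: {clause.strip()!r}")
        else:
            allowed.add(match.group(1))
    extra = allowed - set(expected_site_ids)
    if extra:
        findings.append(f"condition admits unexpected Site IDs: {sorted(extra)}")
    return findings


# Constructed sample in the shape of the provider resource; Site IDs are placeholders.
SAMPLE = json.loads("""{
  "attributeMapping": {"google.subject": "assertion.sub",
                       "attribute.site_id": "assertion.site_id"},
  "attributeCondition": "attribute.site_id == 'SITE-A' || attribute.site_id == 'SITE-B'",
  "oidc": {"issuerUri": "https://login.auth.lansweeper.com/6d02a192-efc6-a58a-e413-8abc60f3b067",
           "allowedAudiences": ["866d6f4d-c8fa-4342-9f6a-377932892ee0"]}
}""")

if __name__ == "__main__":
    for finding in audit_provider(SAMPLE, ["SITE-A"]) or ["OK"]:
        print(finding)
```

The issuer, audience and mappings are the same fixed values for every reader of this article, so the Site condition is the only setting in the provider that is specific to your own Lansweeper Site.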

Create a service account

This service account grants Lansweeper permission to read resource data in your projects and organization.

  1. Follow Google’s documentation to Create service accounts.

  2. Assign the following roles:

    • Viewer (for scanning project assets)

    • Folder Viewer (to read folder structures)

    • Organization Viewer (to read organizational metadata)

  3. Save the new service account.

  4. Copy the Service account email address as you’ll need it later.

Recommendation

The predefined Viewer role is typically sufficient. Ensure that no editor or write-level permissions are granted.

Configure access to the Workload Identity Pool

You’ll now allow identities federated through your Lansweeper Workload Identity Pool to impersonate the GCP service account.

  1. Follow Google’s documentation to Manage workload identity pools and providers.

  2. In the Attribute name field, select subject and enter:

    866d6f4d-c8fa-4342-9f6a-377932892ee0

Enable access across multiple projects (optional)

If your GCP environment includes multiple projects you want to scan:

  1. In each project, go to IAM & Admin > IAM.

  2. Find the service account created for Lansweeper.

  3. Grant it the Viewer role at the project level.

This allows the service account to list and read resources across all targeted projects.

Next steps

Now that you have prepared your GCP environment, you can create a Cloud Discovery action to connect with Lansweeper Sites.