Prerequisites
- GCP project or organization with permissions to create service accounts, IAM roles, and Workload Identity pools
- Google Cloud CLI (gcloud) installed and authenticated
- Access to the Draftt dashboard (Integrations > GCP)
Setup Methods
Draftt supports three installation methods. Workload Identity Federation via CLI is recommended.
Workload Identity Federation - CLI (Recommended)
You can select any project under the organization to host the pool and service account. However, that project must have the required APIs enabled.
Enable necessary APIs
Make sure that both the IAM Service Account Credentials API (iamcredentials.googleapis.com) and the Cloud Resource Manager API (cloudresourcemanager.googleapis.com) are enabled in the project you selected.
Add the Draftt AWS Provider to the Pool
Define AWS as a trusted identity provider. The AWS account ID (339712924365) is Draftt's production account, which hosts the draftt-fetcher service used to fetch data from your GCP project. Trusting the account only lets identities from it authenticate to the pool; which AWS identity may actually use the service account is decided by the impersonation binding in the step below.
Grant permissions to the Service Account
Assign the read-only roles (roles/viewer, roles/browser and roles/iam.securityReviewer) to the service account at the organization level, or at the project level if you chose Project Level scope.
Allow AWS Role to act as the GCP Service Account
Authorize Draftt's AWS role (arn:aws:sts::339712924365:assumed-role/draftt-fetcher) to impersonate the GCP service account by granting it roles/iam.workloadIdentityUser on the service account, matched through the pool's aws_role attribute rather than the whole AWS account.
Generate Credentials JSON
Create a non-sensitive JSON credentials configuration file that links the workload identity pool, provider, and service account together.
Unlike a service account key, a credential configuration file does not contain a private key: access still requires the AWS credentials of the trusted role, so the file does not need to be kept confidential.
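As an added example (not part of the Draftt documentation or its tooling), the following POSIX shell script carries out the CLI steps above in order with gcloud, including the service account and pool creation that precede the provider step. It uses the pool, provider, service account and role names this page uses; PROJECT_ID, ORG_ID and the placeholder project number printed in dry-run mode are assumptions. Without the "apply" argument it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not Draftt's own tooling: Workload Identity Federation setup
# for the Draftt integration, end to end, with gcloud. Names match the page;
# PROJECT_ID / ORG_ID are yours and the dry-run placeholders are constructed.
set -eu

SA_NAME="draftt-wif-int-readonly"
POOL_ID="draftt-wif-integration"
PROVIDER_ID="draftt-wif-aws-integration"
DRAFTT_AWS_ACCOUNT="339712924365"
DRAFTT_AWS_ROLE="arn:aws:sts::${DRAFTT_AWS_ACCOUNT}:assumed-role/draftt-fetcher"
READONLY_ROLES="roles/viewer roles/browser roles/iam.securityReviewer"
MODE="${1:-dry-run}"

# Service account e-mail in the project (id, not number) that owns it.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$1"
}

# IAM member that matches only Draftt's fetcher role through the pool's
# aws_role attribute. Pool resource names take the project NUMBER.
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.aws_role/%s' \
    "$1" "$POOL_ID" "$DRAFTT_AWS_ROLE"
}

# Full provider resource name, as create-cred-config expects it.
provider_name() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$1" "$POOL_ID" "$PROVIDER_ID"
}

# Execute in apply mode, print the command otherwise.
run() {
  if [ "$MODE" = "apply" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

setup_draftt_wif() {
  project_id="$1" org_id="$2" project_number="$3"
  sa="$(sa_email "$project_id")"

  run gcloud services enable iamcredentials.googleapis.com cloudresourcemanager.googleapis.com \
    --project="$project_id"

  run gcloud iam service-accounts create "$SA_NAME" --project="$project_id" \
    --display-name="$SA_NAME" --description="A read only service account for Draftt integration"

  run gcloud iam workload-identity-pools create "$POOL_ID" --project="$project_id" \
    --location=global --description="Workload Identity Pool for Draftt.io integration"

  # Trusting the account lets its identities reach the pool; the impersonation
  # binding further down decides which of them may use the service account.
  run gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --project="$project_id" --location=global --workload-identity-pool="$POOL_ID" \
    --account-id="$DRAFTT_AWS_ACCOUNT"

  # Read-only roles at the organization level (swap in "gcloud projects" for Project Level scope).
  for role in $READONLY_ROLES; do
    run gcloud organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:$sa" --role="$role" --condition=None
  done

  # Only the draftt-fetcher role, not every identity in the AWS account, may impersonate.
  run gcloud iam service-accounts add-iam-policy-binding "$sa" --project="$project_id" \
    --role=roles/iam.workloadIdentityUser --member="$(wif_member "$project_number")"

  # Credential configuration: no private key, only the pool/provider/SA linkage.
  run gcloud iam workload-identity-pools create-cred-config "$(provider_name "$project_number")" \
    --service-account="$sa" --aws --output-file=draftt-credentials.json
}

if [ "$MODE" = "apply" ]; then
  : "${PROJECT_ID:?set PROJECT_ID}" "${ORG_ID:?set ORG_ID}"
  PROJECT_NUMBER="$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')"
  setup_draftt_wif "$PROJECT_ID" "$ORG_ID" "$PROJECT_NUMBER"
else
  # Constructed placeholders so the dry run prints complete commands.
  setup_draftt_wif "${PROJECT_ID:-my-gcp-project}" "${ORG_ID:-123456789012}" "${PROJECT_NUMBER:-987654321098}"
fi
```

Run `sh draftt-wif-setup.sh` first to review the commands, then `PROJECT_ID=... ORG_ID=... sh draftt-wif-setup.sh apply`. The member string uses `attribute.aws_role` with the exact fetcher ARN; a binding on `attribute.aws_account` would instead let any role in Draftt's AWS account impersonate the service account.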
Workload Identity Federation - UI
Select either Organization Level or Project Level scope.
You can select any project under the organization to host the pool and service account. However, that project must have the required APIs enabled.
Create a GCP Service Account
Go to Service Accounts and click Create service account. Use the following values:
- Service account name: draftt-wif-int-readonly
- Service account ID: draftt-wif-int-readonly
- Description: A read only service account for Draftt integration
Grant the service account these roles (at the organization level, or at the project level for Project Level scope):
- Viewer
- Browser
- iam.securityReviewer
Create a Workload Identity Pool
Go to Workload Identity Pools and click Create pool. Use the following values:
- Pool name: draftt-wif-integration
- Pool ID: draftt-wif-integration
- Description: Workload Identity Pool for Draftt.io integration
Then add AWS as a provider to the pool:
- Provider name: draftt-wif-aws-integration
- Provider ID: draftt-wif-aws-integration
- AWS Account ID: 339712924365
Grant Draftt permissions to impersonate the service account
Click Grant access. In the left panel, choose Grant access using service account impersonation. Choose the service account created in Step 1. Under Select principals, choose the aws_role attribute name and enter Draftt's fetcher role: arn:aws:sts::339712924365:assumed-role/draftt-fetcher. Click Save.
In the Configure your application window, choose draftt-wif-aws-integration as the provider and download the JSON config file. This file does not include any secrets.
Service Account Keys
Name your integration
In Draftt, fill in the Integration Name field. Select either Organization Level or Project Level scope.
Create a GCP Service Account
In the Google Cloud console, go to Service Accounts in your project and select Create Service Account. Enter the service account details and select Create and Continue. Attach the following roles at the organization level:
- Viewer
- Browser
- iam.securityReviewer
Generate a JSON key
At the project level, select Service Accounts and select the Draftt service account. Select Keys > Manage Keys > Add Key > Create new key. Select JSON > Create. A JSON file will be downloaded to your machine.
Unlike a Workload Identity Federation credential configuration, this file contains the service account's private key. Treat it as a long-lived secret: store it only where Draftt needs it, do not commit it to source control, and delete the key from the service account if it is ever exposed.
What Draftt Reads
Draftt's service account is read-only. It cannot create, modify, or delete any resources in your GCP environment. The required roles provide access to resource metadata across compute (Compute Engine, GKE, Cloud Run, Cloud Functions), storage (Cloud Storage, Filestore), databases (Cloud SQL, Spanner, Memorystore), networking (VPC, Load Balancing, Cloud CDN), and security (IAM, Secret Manager, KMS).
Verifying Your Connection
After setup, return to Integrations > GCP in Draftt. Each connected project or organization shows a status:
- Healthy - All required access is in place. Draftt is collecting data as expected.
- Unhealthy - Something is wrong with the service account or permissions. Verify the WIF configuration (or the service account key) and the IAM role bindings.
Troubleshooting
WIF authentication fails: Confirm the AWS account ID (339712924365) matches in the provider configuration. Verify the service account email and project number are correct in the credential config, and that the roles/iam.workloadIdentityUser binding on the service account uses the exact fetcher role ARN (arn:aws:sts::339712924365:assumed-role/draftt-fetcher) and the number of the project that owns the pool.
Missing resources in inventory: Check that the service account has roles/viewer, roles/browser and roles/iam.securityReviewer at the correct scope (organization vs. project). New connections may take one scan cycle to fully populate.
API not enabled errors: Ensure both cloudresourcemanager.googleapis.com and iamcredentials.googleapis.com are enabled in your project.