Prerequisites
- GCP project or organization with permissions to create service accounts, IAM roles, and Workload Identity pools
- Google Cloud CLI (gcloud) installed and authenticated
- Access to the Draftt dashboard (Integrations > GCP)
Setup Methods
Draftt supports three installation methods. Workload Identity Federation via CLI is recommended.
Workload Identity Federation - CLI (Recommended)
The most secure method. It uses WIF to let Draftt’s AWS-based infrastructure authenticate to your GCP environment without any long-lived credentials being created or stored.
Enter project details
In Draftt, go to Integrations > GCP > Add. Select either Organization or Project scope. Enter your GCP Project ID and (if organization scope) your Organization ID.
Grant read-only roles
Assign the required read-only roles at the organization or project level. For project scope, replace gcloud organizations add-iam-policy-binding YOUR_ORG_ID with gcloud projects add-iam-policy-binding YOUR_PROJECT_ID.
Workload Identity Federation - UI
Same WIF approach as the CLI method, but configured through the GCP Console UI instead of the command line. Follow the guided steps in the Draftt setup dialog, which walks you through creating the pool, provider, and service account in the GCP Console.
Service Account Keys
For environments where WIF is not available. Creates a traditional service account key pair.
- In Draftt, go to Integrations > GCP > Add and select the Service Account Keys tab
- Create a service account in your GCP project with the required read-only roles (roles/viewer, roles/browser, roles/iam.securityReviewer)
- Generate a JSON key for the service account
- Upload the JSON key file in the Draftt setup dialog and click Create
What Draftt Reads
Draftt’s service account is read-only. It cannot create, modify, or delete any resources in your GCP environment. The required roles provide access to resource metadata across compute (Compute Engine, GKE, Cloud Run, Cloud Functions), storage (Cloud Storage, Filestore), databases (Cloud SQL, Spanner, Memorystore), networking (VPC, Load Balancing, Cloud CDN), and security (IAM, Secret Manager, KMS).
Verifying Your Connection
After setup, return to Integrations > GCP in Draftt. Each connected project or organization shows a status:
- Healthy - All required access is in place. Draftt is collecting data as expected.
- Unhealthy - Something is wrong with the service account or permissions. Verify the WIF configuration and IAM role bindings.
Troubleshooting
WIF authentication fails: Confirm the AWS account ID (339712924365) matches in the provider configuration. Verify the service account email and project number are correct in the credential config.
Missing resources in inventory: Check that the service account has roles/viewer and roles/browser at the correct scope (organization vs. project). New connections may take one scan cycle to fully populate.
API not enabled errors: Ensure both cloudresourcemanager.googleapis.com and iamcredentials.googleapis.com are enabled in your project.
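As an added example (not Draftt’s own tooling), the following script covers both the "Grant read-only roles" step and the "Missing resources in inventory" check above: it reads an IAM policy exported with gcloud projects get-iam-policy PROJECT --format=json (or the gcloud organizations get-iam-policy equivalent), reports which of the three required roles the service account lacks, flags broad write roles that would contradict the read-only promise, and prints the add-iam-policy-binding command for each missing role at the chosen scope. The service account, project and user names in the sample policy are hypothetical.

```python
import json

# Roles this guide lists for the Draftt collector service account.
REQUIRED_ROLES = {"roles/viewer", "roles/browser", "roles/iam.securityReviewer"}
# Broad roles that would contradict the read-only promise if bound to it.
WRITE_ROLES = {"roles/owner", "roles/editor"}


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in an exported IAM policy."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def audit_service_account(policy: dict, sa_email: str, scope: str, target: str) -> dict:
    """Report missing required roles, excessive write roles, and the gcloud
    commands that would add what is missing at the chosen scope."""
    if scope not in ("organization", "project"):
        raise ValueError("scope must be 'organization' or 'project'")
    member = f"serviceAccount:{sa_email}"
    held = roles_for_member(policy, member)
    missing = sorted(REQUIRED_ROLES - held)
    resource = "organizations" if scope == "organization" else "projects"
    fixes = [
        f'gcloud {resource} add-iam-policy-binding {target} '
        f'--member="{member}" --role={role}'
        for role in missing
    ]
    return {"missing": missing, "excessive": sorted(held & WRITE_ROLES), "fix_commands": fixes}


# Constructed sample policy (hypothetical names): the account holds
# roles/viewer, lacks the other two required roles, and also has roles/editor.
SAMPLE_SA = "draftt@example-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads(f"""{{
  "bindings": [
    {{"role": "roles/viewer", "members": ["serviceAccount:{SAMPLE_SA}"]}},
    {{"role": "roles/editor", "members": ["serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]}},
    {{"role": "roles/browser", "members": ["user:alice@example.com"]}}
  ]
}}""")

if __name__ == "__main__":
    report = audit_service_account(SAMPLE_POLICY, SAMPLE_SA, "project", "example-proj")
    print(json.dumps(report, indent=2))
```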