# GCP - getting started

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fgcp%2Fgcp-getting-started.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fdocs-docusaurus.kinsta.page%2Fintegrations%2Fgcp%2Fgcp-getting-started.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

## Overview[​](#overview "Direct link to Overview")

Coralogix offers a number of basic integrations with Google Cloud Platform. However, a prerequisite for each is that you first **Configure a Service Account**. Once you have created a Service Account and its corresponding API key, access your integration-specific instructions in the table below:

| [GCP Logs](https://docs-docusaurus.kinsta.page/integrations/gcp/gcp-logs/.md)       | [Google Workspace Users](https://docs-docusaurus.kinsta.page/integrations/gcp/google-workspace-users/.md)           |
| ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| [GCP Traces](https://docs-docusaurus.kinsta.page/integrations/gcp/gcp-traces/.md)   | [Google Alert Center](https://docs-docusaurus.kinsta.page/integrations/gcp/google-workspace-alert-center/.md)       |
| [GCP Metrics](https://docs-docusaurus.kinsta.page/integrations/gcp/gcp-metrics/.md) | [GCP Infrastructure Explorer](https://docs-docusaurus.kinsta.page/integrations/gcp/gcp-infrastructure-explorer/.md) |

## Configure a Service Account[​](#configure-a-service-account "Direct link to Configure a Service Account")

This should be done before any GCP integration with Coralogix. Please make sure that you have **Super admin** permissions. Also, you should have an existing project within Google Cloud. Your new service account will be created there.

Coralogix supports authentication using a service account key or by principal impersonation.

### Configuration overview[​](#configuration-overview "Direct link to Configuration overview")

On the Google Cloud side, basic Service Account configuration is done in two steps:

**Step 1.** First, create a new Service Account to authenticate with Coralogix.

**Step 2.** Set up authentication based on your chosen method:

* For key-based authentication, generate an API key for Coralogix.

* For impersonation, grant the `Service Account Token Creator` role to the Coralogix principal associated with that integration during the integration setup.

### Configuration steps[​](#configuration-steps "Direct link to Configuration steps")

##### Step 1. Create a Service Account[​](#step-1-create-a-service-account "Direct link to Step 1. Create a Service Account")

**1.** Sign in to the Google Cloud Console and choose the project where you want to create the service account.

**2.** Go to **IAM & Admin** in the menu and scroll down to **Service Accounts**.

**3.** On the **Service accounts** list, click **+ CREATE SERVICE ACCOUNT**.

**4.** Input your service account details: name, account ID, and description. Click **CREATE AND CONTINUE**.

**5.** Based on the type of integration you are setting up, you may need to assign specific roles to the service account.

* **GCP Logs:** To collect logs, select the `Pub/Sub Subscriber` role.

* **GCP Traces:** To collect traces, select `BigQuery Job User` and `BigQuery Data Viewer` .

* **GCP Metrics:** To collect metrics, select `Compute Viewer`, `Monitoring Viewer`, and `Cloud Asset Viewer.`

* **Google Workspace Users:** You don’t need to assign roles for this service account.

* **Google Alerts Center:** You don’t need to assign roles for this service account.

At the end, click **CONTINUE** and **DONE** in the step below. Your service account is now ready for use.

**6.** Find the new service account on the list. Note down the **OAuth 2 Client ID**. You will need it to finish this tutorial.

[![](/assets/images/google-workspace20-accounts-1-ed0399671fc2f960c635d831ddce2a3d.jpg)](https://docs-docusaurus.kinsta.page/assets/images/google-workspace20-accounts-1-ed0399671fc2f960c635d831ddce2a3d.jpg)

##### Step 2. Create a Private Key (for key-based authentication only)[​](#step-2-create-a-private-key-for-key-based-authentication-only "Direct link to Step 2. Create a Private Key (for key-based authentication only)")

**1.** Click the three dots in the rightmost **Actions** column and choose **Manage keys**.

[![](/assets/images/manage-keys-1-e5a36c0ccc5a3dc1e28e51959ab6230b.webp)](https://docs-docusaurus.kinsta.page/assets/images/manage-keys-1-e5a36c0ccc5a3dc1e28e51959ab6230b.webp)

**2.** Click **Add Key and** choose the JSON **Key type**. Download it and store locally. You will need to upload it to your Coralogix integration.

### Impersonation Authentication: Customer ID Whitelisting[​](#impersonation-authentication-customer-id-whitelisting "Direct link to Impersonation Authentication: Customer ID Whitelisting")

This section applies to organizations that have [domain restricted sharing](https://docs.cloud.google.com/resource-manager/docs/organization-policy/domain-restricted-sharing) enabled.

**Important Security Notice:**

Coralogix does not share its GCP organization or customer ID for whitelisting due to security risks. Sharing this ID could expose our internal IAM mechanism and is not a recommended practice.

#### Recommended Approach for Customers[​](#recommended-approach-for-customers "Direct link to Recommended Approach for Customers")

* Please use fine-grained IAM policies (e.g., `iam.managed.allowedPolicyMembers`) to whitelist only the required service accounts or principals for impersonation-based authentication.
* If your organization policy only supports org/customer ID whitelisting, we cannot support this integration due to security risks. We recommend discussing alternative authentication flows, such as domain-based whitelisting, or direct service account whitelisting.

#### Why Organization/Customer ID Whitelisting (`iam.allowedPolicyMemberDomains`) Is Not Supported[​](#why-organizationcustomer-id-whitelisting-iamallowedpolicymemberdomains-is-not-supported "Direct link to why-organizationcustomer-id-whitelisting-iamallowedpolicymemberdomains-is-not-supported")

##### Security Risks[​](#security-risks "Direct link to Security Risks")

* Sharing our GCP organization or customer ID exposes our internal IAM structure and could allow broad access to all principals in our organization, increasing risk of privilege escalation or misconfiguration.
* Our security department has determined that sharing this ID is not a safe practice and is not permitted for Coralogix integrations.

##### Why We Recommend Against This Approach[​](#why-we-recommend-against-this-approach "Direct link to Why We Recommend Against This Approach")

* The `iam.allowedPolicyMemberDomains` constraint is coarse-grained: it allows any principal from the whitelisted organization/customer, not just the required service accounts.
* This method does not provide the necessary control or auditability for secure integrations.

##### Secure Alternatives (Recommended)[​](#secure-alternatives-recommended "Direct link to Secure Alternatives (Recommended)")

Use the `iam.managed.allowedPolicyMembers` constraint to specify only the required service accounts:

```
resource: //cloudresourcemanager.googleapis.com/organizations/YOUR_ORG_ID

constraint: constraints/iam.managed.allowedPolicyMembers

allowed_values:

	- serviceAccount:your-sa@cx-project.iam.gserviceaccount.com
```

## Next Steps[​](#next-steps "Direct link to Next Steps")

Now that you have created a Service Account and an API key, consult our integration-specific tutorials. For these, you will need to use the Coralogix platform.
