ops0 connects to Google Cloud using project-level access and a service account. You can use the integration for discovery, infrastructure changes, and inventory across the target project.
Go to Settings > Integrations > Add Integration.
Choose Google Cloud from the provider list.
Provide the target project ID and upload the service account key.
Click Connect to verify access.
ops0 supports two ways to authenticate with GCP:
| Method | Best for |
|---|---|
| Service Account Key (JSON) | Automated/CI use — stable long-lived credentials |
| Google OAuth | Interactive setup — authenticates as your Google account |
Upload a JSON key file for a GCP service account. This is the standard method for production integrations.
Click Connect with Google to authenticate via your Google account. ops0 redirects you to Google's consent screen, you approve access, and ops0 stores the refresh token. Tokens are refreshed automatically before they expire.
OAuth is convenient for personal GCP projects or quick trials. For shared team integrations, service account keys are more reliable since they don't depend on a personal account's continued access.
| Field | Required | Description |
|---|---|---|
| Name | Yes | Integration name |
| Project ID | Yes | GCP project ID |
| Service Account Key | Yes (if using key auth) | JSON key file for the service account |
By default the integration scans a single GCP project. To scan across a folder hierarchy or your entire organization, configure the scope:
| Scope | Description |
|---|---|
| Project | Scan resources in a single GCP project (default) |
| Folder | Scan all projects under a GCP folder |
| Organization | Scan all projects in your GCP organization |
| Field | When Required | Description |
|---|---|---|
| Organization ID | Organization scope | Your GCP organization numeric ID |
| Folder ID | Folder scope | The folder numeric ID to scan under |
| Included Projects | Optional | Limit to specific project IDs |
| Excluded Projects | Optional | Skip specific project IDs |
roles/resourcemanager.folderViewer — to enumerate projects under a folderroles/resourcemanager.organizationViewer — to enumerate all projects in the orgroles/cloudasset.viewer — for Cloud Asset Inventory scanningFor folder and organization scope, the service account must be granted roles at the folder or organization level, not just at the project level. Grant the roles on the folder/org node in IAM.
Go to GCP Console and open IAM & Admin.
Create a dedicated service account for ops0.
Assign the roles needed for discovery or deployment based on your use case.
Generate the key file and upload it in the integration form.
roles/editor or a custom least-privilege set covering the resources you manageroles/viewerroles/compute.viewerroles/storage.objectViewerIf you don't want to use roles/editor, create a custom role that covers only the services ops0 should read or manage.
After an integration is connected, you can change which GCP project it targets without re-creating the integration:
The integration updates immediately. Future discovery scans and deployments use the newly selected project.
Confirm the service account has the required roles on the project.
Re-download the key and make sure the uploaded file is a valid service account credential.
Double-check the project ID in the integration matches the project where resources live.