Configure a GCP Cloud Account

Configure a Cloud Account

Requirements

To successfully integrate your GCP account with env0, ensure the following prerequisites are met in your GCP project:

Enable Cloud Logging API for your GCP project

The Cloud Logging API must be enabled for your GCP project to allow env0 to read log data.

  • Verify the Cloud Logging API status
    • If not enabled, proceed to enable it.

Create a Service Account with permissions to read logs

You need a dedicated Service Account that env0 will use to read logs from your GCP project.

  • Navigate to IAM & Admin > Service Accounts in the GCP Console
  • Create a new Service Account
  • Ensure this Service Account is granted permissions to read logs. The predefined roles/logging.viewer role is recommended for this purpose, as it provides the necessary read access to logs.


Create a Workload Identity Pool and OIDC Provider

Workload Identity Federation enables secure, keyless authentication for external identities like env0.

  • Navigate to IAM & Admin > Workload Identity Federation
  • Create a new Workload Identity Pool
  • Within this pool, create a new Workload Identity OIDC Provider
  • For detailed instructions on this process, refer to the env0 guide on OIDC with Google Cloud Platform.


Grant impersonation rights to the OIDC principal on the Service Account

This step connects your newly created Service Account with the Workload Identity Pool, allowing env0 (via the OIDC provider) to impersonate the Service Account and assume its permissions.

  • From within your Workload Identity Pool, click on Grant Access
  • Select the Grant access using service account impersonation radio button
  • Choose the Service Account you created
  • For the Subject value, copy it directly from the env0 application by clicking on Show OIDC Token in the Cloud Account Wizard. This value uniquely identifies the env0 organization within your OIDC setup.



Setting Up Access Configuration

Once the GCP prerequisites are satisfied, you will configure the Cloud Account in env0.

Fill the Account Config form

In the env0 Cloud Account configuration form, you'll need to specify the following details:

Account name: A descriptive name for your account in env0 (for identification purposes only)

Project ID: Your Google Cloud Project ID (the alphanumeric string identifier)

JSON configuration file content: The content of the credential configuration file, explained in the next step.

Download the JSON configuration file content

This JSON file contains the necessary credentials for env0 to authenticate with your GCP Workload Identity Pool Provider.

  • In your Workload Identity Pool, navigate to the Connected Service Accounts tab
  • Locate the Service Account you connected to the pool and click the Download button next to it
  • In the download dialog:
    • Select the OIDC provider you previously created
    • Enter "file.json" in the OIDC ID token path field
    • Select "json" in the Format type dropdown
    • Keep "access_token" as the value in the Subject token field name
    • Click Download config
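
Before pasting the downloaded file into the env0 form, it is worth checking that it is a keyless Workload Identity Federation configuration, that it impersonates the Service Account you intended, and that it carries the dialog values listed above. The following is an added example, not env0's or Google's code: it assumes the file follows Google's external_account credential configuration layout, and `check_config` and all sample values are hypothetical.

```python
import json
import re

# Values this page says to enter in the download dialog.
EXPECTED_SOURCE = {
    "file": "file.json",
    "format": {"type": "json", "subject_token_field_name": "access_token"},
}
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/providers/[^/]+$")
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/"
    r"serviceAccounts/([^/:]+):generateAccessToken$")
# Fields found only in credential files that carry long-lived secrets.
SECRET_FIELDS = {"private_key", "private_key_id", "client_secret"}

def check_config(text, expected_sa):
    """Return a list of problems in the downloaded config (empty means OK)."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict) or cfg.get("type") != "external_account":
        return ["not an external_account credential configuration"]
    problems = []
    if SECRET_FIELDS.intersection(cfg):
        problems.append("contains secret key material")
    if not AUDIENCE_RE.match(str(cfg.get("audience", ""))):
        problems.append("audience is not a workload identity pool provider")
    match = IMPERSONATION_RE.match(
        str(cfg.get("service_account_impersonation_url", "")))
    if not match:
        problems.append("service_account_impersonation_url missing or malformed")
    elif match.group(1) != expected_sa:
        problems.append(f"impersonates {match.group(1)}, not {expected_sa}")
    if cfg.get("credential_source") != EXPECTED_SOURCE:
        problems.append("credential_source differs from the dialog values")
    return problems

# Constructed sample, trimmed to the fields checked; all names are placeholders.
SA = "env0-log-reader@example-project.iam.gserviceaccount.com"
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global"
                "/workloadIdentityPools/example-pool/providers/example-oidc",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com"
        f"/v1/projects/-/serviceAccounts/{SA}:generateAccessToken",
    "credential_source": EXPECTED_SOURCE,
})
```

Call `check_config(open(path).read(), "<your service account email>")` on the downloaded file; an empty list means it matches the setup described on this page.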