# Google Cloud Platform (GCP)

## Overview

The [Google Cloud Platform (GCP)](https://cloud.google.com/) integration connects data from your GCP account to your Sola workspace, making it easy to search and find answers to your specific use cases.

The GCP integration gives you a complete view of your GCP environment, allowing you to monitor and analyze GCP security posture and potential threats.

With the GCP integration, you can:

* Ensure cloud security best practices
* Gain full visibility into your cloud resources
* Identify security risks across your cloud environment

{% hint style="warning" %}
**Your data can only be retrieved, never modified.**

Once connected, your data is securely stored, and access is restricted to retrieving configurations and metadata only. Authentication methods ensure secure delegation of permissions while maintaining data integrity.
{% endhint %}

{% hint style="info" %}
**No hidden indirect cloud provider charges**\
The Sola integration won’t use resources that increase your cloud costs.
{% endhint %}

## Set up GCP data source integration with Sola

{% columns %}
{% column width="75%" %}
Go to ***Integrations*** > [***Data Sources***](https://app.sola.security/integrations/data-sources) > click ***New data source*** > select ***GCP***.

*The Sola wizard will take you through the steps.*
{% endcolumn %}

{% column width="25%" %} <a href="https://app.sola.security/integrations/data-sources?integration=gcp" class="button primary">Set up GCP -></a>

{% endcolumn %}
{% endcolumns %}

### Connect GCP Organization to Sola <a href="#gcp-organization" id="gcp-organization"></a>

To connect GCP, you'll need a GCP account with the necessary permissions to create a service account.

{% hint style="info" %}
GCP organization connection method is available on [paid plans](https://sola.security/pricing/).
{% endhint %}

{% tabs %}
{% tab title="Service Account" %}
**Connect at the organization level** to manage multiple GCP projects through a single integration.

This method utilizes a GCP Service Account at the organization root to securely grant Sola read-only access to your GCP services and resources across all projects.

* Service Account Key

{% hint style="info" %}
The **setup script**, provided in the Sola wizard, creates the relevant resources needed for accessing GCP data and extracting it to Sola:

1. **Enabling services**: `admin`, `alloydb`, `apikeys`, `appengine`, `bigquery`, `bigtableadmin`, `cloudasset`, `cloudbilling`, `cloudfunctions`, `cloudkms`, `cloudresourcemanager`, `cloudscheduler`, `composer`, `compute`, `container`, `dataplex`, `dataproc`, `dns`, `file`, `groupssettings`, `iam`, `logging`, `metastore`, `recommender`, `redis`, `run`, `secretmanager`, `servicemanagement`, `serviceusage`, `spanner`, `storage`, `vpcaccess`
2. **Creating a service account** in the provided Sola project
3. **Binding the service account roles** at organization root
4. **Creating a deny policy** for each excluded project or folder, if applicable
5. **Creating a service account key**

**For troubleshooting**, see [setup script common errors](#troubleshooting-gcp-organization-setup-script-common-errors) below.
{% endhint %}
{% endtab %}
{% endtabs %}

#### Troubleshooting GCP Organization setup script common errors

Use the table below to troubleshoot errors returned in your GCP console by the setup script.

| Error code           | Description                                                                                                 | Resolution                                                                                                                                                                                                                           |
| -------------------- | ----------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| MISSING\_PERMISSIONS | Your GCP account lacks a required IAM permission.                                                           | Ensure all required roles are assigned to your account and re-run the script: Organization Administrator, Organization Policy Administrator, Billing Account Administrator, Deny Admin (if excluded projects/folders are specified). |
| RESOURCE\_NOT\_FOUND | A required GCP resource does not exist or is not visible to you.                                            | Verify the ID in the GCP Console and re-run the script.                                                                                                                                                                              |
| RESOURCE\_EXISTS     | A resource with the requested name already exists.                                                          | Re-run the script.                                                                                                                                                                                                                   |
| QUOTA\_EXCEEDED      | A GCP quota limit has been reached.                                                                         | Delete unused resources or request a quota increase in the GCP Console.                                                                                                                                                              |
| BILLING\_DISABLED    | Billing is not enabled on the selected project                                                              | Enable billing at <https://console.cloud.google.com/billing> and re-run.                                                                                                                                                             |
| UNAUTHENTICATED      | The gcloud CLI is not authenticated.                                                                        | Run `gcloud auth login` and try again.                                                                                                                                                                                               |
| POLICY\_BLOCKED      | An organization policy is blocking the operation.                                                           | Check organization policies in the GCP Console or contact your org admin and try again.                                                                                                                                              |
| PROPAGATION\_TIMEOUT | A GCP change (service account creation or policy update) did not propagate within the expected time window. | Wait a few minutes and try again.                                                                                                                                                                                                    |
| UNEXPECTED\_ERROR    | An unexpected error occurred.                                                                               | Try again and [contact Sola Support](https://help.sola.security/support/tickets/new) if the issue persists.                                                                                                                          |

### Connect GCP Single Project to Sola <a href="#gcp-single-project" id="gcp-single-project"></a>

To connect GCP, you'll need a GCP account with the necessary permissions to create a service account.

{% tabs %}
{% tab title="Service Account" %}
**Connect a single GCP project.**

Recommended for secure, production environments. These methods utilize a GCP Service Account within your project to securely grant Sola read-only access to your GCP services and resources.

* Service Account Key (Recommended)
* Terraform

{% hint style="info" %}
The **setup script**, provided in the Sola wizard, creates the relevant resources needed for accessing GCP data and extracting it to Sola:

1. **Creating service account** - Creates a service account in the project and binds it to the roles: `viewer`, `iam.securityReviewer`, `cloudasset.viewer`
2. **Enabling services** - Enables the following APIs: `admin`, `alloydb`, `apikeys`, `appengine`, `bigquery`, `bigtableadmin`, `cloudasset`, `cloudbilling`, `cloudfunctions`, `cloudkms`, `cloudresourcemanager`, `cloudscheduler`, `composer`, `compute`, `container`, `dataplex`, `dataproc`, `dns`, `file`, `groupssettings`, `iam`, `logging`, `metastore`, `recommender`, `redis`, `run`, `secretmanager`, `servicemanagement`, `serviceusage`, `spanner`, `storage`, `vpcaccess`
3. **Creating service account key** - Temporarily disables the `iam.disableServiceAccountKeyCreation` org policy, waits for propagation, creates the key, then re-enables the policy

**For troubleshooting**, see [setup script common errors](#troubleshooting-azure-setup-script-common-errors) below.
{% endhint %}
{% endtab %}
{% endtabs %}
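
To confirm after setup that the service account holds only the three read-only roles listed above, the project IAM policy can be compared against that set. The following is an added example, not part of the Sola setup script; the service account name, sample policy, and file name `audit.py` are constructed for illustration.

```python
import json
import sys

# Roles the single-project setup script is documented to bind.
EXPECTED_ROLES = {
    "roles/viewer",
    "roles/iam.securityReviewer",
    "roles/cloudasset.viewer",
}

# Constructed sample policy and service account name (not real values).
SAMPLE_SA = "sola-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{SAMPLE_SA}", "user:alice@example.com"]},
        {"role": "roles/iam.securityReviewer",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/editor",  # drift: write access added after setup
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/cloudasset.viewer",
         "members": ["user:alice@example.com"]},
    ]
}


def audit_bindings(policy, sa_email):
    """Compare the roles bound to sa_email with the documented read-only set."""
    member = f"serviceAccount:{sa_email}"
    granted = {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }
    return {
        "missing": sorted(EXPECTED_ROLES - granted),
        "unexpected": sorted(granted - EXPECTED_ROLES),
        "ok": granted == EXPECTED_ROLES,
    }


if __name__ == "__main__":
    # gcloud projects get-iam-policy PROJECT_ID --format=json | python audit.py SA_EMAIL
    if len(sys.argv) > 1:
        report = audit_bindings(json.load(sys.stdin), sys.argv[1])
    else:
        report = audit_bindings(SAMPLE_POLICY, SAMPLE_SA)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["ok"] else 1)
```

The project policy returned by `gcloud projects get-iam-policy` contains only bindings set on the project itself, so roles inherited from a folder or the organization need the same check against those policies.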

#### Troubleshooting Single Project setup script common errors <a href="#troubleshooting-azure-setup-script-common-errors" id="troubleshooting-azure-setup-script-common-errors"></a>

| Error Code           | Description                                                                                             | Resolution                                                                                                                                        |
| -------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| MISSING\_PERMISSIONS | Your GCP account lacks a required IAM permission.                                                       | Ensure all required roles are assigned to your account and re-run the script: **Project Owner or Editor**, **Organization Policy Administrator**. |
| RESOURCE\_NOT\_FOUND | A required GCP resource does not exist or is not visible to you.                                        | Verify the project ID in the GCP Console and re-run the script.                                                                                   |
| RESOURCE\_EXISTS     | A resource with the requested name already exists.                                                      | Re-run the script (a new random name will be generated).                                                                                          |
| QUOTA\_EXCEEDED      | A GCP quota limit has been reached (e.g. max service accounts per project).                             | Delete unused resources or request a quota increase in the GCP Console, then re-run.                                                              |
| BILLING\_DISABLED    | Billing is not enabled on the selected project.                                                         | Enable billing at <https://console.cloud.google.com/billing> and re-run.                                                                          |
| UNAUTHENTICATED      | The gcloud CLI is not authenticated.                                                                    | Run `gcloud auth login` and try again.                                                                                                            |
| POLICY\_BLOCKED      | An organization policy is blocking the operation (e.g. key creation policy enforced at a parent level). | Check organization policies in the GCP Console or contact your org admin and try again.                                                           |
| PROPAGATION\_TIMEOUT | A GCP change did not propagate within the expected time window.                                         | Wait a few minutes and try again.                                                                                                                 |
| UNEXPECTED\_ERROR    | An unexpected error occurred.                                                                           | Try again. Contact Sola support if the issue persists.                                                                                            |

## Explore the app gallery for GCP apps

![](/files/bKdo3yzED39AfQ5Oyclq) Get started with [GCP-focused security apps](https://sola.security/app-gallery/?search=gcp), built by our expert team.

<figure><img src="/files/FU8ZgDl6zarBkOtxNXma" alt="Explore the app gallery for GCP apps"><figcaption></figcaption></figure>


