
About the GCP integration

Comp AI connects to Google Cloud Platform over OAuth 2.0 and reads findings from Security Command Center (SCC). No service account JSON key is uploaded — you sign in with a Google account that has access to the organization and projects you want to monitor. After you connect, Comp AI auto-detects your organization, lets you pick projects, then runs a setup step that enables the required APIs and verifies IAM access. Findings are mapped to common frameworks (SOC 2, ISO 27001, CIS GCP Foundations, PCI DSS, HIPAA).
Security Command Center is where all GCP findings originate. If SCC is not enabled at the organization, Comp AI cannot read findings regardless of connection method.

How access works

  • Auth model: OAuth 2.0 with Google, using the cloud-platform scope plus openid, email, profile for account identification. Refresh tokens are stored so scans can run without re-prompting.
  • Real permissions: The OAuth scope only enables API calls — actual access is gated by the IAM roles assigned to the signed-in account. Comp AI only makes read calls.
  • Required role: roles/securitycenter.findingsViewer on the organization (needed to read SCC findings). Project-level roles/viewer is also recommended.
  • Scope: Comp AI scans the projects you select inside the organization the signed-in account belongs to.

Prerequisites

Before connecting GCP, make sure you have:
  1. A GCP organization with Security Command Center enabled — confirm at GCP Console → Security → Risk Overview
  2. A Google account with:
    • roles/securitycenter.findingsViewer on the organization
    • roles/viewer (or equivalent) on the projects you want to scan
  3. Permission to enable APIs on at least one project in the organization (so Comp AI’s setup step can enable SCC, Cloud Resource Manager, and Service Usage APIs if they are not already on)
  4. Admin access to your Comp AI workspace
If Security Command Center is not yet enabled, enable it first at console.cloud.google.com/security/command-center.

Connect GCP

1. Start the connection

In Comp AI, go to Cloud Tests → GCP → Connect. Click Sign in with Google.
2. Authorize with Google

Sign in with a Google account that meets the prerequisites above and approve the consent screen. Comp AI stores the resulting refresh token (never the password) so it can run scheduled scans.
3. Select projects

Comp AI auto-detects your organization and lists the projects that account can access. Pick the ones you want scanned — findings are scoped to those projects.
4. Let auto-setup run

Comp AI’s setup guide runs automatically and shows a checklist:
  • Connected via OAuth
  • Organization detected
  • Required APIs enabled (Security Command Center, Cloud Resource Manager, Service Usage)
  • roles/securitycenter.findingsViewer granted at the organization level
Any step that fails is shown with a one-click Resolve button or a link to the exact GCP console page plus the gcloud command you can run to fix it manually.
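The same checklist can be confirmed from a terminal before connecting. The script below is an added example (not Comp AI's own code): it checks the three required APIs and the organization-level findingsViewer binding against text in the shape gcloud prints, and emits the gcloud command for each unmet item. The project id, organization id, account and both sample listings are constructed.

```shell
# Added pre-flight check for the Comp AI GCP prerequisites (example code, not Comp AI's own).
# It reads the plain-text shape these two gcloud commands print, so it runs here on constructed listings:
#   gcloud services list --enabled --project "$PROJECT" --format='value(config.name)'
#   gcloud organizations get-iam-policy "$ORG_ID" --flatten='bindings[].members' \
#     --format='value[separator=" "](bindings.role,bindings.members)'
REQUIRED_APIS='securitycenter.googleapis.com cloudresourcemanager.googleapis.com serviceusage.googleapis.com'
ORG_ROLE='roles/securitycenter.findingsViewer'

# Read the enabled-services listing on stdin; print each required API that is absent.
missing_apis() {
  enabled=$(cat)
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
  done
}

# Read the flattened policy ("role member" per line) on stdin; succeed only if the member
# is bound directly. A grant inherited via a Google group appears as "group:..." and is
# not matched here, so it is reported as missing (check group membership separately).
has_org_role() {
  awk -v r="$ORG_ROLE" -v m="$1" '$1 == r && $2 == m { found = 1 } END { exit !found }'
}

# preflight PROJECT ORG_ID MEMBER ENABLED_LISTING POLICY_LISTING
# Print the exact gcloud command for each unmet requirement; return 1 if any is unmet.
preflight() {
  project=$1; org=$2; member=$3; unmet=0
  for api in $(printf '%s\n' "$4" | missing_apis); do
    printf 'gcloud services enable %s --project=%s\n' "$api" "$project"; unmet=1
  done
  if ! printf '%s\n' "$5" | has_org_role "$member"; then
    printf 'gcloud organizations add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$org" "$member" "$ORG_ROLE"; unmet=1
  fi
  return $unmet
}

# Constructed sample output: the SCC API is off, and only the reviewer holds the org role.
SAMPLE_ENABLED='cloudresourcemanager.googleapis.com
compute.googleapis.com
serviceusage.googleapis.com'
SAMPLE_POLICY='roles/resourcemanager.organizationViewer user:alice@example.com
roles/securitycenter.findingsViewer user:compliance-reviewer@example.com
roles/securitycenter.adminViewer group:secops@example.com'

if preflight my-project 123456789012 user:alice@example.com "$SAMPLE_ENABLED" "$SAMPLE_POLICY"; then
  echo 'All prerequisites met; connect GCP in Comp AI.'
else
  echo 'Run the commands above, then retry the Comp AI setup step.'
fi
```

For a live check, replace the two sample variables with the output of the gcloud commands in the header comment; the member string must be the exact email shown in the setup guide, prefixed with `user:` (or `serviceAccount:`).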
5. Run your first scan

When all required steps pass, the first scan starts automatically. You can re-run it any time from the connection’s page.

What gets scanned

Comp AI consumes findings from Security Command Center across services including:
Area            Services
Identity        IAM (over-privileged accounts, service account keys)
Storage         Cloud Storage (ACLs, public access, encryption)
Compute         Compute Engine, GKE
Network         VPC Network (firewall rules, flow logs), Cloud Armor
Data            Cloud SQL, BigQuery, Pub/Sub
Cryptography    Cloud KMS
Observability   Cloud Logging, Cloud Monitoring
DNS             Cloud DNS (DNSSEC)

The Services tab inside the connection lets you enable or disable specific check categories.

Compliance frameworks

Findings are mapped to the controls used by:
  • CIS GCP Foundations Benchmark
  • SOC 2
  • ISO 27001
  • PCI DSS
  • HIPAA (where applicable)

Security model

  • Read-only in practice — Comp AI only issues read API calls against SCC and resource manager
  • IAM-bounded — access is limited to what the signed-in account’s IAM roles permit
  • Token storage — refresh tokens are stored in an encrypted vault; they are never returned to the UI
  • Revocable at any time — remove the IAM role, revoke the token at myaccount.google.com/permissions, or delete the connection in Comp AI

Troubleshooting

Confirm SCC is enabled at the organization level (not just one project). Open GCP Console → Security → Risk Overview and check that the organization shows findings.

The signed-in account does not have permission to manage IAM at the organization level. Ask a GCP organization admin to grant roles/securitycenter.findingsViewer to the account (or service account) you connected with. Copy the email shown in the setup guide — that is exactly who needs the role.

The signed-in account lacks the serviceusage.services.enable permission on the target project. Either sign in with an account that has roles/serviceusage.serviceUsageAdmin on the project, or enable the three APIs manually from the API Library:
  • Security Command Center API
  • Cloud Resource Manager API
  • Service Usage API

Comp AI only lists projects the signed-in account has IAM access to. Sign in with a different Google account, or ask an admin to add your account as roles/viewer on the relevant projects.

Support

  1. Email support@trycomp.ai
  2. Join our Discord community