# GCP Cloud Tests

> Connect Google Cloud Platform to Comp AI over OAuth so findings from Security Command Center flow into your compliance posture.

## About the GCP integration

Comp AI connects to Google Cloud Platform over **OAuth 2.0** and reads findings from **Security Command Center (SCC)**. No service account JSON key is uploaded — you sign in with a Google account that has access to the organization and projects you want to monitor.

After you connect, Comp AI auto-detects your organization, lets you pick projects, then runs a setup step that enables the required APIs and verifies IAM access. Findings are mapped to common frameworks (SOC 2, ISO 27001, CIS GCP Foundations, PCI DSS, HIPAA).

<Note>
  Security Command Center is where all GCP findings originate. If SCC is not enabled at the organization, Comp AI cannot read findings regardless of connection method.
</Note>

## How access works

* **Auth model**: OAuth 2.0 with Google, using the `cloud-platform` scope plus `openid`, `email`, `profile` for account identification. Refresh tokens are stored so scans can run without re-prompting.
* **Real permissions**: The OAuth scope only enables API calls — actual access is gated by the **IAM roles** assigned to the signed-in account. Comp AI only makes read calls.
* **Required role**: `roles/securitycenter.findingsViewer` on the **organization** (needed to read SCC findings). Project-level `roles/viewer` is also recommended.
* **Scope**: Comp AI scans the projects you select inside the organization the signed-in account belongs to.

## Prerequisites

Before connecting GCP, make sure you have:

1. A **GCP organization** with **Security Command Center** enabled — confirm at **GCP Console → Security → Risk Overview**
2. A Google account with:
   * `roles/securitycenter.findingsViewer` on the organization
   * `roles/viewer` (or equivalent) on the projects you want to scan
3. Permission to enable APIs on at least one project in the organization (so Comp AI's setup step can enable SCC, Cloud Resource Manager, and Service Usage APIs if they are not already on)
4. Admin access to your Comp AI workspace

<Note>
  If Security Command Center is not yet enabled, enable it first at [console.cloud.google.com/security/command-center](https://console.cloud.google.com/security/command-center).
</Note>

## Connect GCP

<Steps>
  <Step title="Start the connection">
    In Comp AI, go to **Cloud Tests → GCP → Connect**. Click **Sign in with Google**.
  </Step>

  <Step title="Authorize with Google">
    Sign in with a Google account that meets the prerequisites above and approve the consent screen. Comp AI stores the resulting refresh token (never the password) so it can run scheduled scans.
  </Step>

  <Step title="Select projects">
    Comp AI auto-detects your organization and lists the projects that account can access. Pick the ones you want scanned — findings are scoped to those projects.
  </Step>

  <Step title="Let auto-setup run">
    Comp AI's setup guide runs automatically and shows a checklist:

    * Connected via OAuth
    * Organization detected
    * Required APIs enabled (Security Command Center, Cloud Resource Manager, Service Usage)
    * `roles/securitycenter.findingsViewer` granted at the organization level

    Any step that fails is shown with a one-click **Resolve** button or a link to the exact GCP console page plus the `gcloud` command you can run to fix it manually.
  </Step>

  <Step title="Run your first scan">
    When all required steps pass, the first scan starts automatically. You can re-run it any time from the connection's page.
  </Step>
</Steps>
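The auto-setup checklist above boils down to two facts you can verify yourself before you click **Sign in with Google**: does the account you intend to use hold `roles/securitycenter.findingsViewer` directly on the organization, and are the three APIs already enabled on the project that will be used for setup. The following script is an added example, not Comp AI's own code, and it runs offline against JSON you export with `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud services list --enabled --project PROJECT_ID --format=json`. The file names, the organization id, the project id and every principal in the embedded sample data are constructed placeholders; the API service names and the `gcloud` commands it emits are the real ones.

```python
"""Pre-flight check for a Comp AI GCP connection (added example, not Comp AI's code).

Reads two gcloud exports (or falls back to the constructed samples below) and
reports whether the chosen principal holds the required SCC role at the
organization level and which of the three setup APIs are still disabled.
Remediation commands are returned as strings; nothing here calls GCP.
"""
import json
import sys

REQUIRED_ORG_ROLE = "roles/securitycenter.findingsViewer"
REQUIRED_APIS = [
    "securitycenter.googleapis.com",        # Security Command Center API
    "cloudresourcemanager.googleapis.com",  # Cloud Resource Manager API
    "serviceusage.googleapis.com",          # Service Usage API
]

# Constructed sample of `gcloud organizations get-iam-policy ORG_ID --format=json`.
# Principals and the etag are placeholders, not real identities.
SAMPLE_ORG_POLICY = {
    "version": 1,
    "etag": "BwX-constructed",
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:auditor@example.com"]},
        {"role": REQUIRED_ORG_ROLE,
         "members": ["user:auditor@example.com", "group:sec-readers@example.com"]},
        {"role": REQUIRED_ORG_ROLE,
         "members": ["user:bob@example.com"],
         "condition": {"title": "expires-2024",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
    ],
}

# Constructed sample of `gcloud services list --enabled --project PROJECT --format=json`.
# Only two of the three required APIs are on, so the check should flag SCC.
SAMPLE_SERVICES = [
    {"name": "projects/123456789012/services/cloudresourcemanager.googleapis.com",
     "config": {"name": "cloudresourcemanager.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/123456789012/services/serviceusage.googleapis.com",
     "config": {"name": "serviceusage.googleapis.com"}, "state": "ENABLED"},
]


def org_role_status(policy, member, role=REQUIRED_ORG_ROLE):
    """Return 'granted', 'conditional' or 'missing' for `member` on `role`.

    Only a direct binding of the exact principal string is checked. Group
    membership cannot be resolved from the policy document, so a role granted
    via a group shows as 'missing' here and must be confirmed in the console.
    A conditional binding is reported separately because the condition may
    not hold at scan time.
    """
    status = "missing"
    for binding in policy.get("bindings", []):
        if binding.get("role") != role or member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            status = "conditional"
        else:
            return "granted"
    return status


def enabled_apis(services):
    """Set of service names (e.g. 'securitycenter.googleapis.com') in state ENABLED."""
    names = set()
    for svc in services:
        if svc.get("state", "ENABLED") != "ENABLED":
            continue
        # Prefer config.name; fall back to the last path segment of the resource name.
        name = svc.get("config", {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def missing_apis(services):
    """Required APIs not enabled, in the order the setup guide lists them."""
    on = enabled_apis(services)
    return [api for api in REQUIRED_APIS if api not in on]


def remediation_commands(org_id, project_id, member, role_status, apis_missing):
    """gcloud commands that fix what the checks found; returned, never executed."""
    cmds = []
    if role_status != "granted":
        cmds.append(f"gcloud organizations add-iam-policy-binding {org_id} "
                    f"--member={member} --role={REQUIRED_ORG_ROLE}")
    if apis_missing:
        cmds.append(f"gcloud services enable {' '.join(apis_missing)} --project={project_id}")
    return cmds


def preflight(policy, services, member, org_id, project_id):
    """Combine both checks into one report dict."""
    role_status = org_role_status(policy, member)
    apis_missing = missing_apis(services)
    return {"role": role_status, "missing_apis": apis_missing,
            "fix": remediation_commands(org_id, project_id, member, role_status, apis_missing)}


if __name__ == "__main__":
    # python preflight.py org-policy.json services.json user:you@example.com ORG_ID PROJECT_ID
    if len(sys.argv) == 6:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
        with open(sys.argv[2]) as f:
            services = json.load(f)
        member, org_id, project_id = sys.argv[3:6]
    else:  # no arguments: run against the constructed samples
        policy, services = SAMPLE_ORG_POLICY, SAMPLE_SERVICES
        member, org_id, project_id = "user:nobody@example.com", "123456789012", "my-project"
    print(json.dumps(preflight(policy, services, member, org_id, project_id), indent=2))
```

Run it with no arguments to see the report for the sample data, or pass the two export files plus the principal, organization id and project id. The role check is deliberately strict: it reports `conditional` rather than `granted` for a binding carrying an IAM condition, because a time- or resource-scoped grant can pass the setup step today and break a scheduled scan later.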

## What gets scanned

Comp AI consumes findings from Security Command Center across services including:

| Area          | Services                                             |
| ------------- | ---------------------------------------------------- |
| Identity      | IAM (over-privileged accounts, service account keys) |
| Storage       | Cloud Storage (ACLs, public access, encryption)      |
| Compute       | Compute Engine, GKE                                  |
| Network       | VPC Network (firewall rules, flow logs), Cloud Armor |
| Data          | Cloud SQL, BigQuery, Pub/Sub                         |
| Cryptography  | Cloud KMS                                            |
| Observability | Cloud Logging, Cloud Monitoring                      |
| DNS           | Cloud DNS (DNSSEC)                                   |

The **Services** tab inside the connection lets you enable or disable specific check categories.

## Compliance frameworks

Findings are mapped to the controls used by:

* CIS GCP Foundations Benchmark
* SOC 2
* ISO 27001
* PCI DSS
* HIPAA (where applicable)

## Security model

* **Read-only in practice** — Comp AI only issues read API calls against SCC and resource manager
* **IAM-bounded** — access is limited to what the signed-in account's IAM roles permit
* **Token storage** — refresh tokens are stored in an encrypted vault; they are never returned to the UI
* **Revocable at any time** — remove the IAM role, revoke the token at [myaccount.google.com/permissions](https://myaccount.google.com/permissions), or delete the connection in Comp AI

## Troubleshooting

<Accordion title="Security Command Center findings not appearing" icon="shield">
  Confirm SCC is enabled at the organization level (not just one project). Open **GCP Console → Security → Risk Overview** and check that the organization shows findings.
</Accordion>

<Accordion title="Setup step: 'roles/securitycenter.findingsViewer' cannot be granted" icon="lock">
  The signed-in account does not have permission to manage IAM at the organization level. Ask a GCP organization admin to grant `roles/securitycenter.findingsViewer` to the account (or service account) you connected with. Copy the email shown in the setup guide — that is exactly who needs the role.
</Accordion>

<Accordion title="Setup step: APIs could not be enabled" icon="gear">
  The signed-in account lacks the `serviceusage.services.enable` permission on the target project. Either sign in with an account that has `roles/serviceusage.serviceUsageAdmin` on the project, or enable the three APIs manually from the [API Library](https://console.cloud.google.com/apis/library):

  * Security Command Center API
  * Cloud Resource Manager API
  * Service Usage API
</Accordion>

<Accordion title="No projects listed after OAuth" icon="magnifying-glass">
  Comp AI only lists projects the signed-in account has IAM access to. Sign in with a different Google account, or ask an admin to add your account as `roles/viewer` on the relevant projects.
</Accordion>

## Support

1. Email [support@trycomp.ai](mailto:support@trycomp.ai)
2. Join our [Discord community](https://discord.gg/compai)
