GCP analyze

enterprise feature this feature is only available on trufflehog enterprise with analyze contact us to learn more early access this is an early access feature and is being developed integrating your gcp environment to integrate with the gcp analyze feature, we'll need a service account with the appropriate permissions to get started, create a role with the following org wide permissions https //console cloud google com/iam admin/role https //console cloud google com/iam admin/roles gcp role permissions recommended workflow run this command to set up a role with the necessary permissions gcloud iam roles create trufflehog gcp analyze \\ \ organization=\<numerical org id> \\ \ title="trufflehog gcp analyze role" \\ \ description="custom role for trufflehog's gcp analyze with permissions for cloud asset, cloud resource manager, iam, recommender, and monitoring apis" \\ \ permissions="cloudasset assets searchalliampolicies,resourcemanager organizations get,resourcemanager folders get,resourcemanager folders list,resourcemanager projects get,resourcemanager projects list,iam roles get,recommender iampolicyinsights get,recommender iampolicyinsights list,recommender iampolicyrecommendations get,recommender iampolicyrecommendations list,monitoring timeseries list" \\ \ stage=ga if you want to manually set up the role in gcp, attach the following permissions to a role cloud asset api listing policies associated with service account name cloudasset assets searchalliampolicies resource manager api getting ids and parent info resourcemanager organizations get resourcemanager folders get resourcemanager folders list resourcemanager projects get resourcemanager projects list iam api get permissions for a role iam roles get recommender api searching and getting recommendations recommender iampolicyinsights get recommender iampolicyinsights list recommender iampolicyrecommendations get recommender iampolicyrecommendations list monitoring api retrieving key usage monitoring timeseries list attach the created role to your desired service account this is using the "manage access" button under the "permissions" tab for the service account https //console cloud google com/iam admin/serviceaccounts/ https //console cloud google com/iam admin/serviceaccounts/ under the "keys" tab, create a new key with json formatting in your trufflehog instance, create a cloud analyze integration for gcp paste in the json key you created earlier the next time a trufflehog scanner detects a live gcp credential, it will automatically analyze the secret if you prefer not to set up a trufflehog cloud integration, you can run trufflehog locally using an on prem scanner which will use your local machine's gcp credentials if you have a cloud integration set up, it'll prioritize that over the local credentials permissions viewer learn more about a credential's resource permission hierarchy and associated role bindings with our permission viewer credential insights & recommendations coming soon on prem scanner gcp credentials can be analyzed using a hosted scanner or an on prem scanner when using an on prem scanner, adc (application default credential) can be used instead of using a service account credential configured through the integrations tab if this feature is enabled in a scanner configuration, the scanner will only using the adc set up in the scanner environment example configuration enabling adc using `analyzeusingdefaultcredentials trufflehogaddress your truffle address 8443 trufflehogscannergroup scannergroup trufflehogscannertoken thog agent 64869d9e735b33f1f8586a09be50d7ca logjson true loglevel info analyzeusingdefaultcredentials true notifiers \ name stdout sendunverified true type notifier type stdout limitations integrating gcp analyze on the web dashboard is limited to a single gcp organization currently does not handle conditional iam policies