Scan data for secrets

Google Cloud Storage (GCS)

7min

﻿
Source integration to GCS, the managed cloud storage service.
Configuration
Buckets that the given credentials can list and access will be scanned.
﻿
﻿
Local configuration
ProjectID is required. If you omit providing buckets then all buckets that the credential can list and access will be scanned.
When using the include/exclude filters for buckets or objects, the include filters take precedence if both are specified. It is recommended to only use one of the two filters for each.
GCS with IAM credentials (recommended)
Configuration
Example IAM policy
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    adc: {}
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    adc: {}
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
﻿
GCS with service account file (JSON)
Configuration
Example IAM policy
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
    serviceAccountFile: /path/to/service-account.json
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeBuckets:
    - bucket3
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    projectId: my-project
    serviceAccountFile: /path/to/service-account.json
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
﻿
GCS without authentication
Can only be used for public buckets. Since these scans are unauthenticated, you must specify which buckets are to be scanned.
Unauthenticated
sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    unauthenticated: {}
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true

sources:
- connection:
    '@type': type.googleapis.com/sources.GCS
    excludeObjects:
    - object3
    includeBuckets:
    - bucket1
    - bucket2
    includeObjects:
    - object1
    - object2
    unauthenticated: {}
  name: GCS
  scanPeriod: 12h
  type: SOURCE_TYPE_GCS
  verify: true
﻿
Options
Key
Description
Required
projectId
GCP Project ID
Yes
includeBuckets
Buckets to be included. Omit to enumerate instead.
No
excludeBuckets
Buckets to be excluded
No
includeObjects
Objects to be included; supports globbing
No
excludeObjects
Objects to be excluded; supports globbing
No
maxObjectSize
The maximum size of the object
No
Capabilities
Feature
Supported
Scan archive files
✅
Scan base64 encoded data
✅
Scan binaries
✅
Scan Microsoft Office documents
✅
Exclude Filter
✅
Include Filter
✅
Auto resume
✅
﻿

Key	Description	Required
projectId	GCP Project ID	Yes
includeBuckets	Buckets to be included. Omit to enumerate instead.	No
excludeBuckets	Buckets to be excluded	No
includeObjects	Objects to be included; supports globbing	No
excludeObjects	Objects to be excluded; supports globbing	No
maxObjectSize	The maximum size of the object	No

Feature	Supported
Scan archive files	✅
Scan base64 encoded data	✅
Scan binaries	✅
Scan Microsoft Office documents	✅
Exclude Filter	✅
Include Filter	✅
Auto resume	✅

Updated 17 Jun 2024

Did this page help you?

GitHub

Google Drive