Google Cloud Storage
This guide covers setting up a Google Cloud Storage connector in Slim.io using Workload Identity Federation (WIF).
Prerequisites
- A GCP project with Cloud Storage buckets you want to scan
- IAM permissions to create service accounts and configure WIF in the target project
- gcloud CLI installed (optional, for command-line setup)
Workload Identity Federation Setup
Workload Identity Federation allows Slim.io to authenticate to your GCP project without exchanging long-lived service account keys. Instead, Slim.io presents a token from its own identity provider, which GCP exchanges for a short-lived access token.
Step 1: Create a Workload Identity Pool
```bash
gcloud iam workload-identity-pools create slim-io-pool \
  --project=YOUR_PROJECT_ID \
  --location=global \
  --display-name="Slim.io Scanner Pool"
```
Step 2: Add a Provider to the Pool
```bash
gcloud iam workload-identity-pools providers create-oidc slim-io-provider \
  --project=YOUR_PROJECT_ID \
  --location=global \
  --workload-identity-pool=slim-io-pool \
  --issuer-uri="https://auth.slim.io" \
  --attribute-mapping="google.subject=assertion.sub" \
  --allowed-audiences="slim-io-scanner"
```
Step 3: Create a Service Account
```bash
gcloud iam service-accounts create slim-io-scanner \
  --project=YOUR_PROJECT_ID \
  --display-name="Slim.io Scanner"
```
Step 4: Grant Bucket Access
```bash
gcloud storage buckets add-iam-policy-binding gs://your-bucket-name \
  --member=serviceAccount:slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer
```
For multiple buckets, repeat this command for each bucket, or grant the role at the project level (less restrictive).
Step 5: Bind the WIF Identity to the Service Account
```bash
# The provider created in Step 2 maps only google.subject, so the member must use
# the single-identity principal://.../subject/<sub> form; the principalSet://.../attribute.sub/
# form only works if attribute.sub is also declared in --attribute-mapping.
gcloud iam service-accounts add-iam-policy-binding \
  slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --project=YOUR_PROJECT_ID \
  --role="roles/iam.workloadIdentityUser" \
  --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/slim-io-pool/subject/slim-io-scanner"
```
Replace PROJECT_NUMBER with your GCP project number (numeric), not the project ID (string). Find it in the GCP Console under IAM & Admin > Settings.
Connector Configuration in Slim.io
- Navigate to Connectors > Add Connector in the Customer Dashboard.
- Select Google Cloud Platform.
- Enter your GCP Project ID.
- Enter the Service Account Email (slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com).
- Enter the Workload Identity Pool Provider resource name.
- Optionally, configure bucket filters and prefix scope.
- Click Test Connection.
Required IAM Roles
| Role | Purpose |
|---|---|
| roles/storage.objectViewer | Read access to objects in Cloud Storage buckets |
| roles/iam.workloadIdentityUser | Allow WIF token exchange for the service account |
Do not grant roles/storage.admin or roles/storage.objectAdmin. Slim.io requires only read access. Following the principle of least privilege prevents accidental data modification.
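The following is an added audit helper, not part of this guide or of Slim.io: it checks the IAM policies produced by Steps 4 and 5 against the Required IAM Roles table above, flagging the admin roles the table warns against and the project-ID-instead-of-project-number mistake in the WIF member. It reads policy JSON of the shape returned by `gcloud ... get-iam-policy --format=json`; the sample policies, the service account email and the pool ID are constructed placeholders.

```python
import re

# Constructed sample values (placeholders, not real project identifiers).
SA_EMAIL = "slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com"
POOL_ID = "slim-io-pool"
REQUIRED_BUCKET_ROLE = "roles/storage.objectViewer"          # from the Required IAM Roles table
FORBIDDEN_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin"}

# A valid WIF member: the project segment must be the numeric project number, the pool must match.
WIF_MEMBER_RE = re.compile(
    r"^principal(?:Set)?://iam\.googleapis\.com/projects/(\d+)/locations/global/"
    r"workloadIdentityPools/([A-Za-z0-9-]+)/(?:subject|attribute\.[A-Za-z0-9_]+)/.+$"
)

def audit_bucket_policy(policy, sa_email=SA_EMAIL):
    """Findings for the scanner SA's bindings in a bucket IAM policy; empty list means least privilege holds."""
    member = f"serviceAccount:{sa_email}"
    roles = {b.get("role") for b in policy.get("bindings", []) if member in b.get("members", [])}
    findings = []
    if REQUIRED_BUCKET_ROLE not in roles:
        findings.append(f"missing {REQUIRED_BUCKET_ROLE}")
    findings += [f"over-privileged: {r}" for r in sorted(roles & FORBIDDEN_ROLES)]
    return findings

def audit_sa_policy(policy, pool_id=POOL_ID):
    """Findings for the roles/iam.workloadIdentityUser binding in the service account's IAM policy."""
    members = [m for b in policy.get("bindings", [])
               if b.get("role") == "roles/iam.workloadIdentityUser" for m in b.get("members", [])]
    if not members:
        return ["no roles/iam.workloadIdentityUser binding"]
    findings = []
    for m in members:
        match = WIF_MEMBER_RE.match(m)
        if not match:
            findings.append(f"malformed member (project ID instead of project number?): {m}")
        elif match.group(2) != pool_id:
            findings.append(f"bound to pool {match.group(2)}, expected {pool_id}")
    return findings

# Constructed policies: the bucket one is over-privileged, the SA one uses a project ID where a number belongs.
BUCKET_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{SA_EMAIL}"]},
    {"role": "roles/storage.objectAdmin", "members": [f"serviceAccount:{SA_EMAIL}"]},
]}
SA_POLICY = {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [
    "principal://iam.googleapis.com/projects/YOUR_PROJECT_ID/locations/global/"
    "workloadIdentityPools/slim-io-pool/subject/slim-io-scanner"]}]}

if __name__ == "__main__":
    for name, findings in (("bucket", audit_bucket_policy(BUCKET_POLICY)), ("sa", audit_sa_policy(SA_POLICY))):
        print(name, "OK" if not findings else "; ".join(findings))
```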
Troubleshooting
"Permission Denied" on Test Connection
- Verify the service account has roles/storage.objectViewer on the target buckets
- Confirm the WIF pool and provider are correctly configured
- Check that the service account binding uses the correct project number
"Invalid Audience" Error
- Ensure the WIF provider's allowed audience includes slim-io-scanner
- Verify the issuer URI matches https://auth.slim.io
Bucket Not Visible
- The service account may not have the storage.buckets.list permission at the project level
- Grant roles/storage.objectViewer at the project level, or specify bucket names explicitly in the connector configuration
Next Steps
- Run Your First Scan — Trigger a scan on this connector
- Event-Driven Scanning — Set up automatic scans via GCS Pub/Sub notifications