
Connect Google Cloud Storage

This guide walks you through connecting a Google Cloud Storage bucket to slim.io for agentless PII scanning.

Time required: 5 minutes (same-project) | 15 minutes (cross-project)

Prerequisites:

  • GCP Console access with IAM Admin permissions
  • gcloud CLI installed (optional but recommended)
  • A Cloud Storage bucket you want to scan

Same-Project vs Cross-Project

Setup           When to Use                                                                               Steps
Same-Project    Your GCS bucket is in the same GCP project as slim.io. Most common setup.                 2 steps — grant bucket access, configure in dashboard
Cross-Project   Your GCS bucket is in a different GCP project. Requires service account impersonation.    5 steps — create scanner SA, set up impersonation, configure WIF

For same-project scanning, slim.io uses its own Cloud Run service account directly — no impersonation or extra service accounts needed.

Step 1: Grant Bucket Access

Grant the Cloud Run service account read access to your bucket. First, find the service account:

gcloud run services describe slim-io-backend \
  --region=us-east1 \
  --project=YOUR_PROJECT_ID \
  --format='value(spec.template.spec.serviceAccountName)'

This returns the Compute Engine default SA (e.g., 239499012368-compute@developer.gserviceaccount.com).

Grant it access to your bucket:

gcloud storage buckets add-iam-policy-binding gs://YOUR_BUCKET_NAME \
  --member=serviceAccount:CLOUD_RUN_SA_FROM_ABOVE \
  --role=roles/storage.objectViewer

If you want slim.io to discover ALL buckets in the project (not just one), grant roles/storage.objectViewer at the project level instead of per-bucket.

Step 2: Configure in slim.io

  1. Navigate to Scanner Fleet in the Customer Dashboard.
  2. Scroll to Agentless Cloud Scan.
  3. Select GCP as the provider.
  4. Enter your GCP Project ID (e.g., slim-io-service).
  5. Service Account Email — leave blank for same-project scanning. slim.io uses its own Cloud Run identity automatically.
  6. Workload Identity Pool — leave blank.
  7. Click Scan.

That’s it. slim.io will enumerate your GCS buckets and scan them for PII.


Cross-Project Setup

Use this when your GCS bucket is in a different GCP project than slim.io.

Step 1: Create a Scanner Service Account (in the target project)

gcloud iam service-accounts create slim-io-scanner \
  --project=TARGET_PROJECT_ID \
  --display-name="Slim.io Scanner"

Step 2: Grant the Cloud Run SA Permission to Impersonate

Find the slim.io Cloud Run service account:

gcloud run services describe slim-io-backend \
  --region=us-east1 \
  --project=SLIM_IO_PROJECT_ID \
  --format='value(spec.template.spec.serviceAccountName)'

The Cloud Run service account is the Compute Engine default SA (PROJECT_NUMBER-compute@developer.gserviceaccount.com), NOT the App Engine default SA. Using the wrong SA is the most common cause of “Permission denied” errors.

Grant it the ability to impersonate the scanner SA in the target project:

gcloud iam service-accounts add-iam-policy-binding \
  slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com \
  --project=TARGET_PROJECT_ID \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="serviceAccount:CLOUD_RUN_SA_FROM_ABOVE"

Step 3: Grant Bucket Access

gcloud storage buckets add-iam-policy-binding gs://YOUR_BUCKET_NAME \
  --member=serviceAccount:slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com \
  --role=roles/storage.objectViewer

Step 4 (Optional): Set Up Workload Identity Federation

WIF is only needed if your organization requires federated identity instead of direct SA impersonation. Most cross-project setups work with Steps 1-3 alone.

If required, create a Workload Identity Pool:

gcloud iam workload-identity-pools create slim-io-pool \
  --project=TARGET_PROJECT_ID \
  --location=global \
  --display-name="Slim.io Scanner Pool"

Add a provider:

gcloud iam workload-identity-pools providers create-oidc slim-io-provider \
  --project=TARGET_PROJECT_ID \
  --location=global \
  --workload-identity-pool=slim-io-pool \
  --issuer-uri="https://auth.slim.io" \
  --attribute-mapping="google.subject=assertion.sub" \
  --allowed-audiences="slim-io-scanner"

Bind the WIF pool to the scanner SA. First, get the numeric project number:

gcloud projects describe TARGET_PROJECT_ID --format='value(projectNumber)'

Then bind:

gcloud iam service-accounts add-iam-policy-binding \
  slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com \
  --project=TARGET_PROJECT_ID \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/slim-io-pool/attribute.sub/slim-io-scanner"

PROJECT_NUMBER must be the numeric project number (e.g., 239499012368), not the project ID string. Using the project ID will fail with “Identity Pool does not exist”.

Step 5: Configure in slim.io

  1. Navigate to Scanner Fleet in the Customer Dashboard.
  2. Scroll to Agentless Cloud Scan.
  3. Select GCP as the provider.
  4. Enter the Target GCP Project ID.
  5. Enter the Service Account Email: slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com.
  6. Workload Identity Pool — enter the pool resource name if you set up WIF in Step 4, otherwise leave blank.
  7. Click Scan.

Troubleshooting

Issue                                                     Solution
“Permission denied” on bucket access                      Verify storage.objectViewer is granted on the target bucket for the correct SA
“0 resources found” (same-project)                        Grant roles/viewer at the project level so the Cloud Run SA can list buckets
“Invalid audience”                                        Ensure the WIF provider has slim-io-scanner in allowed audiences
“Permission iam.serviceAccounts.getAccessToken denied”    See section below

Fixing “Permission iam.serviceAccounts.getAccessToken denied”

This error only applies to cross-project setups. Same-project scanning doesn’t use impersonation.

Root cause: The serviceAccountTokenCreator role was granted to the wrong service account.

Fix:

  1. Confirm which SA Cloud Run actually uses:

     gcloud run services describe slim-io-backend \
       --region=us-east1 \
       --project=SLIM_IO_PROJECT_ID \
       --format='value(spec.template.spec.serviceAccountName)'

  2. Check the current bindings:

     gcloud iam service-accounts get-iam-policy \
       slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com \
       --project=TARGET_PROJECT_ID

  3. If the member is the App Engine SA (@appspot.gserviceaccount.com) instead of the Compute Engine SA (-compute@developer.gserviceaccount.com), grant to the correct one:

     gcloud iam service-accounts add-iam-policy-binding \
       slim-io-scanner@TARGET_PROJECT_ID.iam.gserviceaccount.com \
       --project=TARGET_PROJECT_ID \
       --role="roles/iam.serviceAccountTokenCreator" \
       --member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com"

  4. Wait 60 seconds for IAM propagation, then retry the scan.
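The two mistakes this guide calls out (the App Engine SA granted instead of the Compute Engine SA in Step 2, and a project ID used where the WIF principalSet needs the numeric project number in Step 4) are both catchable before you click Scan. The script below is an added preflight check written for this page; it is not slim.io tooling. It validates the SA and project-number formats, builds the principalSet member string, and inspects the members of the serviceAccountTokenCreator role. The offline part runs on constructed sample data; the live part at the end only runs when gcloud is installed and you export TARGET_PROJECT_ID and CLOUD_RUN_SA (both names are assumptions for this example), and it uses gcloud's --flatten/--filter/--format flags to list the members of one role.

```shell
#!/bin/sh
# Added example: preflight checks for the slim.io cross-project GCS setup.
# Not part of slim.io's tooling; TARGET_PROJECT_ID and CLOUD_RUN_SA are assumed env vars.

# The Cloud Run SA must be the Compute Engine default SA
# (PROJECT_NUMBER-compute@developer.gserviceaccount.com), never the App Engine one.
is_compute_sa() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+-compute@developer\.gserviceaccount\.com$'
}

# The WIF principalSet requires the numeric project number, not the project ID string.
is_project_number() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+$'
}

# Build the --member value for the roles/iam.workloadIdentityUser binding (Step 4).
# usage: wif_member PROJECT_NUMBER POOL_ID SUBJECT
wif_member() {
  is_project_number "$1" || { echo "project number must be numeric, got '$1'" >&2; return 1; }
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.sub/%s\n' "$1" "$2" "$3"
}

# Check a role's member list (one member per line, as printed by
#   gcloud ... get-iam-policy --flatten="bindings[].members" \
#     --filter="bindings.role:ROLE" --format="value(bindings.members)")
# for the expected member; warn when the App Engine SA was bound by mistake.
# usage: role_has_member "MEMBERS_TEXT" EXPECTED_MEMBER
role_has_member() {
  if printf '%s\n' "$1" | grep -Fxq "$2"; then
    return 0
  fi
  if printf '%s\n' "$1" | grep -q '@appspot\.gserviceaccount\.com'; then
    echo "found an App Engine default SA bound instead of $2" >&2
  fi
  return 1
}

# Constructed sample: the binding as it looks on a misconfigured scanner SA.
SAMPLE_MEMBERS='serviceAccount:my-project@appspot.gserviceaccount.com'
EXPECTED='serviceAccount:239499012368-compute@developer.gserviceaccount.com'

if role_has_member "$SAMPLE_MEMBERS" "$EXPECTED" 2>/dev/null; then
  echo "sample: token creator binding ok"
else
  echo "sample: token creator binding wrong, expected the Compute Engine SA"
fi

# Live check against the real scanner SA (only when gcloud and the env vars exist).
if command -v gcloud >/dev/null 2>&1 && [ -n "${TARGET_PROJECT_ID:-}" ] && [ -n "${CLOUD_RUN_SA:-}" ]; then
  is_compute_sa "$CLOUD_RUN_SA" || echo "warning: $CLOUD_RUN_SA is not a Compute Engine default SA" >&2
  members=$(gcloud iam service-accounts get-iam-policy \
    "slim-io-scanner@${TARGET_PROJECT_ID}.iam.gserviceaccount.com" \
    --project="$TARGET_PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role:roles/iam.serviceAccountTokenCreator" \
    --format="value(bindings.members)")
  if role_has_member "$members" "serviceAccount:${CLOUD_RUN_SA}"; then
    echo "live: impersonation binding ok"
  else
    echo "live: grant roles/iam.serviceAccountTokenCreator to serviceAccount:${CLOUD_RUN_SA}, then wait ~60s"
  fi
fi
```

Run it once before Step 5; if the live check reports a missing binding, the add-iam-policy-binding command in the fix above is the remedy, and the 60-second wait still applies after it.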