
Connect Google Cloud Storage

This guide walks you through connecting a Google Cloud Storage bucket to slim.io for agentless PII scanning.

Time required: 10–15 minutes

Prerequisites:

  • GCP Console access with IAM Admin permissions on the project that holds the bucket
  • gcloud CLI installed (optional but recommended)
  • A Cloud Storage bucket you want to scan

Overview

slim.io accesses your Cloud Storage buckets via a service account in your GCP project that has read-only permissions on the bucket. Two configurations are supported:

  • Direct SA grant — grant the slim.io service account direct read access on your bucket. Simplest, recommended for most accounts.
  • Workload Identity Federation (WIF) — federate slim.io’s identity into your project so no long-lived service account key is needed. Recommended if your security team requires WIF.

The slim.io service account email address is shown on the connector setup page in the Customer Dashboard when you select GCP as the provider — copy it from there each time you set up a new connector.

slim.io will never ask for a service account key or any long-lived credential. The integration uses cross-project SA access (or WIF) so your project always holds the trust root.


Direct SA Grant

Step 1: Create a Scanner Service Account in Your Project

Create a dedicated SA that slim.io will read your bucket through:

gcloud iam service-accounts create slim-io-scanner \
    --project=YOUR_PROJECT_ID \
    --display-name="Slim.io Scanner"

Step 2: Allow slim.io to Impersonate the Scanner SA

Open the Customer Dashboard → Connectors → Add GCS connector. Copy the slim.io service account email shown on the form (it ends in .iam.gserviceaccount.com).

Grant that email the roles/iam.serviceAccountTokenCreator role on the scanner SA you just created:

gcloud iam service-accounts add-iam-policy-binding \
    slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com \
    --project=YOUR_PROJECT_ID \
    --role="roles/iam.serviceAccountTokenCreator" \
    --member="serviceAccount:SLIM_IO_SA_EMAIL_FROM_DASHBOARD"

Step 3: Grant the Scanner SA Read Access to Your Bucket

gcloud storage buckets add-iam-policy-binding gs://YOUR_BUCKET_NAME \
    --member=serviceAccount:slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com \
    --role=roles/storage.objectViewer

If you want slim.io to scan all buckets in the project, grant roles/storage.objectViewer at the project level instead of per-bucket.

Step 4: Configure in slim.io

  1. Navigate to Scanner Fleet → Agentless Cloud Scan → GCP in the Customer Dashboard.
  2. Enter your GCP Project ID.
  3. Enter the Scanner SA Email: slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com.
  4. Leave Workload Identity Pool blank.
  5. Click Test Connection, then Scan.

Workload Identity Federation (Optional)

WIF lets slim.io exchange a short-lived OIDC token for an access token to your project, without granting any direct SA-to-SA permission. Use this if your organization’s policy disallows direct SA impersonation.

WIF is only needed if your organization requires federated identity. Most accounts work fine with the direct grant flow above.

Step 1: Create a Workload Identity Pool

gcloud iam workload-identity-pools create slim-io-pool \
    --project=YOUR_PROJECT_ID \
    --location=global \
    --display-name="Slim.io Scanner Pool"

Step 2: Add an OIDC Provider

gcloud iam workload-identity-pools providers create-oidc slim-io-provider \
    --project=YOUR_PROJECT_ID \
    --location=global \
    --workload-identity-pool=slim-io-pool \
    --issuer-uri="https://auth.slim.io" \
    --attribute-mapping="google.subject=assertion.sub,attribute.sub=assertion.sub" \
    --allowed-audiences="slim-io-scanner"

The mapping must define attribute.sub as well as google.subject, because the binding in Step 3 selects the pool identity through attribute.sub; a principalSet member that names an attribute the provider does not map will never match a token. Pinning --issuer-uri and --allowed-audiences means only tokens issued by https://auth.slim.io for the slim-io-scanner audience are accepted by the pool.

Step 3: Bind the Pool to the Scanner SA

First, get your project’s numeric project number:

gcloud projects describe YOUR_PROJECT_ID --format='value(projectNumber)'

Then bind:

gcloud iam service-accounts add-iam-policy-binding \
    slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com \
    --project=YOUR_PROJECT_ID \
    --role="roles/iam.workloadIdentityUser" \
    --member="principalSet://iam.googleapis.com/projects/YOUR_PROJECT_NUMBER/locations/global/workloadIdentityPools/slim-io-pool/attribute.sub/slim-io-scanner"

YOUR_PROJECT_NUMBER must be the numeric project number (the value from Step 3 above), not the project ID string. Using the ID will fail with “Identity Pool does not exist”.

Step 4: Configure in slim.io

  1. In the connector setup form, enter the Workload Identity Pool resource name:

    projects/YOUR_PROJECT_NUMBER/locations/global/workloadIdentityPools/slim-io-pool/providers/slim-io-provider
  2. Test the connection and start your scan.
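As an added check for both the direct-grant steps and the WIF steps above (example code written for this guide, not slim.io's own tooling): the script below audits the JSON that gcloud iam service-accounts get-iam-policy and gcloud storage buckets get-iam-policy print against the bindings this guide creates, and flags grants that go beyond them (a storage role other than objectViewer, or a token-creator member other than slim.io, either of which would give someone else read access to the bucket). The project number and the slim.io email are placeholders, and the policy documents at the end are constructed samples.

```python
import re

# Names from the guide; the project number and slim.io email are placeholders (constructed).
PROJECT_ID = "YOUR_PROJECT_ID"
PROJECT_NUMBER = "123456789012"
SCANNER_SA = f"serviceAccount:slim-io-scanner@{PROJECT_ID}.iam.gserviceaccount.com"
SLIM_SA = "serviceAccount:SLIM_IO_SA_EMAIL_FROM_DASHBOARD"
WIF_MEMBER = (f"principalSet://iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global"
              "/workloadIdentityPools/slim-io-pool/attribute.sub/slim-io-scanner")
READ_ROLE = "roles/storage.objectViewer"        # the only storage role the scanner should hold
TOKEN_ROLE = "roles/iam.serviceAccountTokenCreator"
WIF_ROLE = "roles/iam.workloadIdentityUser"

def members_with_role(policy, role):
    """Set of members holding `role` in a get-iam-policy JSON document."""
    return {m for b in policy.get("bindings", []) if b["role"] == role for m in b.get("members", [])}

def audit(scanner_sa_policy, bucket_policy, use_wif=False):
    """Return findings (empty list = setup matches the guide); each maps to a troubleshooting row."""
    findings = []
    if use_wif:
        if WIF_MEMBER not in members_with_role(scanner_sa_policy, WIF_ROLE):
            findings.append("pool not bound as workloadIdentityUser on scanner SA (WIF exchange fails)")
    elif SLIM_SA not in members_with_role(scanner_sa_policy, TOKEN_ROLE):
        findings.append("slim.io SA lacks serviceAccountTokenCreator on scanner SA (getAccessToken denied)")
    if SCANNER_SA not in members_with_role(bucket_policy, READ_ROLE):
        findings.append("scanner SA lacks objectViewer on bucket (permission denied / 0 resources found)")
    # Least privilege: anything beyond objectViewer lets the scanner write or delete your data.
    for b in bucket_policy.get("bindings", []):
        if b["role"] != READ_ROLE and SCANNER_SA in b.get("members", []):
            findings.append(f"scanner SA holds excess role {b['role']} on bucket")
    # Any extra tokenCreator member can impersonate the scanner and read the bucket too.
    for m in sorted(members_with_role(scanner_sa_policy, TOKEN_ROLE) - {SLIM_SA}):
        findings.append(f"unexpected serviceAccountTokenCreator member: {m}")
    # The guide's pitfall: a pool member written with the project ID instead of the number.
    for m in sorted(members_with_role(scanner_sa_policy, WIF_ROLE)):
        if not re.match(r"principalSet://iam\.googleapis\.com/projects/\d+/", m):
            findings.append(f"WIF member uses a project ID, not the numeric project number: {m}")
    return findings

# Constructed sample policies in the shape `gcloud ... get-iam-policy --format=json` prints.
GOOD_SA_POLICY = {"bindings": [{"role": TOKEN_ROLE, "members": [SLIM_SA]},
                               {"role": WIF_ROLE, "members": [WIF_MEMBER]}]}
GOOD_BUCKET_POLICY = {"bindings": [{"role": READ_ROLE, "members": [SCANNER_SA]}]}
BAD_SA_POLICY = {"bindings": [{"role": TOKEN_ROLE, "members": [SLIM_SA, "user:dev@example.com"]},
                              {"role": WIF_ROLE, "members": [WIF_MEMBER.replace(PROJECT_NUMBER, PROJECT_ID)]}]}
BAD_BUCKET_POLICY = {"bindings": [{"role": "roles/storage.objectAdmin", "members": [SCANNER_SA]}]}
```

Run audit() on the two policies fetched from your project (use_wif=True if you followed the WIF section); an empty result means the bindings match the guide and nothing wider was granted.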


Troubleshooting

Issue: "Permission denied" on bucket access
Fix: Verify roles/storage.objectViewer is granted on the bucket for slim-io-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com.

Issue: "Permission iam.serviceAccounts.getAccessToken denied"
Fix: The slim.io SA email from the connector setup page must have roles/iam.serviceAccountTokenCreator on the scanner SA in your project (Step 2 above).

Issue: "0 resources found"
Fix: Confirm the bucket name is correct and that the scanner SA has objectViewer on either the specific bucket or the project.

Issue: "Invalid audience" (WIF)
Fix: The WIF provider's --allowed-audiences must include slim-io-scanner.

If the slim.io SA email shown in the dashboard doesn’t match what you granted permissions to, refresh the connector setup page and re-copy — the email is stable but the dashboard is the source of truth.
