Web Manual Integration

ℹ️
This guide provides a service account web configuration guide for SpaceONE Google Cloud integration as of August 2025.

Concept

⚠️
To proceed with this process, you must first understand the Google organization and projects described below.

Google Cloud’s organizational hierarchy is structured as follows:

(1) cloudeco.io [Organization]: The top-level hierarchy (Organization Level) for managing Google Cloud resources
(2) Root Project [Top-level Project]: A project that has a service account for permission inheritance
(3) Projects [Projects]: Projects that inherit permissions from the [Top-level Project]
(4) Folder [Folder]: A collection containing projects

To collect data through a Google Cloud service account, SpaceONE resource collectors require only minimal permission settings. For Google Cloud integration, SpaceONE supports the google_oauth2_credentials method, which is based on OAuth 2.0 and requires the following information:

- Client Email
- Client ID
- Private Key
- Private Key ID
- Project ID
- client_x509_cert_url

You can obtain integration information through project integration and organization integration by following the steps below.




0. Common

Login and Organization, Project Selection

⚠️

The logged-in user must have the Organization Administrator role.

Check Permission Status
  1. Select ‘IAM & Admin’ > ‘IAM’ from the navigation menu (☰) in the top left.

  2. Select the organization resource at the top of the page. It’s important to accurately select the organization resource for which you want to check your permissions.

  3. Find your email address in the ‘Principal members’ list. If the list is long, you can easily find it by entering your email in the ‘Filter’ field at the top. (If your email is not there, you may have been granted permissions through Google Groups. Filter by the group name.)

  4. Check for the ‘Organization Administrator’ role in the ‘Role’ column next to your account.

Log in to the console. Click the console in the top right.

  1. Click the project dropdown in the top left to activate the modal.
  2. Select the organization you want to configure.
  3. Click the ALL tab to list all projects.
  4. Click the project where you want the service account to belong.

1. Service Account Creation

Login and Organization, Project Selection

Complete the steps from (Common) Organization, Project Selection.

Service Account Creation

Select ‘IAM & Admin’ > ‘Service Accounts’ from the navigation menu (☰) in the top left.

  1. Verify that the project where you want to create the service account is correct.
  2. Click Create Service Account.

  1. Enter the service account name. Choose a name that is easy to recognize.
  2. Click Done.

2. Service Account Project Role Assignment and API Activation

ℹ️
This chapter covers the essential steps of creating the service account required for integration and assigning the necessary roles.

Login and Organization, Project Selection

Complete the steps from (Common) Organization, Project Selection.

Service Account Project Role Assignment

Select ‘IAM & Admin’ > ‘IAM’ from the navigation menu (☰) in the top left.

  1. Enter the name of the created service account in the filter.
  2. Click the service account shown in the search results.

  1. Navigate to the Permissions tab.
  2. Click the Permission Control button to activate the right sidebar.
  3. Add the following roles:
    • Browser
    • Security Reviewer
    • Storage Bucket Viewer
    • Storage Object Viewer
    • Viewer

  1. Verify that 5 roles have been added.
  2. Click Save to apply.
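
The following added example (not part of the original guide or of SpaceONE) checks a saved IAM policy for the five roles above and reports any that are missing or that exceed the list. It assumes the policy was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the role IDs are assumed to correspond to the console display names on this page; the account name and policy are constructed samples.

```python
import json

# Role IDs assumed to match the console display names used on this page.
EXPECTED_ROLES = {
    "roles/browser": "Browser",
    "roles/iam.securityReviewer": "Security Reviewer",
    "roles/storage.bucketViewer": "Storage Bucket Viewer",
    "roles/storage.objectViewer": "Storage Object Viewer",
    "roles/viewer": "Viewer",
}

# Constructed sample policy and account name, not real gcloud output.
SAMPLE_SA = "spaceone-collector@example-project.iam.gserviceaccount.com"
MEMBER = "serviceAccount:" + SAMPLE_SA
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/browser", "members": [MEMBER]},
    {"role": "roles/iam.securityReviewer", "members": [MEMBER]},
    {"role": "roles/storage.objectViewer", "members": [MEMBER],
     "condition": {"title": "constructed", "expression": "true"}},
    {"role": "roles/viewer", "members": [MEMBER, "user:admin@example.com"]},
    {"role": "roles/editor", "members": [MEMBER]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}


def audit_bindings(policy, sa_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to one service account with the expected set."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        granted.add(binding["role"])
        if "condition" in binding:  # grant may not apply to every resource
            conditional.add(binding["role"])
    return {
        "missing": sorted(set(expected) - granted),
        "unexpected": sorted(granted - set(expected)),
        "conditional": sorted(conditional),
    }


if __name__ == "__main__":
    import sys
    # Optional arguments: a saved policy JSON file and the service account email.
    policy, sa = SAMPLE_POLICY, SAMPLE_SA
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            policy, sa = json.load(fh), sys.argv[2]
    print(json.dumps(audit_bindings(policy, sa), indent=2))
```

For a folder or organization policy, pass a different `expected` mapping that matches the roles granted at that level.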

API Activation

Select ‘APIs & Services’ > ‘Library’ from the navigation menu (☰) in the top left.

  1. Search for each API in the following list:
    • Compute Engine API
    • Cloud Resource Manager API
    • Cloud Logging API
    • Cloud Pub/Sub API
    • Cloud Functions API
    • Cloud SQL Admin API
    • Cloud Identity API
    • Cloud Storage API
    • Cloud Build API
    • Identity and Access Management (IAM) API
    • Secret Manager API
    • Service Usage API
    • Eventarc API
    • BigQuery API
  2. Click the result that matches the search term.

  1. Verify the selected project.
  2. Click Enable to activate the API.

Select ‘APIs & Services’ > ‘Enabled APIs & Services’ from the navigation menu (☰) in the top left.

Verify that the APIs added above are activated.

3. [Optional] Service Account Specific Project or Folder Permission Grant

ℹ️
This chapter grants the service account created above permissions on a specific project or folder for sub-project integration.

Permission Grant Concept

⚠️
You must understand this section before completing the permission grant. List the projects that need integration and grant permissions appropriately according to the permission grant scopes below.

In gcloud, you can change the access scope of a service account according to permission grants. The red area in the figure below represents the accessible area.

Project Permission Grant

[Figure panels: 1. Root Project Service Account Creation; 2. Single Project Permission Grant]
  • Projects can be granted permissions individually.
  • This structure is used when individual integration is needed in complex tree structures.

Folder Permission Grant

[Figure panels: 1. Folder Permission Grant; 2. Folder Permission Grant Sub-folder Inheritance]
  • When permissions are granted to a folder, permissions are inherited by sub-projects and folders.
  • This structure is used when integrating all projects in a folder.

Full Permission Grant

[Figure panels: 1. Full Permission Grant; 2. Organization Permission Grant]
⚠️
If you are granting organization permissions for account synchronization, please refer to 4. [Optional] Service Account Organization Role Assignment and API Activation.
  • You can grant permissions to all folders and root projects.
  • When organization permission grant is performed, you can integrate from all folders and projects.

Service Account Specific Project or Folder Permission Grant

Login and Organization, Folder, Project Selection

Complete the steps from (Common) Organization, Project Selection.

Service Account Organization Role Assignment

Select the appropriate resource based on your understanding from the Permission Grant Concept above.

Select ‘IAM & Admin’ > ‘IAM’ from the navigation menu (☰) in the top left.

  1. Verify the appropriate resource selection based on your understanding from the Permission Grant Concept.
  2. Click ‘Grant Access’.
  3. Enter the target service account’s email in ‘Add Principal’. You can check this in the 1. Service Account Creation step.
  4. Add all roles (5 roles) added in the 2. Service Account Project Role Assignment step.

Enter the service account's email in the filter and verify that the added roles appear in the Role column.

4. [Optional] Service Account Organization Role Assignment and API Activation

ℹ️
This chapter covers organization project structure integration and full project role assignment using the service account created in step 2. When organization permissions are granted, the project list within the organization can be collected, and the granted permissions are inherited by all sub-folders and projects.

Login and Organization, Project Selection

⚠️

In this step, you must select the organization. The logged-in user must have the Organization Administrator role.

Check Permission Status
  1. Select ‘IAM & Admin’ > ‘IAM’ from the navigation menu (☰) in the top left.

  2. Select the organization resource at the top of the page. It’s important to accurately select the organization resource for which you want to check your permissions.

  3. Find your email address in the ‘Principal members’ list. If the list is long, you can easily find it by entering your email in the ‘Filter’ field at the top. (If your email is not there, you may have been granted permissions through Google Groups. Filter by the group name.)

  4. Check for the ‘Organization Administrator’ role in the ‘Role’ column next to your account.

Complete the steps from (Common) Organization, Project Selection.

Service Account Organization Role Assignment

Verify that the organization is selected.

Select ‘IAM & Admin’ > ‘IAM’ from the navigation menu (☰) in the top left.

  1. Verify organization selection.
  2. Click ‘Grant Access’.
  3. Enter the target service account’s email in ‘Add Principal’. You can check this in the 1. Service Account Creation step.
  4. Enter ‘Organization Viewer’ in the filter to add the role.
⚠️
To allow this account to access all project resources within the organization, you must add all 5 roles added in the 2. Service Account Project Role Assignment step as organization-level permissions.

Enter the service account's email in the filter and verify that the Organization Viewer role appears in the Role column.

API Activation

⚠️
If you have already completed this step previously, you don’t need to do it again. However, API activation must be completed in the project where the target service account belongs.

Select ‘APIs & Services’ > ‘Library’ from the navigation menu (☰) in the top left.

  1. Search for Cloud Resource Manager API.
  2. Click Cloud Resource Manager API.

  1. Verify the selected project.
  2. Click Enable to activate the API.

Select ‘APIs & Services’ > ‘Enabled APIs & Services’ from the navigation menu (☰) in the top left.

Verify that the API added above is activated.

5. Service Account Authentication Key Issuance

Login and Organization, Project Selection

Complete the steps from (Common) Organization, Project Selection.

Service Account Authentication Key Issuance

  1. Verify project selection.
  2. Select ‘IAM & Admin’ > ‘Service Accounts’.
  3. Navigate to the ‘Keys’ tab.
  4. Click ‘Add Key’ > ‘Create New Key’.

Select the JSON key type and click Create to download the JSON key. This key is used for integration with SpaceONE.
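
Before registering the key, the downloaded file can be checked for the six values listed in the Concept section and for file permissions that expose the private key to other local users. This is an added example, not part of the original guide or of SpaceONE; `check_key_file`, `write_sample` and the sample key are hypothetical names and constructed placeholder data.

```python
import json
import os
import stat
import tempfile

# JSON key names for the six values listed in the Concept section.
REQUIRED_FIELDS = ("client_email", "client_id", "private_key",
                   "private_key_id", "project_id", "client_x509_cert_url")

# Constructed sample key: placeholder values only, not a usable credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0" * 40,
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "spaceone-collector@example-project.iam.gserviceaccount.com",
    "client_id": "0" * 21,
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/placeholder",
}


def write_sample(key, mode):
    """Write a key dict to a temporary file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


def check_key_file(path):
    """Return a list of problems found in a downloaded service account key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:03o} is open to group/other; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:  # invalid JSON, or binary content such as a P12 key
        return problems + ["not valid JSON; was the JSON key type selected?"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return problems + ['"type" is not "service_account"']
    problems += [f"missing field: {f}" for f in REQUIRED_FIELDS if not key.get(f)]
    return problems


if __name__ == "__main__":
    print(check_key_file(write_sample(SAMPLE_KEY, 0o644)))
```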