GCP
Overview
Connect GCP to Nullify for cloud-to-code traceability. The connector uses Workload Identity Federation (WIF) with OIDC — no long-lived service account keys, no secrets to manage.
Key Benefits
Cloud-to-code mapping — Tie vulnerabilities back to specific GCP projects, regions, and IaC definitions.
Blast-radius awareness — Understand which services, identities, and networks are reachable from an exposed asset.
Multi-project coverage — Operate across GCP organizations, folders, or individual projects.
Secure access — Uses OIDC federation with per-tenant trust. No service account JSON keys.
Read-only — Nullify cannot modify your environment, read object data, or access secret payloads.
How It Works
Deploy the Nullify Terraform module in your GCP project. This creates a workload identity pool, a read-only service account, and IAM bindings.
Paste the service_account_email and workload_identity_provider outputs into the Nullify console.
Nullify validates the credentials and begins ingesting metadata for cloud exposure assessments.
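The following Terraform configuration is an added illustration of the trust setup described above; it is not the Nullify module's own code. It shows the three pieces the module creates (a workload identity pool with an OIDC provider, a service account with no key, and IAM bindings) and the two outputs the console asks for. The issuer URL, the tenant subject claim, the pool and account names, and the set of read-only roles are all placeholders or assumptions chosen here; take the real values and role list from the module itself.

```terraform
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.0"
    }
  }
}

# Assumed inputs: the project to connect and the Nullify-side OIDC details.
# Both Nullify values are placeholders supplied during onboarding.
variable "project_id" {
  type = string
}

variable "nullify_issuer_uri" {
  type        = string
  description = "Placeholder (assumed): OIDC issuer URL of the Nullify workload."
}

variable "nullify_tenant_subject" {
  type        = string
  description = "Placeholder (assumed): the 'sub' claim Nullify presents for this tenant."
}

provider "google" {
  project = var.project_id
}

# Workload identity pool: the trust boundary for external (non-GCP) identities.
resource "google_iam_workload_identity_pool" "nullify" {
  workload_identity_pool_id = "nullify-pool" # assumed name
  display_name              = "Nullify cloud connector"
}

# OIDC provider inside the pool. attribute_condition pins acceptance to one
# tenant subject, so a token for a different tenant from the same issuer is
# rejected before any impersonation can happen (per-tenant trust).
resource "google_iam_workload_identity_pool_provider" "nullify" {
  workload_identity_pool_id          = google_iam_workload_identity_pool.nullify.workload_identity_pool_id
  workload_identity_pool_provider_id = "nullify-oidc" # assumed name
  display_name                       = "Nullify OIDC"

  attribute_mapping = {
    "google.subject" = "assertion.sub"
  }
  attribute_condition = "assertion.sub == \"${var.nullify_tenant_subject}\""

  oidc {
    issuer_uri = var.nullify_issuer_uri
  }
}

# Read-only service account. No google_service_account_key is created, so
# there is no long-lived JSON credential to leak or rotate.
resource "google_service_account" "nullify" {
  account_id   = "nullify-readonly" # assumed name
  display_name = "Nullify read-only connector"
}

# Illustrative narrow read-only roles (assumed set). The basic roles/viewer
# role is deliberately avoided because it includes storage.objects.get, which
# would grant object data reads the page says the connector does not have.
resource "google_project_iam_member" "nullify_readonly" {
  for_each = toset([
    "roles/compute.viewer",
    "roles/container.clusterViewer",
    "roles/iam.securityReviewer",
  ])

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.nullify.email}"
}

# Only the federated identity whose subject matches this tenant may
# impersonate the service account.
resource "google_service_account_iam_member" "nullify_wif" {
  service_account_id = google_service_account.nullify.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.nullify.name}/subject/${var.nullify_tenant_subject}"
}

# The two values pasted into the Nullify console.
output "service_account_email" {
  value = google_service_account.nullify.email
}

output "workload_identity_provider" {
  value = google_iam_workload_identity_pool_provider.nullify.name
}
```

The security properties the page lists map directly onto three settings: the absence of any `google_service_account_key` resource (no JSON keys), the `attribute_condition` plus the subject-scoped `principal://` member (per-tenant trust), and the role list on the service account (read-only, no object data or secret payloads). When reviewing the real module, those are the three places to check.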
Full setup instructions are documented in Configuration.
Optional: Kubernetes Collector (GKE)
Deploy the Nullify k8s-collector to your GKE clusters for workload-level visibility (pods, services, deployments, ingresses).
Share your cluster's OIDC issuer URL with Nullify (one gcloud command).
Nullify returns a role ARN.
Deploy the Helm chart with the role ARN.
No GCP service account or Workload Identity binding required. See Configuration for details.
Support
Implementation assistance: [email protected]
Terraform module: nullify-cloud-connector