Configuration
Requirements
An active Nullify tenant.
A GCP project with permissions to create workload identity pools and service accounts.
Terraform >= 1.3 (recommended) or the gcloud CLI.
For organization or folder scope: org admin access.
Setup Overview
Nullify uses Workload Identity Federation (WIF) with OIDC to access your GCP environment. The Terraform module creates a workload identity pool, a read-only service account, and the minimum IAM bindings needed for cloud scanning.
Parameters Supplied by Nullify
Available in the Nullify console under Configure > Connectors > GCP:
OIDC Issuer URI — https://gcp.nullify.ai (production)
Tenant ID — Your Nullify tenant identifier
Information You Provide
After deploying the Terraform module:
Workload Identity Provider — The full resource path from the Terraform output
Service Account Email — The impersonated service account email from the Terraform output
Project IDs — The GCP projects Nullify should scan
Setup Steps
Clone the Terraform module:
Configure variables:
Fill in:
gcp_project_id — Your GCP project
nullify_oidc_issuer_uri — From the Nullify console
nullify_tenant_id — From the Nullify console
scope — "organization", "folder", or "projects"
organization_id — Required for org or folder scope
Deploy:
Configure in Nullify console:
Go to Configure > Connectors > GCP
Paste the workload_identity_provider output
Paste the service_account_email output
Add your GCP project IDs
Click Save — Nullify auto-verifies the credentials
Scope Options
organization: Scan all projects in your GCP org. Requires organization_id.
folder: Scan all projects in a folder. Requires organization_id + folder_id.
projects: Scan specific projects only. Requires project_ids list.
Permissions
Nullify requests read-only access. No write, no data-plane, no code execution permissions.
Predefined roles: cloudasset.viewer, iam.securityReviewer, compute.viewer, container.clusterViewer, cloudsql.viewer, spanner.viewer, cloudkms.viewer, logging.viewer, run.viewer, cloudfunctions.viewer, appengine.appViewer, dataproc.viewer, dataflow.viewer, pubsub.viewer
Custom role (nullifyCloudConnector): Read-only permissions for Cloud Armor, VPC Service Controls, org policies, AlloyDB, Filestore, Memorystore, Artifact Registry, Cloud DNS, and API Gateway.
Full permission justification: permissions.md
Revoking Access
This deletes the workload identity pool, service account, and all IAM bindings.
Kubernetes Collector (GKE)
Deploy the Nullify k8s-collector to GKE clusters for workload-level visibility.
Prerequisites
Any GKE cluster (Standard, Autopilot, private, or public)
Kubernetes 1.22+
Helm v3
No special GKE configuration required
Setup
Get your cluster's OIDC issuer URL:
Register in Nullify console:
Go to Configure > Connectors > GCP > GKE Clusters
Add the OIDC issuer URL
Click Save
Copy the K8s Collector Role ARN displayed on the card
Deploy the Helm chart:
What the Collector Gathers
Cluster metadata (version, node pools)
Namespaces, pods, deployments, statefulsets, daemonsets
Services, ingresses, endpoints
RBAC (roles, role bindings, service accounts)
Network policies
Persistent volumes and claims
Data is uploaded to Nullify's S3 bucket encrypted in transit. No cluster modifications are made.
Troubleshooting
Verify returns red with permission denied
The Nullify SA is missing IAM bindings. Re-run terraform apply.
Verify returns red with invalid token
nullify_oidc_issuer_uri doesn't match. Use https://gcp.nullify.ai for production.
k8s-collector fails with AssumeRoleWithWebIdentity error
The cluster OIDC URL wasn't registered in the Nullify console, or the role ARN is wrong.
k8s-collector pod stuck in Pending
Insufficient CPU/memory on the node. Reduce resource requests in Helm values.
Connector shows Not Verified
Click Verify in the console, or re-save the settings to trigger auto-verify.