Integrations

Google Cloud Platform (GCP)

title: Google Cloud Platform (GCP) description: Configure Google Cloud Platform integration for automatic compliance monitoring in Tidal Control sidebar_position: 3

Google Cloud Platform (GCP)

Configuring Google Cloud Platform integration

Tidal Control's Google Cloud Platform integration monitors your GCP resources, IAM settings, and security configurations for compliance purposes.

What this integration monitors:

  • Resources: Virtual machines, storage, databases, and other GCP services
  • IAM: Users, roles, and permissions within your GCP project
  • Security: Security settings and access controls

Requirements:

  • Super User role in Tidal Control
  • Google Cloud Platform project access
  • Access to Google Cloud Console
  • (Optional) Google Workspace super admin rights for Workspace integration

Configuration step-by-step plan

What we're going to do: We'll create a Google service account with the necessary permissions to access your GCP resources through secure APIs. If you also want to set up Google Workspace, we'll add the required Workspace configuration at each step.

Configuration steps:

  1. Create service account
  2. Assign role and generate JSON key
  3. Set up domain-wide delegation (optional for Workspace)
  4. Configure API scopes
  5. Enable APIs
  6. Configure integrations

Step 1: Create service account

  • Go to Google Cloud Console at https://console.cloud.google.com
  • Log in with account that has project access
  • Select your Google Cloud project in project selector
  • Navigate to IAM & Admin → Service Accounts
  • Click "+ CREATE SERVICE ACCOUNT"
  • Fill in service account details:
    • Service account name: Tidal Control GCP
    • Service account ID: tidal-control-gcp
    • Description: Service account for Tidal Control GCP monitoring

Step 2: Assign role and generate JSON key

  • Select role: Basic → Viewer
  • Click "Continue" and skip next step
  • Click "Done" to create service account
  • Select new service account from list
  • Go to "KEYS" tab
  • Click "ADD KEY""Create new key"
  • Select JSON format
  • Download JSON file automatically to computer
  • Store file securely - needed for integration setup

For Google Workspace, add this:

Step 3: Set up domain-wide delegation (optional for Workspace)

This step is only needed if you also want to set up Google Workspace.

  • Go back to service account details
  • Click "Advanced settings" section to expand
  • Copy Client ID (save for next step)
  • Click "VIEW GOOGLE WORKSPACE ADMIN CONSOLE"
  • Navigate to Security → Access and data control → API controls
  • Click "MANAGE DOMAIN WIDE DELEGATION"

For Google Workspace, add this:

  • You now need access to Google Workspace Admin Console
  • Ensure you have super admin rights in Google Workspace

Step 4: Configure API scopes

  • Return to Google Cloud Console
  • This step configures permissions for GCP access

For Google Workspace, add this:

  • Go to Google Workspace Admin Console → API controls → Domain-wide delegation
  • Click "Add new" in domain-wide delegation
  • Paste Client ID (from step 3)
  • Enter OAuth Scopes (comma separated): 
    https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.directory.group
  • Click "AUTHORISE" to assign permissions

Step 5: Enable APIs

  • Navigate to APIs & Services → Library in Google Cloud Console
  • Search and enable the following APIs:
    • Identity and Access Management (IAM) API
    • Cloud Resource Manager API
  • Click "ENABLE" for each API

For Google Workspace, add this:

  • Enable additional API:
    • Admin SDK API

Step 6: Configure integrations

  • Go to Settings → Integrations in Tidal Control
  • Click the plus icon next to Google Cloud Platform
  • Fill in configuration:
    • Name: GCP Production Account
    • Domain: Your Google Workspace domain (e.g. company.com) - only if you have Workspace
    • Impersonation Subject: Admin email for delegation (e.g. admin@company.com) - only if you have Workspace
    • Service Account JSON: Upload or paste contents of JSON file
  • Click "Create" to save integration

For Google Workspace, add this:

  • Click the plus icon next to Google Workspace
  • Fill in configuration:
    • Name: Google Workspace
    • Service Account JSON: Upload same JSON file
  • Click "Create" to save integration
Tip

One service account, two integrations: You can use the same JSON key file for both GCP and Google Workspace integrations

Configuration fields explained

Service Account JSON:

  • Contains authentication credentials for your service account
  • Downloaded in step 2 during service account creation
  • Keep this file secure - it provides access to your Google environment

For Google Workspace integration (optional):

Domain:

  • Your Google Workspace domain name
  • For example: company.com, organisation.org
  • Needed for domain-wide delegation to Workspace resources
  • Leave empty if you're only using GCP

Impersonation Subject:

  • Email of Google Workspace admin that service account may impersonate
  • Must have super admin rights in Google Workspace
  • For example: admin@company.com, it-admin@organisation.org
  • Needed for access to Workspace admin APIs
  • Leave empty if you're only using GCP

Verification

Check GCP integration status:

  • Settings → Integrations shows "Connected" status for Google Cloud Platform
  • Google Cloud test available in Tests section
  • Test refresh delivers results without authentication errors

If you also set up Workspace:

  • Google Workspace integration also shows "Connected" status
  • Both tests work without authentication errors
Warning

JSON key security: Store the JSON key file securely - it provides access to your Google environment and cannot be downloaded again

Frequently asked questions

Can I use the same service account for multiple Tidal Control environments? Yes, you can reuse the same service account JSON key across different Tidal Control instances.

Do I always need to set up Workspace too? No, you can use GCP standalone. Workspace is optional and only needed if you also want to monitor Workspace compliance.

How often does Tidal Control sync GCP data? Data is synchronized according to your configured test schedule, typically every few hours.

Common problems

"Authentication failed" errors

  • Verify the JSON key file is correctly uploaded
  • Check that the service account has the correct Viewer role in GCP
  • Confirm that all required APIs are enabled

"API not enabled" errors

  • Ensure IAM API and Cloud Resource Manager API are enabled in your GCP project
  • Wait a few minutes after enabling APIs before testing the integration

"Permission denied" errors for Workspace

  • Verify domain-wide delegation is configured with the correct Client ID
  • Check that OAuth scopes are correctly configured
  • Confirm the impersonation subject has super admin rights

Still can't figure it out?

Send an email to support@tidalcontrol.com, and we'll get back to you as soon as possible.

Info

Gather support info: Note which browser you're using, exact error messages, and which steps you've already tried. This speeds up the solution considerably.

Next
Google Workspace