Skip to main content

Add a GCP Single Account with read-only access

Learn how to seamlessly integrate your GCP read-only account with our platform

Updated today

Step 1

Skip to Step 4 if you came to this guide from the Connect Your GCP Project page.

Navigate to the Account Manager tab and click Add new account. If you already have accounts, your Account Manager page will look similar to the example below.

Step 2

Select the ‘Google Cloud Platform’.

Step 3

You’ll be taken to the Connect your GCP project page.

Step 3.1

In the first field, enter an Account name. You can enter a custom name (up to 32 characters) or leave the default GCP.


Step 3.2

Select Single project as the account type.

Step 3.3

Select the connection type - Auto.

  • Auto automatically configures the required IAM roles by running a script in Google Cloud Shell.

  • Manual set up and assign IAM roles yourself directly in GCP Console

Step 3.4

Select Read-only as the access type.

Next, select the Access type (The selected option will be marked with a blue dot.):

  • Read/write: Gives full access to the account. You can view resources and take actions, such as converting to spot, scheduling resources, and removing unused resources.

  • Read-only: Lets you view resources and see what actions are available, but you can’t make any changes or perform those actions.

You can review the permissions included in the read-only policy. No action is required.

Optional: View permission list

title: Uniskai Service Role

stage: "GA"

includedPermissions:

- appengine.applications.get

- appengine.instances.get

- appengine.instances.list

- appengine.services.get

- appengine.services.list

- appengine.versions.get

- appengine.versions.list

- bigquery.datasets.get

- bigquery.tables.get

- bigquery.readsessions.create
- bigquery.readsessions.getData

- bigquery.tables.list

- bigquery.tables.getData

- bigquery.jobs.create

- bigtable.backups.get

- bigtable.backups.list

- bigtable.clusters.get

- bigtable.clusters.list

- bigtable.instances.get

- bigtable.instances.list

- cloudfunctions.functions.get

- cloudfunctions.functions.list

- cloudfunctions.locations.get

- cloudfunctions.locations.list

- cloudsql.backupRuns.list

- cloudsql.instances.list

- compute.autoscalers.list

- compute.diskTypes.get

- compute.disks.get

- compute.disks.list

- compute.externalVpnGateways.get

- compute.externalVpnGateways.list

- compute.externalVpnGateways.list

- compute.firewalls.get

- compute.firewalls.list

- compute.images.get

- compute.images.list

- compute.instanceGroupManagers.get

- compute.instanceGroupManagers.list

- compute.instanceGroups.get

- compute.instanceGroups.list

- compute.instanceTemplates.get

- compute.instanceTemplates.list

- compute.instances.get

- compute.instances.list

- compute.machineImages.get

- compute.machineImages.list

- compute.machineTypes.get

- compute.networks.get

- compute.networks.list

- compute.regions.list

- compute.routers.get

- compute.routers.list

- compute.routes.get

- compute.routes.list

- compute.snapshots.get

- compute.snapshots.list

- compute.subnetworks.get

- compute.subnetworks.list

- compute.vpnGateways.list

- compute.vpnTunnels.list

- compute.zones.list

- compute.targetVpnGateways.get

- compute.targetVpnGateways.list

- compute.healthChecks.get

- compute.healthChecks.list

- compute.addresses.get

- compute.addresses.list

- compute.globalAddresses.get

- compute.globalAddresses.list

- compute.interconnects.get

- compute.interconnects.list

- compute.interconnectAttachments.get

- compute.interconnectAttachments.list

- compute.forwardingRules.get

- compute.forwardingRules.list

- container.clusters.get

- container.clusters.list

- dns.managedZones.list

- file.backups.list

- file.instances.list

- file.locations.get

- file.locations.list

- memcache.instances.get

- memcache.instances.list

- recommender.locations.get

- recommender.locations.list

- redis.instances.get

- redis.instances.list

- spanner.backups.get

- spanner.backups.list

- spanner.instanceConfigs.get

- spanner.instanceConfigs.list

- spanner.instances.get

- spanner.instances.list

- storage.buckets.get

- storage.buckets.list

- serviceusage.services.list

- resourcemanager.projects.getIamPolicy

- iam.roles.list

- iam.serviceAccounts.list

- iam.serviceAccountKeys.list

- cloudasset.assets.searchAllResources

- compute.instances.listReferrers

- compute.instances.setServiceAccount

- iam.serviceAccounts.actAs

- compute.backendServices.list

- compute.targetPools.list

- eventarc.locations.list

- eventarc.providers.list

- eventarc.triggers.list

- eventarc.triggers.get

- eventarc.channels.list

- cloudkms.locations.list

- cloudkms.keyRings.list

- cloudkms.cryptoKeys.get

- cloudkms.cryptoKeys.list

- cloudkms.cryptoKeyVersions.list

- cloudkms.importJobs.list

- monitoring.groups.get

- monitoring.groups.list

- monitoring.alertPolicies.get

- monitoring.alertPolicies.list

- monitoring.notificationChannels.get

- monitoring.notificationChannels.list

- monitoring.notificationChannelDescriptors.list

- monitoring.uptimeCheckConfigs.get

- monitoring.uptimeCheckConfigs.list

- monitoring.monitoredResourceDescriptors.list

- monitoring.timeSeries.list

- pubsub.topics.get

- pubsub.topics.list

- pubsub.subscriptions.list

- pubsub.subscriptions.get

- pubsub.subscriptions.list

- pubsublite.topics.list

- pubsublite.reservations.list

- pubsublite.subscriptions.get

- pubsublite.subscriptions.list

Step 3.5

Input your Project / Org account. You can find it in the GCP console here.

Step 3.6

Generate the script by pressing on the "Generate script" button.

Step 3.7

Copy the script and go to the GCP console.

To continue, make sure you have permission to create roles and service accounts in GCP.

Step 4

Log in to GCP and select your Project

Step 5

Open the Cloud Shell and authorize it

Step 6

Create the script file using the next command, replacing `{name_of_the_script}` with a suitable file name.

nano {name_of_the_script}.sh

Make the script executable by running the next command.

chmod +x {name_of_the_script}.sh

Then run it.

./{name_of_the_script}.sh

Step 7

Wait until the script is finished.

Step 8

Return to Uniskai and click Connect account. The connection may take a few minutes.

Step 11

(Optional) To enable billing features in Uniskai, refer to the billing setup guide. This step can be completed later.

For instructions on adding billing permissions, see the billing setup manual.

Step 12

Once completed, the account appears in Account Manager. Status shows Connected (Read-only). No further action is required

Related Articles
Adding whole organization of GCP account with read-only access
Add an Azure account with Read-only access with a Single subscription using Manual connection
Adding a GCP Single Account with read/write access
Step-by-step connecting Kubernetes Cluster for GCP
Did this answer your question?