How ZEUS reads GCP (Workload Identity, Asset Inventory, Security Command Center)
This is the key lesson for anyone deploying ZEUS at a customer running Google Cloud. It shows exactly how the connector authenticates — without keys — and which APIs it queries, read-only.
Identity: Workload Identity (keyless)
ZEUS deliberately does not use service account JSON keys. Instead it authenticates through Workload Identity Federation: the ZEUS identity exchanges its token for short-lived GCP credentials. In the customer's environment we create a read-only service account and bind it to a WIF pool:
# Read-only service account for ZEUS
gcloud iam service-accounts create zeus-reader \
--display-name="ZEUS read-only"
# Grant read roles at the organization level
gcloud organizations add-iam-policy-binding <org-id> \
--member="serviceAccount:zeus-reader@<projekt>.iam.gserviceaccount.com" \
--role="roles/cloudasset.viewer"
gcloud organizations add-iam-policy-binding <org-id> \
--member="serviceAccount:zeus-reader@<projekt>.iam.gserviceaccount.com" \
--role="roles/securitycenter.findingsViewer"
Tip: no JSON key means no secret to leak. This is the most secure model of third-party access in GCP — and at the same time a demonstration of the good practice we recommend to customers for their own integrations.
Read-only roles
The connector receives only read roles at the organization level:
| Role | What for |
|---|---|
| roles/cloudasset.viewer | inventory via Asset Inventory |
| roles/securitycenter.findingsViewer | reading findings from SCC |
| roles/iam.securityReviewer | reading IAM policies |
| roles/viewer (optional) | resource configuration details |
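A quick least-privilege check for the connector's bindings, added here as an example and not part of ZEUS or the lesson: it takes the JSON printed by `gcloud organizations get-iam-policy <org-id> --format=json` and flags any role the zeus-reader account holds beyond the four read roles in the table. The policy below is constructed sample data; the `roles/editor` binding in it is a deliberate violation so the check has something to report.

```python
import json

# The read roles the lesson grants the connector (roles/viewer is optional).
ALLOWED_ROLES = {
    "roles/cloudasset.viewer",
    "roles/securitycenter.findingsViewer",
    "roles/iam.securityReviewer",
    "roles/viewer",
}

# Constructed sample of `gcloud organizations get-iam-policy --format=json`
# output. The roles/editor binding is an intentional violation.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudasset.viewer",
         "members": ["serviceAccount:zeus-reader@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/securitycenter.findingsViewer",
         "members": ["serviceAccount:zeus-reader@example-project.iam.gserviceaccount.com",
                     "group:secops@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:zeus-reader@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ]
})


def roles_for_member(policy_json: str, member: str) -> set[str]:
    """Every role the given member holds anywhere in the policy."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def excess_roles(policy_json: str, member: str) -> set[str]:
    """Roles the member holds that are outside the read-only allowlist."""
    return roles_for_member(policy_json, member) - ALLOWED_ROLES


def audit(policy_json: str, member: str) -> bool:
    """True when the member is confined to the allowed read roles."""
    extra = excess_roles(policy_json, member)
    for role in sorted(extra):
        print(f"VIOLATION: {member} holds non-read role {role}")
    return not extra


if __name__ == "__main__":
    sa = "serviceAccount:zeus-reader@example-project.iam.gserviceaccount.com"
    print("OK" if audit(SAMPLE_POLICY, sa) else "review required")
```

Run it against the real policy by piping the gcloud output into `audit()`; a non-empty result means the connector has drifted past read-only access.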
Two main data sources
1. Cloud Asset Inventory
With a single organization-level query, ZEUS pulls a complete inventory: all resources, IAM policies and Organization Policies across the entire hierarchy (organization → folders → projects → resources).
gcloud asset search-all-resources \
--scope=organizations/<org-id> \
--asset-types="compute.googleapis.com/Instance"
2. Security Command Center
ZEUS pulls in findings from SCC (misconfigurations and threats), so as not to duplicate Google's own scans, and feeds them into the shared SecOps queue (see lesson 05).
What ZEUS does with the data
The streams from Asset Inventory and SCC flow into the same data model as Azure and AWS. The result is one posture dashboard, one alert queue (SCC + GuardDuty + Defender) and one set of compliance evidence (NIS2, DORA, ISO 27001) — regardless of how many clouds the customer has.
Track summary
From the organization/folder/project hierarchy, through IAM and service accounts, compute, storage, networking, SCC and Workload Identity, to the connector itself: you now have the full picture for understanding how ZEUS "sees" a customer's GCP environment and for leading a secretless, read-only deployment of the reader.