Quick Start

Get Cloud Guardian scanning your GCP project in under 5 minutes.

Prerequisites

  • A Google Cloud Platform project with billing enabled
  • Owner or Editor access to the GCP project
  • A Cloud Guardian account (sign up at cloudguard.dev)

Step 1: Create a Service Account

# Set your project ID
export PROJECT_ID="your-project-id"

# Create the service account
gcloud iam service-accounts create cloud-guardian \
  --display-name="Cloud Guardian Scanner" \
  --project=$PROJECT_ID

Step 2: Grant Required Roles

Cloud Guardian needs read-only access to scan your infrastructure:

SA_EMAIL="cloud-guardian@${PROJECT_ID}.iam.gserviceaccount.com"

# Viewer role (covers most resources)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/viewer"

# Cloud Run viewer (for service details)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/run.viewer"

# Secret Manager viewer (for secret version counts)
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/secretmanager.viewer"

For Cloud SQL scanning, also add:

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="roles/cloudsql.viewer"
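Before generating a key, it is worth confirming that the service account holds exactly the read-only roles listed above and nothing broader. The following is an added example (not part of the Cloud Guardian docs) that audits the project IAM policy for the scanner account; it assumes the policy text comes from `gcloud projects get-iam-policy $PROJECT_ID --format=json`, and the sample policy below is constructed for illustration.

```python
import json

# Read-only roles the Quick Start grants to the scanner service account.
REQUIRED_ROLES = {
    "roles/viewer",
    "roles/run.viewer",
    "roles/secretmanager.viewer",
}
# Only required when Cloud SQL scanning is enabled, so it is allowed but not demanded.
OPTIONAL_ROLES = {"roles/cloudsql.viewer"}


def audit_scanner_roles(policy_json, sa_email):
    """Return (missing, extra) for the scanner service account.

    policy_json: output of `gcloud projects get-iam-policy PROJECT --format=json`.
    missing: required roles that are not bound to the service account.
    extra:   roles bound to it beyond the documented read-only set; these are
             least-privilege violations to remove before uploading the key.
    """
    policy = json.loads(policy_json)
    member = f"serviceAccount:{sa_email}"
    granted = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    missing = REQUIRED_ROLES - granted
    extra = granted - REQUIRED_ROLES - OPTIONAL_ROLES
    return sorted(missing), sorted(extra)


# Constructed sample: the account has Viewer and Cloud Run viewer, lacks
# Secret Manager viewer, and was mistakenly granted Editor.
SCANNER_SA = "cloud-guardian@demo-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": [f"serviceAccount:{SCANNER_SA}", "user:alice@example.com"]},
        {"role": "roles/run.viewer", "members": [f"serviceAccount:{SCANNER_SA}"]},
        {"role": "roles/editor", "members": [f"serviceAccount:{SCANNER_SA}"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
})

if __name__ == "__main__":
    missing, extra = audit_scanner_roles(SAMPLE_POLICY, SCANNER_SA)
    print("missing:", missing)  # ['roles/secretmanager.viewer']
    print("extra:", extra)      # ['roles/editor']
```

Bindings that carry an IAM condition are counted like unconditional ones here; if you use conditional bindings, inspect the `condition` field of each binding as well.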

Step 3: Generate a Service Account Key

gcloud iam service-accounts keys create key.json \
  --iam-account="${SA_EMAIL}"

Step 4: Connect in Cloud Guardian

  1. Log in to Cloud Guardian
  2. Navigate to Connectors in the sidebar
  3. Click Add Connector
  4. Upload your key.json file
  5. Click Test Connection to verify permissions
  6. Link the connector to your organization project

Step 5: Trigger Your First Scan

Navigate to Ops Health and click Trigger Scan, or wait for the next scheduled scan cycle (every 6 hours by default).

After the scan completes, check:

  • Dashboard for infrastructure overview and violations
  • Costs for cost trend data and breakdown
  • Alerts for any cost anomalies detected

Step 6: Clean Up the Local Key

rm key.json

The key is now encrypted and stored securely in Cloud Guardian using envelope encryption (AES-256-GCM + Cloud KMS).


Next Steps