GCP Setup
LightPane connects to your GCP project using Workload Identity Federation (WIF) — the Google-recommended approach for cross-cloud access. No secrets are exchanged or stored. LightPane's AWS Lambda authenticates directly to your GCP project using its own AWS credentials.
A service account key option is available as a fallback.
How Workload Identity Federation works
- You create a WIF pool in your GCP project that trusts the LightPane AWS account
- You create a service account with read-only access
- You grant the WIF identity permission to impersonate the service account
- LightPane's Lambda uses its AWS credentials to obtain short-lived GCP access tokens (1 hour)
- No private keys or long-lived credentials involved
Setup with Cloud Shell script
LightPane provides a script you can paste into Google Cloud Shell:
- Log in to app.lightpane.cloud
- Go to Cloud Accounts and click Link GCP Project
- Copy the setup script
- Open Cloud Shell in your GCP project
- Paste and run the script
- Copy the credential config JSON output back into LightPane
The script runs these steps:
```bash
# 0. Resolve the project identifiers the later steps reference and enable the APIs the flow depends on
PROJECT_ID=$(gcloud config get-value project)
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')
gcloud services enable iam.googleapis.com iamcredentials.googleapis.com \
  sts.googleapis.com cloudresourcemanager.googleapis.com

# 1. Create a Workload Identity Pool
gcloud iam workload-identity-pools create lightpane-pool \
  --location="global" \
  --display-name="LightPane Discovery"

# 2. Add an AWS provider to the pool (trusts only the LightPane AWS account)
gcloud iam workload-identity-pools providers create-aws lightpane-aws \
  --location="global" \
  --workload-identity-pool="lightpane-pool" \
  --account-id="LIGHTPANE_AWS_ACCOUNT_ID"

# 3. Create a service account
gcloud iam service-accounts create lightpane-reader \
  --display-name="LightPane Reader"

# 4. Grant read-only roles
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:lightpane-reader@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/viewer"

# 5. Allow the WIF identity (any principal in the LightPane AWS account) to impersonate the service account
gcloud iam service-accounts add-iam-policy-binding \
  "lightpane-reader@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/lightpane-pool/attribute.account/LIGHTPANE_AWS_ACCOUNT_ID"

# 6. Generate the credential config (identifiers and endpoints only, no key material)
gcloud iam workload-identity-pools create-cred-config \
  "projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/lightpane-pool/providers/lightpane-aws" \
  --service-account="lightpane-reader@$PROJECT_ID.iam.gserviceaccount.com" \
  --aws \
  --output-file=lightpane-config.json
```
The credential config file
The output is a JSON file that you paste into LightPane. It contains identifiers and endpoint URLs only — no private keys or secrets:
```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/lightpane-pool/providers/lightpane-aws",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/lightpane-reader@my-project.iam.gserviceaccount.com:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
```
Note: this file is not sensitive. If the credential config is exposed, an attacker would also need valid AWS credentials for the LightPane platform account to use it, because the pool only accepts a request signed by that account (the aws4_request subject token type above). The file alone grants no access.
Fallback: service account key
WIF is the preferred option: no secrets stored, short-lived tokens, Google's recommended approach. If you cannot set up WIF, you can create a service account key instead:
- Go to IAM & Admin > Service Accounts in the GCP Console
- Create a new service account (e.g., lightpane-reader)
- Grant it the roles/viewer role
- Go to the Keys tab and create a JSON key
- Paste the downloaded JSON into LightPane
```json
{
  "type": "service_account",
  "project_id": "my-project-123",
  "private_key_id": "key123abc",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n",
  "client_email": "lightpane-reader@my-project-123.iam.gserviceaccount.com",
  ...
}
```
Note: service account keys are long-lived secrets. The JSON key file contains a private key that never expires. LightPane stores it encrypted, but WIF avoids this entirely. Use WIF unless you have a specific reason not to.
Note: GCP organisations created after May 2024 block service account key creation by default. You may need to disable the iam.disableServiceAccountKeyCreation organisation policy constraint.
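As an added check before pasting either kind of credential JSON into a third-party tool (example code, not part of LightPane or its setup script), the following inspects the file, tells the keyless WIF config apart from a long-lived service account key, and confirms the WIF config points at your own pool project and the lightpane-reader service account. The sample inputs are constructed from the page's placeholder values, and the `expected_project_number` / `expected_sa` parameters are assumptions of this example.

```python
import json
import re

# Constructed sample inputs modelled on the two formats on this page (placeholder values).
WIF_CONFIG = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/lightpane-pool/providers/lightpane-aws",
    "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/lightpane-reader@my-project.iam.gserviceaccount.com"
        ":generateAccessToken",
    "credential_source": {"environment_id": "aws1"},
})
KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "my-project-123",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "client_email": "lightpane-reader@my-project-123.iam.gserviceaccount.com",
})

AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<number>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$")
SA_RE = re.compile(r"/serviceAccounts/(?P<sa>[^:]+):generateAccessToken$")
AWS_TOKEN_TYPE = "urn:ietf:params:aws:token-type:aws4_request"


def inspect_credential(text, expected_project_number=None, expected_sa=None):
    """Return (kind, findings); kind is "wif", "service_account_key" or "unknown"."""
    cfg = json.loads(text)
    if cfg.get("type") == "service_account" or "private_key" in cfg:
        # A private key in the file is a long-lived secret, whatever "type" claims.
        return "service_account_key", ["contains a private key (long-lived secret); prefer WIF"]
    if cfg.get("type") != "external_account":
        return "unknown", ["unrecognised credential type"]
    findings = []  # empty means: identifiers and endpoints only, pointed where expected
    aud = AUDIENCE_RE.match(cfg.get("audience", ""))
    if not aud:
        findings.append("audience is not a workload identity pool provider")
    elif expected_project_number and aud["number"] != expected_project_number:
        findings.append(f"audience project number {aud['number']} is not the expected one")
    sa = SA_RE.search(cfg.get("service_account_impersonation_url", ""))
    if not sa:
        findings.append("no service account impersonation target")
    elif expected_sa and sa["sa"] != expected_sa:
        findings.append(f"impersonates {sa['sa']}, expected {expected_sa}")
    if cfg.get("subject_token_type") != AWS_TOKEN_TYPE:
        findings.append("subject token type is not the AWS SigV4 request type")
    return "wif", findings
```

Pass the project number from step 0 of the script and the reader service account email to make the check specific to your project.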
Required GCP APIs
These APIs must be enabled in your project for WIF to work:
- IAM API (iam.googleapis.com)
- IAM Credentials API (iamcredentials.googleapis.com)
- Security Token Service API (sts.googleapis.com)
- Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
The setup script enables them automatically.
Supported regions
LightPane discovers resources in any GCP region. Common regions:
| Region | Location |
|---|---|
| europe-west2 | London |
| europe-west1 | Belgium |
| europe-west3 | Frankfurt |
| us-central1 | Iowa |
| us-east1 | South Carolina |
| us-west1 | Oregon |
| asia-southeast1 | Singapore |
| asia-northeast1 | Tokyo |
Revoking access
Delete the service account or the Workload Identity Pool in your GCP project. LightPane immediately loses the ability to obtain new tokens; an access token already issued remains usable only until it expires (at most the 1-hour lifetime noted above). You can also remove the WIF provider from the pool to revoke access without deleting the pool itself.