The Google Cloud integration discovers IAM policy bindings and collects Cloud Audit Log summaries for a GCP project. Use it to track who has access to your cloud resources and generate compliance evidence for identity and monitoring controls in Axiom Codex.

What you’ll need

  • A GCP project with Cloud Resource Manager and Cloud Logging APIs enabled.
  • Permission to create a service account in the project.
  • Five minutes.

Set it up

1. Create a service account

In the Google Cloud Console, go to IAM & Admin → Service Accounts and click Create Service Account.
  • Name: axiom-layer-readonly
  • Role: Viewer (or a custom role — see below)

2. Create and download a key

Click on the service account, go to Keys → Add Key → Create New Key, and choose JSON. A JSON key file downloads automatically — keep it safe.

3. Paste credentials into Layer

In Layer, go to Integrations, find Google Cloud, and click Connect. Enter your Project ID and paste the full contents of the JSON key file into the Service Account Key field. Click Connect.

4. Wait for the first sync

The initial sync runs immediately and typically finishes in under five minutes.

What gets synced

Object                            | Fields                              | Refresh cadence
IAM policy bindings               | role, members, binding count        | Daily
Cloud Audit Logs (30-day summary) | entry count, breakdown by service   | Daily

Compliance evidence

GCP data generates evidence records for the following SOC 2 controls:
Evidence                    | Controls
Project IAM policy bindings | CC6.1, CC6.2, CC6.3
Cloud Audit Logs summary    | CC7.1, CC7.2
See the SOC 2 evidence catalog for full control descriptions.

Least-privilege permissions

The Viewer role is sufficient. If you prefer a custom role with narrower scope, include these permissions:
  • resourcemanager.projects.getIamPolicy
  • logging.logEntries.list
  • logging.logs.list

Troubleshooting

Verify the service account key JSON is complete (it should start with { and end with }). If the key was deleted or the service account disabled, create a new key and update it in Layer.
Cloud Audit Logs must be enabled for the project. Go to IAM & Admin → Audit Logs in the Cloud Console and confirm that admin activity and data access logs are turned on for the services you want to monitor.
Create a separate connection for each project. You can reuse the same service account if you grant it the Viewer role on each additional project.
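The two checks above that are easiest to get wrong before clicking Connect are a truncated key paste and a custom role that is missing one of the three permissions. The following pre-flight script is an added example written for this page; it is not part of Layer or of Google's tooling. It assumes the standard field names Google writes into a service-account key file (type, project_id, private_key_id, private_key, client_email) and the role document shape returned by `gcloud iam roles describe --format=json` (an `includedPermissions` list). The sample key and role are constructed placeholders, not real credentials.

```python
"""Pre-flight checks for a Layer Google Cloud connection (added example).

Checks two things this page calls out: that the pasted service-account key
JSON is complete and belongs to the Project ID being entered, and that a
custom role carries the permissions the integration needs.
"""
import json

# Permissions the page lists for a narrowly scoped custom role.
REQUIRED_PERMISSIONS = frozenset({
    "resourcemanager.projects.getIamPolicy",
    "logging.logEntries.list",
    "logging.logs.list",
})

# Fields present in every Google service-account key file (assumed standard names).
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
)


def validate_service_account_key(raw: str, expected_project: str) -> list:
    """Return a list of problems with a pasted key; an empty list means it looks complete."""
    problems = []
    text = raw.strip()
    # The page's first check: a complete key starts with "{" and ends with "}".
    if not (text.startswith("{") and text.endswith("}")):
        problems.append("key is truncated: must start with '{' and end with '}'")
        return problems
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"key is not valid JSON: {exc.msg}")
        return problems
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    if "type" in key and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    pk = key.get("private_key", "")
    if not (pk.startswith("-----BEGIN PRIVATE KEY-----")
            and pk.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    # The Project ID typed into Layer must be the project the key was issued for.
    if key.get("project_id") and key["project_id"] != expected_project:
        problems.append(
            f"key belongs to project {key['project_id']!r}, not {expected_project!r}")
    return problems


def missing_permissions(role: dict) -> set:
    """Permissions the integration needs that a custom role document lacks."""
    return set(REQUIRED_PERMISSIONS) - set(role.get("includedPermissions", []))


# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "axiom-layer-readonly@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Constructed custom-role document that is missing one permission from the page's list.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/axiomLayerReadonly",
    "stage": "GA",
    "includedPermissions": [
        "resourcemanager.projects.getIamPolicy",
        "logging.logEntries.list",
    ],
}

if __name__ == "__main__":
    print(validate_service_account_key(SAMPLE_KEY, "example-project"))       # []
    print(validate_service_account_key(SAMPLE_KEY[:-1], "example-project"))  # truncated key
    print(sorted(missing_permissions(SAMPLE_ROLE)))                         # ['logging.logs.list']
```

Run it against the downloaded key file's contents and the JSON from `gcloud iam roles describe` before pasting into Layer; an empty problem list and an empty missing-permission set are what you want to see. The project-ID comparison catches the common case of a key from the wrong project when several connections are being set up.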