GCP setup.

Axiom's GCP connector is live for scan + topology mapping. Reasoning + execution roll out in Q3 2026. This page documents, honestly, what works today and what is still to come.

Honest state — GCP is expanding

Live today: Service Account onboarding, project enumeration, Compute Engine + Cloud Storage + Networking + IAM scanning, topology mapping, basic drift detection.

Q3 2026: Full reasoning loop, execution plans, Terraform export, approval workflow, rollback orchestration — parity with AWS.

Subscribe at /contact for early-access invitations.

01

What works today

  • Service Account onboarding — workload identity federation preferred; JSON key supported as fallback
  • Project + folder scanning — scoped by your IAM bindings
  • Compute Engine — instances, instance groups, machine types, disks, network interfaces
  • Cloud Storage — buckets, lifecycle rules, encryption settings, public access prevention
  • Networking — VPCs, subnets, firewall rules, Cloud NAT, load balancers
  • IAM — bindings, custom roles, service accounts inventory
  • Topology mapping — GCP resources appear in /dashboard/topology
  • Basic drift detection — flagged in the activity feed

02

Onboarding (preview path)

  1. Create a Service Account in the project (or folder) you want to scan
  2. Grant roles/viewer + roles/iam.securityReviewer at the chosen scope
  3. Add a custom role for Cloud Billing read access (we provide the exact role definition)
  4. Configure workload identity federation with Axiom as the trusted issuer (no JSON key shared)
  5. Paste the Project ID + Service Account email into the Axiom onboarding wizard

If your org disallows workload identity federation, JSON key upload is supported — but the uploaded key expires and is rotated automatically every 30 days.

03 · Permissions

Expected permissions

Scan role (today):

  • roles/viewer — broad read across Compute, Storage, Networking
  • roles/iam.securityReviewer — IAM analysis read
  • Custom role for Cloud Billing read (we provide it)
  • Custom role for Cloud Audit Log read (we provide it)

Execution role (Q3 2026):

  • Separate custom roles with minimum-scope write permissions per action class
  • Approval-gated assumption — same model as AWS

04 · Roadmap

Q3 2026 roadmap

  • July 2026 — Signal engine for GCP (cost waste, security, drift, performance)
  • August 2026 — Reasoning loop adapted for GCP resource model
  • September 2026 — Execution planning + Terraform generation for GCP
  • Late Q3 2026 — Approval workflow + rollback orchestration parity with AWS

05

Security model

  • Workload identity federation preferred — no JSON key stored long-term
  • Read-only by default
  • Project/folder scoping enforced at the IAM binding level
  • Revocable instantly by removing the IAM binding or disabling the Service Account
  • All API calls captured in Cloud Audit Logs on your side
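The scan role listed under Permissions and the security model above both reduce to one check you can run on your side: does the scanner's Service Account hold only the documented read roles, and are there no long-lived JSON keys on it? The script below is an added example (not Axiom's code); it takes an IAM policy in the shape that `gcloud projects get-iam-policy --format=json` returns and a key list in the shape of `gcloud iam service-accounts keys list --format=json`. The project ID, SA email and custom role name are constructed placeholders.

```python
import json

# Predefined roles this page lists for the scan role today. The custom billing and
# audit-log read roles are project-specific, so they are reported separately.
EXPECTED_SCAN_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}
# Broad predefined roles that grant write access; a read-only scanner must not hold them.
WRITE_ROLES = {"roles/owner", "roles/editor"}


def audit_scan_sa(policy: dict, keys: list, sa_email: str) -> dict:
    """Summarise what one service account holds in a project or folder IAM policy.

    policy: dict shaped like `gcloud projects get-iam-policy --format=json`
    keys:   list shaped like `gcloud iam service-accounts keys list --format=json`
    """
    member = f"serviceAccount:{sa_email}"
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    # Custom roles are named projects/<id>/roles/<name> or organizations/<id>/roles/<name>.
    custom = {r for r in held if not r.startswith("roles/")}
    return {
        "held_roles": sorted(held),
        "missing_expected": sorted(EXPECTED_SCAN_ROLES - held),
        "write_roles": sorted(held & WRITE_ROLES),
        "unexpected_predefined": sorted(held - EXPECTED_SCAN_ROLES - WRITE_ROLES - custom),
        "custom_roles": sorted(custom),
        # USER_MANAGED keys are the long-lived JSON keys the page prefers to avoid;
        # a workload identity federation setup leaves only SYSTEM_MANAGED keys.
        "user_managed_keys": [k["name"] for k in keys if k.get("keyType") == "USER_MANAGED"],
    }


def scan_sa_is_least_privilege(findings: dict) -> bool:
    """True when the SA holds the documented read roles, nothing broader, and no JSON keys."""
    return not (findings["missing_expected"] or findings["write_roles"]
                or findings["unexpected_predefined"] or findings["user_managed_keys"])


# Constructed sample data (not a real project): the SA was granted roles/editor by
# mistake and still carries one user-managed JSON key from before federation was set up.
SA_EMAIL = "axiom-scan@example-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{"version": 1, "etag": "BwX", "bindings": [
  {"role": "roles/viewer", "members": ["serviceAccount:%s", "user:alice@example.com"]},
  {"role": "roles/iam.securityReviewer", "members": ["serviceAccount:%s"]},
  {"role": "projects/example-proj/roles/axiomBillingRead", "members": ["serviceAccount:%s"]},
  {"role": "roles/editor", "members": ["serviceAccount:%s"]}]}""" % ((SA_EMAIL,) * 4))
SAMPLE_KEYS = [
    {"name": "projects/example-proj/serviceAccounts/%s/keys/sys01" % SA_EMAIL, "keyType": "SYSTEM_MANAGED"},
    {"name": "projects/example-proj/serviceAccounts/%s/keys/usr01" % SA_EMAIL, "keyType": "USER_MANAGED"},
]

if __name__ == "__main__":
    report = audit_scan_sa(SAMPLE_POLICY, SAMPLE_KEYS, SA_EMAIL)
    print(json.dumps(report, indent=2), "\nleast privilege:", scan_sa_is_least_privilege(report))
```

Run it against the real policy and key list before completing the onboarding wizard, and again after revoking, when `held_roles` should be empty.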

Trust questions

Is GCP fully live?

Scan + topology + basic drift are live today. Reasoning + execution + approval ship Q3 2026.

Why connect now?

Topology + drift are immediately useful for multi-cloud orgs. You'll be ready when reasoning ships.

Is the GCP connection safe?

Yes — read-only at the project/folder scope you choose. Workload identity federation over JSON keys where possible.

What does Axiom store?

Resource metadata + topology graph. Never bucket contents, never database row data, never secrets.

Can I revoke?

Yes — remove the IAM binding or disable the Service Account. Axiom loses access immediately.

How do I get early access to Q3?

Subscribe at /contact?topic=gcp-preview. We invite teams in waves as each capability ships.

Need a human?

Most flows are documented — but we'll help if anything is unclear.

Talk to Vision XIX Labs