Skip to main content
Version: 0.18.0


To use driftctl, we need credentials to make authenticated requests to your GCP project.

service account

Since driftctl use Cloud Asset API, using a service account is mandatory.

Please refer to official documentation to setup a proper service account.

driftctl scan --to gcp+tf

You can use any env var from google cloud sdk environment variable.

Least privileged policy

driftctl uses Google Asset API to enumerate efficiently resources on your account. It also uses Cloud Resource Manager API to enumerate project IAM Resources. Be sure to have enabled these APIs for the GCP project you are using.


To be able to enumerate resources, you need at least the role Cloud Asset Viewer.

deep mode

If you want to use driftctl with deep mode, driftctl will also need to retrieve resource's details and the Cloud Asset Viewer will not be enough. If you want to be able to get the details you should set up the basic role Viewer on your project. To read your IAM policies you will also need role iam.securityReviewer on your project.

Required roles

# Mandatory role to allow driftctl to enumerate resources

# Required for deep mode only