Version: Next

Authentication

driftctl needs credentials to make authenticated requests to your GCP project.

Service account

Since driftctl uses the Cloud Asset API, using a service account is mandatory.

Please refer to the official documentation to set up a proper service account.

$ GOOGLE_APPLICATION_CREDENTIALS=your-creds.json \
  CLOUDSDK_CORE_PROJECT=my-project \
  driftctl scan --to gcp+tf

You can use any environment variable supported by the Google Cloud SDK.

Least privileged policy

driftctl uses the Google Cloud Asset API to efficiently enumerate resources in your account. It also uses the Cloud Resource Manager API to enumerate project IAM resources. Make sure both APIs are enabled for the GCP project you are using.

To be able to enumerate resources, you need at least the Cloud Asset Viewer role.

Required roles

# Mandatory role to allow driftctl to enumerate resources
roles/cloudasset.viewer
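
An added example (not part of the driftctl documentation): a Python check that reads a project IAM policy, as exported with `gcloud projects get-iam-policy my-project --format=json`, and reports whether the scanning service account holds the mandatory role and what it holds beyond it. The service account e-mail, the sample policy and the function name are assumptions constructed for illustration.

```python
import json

# Role this page lists as mandatory for driftctl's GCP scan.
REQUIRED_ROLES = {"roles/cloudasset.viewer"}
# Basic roles that grant far more than read-only enumeration.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def audit_service_account(policy: dict, sa_email: str) -> dict:
    """Compare the roles bound to a service account with the page's minimum."""
    member = f"serviceAccount:{sa_email}"
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a condition only applies while the condition holds,
        # so it does not count as a reliable grant of the mandatory role.
        target = conditional if binding.get("condition") else unconditional
        target.add(binding["role"])
    granted = unconditional | conditional
    return {
        "missing": sorted(REQUIRED_ROLES - unconditional),
        "conditional_only": sorted((REQUIRED_ROLES & conditional) - unconditional),
        "extra": sorted(granted - REQUIRED_ROLES),
        "broad": sorted(granted & BROAD_ROLES),
    }


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudasset.viewer",
     "members": ["serviceAccount:driftctl@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:driftctl@my-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:other@my-project.iam.gserviceaccount.com"]}
  ],
  "etag": "constructed",
  "version": 1
}
""")

if __name__ == "__main__":
    sa = "driftctl@my-project.iam.gserviceaccount.com"
    print(json.dumps(audit_service_account(SAMPLE_POLICY, sa), indent=2))
```

An empty `missing` list together with an empty `extra` list means the account matches the minimum listed on this page; anything in `broad` is worth removing before the key is used for scans.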