---
title: Onboarding GCP accounts
description: Onboard a GCP organization, folder, or project to manage its resources in PingOne Privilege with Just-In-Time (JIT) access.
component: privilege
page_id: privilege:configuration:cloud-accounts/gcp
canonical_url: https://docs.pingidentity.com/privilege/configuration/cloud-accounts/gcp.html
revdate: May 4, 2026
section_ids:
  step-1-create-a-service-account-in-gcp: "Step 1: Create a service account in GCP"
  step-2-add-the-gcp-account-to-pingone-privilege: "Step 2: Add the GCP account to PingOne Privilege"
  validation: Validation
---

# Onboarding GCP accounts

You can onboard a Google Cloud Platform (GCP) organization, folder, or project to manage its resources in PingOne Privilege with Just-In-Time (JIT) access. The process involves creating a service account with the necessary permissions in GCP, and then adding the account to PingOne Privilege.

## Step 1: Create a service account in GCP

1. In the GCP console, create a new service account.

2. Grant the service account the required IAM permissions.

   These permissions allow PingOne Privilege to discover resources and manage access. The necessary permissions depend on whether you are onboarding an organization, folder, or project:

   | Onboarding level | Required permissions |
   | ---------------- | -------------------- |
   | Organization     | **Browser**<br>**Cloud SQL Admin**<br>**Cloud SQL Client**<br>**Role Administrator**<br>**Security Admin**<br>**Viewer**<br>**Service Account Key Admin**<br>**Service Account Admin**<br>**Service Account Token Creator**<br>**Kubernetes Engine Admin**<br>**IAM Recommender Admin**<br>**AlloyDB Admin**<br>**BigQuery Data Owner** |
   | Folder           | **Browser**<br>**Cloud SQL Admin**<br>**Cloud SQL Client**<br>**Security Admin**<br>**Viewer**<br>**Service Account Key Admin**<br>**Service Account Admin**<br>**Service Account Token Creator**<br>**Kubernetes Engine Admin**<br>**IAM Recommender Admin**<br>**AlloyDB Admin**<br>**BigQuery Data Owner**<br><br>For each project in the folder, include "Role Administrator" or include "owner" permission at the top folder level. |
   | Project          | **Browser**<br>**Cloud SQL Admin**<br>**Cloud SQL Client**<br>**Role Administrator**<br>**Security Admin**<br>**Viewer**<br>**Service Account Key Admin**<br>**Service Account Admin**<br>**Service Account Token Creator**<br>**Kubernetes Engine Admin**<br>**IAM Recommender Admin**<br>**AlloyDB Admin**<br>**BigQuery Data Owner** |

3. [Create a service account key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating) for the service account and download it in JSON format. You will need this file later.

4. Enable the [Cloud Resource Manager API](https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com) in the project that contains the service account.
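
Before moving on to Step 2, you can check an exported IAM policy against the role list in the table above. The following is an added example, not code from PingOne Privilege or this page: the mapping from role display names to GCP role IDs, the function names, and the sample service account and policy are assumptions of the example.

```python
import json

# Display names from the table above mapped to GCP predefined role IDs.
# The mapping is this example's assumption; confirm the IDs in your IAM console.
BASE_ROLES = {
    "Browser": "roles/browser",
    "Cloud SQL Admin": "roles/cloudsql.admin",
    "Cloud SQL Client": "roles/cloudsql.client",
    "Security Admin": "roles/iam.securityAdmin",
    "Viewer": "roles/viewer",
    "Service Account Key Admin": "roles/iam.serviceAccountKeyAdmin",
    "Service Account Admin": "roles/iam.serviceAccountAdmin",
    "Service Account Token Creator": "roles/iam.serviceAccountTokenCreator",
    "Kubernetes Engine Admin": "roles/container.admin",
    "IAM Recommender Admin": "roles/recommender.iamAdmin",
    "AlloyDB Admin": "roles/alloydb.admin",
    "BigQuery Data Owner": "roles/bigquery.dataOwner",
}
ROLE_ADMIN = {"Role Administrator": "roles/iam.roleAdmin"}

def required_roles(level):
    """Organization and project lists include Role Administrator; the folder list does not."""
    level = level.lower()
    if level not in ("organization", "folder", "project"):
        raise ValueError(f"unknown onboarding level: {level}")
    return dict(BASE_ROLES) if level == "folder" else {**BASE_ROLES, **ROLE_ADMIN}

def missing_roles(policy, sa_email, level):
    """Display names of required roles not bound unconditionally to the service account."""
    member = f"serviceAccount:{sa_email}"
    granted = {
        b["role"] for b in policy.get("bindings", [])
        # A conditional binding may not cover every resource, so it is not counted.
        if member in b.get("members", []) and "condition" not in b
    }
    return sorted(n for n, rid in required_roles(level).items() if rid not in granted)

# Constructed sample: policy JSON shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_SA = "p1-privilege@example-project.iam.gserviceaccount.com"  # hypothetical
SAMPLE_POLICY = {"bindings": [
    {"role": rid, "members": [f"serviceAccount:{SAMPLE_SA}"]}
    for name, rid in BASE_ROLES.items() if name != "AlloyDB Admin"
] + [{"role": "roles/iam.roleAdmin", "members": [f"serviceAccount:{SAMPLE_SA}"],
      "condition": {"title": "temp", "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"}}]}

if __name__ == "__main__":
    print(json.dumps(missing_roles(SAMPLE_POLICY, SAMPLE_SA, "project")))
```

To run it against a real account, load the JSON policy exported for the organization, folder, or project you are onboarding and pass it in place of `SAMPLE_POLICY`.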

## Step 2: Add the GCP account to PingOne Privilege

1. In the PingOne Privilege admin console, go to **Cloud > Clouds**.

2. Click **Add Account Wizard**.

3. Click the **GCP icon**.

4. Select whether you are onboarding an **Organization**, **Folder**, or **Project**. Click **Next**.

5. Enter the **Provider ID** (this is your Organization ID, Folder ID, or Project ID). Click **Next**.

6. Upload or paste the content of the JSON service account key file you downloaded earlier. Click **Next**.

7. Verify the account details are correct and click **Verify And Add**.

## Validation

After adding the account, go to the **Cloud > Clouds** page in the PingOne Privilege admin console. Your new GCP account should be listed with a **Verified** status. You can click on the account to see the discovered resources.
