GCP CIEM connector with Client Credentials does not aggregate Google Cloud Service Accounts

psalat8887100 · May 7, 2026, 10:53am

Hello,

I am working on a Google Cloud / Google Workspace integration with SailPoint Identity Security Cloud and CIEM.

Current configuration:

Integration mode: Client Credentials
Enabled APIs:
- Admin SDK API
- Groups Settings API
- Identity and Access Management IAM API
- Cloud Resource Manager API
- Cloud Asset API
OAuth scopes currently configured:
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/apps.groups.settings
https://www.googleapis.com/auth/admin.directory.rolemanagement
https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly
https://www.googleapis.com/auth/cloud-platform
https://www.googleapis.com/auth/iam
https://www.googleapis.com/auth/admin.directory.domain

The Google Workspace user used to generate and authorize the refresh token has elevated admin roles, including User Management Admin, Group Admin and Super Admin.

The Google Workspace user used to generate and authorize the refresh token has elevated admin roles, including User Management Admin, Group Admin and Super Admin.

The connector is not aggregating Google Cloud service accounts, for example the service accounts visible in Google Cloud Console under IAM & Admin > Service Accounts

From the SailPoint CIEM GCP documentation, it looks like CIEM requires the Google Workspace SaaS connector to use Service Account as the Grant Type, and Client Credentials is not supported for CIEM. The same documentation also lists GCP organization-level permissions such as:

iam.serviceAccounts.list
iam.serviceAccounts.getIamPolicy
cloudasset.assets.searchAllResources
cloudasset.assets.searchAllIamPolicies
resourcemanager.projects.list
resourcemanager.projects.get

Can someone confirm the following?

Is it expected that GCP service accounts are not aggregated when the Google Workspace / GCP configuration uses Client Credentials?
To aggregate Google Cloud service accounts with CIEM, is Service Account grant type mandatory?
Should Google Cloud service accounts appear as account objects in the Google Workspace/GCP source, or are they only used by CIEM for cloud access/effective access visibility?
Are Google Workspace admin roles such as Super Admin, User Management Admin and Group Admin relevant for reading GCP service accounts, or is the required access controlled only through GCP IAM permissions assigned to the SailPoint service account?
Is the recommended configuration to create a GCP service account, assign the required custom GCP role at organization scope, configure domain-wide delegation for the Workspace part, and use the service account JSON key in the connector?

Thanks in advance for your support.

Looking forward to receiving a feedback.

Kind Regards,

Paolo

Topic		Replies	Views
GCP integration permissions ISC Discussion and Questions aggregation , identity-security-cloud , connectors	2	185	October 19, 2024
New Capability: New Google Workspace SaaS Connector is now LIVE! Product News saas-connector , identity-security-cloud , new-capability	5	522	December 27, 2025
Filtering entitlements for Google Cloud (G Suite Connector) ISC Discussion and Questions identity-security-cloud , entitlements	4	266	August 3, 2024
G suite service accounts IIQ Discussion and Questions aggregation , identityiq , connectors	3	46	March 11, 2025
Aggregate GCP Roles Using IDN G Suite Source ISC Discussion and Questions aggregation , identity-security-cloud , roles	2	262	March 24, 2024

GCP CIEM connector with Client Credentials does not aggregate Google Cloud Service Accounts

Related topics