Google Cloud Platform Integration

Netanel Hugi

Overview

Torii integrates with Google Cloud Platform and syncs:

  • Users — IAM principals (human users and service accounts) referenced in role bindings on a GCP organization or project.
  • Roles — per-user role assignment, aggregated across all role bindings.
  • Multi-account support: you can connect multiple GCP accounts to Torii to cover more organizations and projects.
  • The current list of synced fields is kept in Torii itself: open the Integrations page, click the Integration Capabilities button, and check the Integration Capabilities table.

Requirements

Accounts & Permissions

  • A Google Cloud account with permission to create service accounts and grant IAM roles.
  • A Google Cloud service account, granted these IAM roles at the chosen scope:
    • roles/iam.securityReviewer — read IAM policy bindings (always required).
    • roles/resourcemanager.organizationViewer — read the organization display name; also grants Cloud Identity access for group expansion (organization scope only).
    • roles/viewer — read the project display name (project scope only).
  • Grant the service account the Groups Reader admin role in the Google Workspace Admin Console (regardless of scope).

Required keys

  • Sync Scope: Organization or Project.
  • GCP Organization ID (if Organization scope) — numeric, e.g. 123456789012.
  • GCP Project ID (if Project scope) — e.g. my-project-id.
  • Service Account Email — ends in .iam.gserviceaccount.com.
  • Service Account Private Key — the private_key field from the downloaded JSON key file.

How to Generate the Required Values

Step 1: Enable the required Google Cloud APIs

Enable the following APIs on the Google Cloud project that will host the service account. If any are disabled, the Torii sync will return 403 errors even with valid credentials.

Open each API's Library page below, select the project that will host the service account, and click Enable:

Step 2: Create a service account

  1. Go to https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create.
  2. Select your Google Cloud project.
  3. Enter a service account name (e.g. torii-gcp).
  4. Click Create and continue, skip role assignment, click Done.

Step 3: Create and download a JSON key

  1. In the Service Accounts list, click the email of the service account you just created.
  2. Open the Keys tab.
  3. Click Add key → Create new key.
  4. Choose JSON and click Create.
  5. From the downloaded JSON file, copy client_email (Service Account Email) and private_key (Service Account Private Key).

Important
The private key can only be downloaded once. Store the JSON file securely; if it is lost, delete the old key and create a new one. The key is a long-lived credential that carries every role granted to the service account, so treat it like a password: keep it out of tickets and chat, and rotate it (create a new key, update Torii, then delete the old one) on your normal schedule.
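A common cause of a failed connection is a mangled private_key value: a paste that kept the JSON quotes, turned newlines into literal backslash-n sequences, or cut the PEM block short. The following script is an added example (not Torii's or Google's code) that loads a key file, pulls out the two values Torii asks for, and checks their shape before you paste them. The embedded key file is constructed for illustration: its field names match the real key-file format, but the private_key body is a five-byte ASN.1 stub, not real key material, and the email and project id are placeholders.

```python
"""Sanity-check a downloaded service-account JSON key before pasting its
fields into Torii.  Added example, not Torii's or Google's code.  The
embedded key file is constructed: its private_key body is a 5-byte ASN.1
stub, not real key material."""
import base64
import json
import re

# Constructed stand-in for the file Step 3 downloads.  Field names match the
# real Google key-file format; the values are placeholders.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "my-project-id",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
    "client_email": "torii-gcp@my-project-id.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Service-account addresses always end in .iam.gserviceaccount.com (see the
# Required keys list); the local part and project id are lowercase letters,
# digits and hyphens.
SA_EMAIL_RE = re.compile(r"^[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def normalize_private_key(raw: str) -> str:
    """Undo the two common copy/paste manglings of the private_key value.

    json.loads already turns the file's \\n escapes into real newlines, but
    someone who copies the quoted string straight out of the file gets the
    literal two-character sequence backslash-n plus surrounding quotes.
    """
    return raw.strip().strip('"').replace("\\n", "\n").strip() + "\n"


def check_private_key(pem: str) -> bytes:
    """Structural check of a PKCS#8 PEM block; returns the decoded DER.

    Catches truncated or double-escaped pastes (the usual cause of an
    'invalid key' error) but does not prove the bytes are a usable RSA key.
    """
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("private_key is not a complete PKCS#8 PEM block")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("private_key body is not valid base64") from exc
    if not der or der[0] != 0x30:  # 0x30 is the DER SEQUENCE tag
        raise ValueError("private_key body does not decode to ASN.1 DER")
    return der


def extract_torii_values(key_file_json: str) -> dict:
    """Return the Service Account Email and Private Key that Torii asks for,
    plus the project id, after validating each field."""
    data = json.loads(key_file_json)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    email = data["client_email"]
    if not SA_EMAIL_RE.match(email):
        raise ValueError(f"unexpected client_email: {email}")
    pem = normalize_private_key(data["private_key"])
    check_private_key(pem)
    return {
        "service_account_email": email,
        "service_account_private_key": pem,
        "project_id": data["project_id"],
    }


if __name__ == "__main__":
    values = extract_torii_values(SAMPLE_KEY_FILE)
    # Never print the key itself; it is a long-lived credential.
    print("email:", values["service_account_email"])
    print("key:", len(values["service_account_private_key"]), "chars, PEM OK")
```

Run it against your real key file by replacing SAMPLE_KEY_FILE with the file's contents; a ValueError names the field that is malformed. The check is deliberately structural so it can run without any cryptography library, and it never echoes the key.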

Step 4: Grant IAM roles

For Organization scope:

  1. Go to https://console.cloud.google.com/iam-admin/iam and select your organization in the top resource picker.
  2. Click Grant Access, paste the service account email, add roles Security Reviewer and Organization Viewer, click Save.

For Project scope:

  1. Go to https://console.cloud.google.com/iam-admin/iam and select the target project.
  2. Click Grant Access, paste the service account email, add roles Security Reviewer and Viewer, click Save.
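Two passages above come together in one check: the Overview says Torii aggregates per-user roles across all role bindings, and Step 4 grants the service account a fixed set of roles. The script below is an added example, not Torii's sync code. It inverts a getIamPolicy response (the IAM v1 Policy shape, role then members) into roles per principal, lists the group principals whose members only become visible through the Groups Reader role, and then compares what the Torii service account actually holds against the roles this page requires for the chosen scope. The policy, service account address and etag are constructed placeholders.

```python
"""Aggregate GCP IAM bindings into per-principal role sets and check what a
Torii service account has actually been granted.  Added example, not
Torii's sync code.  SAMPLE_POLICY is a constructed getIamPolicy response
in the IAM v1 Policy shape; addresses and etag are placeholders."""
from collections import defaultdict

TORII_SA = "serviceAccount:torii-gcp@my-project-id.iam.gserviceaccount.com"

# Roles the Requirements section asks for, per Sync Scope.
REQUIRED_ROLES = {
    "organization": {"roles/iam.securityReviewer",
                     "roles/resourcemanager.organizationViewer"},
    "project": {"roles/iam.securityReviewer", "roles/viewer"},
}

# Constructed policy: Alice holds two roles across two bindings, a group is
# bound (its human members only appear after expansion, hence Groups
# Reader), a deleted principal lingers, and the Torii account has been
# over-granted roles/editor.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXa1b2c3d4=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": [
            "user:alice@example.com", "group:devs@example.com", TORII_SA]},
        {"role": "roles/iam.securityReviewer", "members": [TORII_SA]},
        {"role": "roles/editor", "members": [TORII_SA]},
        {"role": "roles/logging.viewer",
         "members": ["deleted:user:bob@example.com?uid=1234"]},
    ],
}


def principal_type(member: str) -> str:
    """IAM members are '<type>:<id>'; 'deleted:' prefixes a former principal."""
    if member.startswith("deleted:"):
        return "deleted"
    return member.split(":", 1)[0]


def aggregate_roles(policy: dict, include_deleted: bool = False) -> dict:
    """Invert bindings (role -> members) into member -> set of roles.

    Policy version 3 bindings may carry a 'condition'; this treats them as
    unconditional, which overstates access while a condition is in force.
    """
    roles_by_member = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            if principal_type(member) == "deleted" and not include_deleted:
                continue
            roles_by_member[member].add(binding["role"])
    return dict(roles_by_member)


def groups_needing_expansion(policy: dict) -> set:
    """Group principals whose members are only visible with Groups Reader."""
    return {m for m in aggregate_roles(policy) if principal_type(m) == "group"}


def check_torii_grants(policy: dict, sa_member: str, scope: str) -> tuple:
    """Return (missing, extra) roles for the Torii service account at a scope.

    Extra roles are a least-privilege finding: Torii only reads policy and
    display names, so anything beyond REQUIRED_ROLES should be removed.
    """
    granted = aggregate_roles(policy).get(sa_member, set())
    required = REQUIRED_ROLES[scope]
    return required - granted, granted - required


if __name__ == "__main__":
    for member, roles in sorted(aggregate_roles(SAMPLE_POLICY).items()):
        print(f"{principal_type(member):>15}  {member}: {sorted(roles)}")
    print("groups to expand:", sorted(groups_needing_expansion(SAMPLE_POLICY)))
    missing, extra = check_torii_grants(SAMPLE_POLICY, TORII_SA, "project")
    print("project scope: missing", sorted(missing), "extra", sorted(extra))
```

To use it on a real scope, feed in the JSON from the Cloud Console's IAM policy export or the getIamPolicy API and set TORII_SA to your service account. A non-empty "missing" set explains 403 errors during sync; a non-empty "extra" set (here roles/editor) is a grant to revoke, since the integration needs read access only.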

Step 5: Grant Groups Reader admin role (Workspace)

Whether you connect at Organization or Project scope, grant the service account the Groups Reader admin role in your Google Workspace Admin Console.

  1. Sign in to https://admin.google.com as a Google Workspace super admin.
  2. Go to Account → Admin roles → Groups Reader.
  3. Click Admins → Assign service accounts.
  4. Paste the service account email, click Add → Assign role.

Step 6: Find your Organization ID / Project ID

  • Cloud Console → resource picker (top bar) → hover your org or project; the numeric Organization ID or textual Project ID appears next to the name.

How to Connect the Integration

  1. Go to the Integrations page in Torii.
  2. Search for Google Cloud Platform and click Connect.
  3. Choose the Sync Scope (Organization or Project).
  4. Enter the GCP Organization ID or GCP Project ID accordingly.
  5. Enter the Service Account Email and Service Account Private Key.
  6. Click Connect.

Additional Notes

  • One connection covers either one organization or one project — Torii does not iterate child projects from an org-scoped connection. Use multiple connections (multi-account support) to cover more scopes.


For any further questions, please contact Torii Support.
