GCP Cloud Logging monitors ingest Google Cloud audit logs through Pub/Sub push delivery. Each monitor is scoped to one GCP project, so webhook delivery, OIDC verification, and signal rules stay bound to that project.

Setup options

Use guided setup when possible. Clarion will create or update the Pub/Sub topic, log sink, push subscription, OIDC signer, and IAM grants for the selected project. Use manual setup when you need to provision GCP resources yourself. Clarion will show the monitor webhook URL and ask you to save the Pub/Sub subscription resource plus the OIDC service account metadata.

Runtime credentials

Before agent tools can investigate GCP alerts, configure runtime credentials on the GCP integration page. These credentials authenticate Clarion’s outbound GCP API calls. The runtime credential project is separate from the monitored project: add a GCP Cloud Logging monitor for each project you want to ingest, then grant the runtime service account the required roles in that target project.

Guided setup uses Keyless via Workload Identity Federation (WIF) by default when Clarion’s central GCP bridge is configured. This creates or reuses the clarion-agent service account and grants Clarion’s central bridge service account permission to impersonate it, storing only non-secret metadata (no private key). Use JSON service account key mode only for local development or as a fallback.

Guided setup

  1. Go to Integrations > GCP.
  2. Connect runtime credentials if they are not already configured. Guided setup will prefer keyless WIF on Vercel.
  3. Add a GCP Cloud Logging monitor.
  4. Choose Run guided setup.
  5. Select the GCP project to monitor.
  6. Approve the setup steps and save the monitor.
Clarion seeds a curated managed Admin Activity signal-rule set for the monitor, including IAM, logging, storage, KMS, Secret Manager, GKE, Cloud Run, Cloud Functions, Cloud SQL, and network/perimeter detections. The catch-all template remains available for explicit testing or heavily pre-filtered sinks, but it is not enabled by default.

Manual setup

  1. Create or open a GCP Cloud Logging monitor in Clarion.
  2. Copy the monitor webhook URL.
  3. In Google Cloud, route Cloud Logging entries to a Pub/Sub topic with a log sink.
  4. Grant the log sink writer identity roles/pubsub.publisher on the topic.
  5. Create a Pub/Sub push subscription that targets the monitor webhook URL.
  6. Enable OIDC authentication on the push subscription.
  7. Save these values on the monitor:
    • GCP project ID
    • Pub/Sub subscription resource
    • OIDC service account email
    • OIDC client ID, if configured
The OIDC token audience must match the webhook URL shown by Clarion.
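The receiving side of the manual setup above has two checks to get right: the OIDC token's audience and service account must match what the monitor saved, and the push must come from the saved subscription resource. The following is an added illustration, not Clarion's own code; the webhook URL, subscription, service account email and audit entry are constructed sample values, and token signature verification is assumed to have happened already.

```python
import base64
import json

# Constructed values standing in for what the monitor stores in Clarion.
WEBHOOK_URL = "https://clarion.example/webhooks/gcp/monitor-123"  # also the OIDC audience
SUBSCRIPTION = "projects/example-project/subscriptions/clarion-push"
PUSH_SA_EMAIL = "clarion-push@example-project.iam.gserviceaccount.com"

def check_push_claims(claims, audience=WEBHOOK_URL, sa_email=PUSH_SA_EMAIL, client_id=None):
    """Bind a push request to this monitor using the OIDC token's claims.
    Assumes the signature was already verified against Google's public keys
    (e.g. google-auth's id_token.verify_oauth2_token); only claims are checked here."""
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        return False
    if claims.get("aud") != audience:  # audience must equal the monitor webhook URL
        return False
    if claims.get("email") != sa_email or claims.get("email_verified") is not True:
        return False
    if client_id is not None and claims.get("azp") != client_id:  # optional OIDC client ID
        return False
    return True

def parse_push_body(body, subscription=SUBSCRIPTION):
    """Reject pushes from other subscriptions and return the Admin Activity fields
    a signal rule keys on; None for entries that are not audit logs."""
    envelope = json.loads(body)
    if envelope.get("subscription") != subscription:
        raise ValueError("push from unexpected subscription: %r" % envelope.get("subscription"))
    entry = json.loads(base64.b64decode(envelope["message"]["data"]))
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != "type.googleapis.com/google.cloud.audit.AuditLog":
        return None
    return {
        "log_name": entry.get("logName"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "resource": payload.get("resourceName"),
    }

# Constructed sample: one Admin Activity entry (IAM policy change) as Pub/Sub would push it.
SAMPLE_ENTRY = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                     "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                     "authenticationInfo": {"principalEmail": "admin@example.com"},
                     "resourceName": "projects/example-project"}}
SAMPLE_BODY = json.dumps({"subscription": SUBSCRIPTION, "message": {
    "messageId": "1", "data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()}})
```

A push whose token carries a different audience (for example the webhook URL of another monitor) or a different service account email is rejected before the body is parsed, which is why the saved OIDC metadata must match the subscription exactly.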

Multiple projects

Create one active GCP Cloud Logging monitor per workspace/project pair. Reuse the same runtime credentials, then run guided setup or apply manual IAM grants for each target project.