GCP SQL - User Guide

In this article, you will understand step by step how to easily integrate with GCP SQL

GCP SQL monitors your SQL databases and validates that they are encrypted. The storage of sensitive information should be encrypted and backed up as key criteria when checking security and availability in the SOC 2 framework.


All the permissions that are required for the integration with GCP SQL are read-only permissions and do not allow Scytale to perform any actions within your GCP account.

  • cloudsql.instances.list
  • cloudsql.backupRuns.list 

How to connect GCP SQL integration?

Before connecting to GCP SQL, the following links must be enabled in Google API:

  1. https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview
  2. https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview
  3. https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview


Step 1: Create a role within the GCP Console

  • Log in to GCP Console
  • Select IAM & Admin
  • Select Roles.
  • Click on "Create Role" - create a custom role for Scytale with the relevant permissions for the integration.
  • Fill in the details:
    Title - SQL Scytale Role
    ID - ScytaleSQL

  • Select "Add Permissions", click on the specific permissions and add them:

      • cloudsql.instances.list
      • cloudsql.backupRuns.list
  • As shown in the image below, once all permissions have been added, a list of the assigned permissions will appear.

Click on "Create"




Step 2: Create service account within GCP Console

  • Go to IAM & Admin
  • Select Service Accounts
  • Click on "Create service account"

  • Fill in the details:

    • Phase 1 - Service account details

      Service account name - scytale_sql
      Service account ID - after writing the service account name, this field is automatically filled in
      Click "Create and continue"

    • Phase 2 - Grant service account access to role

      Select the role that you created in the previous step above (SQL Scytale Role)
      Click "Continue"

    • Phase 3 - Grant users access to this service account (optional)
      No need to fill

  • Click on "Done"


Step 3: Generate JSON file

  • Go to IAM & Admin
  • Select Service Accounts. You can see the list of all the service accounts that you have
  • Select the service account that you created in the previous step - scytale_sql
  • Go to the "Keys" tab
  • Click on "Add Key" and select the "Create new key" option

  • In "Key type", select JSON and "Create"

Copy the following fields from the JSON that was downloaded:

  • client email -  please copy without ""
  • private_key - Verify that you included all key values, including "-----BEGIN PRIVATE KEY-----  n-----END PRIVATE KEY-----\n"
  • project_id - please copy without ""



Step 4: Log in to the Scytale web app

  • Click on the "Integrations" menu screen to the left.

  • Click on the "Connect" button under the GCP SQL icon.

  • Paste the generated keys from the JSON file (see step 3 above) from the GCP Console: Client Email, Private Key, Project ID
  • Connection Name - is used to differentiate between your connections.
    For instance, if you manage multiple accounts or would like to connect multiple times to the integration. It's automatically titled (Connection 1,2,3 etc), but you can change it to a custom name to make it easier to identify.
    For example: scytale-production-env.
  • Click on Connect