Discovering hosts in GCP by using IAP

You can perform a detailed discovery of Google Compute Engine hosts running in Google Cloud Platform (GCP) by using Identity-Aware Proxy (IAP) and Identity Access Management (IAM). This discovery process does not require a direct SSH connection.

BMC Helix Discovery has previously been able to scan hosts in GCP, but it required a direct SSH connection from BMC Helix Discovery. Also, the discovery was limited to hosts with a public IP address and required SSH ports, host credentials, key pairs, or passwords.

BMC Helix Discovery uses a Google credential to access IAM and IAP. IAM authenticates users by using the Google credential, and if they have the correct role, then IAP returns the hosts that are permitted to be accessed by using that credential. BMC Helix Discovery creates implicit scans to discover those hosts. IAP then creates a tunnel to the host, by using port 22 (SSH) for Linux hosts, and ports 5985/5986 (PowerShell HTTP/HTTPS) for Windows hosts. Your project's firewall must allow traffic on these ports between IAP and the target hosts.

The Google credential is not used to authenticate with the hosts. For authentication purposes, generated SSH keys are used for Linux hosts, and one-time passwords are used for Windows hosts.

Discovering hosts in GCP by using IAP provides the following advantages:

  • You can discover your entire GCP estate by using your existing GCP credentials. There are no additional credentials to manage.
  • Irrespective of how your GCP deployment's network is segmented, a single GCP IAM credential enables you to discover all of your GCP estate.
  • There is no requirement for an SSH configuration and GCP host key pairs.

When you discover hosts in GCP by using IAP, the target is known to be hosted in GCP, so cloud detection is disabled and only the appropriate GCP methods are used. In a normal IP scan of a host, cloud detection is used to determine whether the target is cloud hosted, and if so, to detect the cloud provider. 

If the target host cannot be accessed by using the IAP key or a one-time password, BMC Helix Discovery attempts to match an existing credential. When hosts are discovered through IAP by using an existing credential, the hosts do not need a public IP address.

GCP IAM and IAP overview

GCP IAM is a GCP service that enables you to create and manage permissions for all of your Google Cloud resources.

GCP Identity-Aware Proxy (IAP) is an authorization service that enables you to manage HTTPS access to applications running in GCP. IAP requires you to use signed headers or the App Engine standard environment Users API.

Before you begin

Before you can discover hosts by using IAP, you must configure the correct permissions in the IAP console. Assign the following permissions for the service account that you use for discovery:

  • compute.projects.setCommonInstanceMetadata
  • iam.serviceAccounts.actAs

The IAP-secured Tunnel User role has these permissions and more. This role is suitable for discovering hosts by using IAP, though you might choose to configure a more restricted role.

The permissions are checked when you test the discovery credentials, and any missing permissions are indicated.

Firewall rules

You must configure the GCP firewall to allow IAP to reach your hosts. The following ports are required:

  • SSH — TCP/22
  • PowerShell/HTTP — TCP/5985
  • PowerShell/HTTPS — TCP/5986

If you use custom ports to run SSH, for example, then you can configure BMC Helix Discovery to use those ports. For more information, see Configuring discovery settings.
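The page says that BMC Helix Discovery checks the service-account permissions when you test the credential and that the GCP firewall must let IAP reach the discovery ports. The following added example (not BMC Helix Discovery code, and not a GCP API) models both checks offline so you can see what a missing permission or a missing firewall rule looks like before running a discovery. The firewall rule dictionaries mirror the field names of the Compute Engine `firewalls` resource (`allowed`, `sourceRanges`, `direction`) but are constructed sample data; the IAP TCP-forwarding source range 35.235.240.0/20 is Google's documented range, and the `custom_ports` parameter is a hypothetical way to substitute the custom SSH port mentioned above.

```python
"""Offline pre-flight check for the IAP-based discovery prerequisites (added example)."""
import ipaddress

# Permissions the page lists for the discovery service account.
REQUIRED_PERMISSIONS = {
    "compute.projects.setCommonInstanceMetadata",
    "iam.serviceAccounts.actAs",
}

# Ports the page lists: SSH, PowerShell/HTTP, PowerShell/HTTPS.
REQUIRED_PORTS = {22: "SSH", 5985: "PowerShell/HTTP", 5986: "PowerShell/HTTPS"}

# Google's documented source range for IAP TCP forwarding.
IAP_SOURCE_RANGE = ipaddress.ip_network("35.235.240.0/20")


def missing_permissions(granted):
    """Return the required permissions that are absent from `granted`, sorted."""
    return sorted(REQUIRED_PERMISSIONS - set(granted))


def _expand_ports(spec):
    """Expand a Compute API port spec such as '22' or '5985-5986' into a set of ints."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def ports_allowed_from_iap(rules, custom_ports=None):
    """Return the required ports that some enabled INGRESS allow-rule opens to the IAP range.

    `rules` is a list of firewall-rule dicts in the Compute API shape.
    `custom_ports` (hypothetical) replaces the default port set, e.g. {2222}
    when SSH runs on a custom port configured in BMC Helix Discovery.
    """
    wanted = set(custom_ports or REQUIRED_PORTS)
    allowed = set()
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if "allowed" not in rule:
            continue  # a 'denied' rule never grants access
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        # The whole IAP range must sit inside one of the rule's IPv4 source ranges.
        if not any(src.version == 4 and IAP_SOURCE_RANGE.subnet_of(src) for src in sources):
            continue
        for entry in rule["allowed"]:
            if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
                continue
            ports = entry.get("ports")
            if ports is None:  # no 'ports' key means every port of that protocol
                allowed |= wanted
                continue
            for spec in ports:
                allowed |= _expand_ports(spec) & wanted
    return allowed


def missing_ports(rules, custom_ports=None):
    """Return the required ports that no rule opens to IAP, sorted."""
    wanted = set(custom_ports or REQUIRED_PORTS)
    return sorted(wanted - ports_allowed_from_iap(rules, custom_ports))


# Constructed sample data: a service account missing actAs, and a project whose
# firewall lets IAP reach SSH but exposes the PowerShell ports only internally.
SAMPLE_PERMISSIONS = ["compute.projects.setCommonInstanceMetadata", "compute.instances.get"]
SAMPLE_RULES = [
    {
        "name": "allow-iap-ssh", "direction": "INGRESS",
        "sourceRanges": ["35.235.240.0/20"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    },
    {
        "name": "allow-internal-winrm", "direction": "INGRESS",
        "sourceRanges": ["10.0.0.0/8"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["5985-5986"]}],
    },
]
# The same project after adding a rule that opens the PowerShell ports to IAP.
FIXED_RULES = SAMPLE_RULES + [
    {
        "name": "allow-iap-winrm", "direction": "INGRESS",
        "sourceRanges": ["35.235.240.0/20"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["5985-5986"]}],
    },
]

if __name__ == "__main__":
    print("missing permissions:", missing_permissions(SAMPLE_PERMISSIONS))
    print("ports not reachable from IAP:", missing_ports(SAMPLE_RULES))
    print("after fix:", missing_ports(FIXED_RULES))
```

The source-range test deliberately requires the entire IAP range to be covered rather than any overlap, because a rule that covers only part of 35.235.240.0/20 would let some tunnels through and silently drop others; a real pre-flight check should fail that case rather than pass it.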

To discover Compute Engine hosts by using IAP

To discover Compute Engine hosts by using IAP, enable Identity-Aware Proxy Sessions when you add a new Google Cloud Platform discovery run.

Scope

For IP addresses scanned through GCP by using IAP, the scope of an IP address is set as the default network.
