
Google Cloud Platform Configuration

Configuring A Google Cloud Platform Data Source In Coordimap

This guide explains how to configure the Coordimap agent to crawl resources in a Google Cloud project. With the GCP crawler in place, Coordimap can discover infrastructure such as Compute Engine instances, VPC networks, Cloud SQL instances, load balancers, and other project-scoped assets.

For GCP, the most important identity rule is simple: use the project number as scope_id. Do not use the project ID and do not use the Coordimap data_source_id.

Prerequisites

Before configuring the agent, make sure you have:

  1. Installed the Coordimap agent in an environment that can reach Google Cloud APIs.
  2. Added the GCP data source in the Coordimap UI so you have a data_source_id.
  3. Created a service account key with read-only access to the project being crawled.

Find The Correct scope_id

Use the GCP project number:

gcloud projects describe PROJECT_ID --format='value(projectNumber)'

The project_id option (which tells the crawler which project's APIs to query) takes the project ID rather than the number; print it the same way:

gcloud projects describe PROJECT_ID --format='value(projectId)'

Project ID vs project number

project_id tells the crawler which GCP project to query. scope_id tells Coordimap what stable upstream identity owns the discovered assets. For GCP, that stable identity is the project number.

Configuration File Structure

coordimap:
  api_key: ${COORDIMAP_API_KEY}
  data_sources:
    - type: gcp
      data_source_id: <YOUR_DATASOURCE_ID_FROM_UI>
      config:
        - name: scope_id
          value: "<GCP_PROJECT_NUMBER>"
        - name: credentials_file
          value: "/path/to/your/gcp-service-account-key.json"
        - name: project_id
          value: "your-gcp-project-id"
        - name: crawl_interval
          value: "5m"
        - name: gcp_flows
          value: "false"
        - name: external_mappings
          value: "europe-west1-my-gke-cluster@<KUBERNETES_CLUSTER_UID>"

Configuration Options Explained


Visualizing Network Flows With VPC Flow Logs

To visualize communication paths between GCP resources, enable VPC Flow Logs on the relevant subnets and set gcp_flows to "true".

If you map those flows to Kubernetes workloads, the mapping must reference the Kubernetes cluster UID used as that cluster's scope_id. That is what lets Coordimap join GCP flow records and Kubernetes resources into the same graph.

Understanding external_mappings

external_mappings tells Coordimap how a value seen in flow telemetry should map to another scoped identity.

Format:

<mapping-key>@<mapping-value>

For GCP, that often looks like this:

europe-west1-my-gke-cluster@6f5f56e3-0123-4567-89ab-6c8f1e2a0cde

In that example:

  • europe-west1-my-gke-cluster is the value seen in GCP flow metadata
  • 6f5f56e3-0123-4567-89ab-6c8f1e2a0cde is the Kubernetes cluster UID used as the Kubernetes scope_id

You can define multiple mappings as a space-separated list when needed.
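The two identity rules on this page (scope_id is the GCP project number, never the project ID or the Coordimap data_source_id; external_mappings is a space-separated list of <mapping-key>@<mapping-value> entries whose value is the Kubernetes cluster UID) are easy to get wrong in a hand-edited YAML file. The following pre-flight check is an added example, not Coordimap's own code: it takes the gcp data source entry as the plain dict a YAML loader would produce and reports each violation. The value shapes it assumes are not stated by this page: a project number is all digits, a project ID is lowercase letters, digits and hyphens, and a cluster UID is a UUID. The sample configurations at the bottom are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed value shapes (this page does not define them): GCP project numbers are
# numeric, project IDs are lowercase/digits/hyphens, Kubernetes cluster UIDs are UUIDs.
PROJECT_NUMBER_RE = re.compile(r"^\d+$")
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


@dataclass
class Validation:
    errors: list = field(default_factory=list)
    mappings: dict = field(default_factory=dict)

    @property
    def ok(self) -> bool:
        return not self.errors


def options_to_dict(config: list) -> dict:
    """Flatten the `config:` list of {name, value} items into a dict of strings."""
    return {item["name"]: str(item["value"]) for item in config}


def parse_external_mappings(raw: str) -> dict:
    """Parse a space-separated list of <mapping-key>@<mapping-value> entries."""
    mappings = {}
    for entry in raw.split():
        if entry.count("@") != 1:
            raise ValueError(f"malformed mapping {entry!r}: expected <key>@<value>")
        key, value = entry.split("@")
        if not key or not value:
            raise ValueError(f"malformed mapping {entry!r}: empty key or value")
        if key in mappings:
            raise ValueError(f"duplicate mapping key {key!r}")
        mappings[key] = value
    return mappings


def validate_gcp_data_source(ds: dict) -> Validation:
    """Check one `data_sources` entry of type gcp against the rules in this guide."""
    result = Validation()
    if ds.get("type") != "gcp":
        result.errors.append("type must be 'gcp'")
    opts = options_to_dict(ds.get("config", []))
    scope_id = opts.get("scope_id", "")
    data_source_id = str(ds.get("data_source_id", ""))

    # scope_id must be the project NUMBER: not the data_source_id, not the project ID.
    if not scope_id:
        result.errors.append("scope_id is required")
    elif scope_id == data_source_id:
        result.errors.append("scope_id must not be the Coordimap data_source_id")
    elif PROJECT_ID_RE.match(scope_id):
        result.errors.append(f"scope_id {scope_id!r} looks like a project ID; use the project number")
    elif not PROJECT_NUMBER_RE.match(scope_id):
        result.errors.append(f"scope_id {scope_id!r} is not a numeric project number")

    if not PROJECT_ID_RE.match(opts.get("project_id", "")):
        result.errors.append("project_id must be the GCP project ID")
    if not opts.get("credentials_file"):
        result.errors.append("credentials_file is required")
    if opts.get("gcp_flows", "false") not in ("true", "false"):
        result.errors.append("gcp_flows must be \"true\" or \"false\"")

    raw = opts.get("external_mappings", "")
    if raw:
        try:
            result.mappings = parse_external_mappings(raw)
        except ValueError as exc:
            result.errors.append(str(exc))
        # Each mapping value must be the cluster UID used as that cluster's scope_id.
        for key, value in result.mappings.items():
            if not UUID_RE.match(value):
                result.errors.append(f"mapping {key!r}: {value!r} is not a Kubernetes cluster UID")
    return result


# Constructed samples mirroring the YAML on this page (values are placeholders).
SAMPLE_GOOD = {
    "type": "gcp",
    "data_source_id": "ds-0001",
    "config": [
        {"name": "scope_id", "value": "123456789012"},
        {"name": "credentials_file", "value": "/path/to/your/gcp-service-account-key.json"},
        {"name": "project_id", "value": "your-gcp-project-id"},
        {"name": "crawl_interval", "value": "5m"},
        {"name": "gcp_flows", "value": "true"},
        {"name": "external_mappings",
         "value": "europe-west1-my-gke-cluster@6f5f56e3-0123-4567-89ab-6c8f1e2a0cde"},
    ],
}
# The common mistake: the project ID pasted into scope_id.
SAMPLE_BAD = dict(SAMPLE_GOOD, config=[
    dict(item, value="your-gcp-project-id") if item["name"] == "scope_id" else item
    for item in SAMPLE_GOOD["config"]
])

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        check = validate_gcp_data_source(sample)
        print(name, "ok" if check.ok else check.errors, check.mappings)
```

Run it against a loaded data source entry before starting the agent; a misconfigured scope_id otherwise surfaces only later, as GCP assets and Kubernetes resources that never join into one graph.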

Learn how to enable and configure flow logs here: Google Cloud Platform Flow Logs Configuration.
