Export Data to a Google Cloud Storage Bucket

Set up continuous export of assets and vulnerabilities from Mondoo to a Google Cloud Storage bucket using a service account key or Workload Identity Federation (WIF).

Export your Mondoo security data to a Google Cloud Storage bucket for long-term retention, custom reporting, or integration with your GCP data pipeline. Once configured, Mondoo automatically exports assets and vulnerabilities approximately every 24 hours.

Requirements

A GCP project
The GCP CLI (gcloud) installed
Editor or Owner access to the Mondoo space from which you want to export data

Create a Cloud Storage bucket

Your Cloud Storage integration needs a bucket to which to export data. To learn about buckets, read About Cloud Storage buckets in the Google documentation.

Create a new GCP Cloud Storage bucket for the Mondoo integration to use. For instructions, read Create buckets in the Google documentation.

Note the bucket name. You need it when you configure the integration.

Set up authentication

Mondoo supports two ways to authenticate with GCP for Cloud Storage exports:

Workload Identity Federation (WIF) eliminates the need to store and rotate service account keys. Mondoo authenticates to GCP using short-lived OIDC tokens that GCP validates and exchanges for temporary credentials. This is the recommended approach.
Service account key uses a static JSON key file. This is simpler to set up but requires you to securely store and regularly rotate the key.

With WIF, Mondoo acts as an OIDC identity provider. When it's time to export, Mondoo issues a short-lived OIDC token and presents it to GCP. GCP validates the token against Mondoo's public signing keys (fetched from Mondoo's OIDC discovery endpoint), then issues temporary GCP credentials that Mondoo uses to write data to Cloud Storage. No static keys are stored or transmitted.

Step 1: Create a GCP service account

Create a GCP service account that Mondoo will impersonate to write data to your Cloud Storage bucket. Do not create a key for this service account—WIF replaces the need for static keys.

In the GCP Console, navigate to IAM & Admin > Service Accounts.
Select Create Service Account.
Give the service account a name (for example, mondoo-gcs-export) and select Create and Continue.
Grant the service account the Storage Object Creator role (roles/storage.objectCreator) for the bucket.

For instructions, read Manage access to projects, folders, and organizations in the Google documentation.
Select Done. Note the service account email address (for example, mondoo-gcs-export@PROJECT_ID.iam.gserviceaccount.com).

Step 2: Create a Workload Identity Pool

A Workload Identity Pool is a GCP resource that manages external identities. You create one pool and add Mondoo as an OIDC provider within it.

:::tip

If you already created a Workload Identity Pool and Mondoo OIDC provider for another export (such as BigQuery), you can reuse it. Skip to Step 4.

:::

In the GCP Console, navigate to IAM & Admin > Workload Identity Federation.
Select Create Pool.
Enter a name for the pool (for example, mondoo-export-pool) and an optional description.
Make sure the pool is Enabled and select Continue.

Step 3: Add Mondoo as an OIDC provider to the pool

Within the Workload Identity Pool, add Mondoo as a trusted OpenID Connect (OIDC) identity provider.

In the pool you just created, select Add Provider.
For Select a provider, choose OpenID Connect (OIDC).
Enter a provider name (for example, mondoo-provider).
Set the Issuer (URL) to the Mondoo API endpoint for your environment:

Environment Issuer URL
Mondoo (US) https://api.mondoo.com
Mondoo (EU) https://eu.api.mondoo.com
Mondoo Edge https://api.edge.mondoo.com
Dedicated deployment https://api.mondoo.CUSTOMER.com

GCP automatically fetches the OIDC discovery document from <issuer>/.well-known/openid-configuration to obtain Mondoo's signing keys. To learn more about Mondoo's OIDC endpoints, see Mondoo as an OIDC identity provider.
Under Audiences, select Allowed audiences and leave the default value. The audience is the full provider resource name, which you note in the next step.
Under Attribute Mapping, add this mapping:

Google attribute OIDC attribute
google.subject assertion.sub
Select Save.

Environment	Issuer URL
Mondoo (US)	`https://api.mondoo.com`
Mondoo (EU)	`https://eu.api.mondoo.com`
Mondoo Edge	`https://api.edge.mondoo.com`
Dedicated deployment	`https://api.mondoo.CUSTOMER.com`

Google attribute	OIDC attribute
`google.subject`	`assertion.sub`

Step 4: Note the WIF audience URL

After creating the provider, note the full audience URL. It follows this format:

https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID

You can find this on the provider details page in the GCP Console. You enter this value in Mondoo in the next step.

:::tip

PROJECT_NUMBER is a numeric value, not the project ID string. Find it on your GCP project's dashboard or by running:

gcloud projects describe PROJECT_ID --format='value(projectNumber)'

:::

Step 5: Create the Cloud Storage export integration in Mondoo

In the Mondoo Console, navigate to the space from which you want to export data.
In the side navigation bar, select Integrations. Under Exports, select GCP Cloud Storage Bucket.
Enter a name for the integration.
In the Bucket name box, enter the name of the bucket you created earlier.
Under Export as, select .jsonl or .csv.
Under Configure authentication, select Workload Identity Federation.
In the WIF Audience URL box, enter the audience URL from Step 4.
In the Service Account Email box, enter the email of the service account you created in Step 1 (for example, mondoo-gcs-export@PROJECT_ID.iam.gserviceaccount.com).
Select CREATE EXPORT.

Step 6: Copy the WIF subject value

After you create the integration, Mondoo computes a WIF subject value that uniquely identifies this integration. You need this value to authorize Mondoo in GCP.

On the integration details page in the Mondoo Console, find the WifSubject field.
Copy the subject value. It has the format INTEGRATION_ID@integrations.SPACE_ID.

:::note

The WIF subject is a computed, read-only value. Mondoo generates it automatically when you create the integration—you cannot set or change it.

:::

Step 7: Authorize the WIF subject to impersonate the service account

Back in GCP, grant the WIF subject the Workload Identity User role on the service account you created in Step 1. This allows Mondoo's OIDC-validated identity to impersonate the service account and write to Cloud Storage.

Run this gcloud command, substituting your own values:

gcloud iam service-accounts add-iam-policy-binding \
  mondoo-gcs-export@PROJECT_ID.iam.gserviceaccount.com \
  --project=PROJECT_ID \
  --role="roles/iam.workloadIdentityUser" \
  --member="principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/subject/SUBJECT_VALUE"

Placeholder	Replace with
`PROJECT_ID`	Your GCP project ID (the string identifier, not the number)
`PROJECT_NUMBER`	Your GCP project number (numeric)
`POOL_ID`	The Workload Identity Pool ID from Step 2
`SUBJECT_VALUE`	The WIF subject value you copied in Step 6

Step 8: Verify the integration

The export runs on its configured schedule (approximately every 24 hours). To verify the setup works immediately:

Return to the integration details page in the Mondoo Console.
Select the SCHEDULE NOW button to trigger an immediate export.
Wait for the export to complete. If the status changes to active, the setup is working correctly.

If the export fails, double-check:

The WIF audience URL matches the full provider resource name in GCP exactly (including project number, pool ID, and provider ID).
The service account email is correct.
The gcloud iam service-accounts add-iam-policy-binding command completed successfully with the correct subject value.
The service account has the required Storage Object Creator role.

Step 1: Create a GCP service account and JSON key

To access Cloud Storage, your integration needs a GCP service account with a JSON key. To learn about service accounts, read Understanding service accounts in the Google documentation.

Create a new GCP service account for the Mondoo integration to use.

For instructions, read Creating and managing service accounts in the Google documentation.

Note the email address created for the new service account.
Grant the service account the Storage Object Creator role (roles/storage.objectCreator) for the bucket.

For instructions, read Manage access to projects, folders, and organizations in the Google documentation.
Create a JSON key for the service account.

For instructions, read Create and manage service account keys in the Google documentation.

Save the JSON file that downloads to your workstation when you create the key. You need it to configure the integration in the next step.

Step 2: Add the integration in Mondoo

In the Mondoo Console, navigate to the space from which you want to export data. In the side navigation bar, select Integrations. Under Exports, select GCP Cloud Storage Bucket.
Enter a name for the integration.
In the Bucket name box, enter the name of the bucket you created in the previous section.
Under Export as, select .jsonl or .csv.
Under Configure authentication, select Service Account Key.
Drag and drop the JSON key file you downloaded earlier, or select the cloud icon to browse for it.
Select CREATE EXPORT.

Mondoo begins exporting data from your space. When the initial export completes, the status becomes active. Exports then run automatically approximately every 24 hours.

Status	Meaning
active	The integration is healthy and exporting on schedule.
pending	Mondoo has not yet attempted the first export.
error	Mondoo encountered an error during the last export.

Remove the integration

Select the trash can icon and confirm the deletion. Mondoo stops future exports but does not delete data already exported to Cloud Storage.