elastic · benironside · Sep 28, 2023 · Sep 28, 2023
diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc
@@ -62,7 +62,7 @@ When you return to {kib}, click *View assets* to review the data being collected
 
 [discrete]
 [[cspm-setup-organization-manual]]
-=== Manual authentication for organization-level onboarding
+== Manual authentication for organization-level onboarding
 
 NOTE: If you're onboarding a single account instead of an organization, skip this section.
 
@@ -156,7 +156,9 @@ IMPORTANT: You must replace `<Management account ID>` in the trust policy with y
 
 IMPORTANT: You must replace `<Management account ID>` in the trust policy with your AWS account ID.
 
-After creating the necessary roles, authenticate using the <<cspm-use-instance-role, default instance role>> method.
+After creating the necessary roles, authenticate using one of the manual authentication methods.
+
+IMPORTANT: When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges.
 
 [discrete]
 [[cspm-set-up-manual]]

diff --git a/docs/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/cloud-native-security/cspm-get-started-gcp.asciidoc
@@ -63,13 +63,32 @@ https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIam
 
 [discrete]
 [[cspm-set-up-manual-gcp]]
-=== Manual setup
+=== Manual authentication
 
-. Under **Setup Access** select **Manual**.
+To authenticate manually, you'll first need to generate credentials for a new GCP service account with the necessary roles, then provide those credentials to the CSPM integration.
+
+Generate GCP credentials:
+
+. Access the GCP console and select your project.
+. Navigate to **IAM & Admin -> Service accounts**.
+. Click **Create Service Account**.
+. Provide an account name.
+. Enable the required roles:
+.. `Cloud Asset Viewer`: Grants read access to cloud asset metadata.
+.. `Browser`: Grants read access to the project hierarchy.
+. Click **Continue**, then click **Done**.
+. Select the new service account from the list.
+. Go to the **KEYS** tab, then click **ADD KEY**.
+. Select **JSON** as the key type, then click **CREATE**.
+
+The credentials JSON will download to your local machine. Keep it secure since it provides access to your GCP resources.
+
+Provide credentials to the CSPM integration:
+
+. On the CSPM setup screen under **Setup Access**, select **Manual**.
 . Enter your GCP **Project ID**.
-. Select either **Credentials File** or **Credentials JSON**.
-. Enter the credentials information in your selected format.
-. Under **Where to add this integration**,
+. Select either **Credentials File** or **Credentials JSON**, and enter the credentials information in your selected format.
+. Under **Where to add this integration**:
 .. If you want to monitor a GCP project where you have not yet deployed {agent}:
 ... Select **New Hosts**.
 ... Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-gcp-account`.