Select GA4 and GTM
This is the first page of Audit. It records the two primary bindings for the setup — the existing GTM web container and the existing GA4 property — and confirms that the container is already forwarding events to that property. These selections drive every downstream stage; they're the source of truth for what GSS will mirror server-side.
Nothing in your live GTM or GA4 changes here. GSS only reads. Writes happen later, in Connect, against draft GTM workspaces.
Happy path
- Step 1 — click Discover resources (or Refresh discovery if you've been here before) to populate the pickers.
- Step 2 — pick the GTM web container that runs your site, click Save GTM selection.
- Step 3 — pick the GA4 property that container reports to, click Save GA4 selection.
- Step 4 — click Check; the primary-tag wiring check turns green.
- Continue to Review Audit Report.
Glossary▶
- Primary binding
- The two selections that anchor the whole setup: the GTM web container and the GA4 property GSS will audit and mirror. Every downstream binding is derived from or layered on top of these.
- Discovery
- The cached list of GA4 properties and GTM containers your connected Google account can see. The Discover-resources / Refresh-discovery button is what refreshes that cache; the Step 2 / Step 3 pickers render directly from it.
- Primary-tag wiring check
- Step 4's structural check. GSS fetches the live (published) GTM container, walks every GA4 tag and trigger, and verifies that at least one tag with no blockers forwards to the selected GA4 property's measurement ID.
- Acknowledge primary-tag issues
- The override on Step 4 that lets you proceed even though the wiring check is failing. Use it for greenfield containers (you'll wire the tags in Connect) or when you've decided to fix the wiring in GTM after Audit.
- Locked setup
- State the setup enters once Cloud Run, the tagging endpoint, or other Tier 3 resources have been created. Changing the primary GA4 or GTM would orphan those resources; the page surfaces the Archive flow instead of letting you re-save.
Not covered on this page: connecting Google access (Platform Setup), the actual audit scan and readiness report (Review Audit Report), or downstream stages that consume these bindings.
Before you start
- Connected Google account with GTM + GA4 access (see Platform Setup).
- At least View access on the target GTM web container and the GA4 property. Edit access isn't required for Audit; it's needed later in Connect.
- Ideally the GTM container already has at least one working GA4 tag pointing at the selected GA4 property. If it doesn't, Step 4's check will fail and you'll either fix the wiring in GTM or acknowledge the issue and continue.
Selected audit target (decision record)
The card at the top of the page summarises the four facts the rest of Audit depends on. Each row reflects what you've actually saved so far — they fill in as you complete the steps below.
| Row | Where it comes from | What "done" looks like |
|---|---|---|
| GTM web container | Step 2 — Save GTM selection. | Container name + GTM-XXXXXXX public ID shown. |
| Primary GA4 property | Step 3 — Save GA4 selection. | Property display name + measurement ID (G-XXXXXXX) shown. |
| Relationship | Step 4 — Check. | "Measurement ID checked" once the primary-tag wiring check passes (or is acknowledged via the override). |
| Access | Auto, once both selections are saved. | "GSS can use the saved selection for audit". |
1 Find GA4 properties and GTM containers
Before either picker can render, GSS needs to know which GA4 properties and GTM containers your connected Google account can see. On a fresh visit Step 1 shows a Discover resources button; click it and GSS calls the Tag Manager and Analytics Admin APIs and caches the results.
Once discovery has run, Step 1 collapses to the status line "Found N GTM web containers, M GA4 properties" with a Refresh discovery link and a "last refreshed" timestamp. Click Refresh discovery whenever you've changed account access in GA4 / GTM admin (added a new container, granted yourself access, etc.) and want the pickers below to pick that up. A refresh only re-fetches the discovery cache; it doesn't change any saved selections.
2 Which GTM web container represents this site?
The picker lists every GTM web container your account can see, grouped by account. Server containers are filtered out — they're picked separately in Connect. Each row shows the container name, the GTM-XXXXXXX public ID (which links out to Tag Manager), and a small badge that GSS fills in dynamically: it inspects the container's live GA4 tags and reports which GA4 property they forward to, or lists the measurement IDs it found, or "No GA4 tags found".
Pick the container that runs your live site, then click Save GTM selection. The button is disabled until you've actually changed the selection. The status pill flips to Selected — <name> (GTM-XXXXXXX) and the row stays highlighted. If Step 4 had already been verified, the page warns that re-saving will clear that verification.
3 Which GA4 property should GSS pair with it?
The picker lists every GA4 property your account can see, grouped by account. Each row shows the property's display name, its measurement ID (linking out to GA4), and the web stream URL when there is one. Pick the production property the GTM container above is reporting to today, then click Save GA4 selection.
Save records the binding and, behind the scenes, tries to bind the property's primary web data stream too (preferring an exact MID match, then any stream with a MID, then the first stream). That stream binding is silent on failure — if the property has no web stream, downstream Connect-stage steps will surface it. Again, if Step 4 had already been verified, re-saving here clears that verification.
4 Does this GTM container and GA4 property belong together?
Click Check. GSS fetches the GTM container's live (published) version, walks every GA4 tag, resolves measurementId / tagId parameters (with one level of variable indirection), and confirms that the selected GA4 property's measurement ID is wired through at least one tag with no blockers. The status pill above the rows shows Verified — X of Y requirements pass, Failed — X of Y requirements not met, or Pending. A "Last checked" timestamp sits next to the Check button after the first run.
Each requirement renders as its own LED row below the status pill. When the check fails, a per-tag findings list appears underneath, with each affected tag's name and reasons (paused, blocked, wrong MID, unresolved variable, no/filtered trigger, etc.) and, where relevant, the resolved measurement ID vs. the one GSS expected.
If the check fails and you want to continue anyway, tick the "Acknowledge primary-tag issues and continue anyway. I'll fix the wiring in GTM before going live." checkbox. The failing rows visually flip to pass and Audit treats the relationship as resolved. The acknowledgement is stored per-pair; changing the GTM or GA4 selection clears it.
The acknowledge toggle isn't just a UI bypass
When you tick the override, GSS records it against the specific GA4 property currently bound (in the GTM binding's mismatch_override_for_ga4 metadata). If you later save a different GA4 selection, the override is wiped and you'll need to re-check or re-acknowledge. That makes it a deliberate, scoped decision per pair, not a permanent escape hatch.
If the setup is locked
Once GSS has created Tier 3 resources for this setup (Cloud Run service, tagging endpoint, custom domain mapping, etc.), the pickers in Steps 2 and 3 are disabled and a callout appears at the bottom of the page titled "Your primary GA4 and GTM are locked for this setup." It lists the specific resources that would be orphaned by a change, plus any active DNS configuration as supplemental context.
Two actions are available in the locked panel:
- Archive This Setup and Start Over — opens a confirmation modal that warns the archive is irreversible. Confirming archives the current setup; a new setup can then be created for the same domain. To avoid Cloud Run / domain-mapping name collisions during the new setup's Build, you typically need to manually decommission the archived setup's resources via Overview → Resources first.
- View Existing Resources → — links to the Resources page so you can inspect what's already deployed before deciding.
Lock state is by design. If you want to test against a different audit selection without disturbing this one, archive and re-create rather than trying to change the primary bindings in place.
Common errors & failure modes
| Symptom | Likely cause | Where to fix |
|---|---|---|
| Discovery | ||
| The container or property I'm looking for isn't in the picker | Discovery is stale, or your connected Google account doesn't have access. | Click Refresh discovery. If it still doesn't appear, grant View (at minimum) in GA4 / Tag Manager admin, then refresh again. |
| Save GTM / Save GA4 returns an error about your selection not being in discovery | The discovery cache was refreshed in another tab and your draft selection is no longer in the list. | Click Refresh discovery here, then re-pick from the fresh list. |
| Primary-tag wiring check | ||
| Check returns "No GA4 tags found" or similar | The selected GTM container doesn't have any GA4 tags. Common in greenfield setups. | Two options: add a working GA4 tag in GTM first and re-Check, or tick the Acknowledge checkbox and continue — Connect will wire the canonical roles. |
| Check reports "wrong MID" or that a tag forwards somewhere else | The container's GA4 tags forward to a different property's MID than the one selected in Step 3. | Verify in GA4 which property your real traffic is reporting to (Admin → Property Settings → Measurement ID). Either pick that property in Step 3, or fix the GTM tags and re-Check. |
| Check is stuck on Pending after I clicked it | The structural check couldn't run — usually because Google credentials weren't available or the live GTM fetch failed. | The status pill area surfaces the underlying message. Re-Check after the listed issue is resolved (re-connect Google, retry the GTM fetch, etc.). |
| Re-saving after Step 4 verified | ||
| Re-saving Step 2 or Step 3 warned me the verification would be cleared | Expected. Step 4's verification is bound to the saved pair; any new pair has to be re-checked. | Save, then re-run Check in Step 4 with the new selection. |
| Locked setup | ||
| Pickers are disabled and the locked panel is showing | Tier 3 resources (Cloud Run, tagging endpoint, etc.) already exist for this setup. Changing primaries would orphan them. | Read the locked panel's reasons; either continue with the current selection or use Archive This Setup and Start Over and create a fresh setup for the same domain. |
Next step
Once both selections are saved and Step 4 is Verified (or the override is active), the bottom-of-page link Audit: Review Report → enables. Continue to Review Audit Report — running the audit scan and walking through the readiness findings.