Skip to main content

Google Cloud

Connect your GCP projects to enable CloudThinker agents to analyze costs, optimize resources, and manage infrastructure across Google Cloud services.

Setup

1

Create Service Account

Set up a service account with viewer permissions
  1. Go to Google Cloud Console and select your project
  2. Navigate to IAM & Admin → Service accounts
  3. Click Create Service Account
  4. Enter details:
    • Name: cloudthinker-readonly
    • Description: Read-only access for CloudThinker monitoring
2

Assign Roles

Grant the required viewer roles:
  • Viewer (basic read access)
  • Monitoring Viewer (for monitoring data)
  • Security Reviewer (for security analysis)
3

Generate JSON Key

Create and download a key file
  1. Click on the created service account from the list
  2. Go to Keys tab → Add keyCreate new key
  3. Select JSON format and click Create
  4. Download the key file and store securely
4

Add Connection in CloudThinker

Navigate to Connections → GCP and:
  • Upload the JSON key file, or
  • Paste the JSON content directly
5

Test Connection

Click Test Connection to verify access

JSON Key Format

The service account key file contains: 
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
Store the JSON key file securely. Never commit it to version control or share it publicly.

Required Roles

Minimum (Read-Only Analysis)

roles/viewer                    # Basic read access
roles/monitoring.viewer         # Cloud Monitoring access
roles/logging.viewer           # Cloud Logging access

# All of the above, plus:
roles/compute.viewer           # Compute Engine details
roles/container.viewer         # GKE cluster access
roles/cloudsql.viewer          # Cloud SQL access
roles/bigquery.dataViewer      # BigQuery analysis
roles/billing.viewer           # Billing and cost data
roles/securitycenter.viewer    # Security Command Center

Agent Capabilities

Once connected, agents can:
AgentGCP Capabilities
AlexCost analysis, VM right-sizing, committed use recommendations, resource optimization
OliverSecurity Command Center findings, IAM audits, compliance checks
TonyCloud SQL performance, BigQuery optimization, Spanner tuning
KaiGKE cluster management, workload optimization, Autopilot analysis

Multi-Project Setup

For organizations with multiple GCP projects:
1

Organization-Level Access

Grant the service account roles at the organization or folder level
2

Billing Account Access

Add Billing Account Viewer for cross-project cost analysis
3

Add Projects

CloudThinker will automatically discover accessible projects

Troubleshooting

  • Verify the service account has required roles
  • Check project-level IAM bindings
  • Ensure APIs are enabled (Compute, Monitoring, etc.)
  • Confirm the JSON key is valid and not expired
  • Verify the JSON file is complete and properly formatted
  • Check that the private key hasn’t been truncated
  • Ensure no extra whitespace or characters were added
  • Try regenerating the key from GCP Console
  • Verify Billing Account Viewer role is assigned
  • Enable Cloud Billing API
  • Check billing export to BigQuery is configured
  • Ensure Kubernetes Engine Viewer role is assigned
  • Verify cluster is in an accessible project
  • Check if cluster uses Workload Identity

Security Best Practices

  • Minimal permissions - Grant only required viewer roles
  • Project scope - Limit access to necessary projects only
  • Key rotation - Rotate service account keys every 90 days
  • Audit logging - Enable Cloud Audit Logs for API access tracking
  • Key storage - Store JSON keys in secure credential managers

AWS Connection

Connect Amazon Web Services

Kai Agent

Kubernetes-focused agent for GKE