# Google Cloud

> Connect Google Cloud to CloudThinker for resource management, cost optimization, and security monitoring via service account

Connect your GCP projects to enable CloudThinker agents to analyze costs, optimize resources, and manage infrastructure across Google Cloud services.

***

## Setup

<Steps>
  <Step title="Create Service Account">
    Set up a service account with viewer permissions

    1. Go to [Google Cloud Console](https://console.cloud.google.com/) and select your project
    2. Navigate to **IAM & Admin → Service accounts**
    3. Click **Create Service Account**
    4. Enter details:
       * **Name**: `cloudthinker-readonly`
       * **Description**: Read-only access for CloudThinker monitoring
  </Step>

  <Step title="Assign Roles">
    Grant the required viewer roles:

    * `Viewer` (basic read access)
    * `Monitoring Viewer` (for monitoring data)
    * `Security Reviewer` (for security analysis)
  </Step>

  <Step title="Generate JSON Key">
    Create and download a key file

    1. Click on the created service account from the list
    2. Go to **Keys** tab → **Add key** → **Create new key**
    3. Select **JSON** format and click **Create**
    4. Download the key file and store it securely
  </Step>

  <Step title="Add Connection in CloudThinker">
    Navigate to **Connections → GCP** and:

    * Upload the JSON key file, or
    * Paste the JSON content directly
  </Step>

  <Step title="Test Connection">
    Click **Test Connection** to verify access
  </Step>
</Steps>

***

## JSON Key Format

The service account key file contains:

```json
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudthinker-readonly@your-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
```

<Warning>
  Store the JSON key file securely. Never commit it to version control or share it publicly.
</Warning>

***

## Required Roles

### Minimum (Read-Only Analysis)

```
roles/viewer                    # Basic read access
roles/monitoring.viewer         # Cloud Monitoring access
roles/logging.viewer            # Cloud Logging access
```

### Recommended (Full Analysis)

```
# All of the above, plus:
roles/compute.viewer           # Compute Engine details
roles/container.viewer         # GKE cluster access
roles/cloudsql.viewer          # Cloud SQL access
roles/bigquery.dataViewer      # BigQuery analysis
roles/billing.viewer           # Billing and cost data
roles/securitycenter.viewer    # Security Command Center
```

***

## Agent Capabilities

Once connected, agents can:

| Agent                              | GCP Capabilities                                                                     |
| ---------------------------------- | ------------------------------------------------------------------------------------ |
| **[Alex](/guide/agents/alex)**     | Cost analysis, VM right-sizing, committed use recommendations, resource optimization |
| **[Oliver](/guide/agents/oliver)** | Security Command Center findings, IAM audits, compliance checks                      |
| **[Tony](/guide/agents/tony)**     | Cloud SQL performance, BigQuery optimization, Spanner tuning                         |
| **[Kai](/guide/agents/kai)**       | GKE cluster management, workload optimization, Autopilot analysis                    |

***

## Multi-Project Setup

For organizations with multiple GCP projects:

<Steps>
  <Step title="Organization-Level Access">
    Grant the service account roles at the organization or folder level
  </Step>

  <Step title="Billing Account Access">
    Add **Billing Account Viewer** for cross-project cost analysis
  </Step>

  <Step title="Add Projects">
    CloudThinker will automatically discover accessible projects
  </Step>
</Steps>

***

## Troubleshooting

<Accordion title="Permission denied errors">
  * Verify the service account has required roles
  * Check project-level IAM bindings
  * Ensure APIs are enabled (Compute, Monitoring, etc.)
  * Confirm the JSON key is valid and not expired
</Accordion>

<Accordion title="Invalid key file">
  * Verify the JSON file is complete and properly formatted
  * Check that the private key hasn't been truncated
  * Ensure no extra whitespace or characters were added
  * Try regenerating the key from GCP Console
</Accordion>
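
The checks in the list above, run locally against the key format shown under "JSON Key Format" before the file is uploaded. This is an added example, not CloudThinker's own code; `check_key_file` and the sample values are constructed for illustration.

```python
import base64
import json
import re

# Fields shown under "JSON Key Format"; real key files may carry more.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "auth_uri", "token_uri")
PEM_RE = re.compile(r"\A-----BEGIN PRIVATE KEY-----\n(?P<body>[A-Za-z0-9+/=\n]+)"
                    r"\n-----END PRIVATE KEY-----\n?\Z")


def check_key_file(text):
    """Return a list of problems in a service account key file; empty means none found."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = [f"missing field: {name}" for name in REQUIRED if not key.get(name)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    for name, value in key.items():
        # private_key legitimately ends with a newline, so it is checked separately.
        if name != "private_key" and isinstance(value, str) and value != value.strip():
            problems.append(f"extra whitespace in {name}")
    match = PEM_RE.match(str(key.get("private_key", "")))
    if key.get("private_key") and not match:
        problems.append("private_key is truncated or its PEM framing is damaged")
    elif match:
        try:
            base64.b64decode(match["body"].replace("\n", ""), validate=True)
        except ValueError:
            problems.append("private_key body is not valid base64")
    return problems


# Constructed sample: the PEM body is placeholder bytes, not key material.
_BODY = base64.b64encode(b"constructed placeholder, not key material").decode()
SAMPLE = dict(zip(REQUIRED, (
    "service_account", "your-project-id", "key-id",
    f"-----BEGIN PRIVATE KEY-----\n{_BODY}\n-----END PRIVATE KEY-----\n",
    "cloudthinker-readonly@your-project.iam.gserviceaccount.com",
    "123456789012345678901", "https://accounts.google.com/o/oauth2/auth",
    "https://oauth2.googleapis.com/token")))

if __name__ == "__main__":
    damaged = dict(SAMPLE, private_key=SAMPLE["private_key"][:48])
    print(check_key_file(json.dumps(SAMPLE)), check_key_file(json.dumps(damaged)))
```

The function only inspects structure and never prints the key material, so its output is safe to paste into a support ticket.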

<Accordion title="Missing billing data">
  * Verify **Billing Account Viewer** role is assigned
  * Enable Cloud Billing API
  * Check billing export to BigQuery is configured
</Accordion>

<Accordion title="GKE access issues">
  * Ensure **Kubernetes Engine Viewer** role is assigned
  * Verify cluster is in an accessible project
  * Check if cluster uses Workload Identity
</Accordion>

***

## Security Best Practices

* **Minimal permissions** - Grant only required viewer roles
* **Project scope** - Limit access to necessary projects only
* **Key rotation** - Rotate service account keys every 90 days
* **Audit logging** - Enable Cloud Audit Logs for API access tracking
* **Key storage** - Store JSON keys in secure credential managers
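
One way to check the first and third items on a schedule, as an added example (not CloudThinker's code): it flags roles outside this page's role lists and user-managed keys older than 90 days. The function names and sample data are constructed; the input shapes assume the JSON printed by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`.

```python
from datetime import datetime, timedelta, timezone

# Role IDs from "Required Roles", plus Security Reviewer from the setup step.
ALLOWED_ROLES = {
    "roles/viewer", "roles/monitoring.viewer", "roles/logging.viewer",
    "roles/compute.viewer", "roles/container.viewer", "roles/cloudsql.viewer",
    "roles/bigquery.dataViewer", "roles/billing.viewer",
    "roles/securitycenter.viewer", "roles/iam.securityReviewer",
}
MAX_KEY_AGE = timedelta(days=90)  # rotation interval recommended above


def excess_roles(policy, member):
    """Roles bound to `member` in an IAM policy that are not in ALLOWED_ROLES."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and b["role"] not in ALLOWED_ROLES)


def stale_keys(keys, now):
    """IDs of user-managed keys created more than MAX_KEY_AGE before `now`."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if now - created > MAX_KEY_AGE:
            stale.append(key["name"].rsplit("/", 1)[-1])
    return stale


# Constructed samples shaped like the JSON printed by
# `gcloud projects get-iam-policy` and `gcloud iam service-accounts keys list`.
SA = "serviceAccount:cloudthinker-readonly@your-project.iam.gserviceaccount.com"
POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [SA]},
    {"role": "roles/editor", "members": [SA, "user:admin@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}
KEY_PREFIX = "projects/your-project/serviceAccounts/cloudthinker-readonly/keys/"
KEYS = [
    {"name": KEY_PREFIX + "old-key", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z"},
    {"name": KEY_PREFIX + "new-key", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-05-20T00:00:00Z"},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    print(excess_roles(POLICY, SA), stale_keys(KEYS, now))
```

A project-level policy does not show roles inherited from a folder or organization, so when roles are granted at those levels the same check has to be run on their policies as well.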

***

## Related

<CardGroup cols={2}>
  <Card title="AWS Connection" icon="https://mintcdn.com/cloudthinker/aLd-ttc-SCW-aFky/images/icons/aws.svg?fit=max&auto=format&n=aLd-ttc-SCW-aFky&q=85&s=45d526a3e9345214c0345f277da2e829" href="/guide/connections/aws" width="24" height="24" data-path="images/icons/aws.svg">
    Connect Amazon Web Services
  </Card>

  <Card title="Kai Agent" icon="dharmachakra" href="/guide/agents/kai">
    Kubernetes-focused agent for GKE
  </Card>
</CardGroup>
