To connect Google Cloud Platform as a data source for infrastructure inventory, observability, cost analysis, and optimization insights, you need to create a service account with a custom role.
Prerequisites
- Google Cloud CLI (gcloud) installed and configured
- A GCP project with appropriate admin access to create roles and service accounts
- Billing account access (for cost-related permissions)
Step 1: Get Your Project ID
Run the following command to get your GCP project ID:
gcloud config get-value project
Or list all projects:
Step 2: Create a Custom Role
Save the following role definition to a file called custom-role.yaml:
title: "Infrastructure and Cost Analysis Reader"
description: "Read-only access for infrastructure inventory, observability, cost analysis, and optimization insights"
stage: "GA"
includedPermissions:
# Compute Engine
- compute.instances.list
- compute.instances.get
- compute.disks.list
- compute.disks.get
- compute.networks.list
- compute.networks.get
- compute.subnetworks.list
- compute.subnetworks.get
- compute.firewalls.list
- compute.firewalls.get
- compute.addresses.list
- compute.addresses.get
- compute.zones.list
- compute.regions.list
- compute.machineTypes.list
# GKE (Kubernetes Engine)
- container.clusters.list
- container.clusters.get
- container.nodes.list
- container.nodes.get
- container.pods.list
- container.pods.get
- container.services.list
- container.services.get
# Cloud SQL
- cloudsql.instances.list
- cloudsql.instances.get
- cloudsql.databases.list
- cloudsql.databases.get
# Cloud Storage
- storage.buckets.list
- storage.buckets.get
- storage.objects.list
- storage.objects.get
# Cloud Monitoring
- monitoring.metricDescriptors.list
- monitoring.metricDescriptors.get
- monitoring.timeSeries.list
- monitoring.dashboards.list
- monitoring.dashboards.get
- monitoring.alertPolicies.list
- monitoring.alertPolicies.get
- monitoring.groups.list
- monitoring.groups.get
- monitoring.uptimeCheckConfigs.list
- monitoring.uptimeCheckConfigs.get
# Cloud Logging
- logging.logEntries.list
- logging.logs.list
- logging.logMetrics.list
- logging.logMetrics.get
- logging.sinks.list
- logging.sinks.get
# IAM
- iam.serviceAccounts.list
- iam.serviceAccounts.get
- iam.roles.list
- iam.roles.get
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
# Billing & Cost
- billing.accounts.list
- billing.accounts.get
- billing.budgets.list
- billing.budgets.get
# Cloud Asset Inventory
- cloudasset.assets.listResource
- cloudasset.assets.searchAllResources
- cloudasset.assets.searchAllIamPolicies
# Recommender (Cost Optimization)
- recommender.computeInstanceMachineTypeRecommendations.list
- recommender.computeInstanceMachineTypeRecommendations.get
- recommender.computeInstanceIdleResourceRecommendations.list
- recommender.computeInstanceIdleResourceRecommendations.get
# Resource Manager
- resourcemanager.projects.list
- resourcemanager.folders.list
- resourcemanager.organizations.get
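Before creating the role, the permission list can be checked against the read-only intent. The script below is an added example, not part of the Doctor Droid documentation; the allowlist of read verbs and the list of content-returning permissions are assumptions of this example, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: pre-flight audit of a role file before `gcloud iam roles create`.
# The verb allowlist and the "reads content" list are this example's assumptions.

# Print each permission under includedPermissions, ignoring YAML comments.
role_permissions() {
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e 's/^[[:space:]]*-[[:space:]]*\([A-Za-z][A-Za-z0-9.]*\)[[:space:]]*$/\1/p' "$1"
}

# Print permissions whose final segment (the verb) is not a read verb.
non_read_permissions() {
    role_permissions "$1" | while IFS= read -r perm; do
        case "${perm##*.}" in
            get|list|getIamPolicy|listResource|searchAllResources|searchAllIamPolicies) ;;
            *) printf '%s\n' "$perm" ;;
        esac
    done
}

# Print read permissions that return stored content or policy, not just inventory.
content_read_permissions() {
    role_permissions "$1" | grep -E -x \
        'storage\.objects\.get|logging\.logEntries\.list|.*\.getIamPolicy|.*\.searchAllIamPolicies' || true
}

# Write a constructed sample: a few entries from custom-role.yaml plus one
# deliberately mutating permission to show what the audit catches.
write_sample_role() {
    cat > "$1" <<'EOF'
title: "Infrastructure and Cost Analysis Reader"
includedPermissions:
# Compute Engine
- compute.instances.list
- compute.instances.delete   # constructed: not in the page's role
# Cloud Storage
- storage.objects.get
# Cloud Logging
- logging.logEntries.list
# IAM
- resourcemanager.projects.getIamPolicy
EOF
}

sample=$(mktemp)
write_sample_role "$sample"
echo "Not read-only:";  non_read_permissions "$sample"
echo "Reads content:";  content_read_permissions "$sample"
rm -f "$sample"
```

Pointing the same functions at the real custom-role.yaml shows which entries let the integration read object contents, log entries and IAM policy rather than only resource inventory.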
Create the custom role using the gcloud CLI:
# Set your project ID
export PROJECT_ID="your-project-id"
# Create the custom role
gcloud iam roles create infrastructureCostReader \
--project=$PROJECT_ID \
--file=custom-role.yaml
Step 3: Create a Service Account
Create a new service account for the Doctor Droid integration:
# Create the service account
gcloud iam service-accounts create drdroid-reader \
--display-name="Doctor Droid Infrastructure Reader" \
--description="Service account for Doctor Droid integration" \
--project=$PROJECT_ID
Step 4: Assign the Custom Role to the Service Account
Bind the custom role to the service account:
# Get the service account email
export SA_EMAIL="drdroid-reader@${PROJECT_ID}.iam.gserviceaccount.com"
# Assign the custom role
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member="serviceAccount:${SA_EMAIL}" \
--role="projects/${PROJECT_ID}/roles/infrastructureCostReader"
Step 5: Create and Download Service Account Key
Generate a JSON key file for the service account:
gcloud iam service-accounts keys create drdroid-key.json \
--iam-account=$SA_EMAIL \
--project=$PROJECT_ID
This will create a drdroid-key.json file containing the service account credentials.
Important: Store this key securely. Anyone who holds the file can use the service account's access to your GCP resources.
- Navigate to the Integrations tab in the Doctor Droid platform
- Click Add New Integration
- Select Google Cloud and click Connect
- Fill in the following credentials:
| Field | Description | Example |
|---|---|---|
| Integration Name | A descriptive name to identify this integration | Production GCP |
| Project ID | Your GCP Project ID (found in the JSON key file) | my-project-123456 |
| Service Account JSON | The entire contents of the JSON key file | {"type": "service_account", ...} |
- Click Test Connection to verify the setup
- Click Save to complete the integration
Permissions Overview
The custom role provides read-only access to:
| Category | Resources |
|---|---|
| Compute Engine | Instances, Disks, Networks, Subnetworks, Firewalls, Addresses |
| GKE | Clusters, Nodes, Pods, Services |
| Cloud SQL | Instances, Databases |
| Cloud Storage | Buckets, Objects |
| Cloud Monitoring | Metrics, Dashboards, Alert Policies, Uptime Checks |
| Cloud Logging | Log Entries, Log Metrics, Sinks |
| IAM | Service Accounts, Roles, IAM Policies |
| Billing & Cost | Billing Accounts, Budgets |
| Cloud Asset Inventory | Resource search, IAM policy search |
| Recommender | Machine type recommendations, Idle resource recommendations |
| Resource Manager | Projects, Folders, Organizations |
Organization-Level Access (Optional)
To grant access across multiple projects in an organization, create the role at the organization level:
# Set your organization ID
export ORG_ID="your-org-id"
# Create role at organization level
gcloud iam roles create infrastructureCostReader \
--organization=$ORG_ID \
--file=custom-role.yaml
# Assign to service account at organization level
gcloud organizations add-iam-policy-binding $ORG_ID \
--member="serviceAccount:${SA_EMAIL}" \
--role="organizations/${ORG_ID}/roles/infrastructureCostReader"
Troubleshooting
Role Creation Failed
Ensure you have the roles/iam.roleAdmin or roles/owner role on the project. You may also need to enable the IAM API:
gcloud services enable iam.googleapis.com --project=$PROJECT_ID
Service Account Creation Failed
Verify that:
- The IAM API is enabled
- You have the iam.serviceAccounts.create permission
- The service account name is unique
Permission Denied Errors
Some permissions require specific APIs to be enabled:
# Enable required APIs
gcloud services enable compute.googleapis.com --project=$PROJECT_ID
gcloud services enable container.googleapis.com --project=$PROJECT_ID
gcloud services enable sqladmin.googleapis.com --project=$PROJECT_ID
gcloud services enable monitoring.googleapis.com --project=$PROJECT_ID
gcloud services enable logging.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudasset.googleapis.com --project=$PROJECT_ID
gcloud services enable recommender.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudbilling.googleapis.com --project=$PROJECT_ID
Integration Test Failed
Check that:
- The Project ID is correct
- The JSON key file contents are complete and properly formatted
- The service account has the custom role assigned
- Required APIs are enabled in the project
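The first two checks above, together with the Step 5 instruction to store the key securely, can be run locally before the key is pasted into the integration form. This script is an added example, not part of the Doctor Droid documentation; the function names are hypothetical, the sample key is constructed, and `json_field` assumes the one-field-per-line layout of a downloaded key file.

```shell
#!/bin/sh
# Added example: local checks on a downloaded service account key file.
# json_field assumes one "name": "value" pair per line (an assumption).

# json_field FILE NAME: print the string value of a top-level field.
json_field() {
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# check_key FILE PROJECT_ID SA_EMAIL: print each problem, return 1 if any.
check_key() {
    problems=0
    [ "$(json_field "$1" type)" = "service_account" ] || { echo "type is not service_account"; problems=1; }
    [ "$(json_field "$1" project_id)" = "$2" ] || { echo "project_id does not match $2"; problems=1; }
    [ "$(json_field "$1" client_email)" = "$3" ] || { echo "client_email does not match $3"; problems=1; }
    [ -n "$(json_field "$1" private_key)" ] || { echo "private_key is missing"; problems=1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "key file is accessible to group or others; run chmod 600"; problems=1 ;;
    esac
    return "$problems"
}

# Constructed sample key: placeholder values, not a real credential.
write_sample_key() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "my-project-123456",
  "private_key": "CONSTRUCTED-PLACEHOLDER-NOT-A-KEY",
  "client_email": "drdroid-reader@my-project-123456.iam.gserviceaccount.com"
}
EOF
}

key=$(mktemp)
write_sample_key "$key"
chmod 644 "$key"   # simulate a key saved with loose permissions
check_key "$key" my-project-123456 \
    "drdroid-reader@my-project-123456.iam.gserviceaccount.com" \
    || echo "fix the problems above before using the key"
rm -f "$key"
```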
Billing Permissions Not Working
Billing permissions require the service account to be added to the billing account:
- Go to Billing Console
- Select your billing account
- Click Account Management
- Add the service account email with Billing Account Viewer role