To connect Google Cloud Platform as a data source for infrastructure inventory, observability, cost analysis, and optimization insights, you need to create a service account with a custom role.

Prerequisites

  1. Google Cloud CLI (gcloud) installed and configured
  2. A GCP project with appropriate admin access to create roles and service accounts
  3. Billing account access (for cost-related permissions)

Step 1: Get Your Project ID

Run the following command to get your GCP project ID:
gcloud config get-value project
Or list all projects:
gcloud projects list

Step 2: Create a Custom Role

Save the following role definition to a file called custom-role.yaml:
title: "Infrastructure and Cost Analysis Reader"
description: "Read-only access for infrastructure inventory, observability, cost analysis, and optimization insights"
stage: "GA"
includedPermissions:
  # Compute Engine
  - compute.instances.list
  - compute.instances.get
  - compute.disks.list
  - compute.disks.get
  - compute.networks.list
  - compute.networks.get
  - compute.subnetworks.list
  - compute.subnetworks.get
  - compute.firewalls.list
  - compute.firewalls.get
  - compute.addresses.list
  - compute.addresses.get
  - compute.zones.list
  - compute.regions.list
  - compute.machineTypes.list

  # GKE (Kubernetes Engine)
  - container.clusters.list
  - container.clusters.get
  - container.nodes.list
  - container.nodes.get
  - container.pods.list
  - container.pods.get
  - container.services.list
  - container.services.get

  # Cloud SQL
  - cloudsql.instances.list
  - cloudsql.instances.get
  - cloudsql.databases.list
  - cloudsql.databases.get

  # Cloud Storage
  - storage.buckets.list
  - storage.buckets.get
  - storage.objects.list
  - storage.objects.get

  # Cloud Monitoring
  - monitoring.metricDescriptors.list
  - monitoring.metricDescriptors.get
  - monitoring.timeSeries.list
  - monitoring.dashboards.list
  - monitoring.dashboards.get
  - monitoring.alertPolicies.list
  - monitoring.alertPolicies.get
  - monitoring.groups.list
  - monitoring.groups.get
  - monitoring.uptimeCheckConfigs.list
  - monitoring.uptimeCheckConfigs.get

  # Cloud Logging
  - logging.logEntries.list
  - logging.logs.list
  - logging.logMetrics.list
  - logging.logMetrics.get
  - logging.sinks.list
  - logging.sinks.get

  # IAM
  - iam.serviceAccounts.list
  - iam.serviceAccounts.get
  - iam.roles.list
  - iam.roles.get
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy

  # Billing & Cost
  - billing.accounts.list
  - billing.accounts.get
  - billing.budgets.list
  - billing.budgets.get

  # Cloud Asset Inventory
  - cloudasset.assets.listResource
  - cloudasset.assets.searchAllResources
  - cloudasset.assets.searchAllIamPolicies

  # Recommender (Cost Optimization)
  - recommender.computeInstanceMachineTypeRecommendations.list
  - recommender.computeInstanceMachineTypeRecommendations.get
  - recommender.computeInstanceIdleResourceRecommendations.list
  - recommender.computeInstanceIdleResourceRecommendations.get

  # Resource Manager
  - resourcemanager.projects.list
  - resourcemanager.folders.list
  - resourcemanager.organizations.get
Create the custom role using gcloud CLI:
# Set your project ID
export PROJECT_ID="your-project-id"

# Create the custom role
gcloud iam roles create infrastructureCostReader \
  --project=$PROJECT_ID \
  --file=custom-role.yaml

Step 3: Create a Service Account

Create a new service account for the Doctor Droid integration:
# Create the service account
gcloud iam service-accounts create drdroid-reader \
  --display-name="Doctor Droid Infrastructure Reader" \
  --description="Service account for Doctor Droid integration" \
  --project=$PROJECT_ID

Step 4: Assign the Custom Role to the Service Account

Bind the custom role to the service account:
# Get the service account email
export SA_EMAIL="drdroid-reader@${PROJECT_ID}.iam.gserviceaccount.com"

# Assign the custom role
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="projects/${PROJECT_ID}/roles/infrastructureCostReader"

Step 5: Create and Download Service Account Key

Generate a JSON key file for the service account:
gcloud iam service-accounts keys create drdroid-key.json \
  --iam-account=$SA_EMAIL \
  --project=$PROJECT_ID
This creates a drdroid-key.json file containing the service account credentials. Important: Store this key securely. Anyone holding this file can read every resource the custom role covers.

Step 6: Configure in Doctor Droid Platform

  1. Navigate to the Integrations tab in the Doctor Droid platform
  2. Click Add New Integration
  3. Select Google Cloud and click Connect
  4. Fill in the following credentials:
Field | Description | Example
Integration Name | A descriptive name to identify this integration | Production GCP
Project ID | Your GCP Project ID (found in the JSON key file) | my-project-123456
Service Account JSON | The entire contents of the JSON key file | {"type": "service_account", ...}
  5. Click Test Connection to verify the setup
  6. Click Save to complete the integration

Permissions Overview

The custom role provides read-only access to:
Category | Resources
Compute Engine | Instances, Disks, Networks, Subnetworks, Firewalls, Addresses
GKE | Clusters, Nodes, Pods, Services
Cloud SQL | Instances, Databases
Cloud Storage | Buckets, Objects
Cloud Monitoring | Metrics, Dashboards, Alert Policies, Uptime Checks
Cloud Logging | Log Entries, Log Metrics, Sinks
IAM | Service Accounts, Roles, IAM Policies
Billing & Cost | Billing Accounts, Budgets
Cloud Asset Inventory | Resource search, IAM policy search
Recommender | Machine type recommendations, Idle resource recommendations
Resource Manager | Projects, Folders, Organizations

Organization-Level Access (Optional)

To grant access across multiple projects in an organization, create the role at the organization level:
# Set your organization ID
export ORG_ID="your-org-id"

# Create role at organization level
gcloud iam roles create infrastructureCostReader \
  --organization=$ORG_ID \
  --file=custom-role.yaml

# Assign to service account at organization level
gcloud organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="organizations/${ORG_ID}/roles/infrastructureCostReader"

Troubleshooting

Role Creation Failed

Ensure you have the roles/iam.roleAdmin or roles/owner role on the project. You may also need to enable the IAM API:
gcloud services enable iam.googleapis.com --project=$PROJECT_ID

Service Account Creation Failed

Verify that:
  • The IAM API is enabled
  • You have iam.serviceAccounts.create permission
  • The service account name is unique

Permission Denied Errors

Some permissions require specific APIs to be enabled:
# Enable required APIs
gcloud services enable compute.googleapis.com --project=$PROJECT_ID
gcloud services enable container.googleapis.com --project=$PROJECT_ID
gcloud services enable sqladmin.googleapis.com --project=$PROJECT_ID
gcloud services enable monitoring.googleapis.com --project=$PROJECT_ID
gcloud services enable logging.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudasset.googleapis.com --project=$PROJECT_ID
gcloud services enable recommender.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudbilling.googleapis.com --project=$PROJECT_ID
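As an added check (not part of the original guide), the following Python script parses a custom-role.yaml in the format from Step 2, flags any permission whose verb is not read-only, and maps permission prefixes to the APIs listed above. The sample role text and the prefix table are constructed here from this page; storage is deliberately left unmapped to show how an unknown prefix is reported.

```python
# Constructed sample in the custom-role.yaml format from Step 2, with one
# write permission slipped in to show what the audit catches.
ROLE_YAML = """\
title: "Infrastructure and Cost Analysis Reader"
includedPermissions:
  # Compute Engine
  - compute.instances.list
  - compute.instances.get
  # Cloud Storage
  - storage.objects.get
  - storage.objects.create
"""

# Verbs used by the role in Step 2 that only read state.
READ_ONLY_VERBS = {"list", "get", "getIamPolicy", "listResource",
                  "searchAllResources", "searchAllIamPolicies"}

# Service prefix -> API to enable, taken from the gcloud commands above.
PREFIX_TO_API = {
    "compute": "compute.googleapis.com", "container": "container.googleapis.com",
    "cloudsql": "sqladmin.googleapis.com", "monitoring": "monitoring.googleapis.com",
    "logging": "logging.googleapis.com", "cloudasset": "cloudasset.googleapis.com",
    "recommender": "recommender.googleapis.com", "billing": "cloudbilling.googleapis.com",
    "iam": "iam.googleapis.com",
}

def parse_included_permissions(yaml_text):
    """Extract includedPermissions without a YAML library (scalar keys + one list)."""
    perms, in_list = [], False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.lstrip().startswith("- "):
            perms.append(line.lstrip()[2:].strip())
        elif in_list and not line.startswith(" "):
            in_list = False                           # another top-level key
    return perms

def find_write_permissions(perms):
    """Permissions whose verb can change state; an empty list means read-only."""
    return [p for p in perms if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS]

def required_apis(perms):
    """APIs to enable; an unknown prefix is reported rather than skipped."""
    return sorted({PREFIX_TO_API.get(p.split(".", 1)[0],
                                     "unknown-prefix:" + p.split(".", 1)[0])
                   for p in perms})
```

Run it against the real custom-role.yaml before `gcloud iam roles create`; a non-empty result from find_write_permissions means the role is no longer read-only.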

Integration Test Failed

Check that:
  • The Project ID is correct
  • The JSON key file contents are complete and properly formatted
  • The service account has the custom role assigned
  • Required APIs are enabled in the project

Billing Permissions Not Working

Billing permissions require the service account to be added to the billing account:
  1. Go to Billing Console
  2. Select your billing account
  3. Click Account Management
  4. Add the service account email with Billing Account Viewer role