# Google Cloud Platform (GCP)

To connect Google Cloud Platform as a data source for infrastructure inventory, observability, cost analysis, and optimization insights, you need to create a service account with a custom role.

## Prerequisites

1. **Google Cloud CLI (gcloud)** installed and configured
2. A **GCP project** with appropriate admin access to create roles and service accounts
3. **Billing account** access (for cost-related permissions)

## Step 1: Get Your Project ID

Run the following command to get your GCP project ID:

```bash
gcloud config get-value project
```

Or list all projects:

```bash
gcloud projects list
```

## Step 2: Create a Custom Role

Save the following role definition to a file called `custom-role.yaml`:

```yaml
title: "Infrastructure and Cost Analysis Reader"
description: "Read-only access for infrastructure inventory, observability, cost analysis, and optimization insights"
stage: "GA"
includedPermissions:
  # Compute Engine
  - compute.instances.list
  - compute.instances.get
  - compute.disks.list
  - compute.disks.get
  - compute.networks.list
  - compute.networks.get
  - compute.subnetworks.list
  - compute.subnetworks.get
  - compute.firewalls.list
  - compute.firewalls.get
  - compute.addresses.list
  - compute.addresses.get
  - compute.zones.list
  - compute.regions.list
  - compute.machineTypes.list

  # GKE (Kubernetes Engine)
  - container.clusters.list
  - container.clusters.get
  - container.nodes.list
  - container.nodes.get
  - container.pods.list
  - container.pods.get
  - container.services.list
  - container.services.get

  # Cloud SQL
  - cloudsql.instances.list
  - cloudsql.instances.get
  - cloudsql.databases.list
  - cloudsql.databases.get

  # Cloud Storage
  - storage.buckets.list
  - storage.buckets.get
  - storage.objects.list
  - storage.objects.get

  # Cloud Monitoring
  - monitoring.metricDescriptors.list
  - monitoring.metricDescriptors.get
  - monitoring.timeSeries.list
  - monitoring.dashboards.list
  - monitoring.dashboards.get
  - monitoring.alertPolicies.list
  - monitoring.alertPolicies.get
  - monitoring.groups.list
  - monitoring.groups.get
  - monitoring.uptimeCheckConfigs.list
  - monitoring.uptimeCheckConfigs.get

  # Cloud Logging
  - logging.logEntries.list
  - logging.logs.list
  - logging.logMetrics.list
  - logging.logMetrics.get
  - logging.sinks.list
  - logging.sinks.get

  # IAM
  - iam.serviceAccounts.list
  - iam.serviceAccounts.get
  - iam.roles.list
  - iam.roles.get
  - resourcemanager.projects.get
  - resourcemanager.projects.getIamPolicy

  # Billing & Cost
  - billing.accounts.list
  - billing.accounts.get
  - billing.budgets.list
  - billing.budgets.get

  # Cloud Asset Inventory
  - cloudasset.assets.listResource
  - cloudasset.assets.searchAllResources
  - cloudasset.assets.searchAllIamPolicies

  # Recommender (Cost Optimization)
  - recommender.computeInstanceMachineTypeRecommendations.list
  - recommender.computeInstanceMachineTypeRecommendations.get
  - recommender.computeInstanceIdleResourceRecommendations.list
  - recommender.computeInstanceIdleResourceRecommendations.get

  # Resource Manager
  - resourcemanager.projects.list
  - resourcemanager.folders.list
  - resourcemanager.organizations.get
```

Create the custom role using the gcloud CLI:

```bash
# Set your project ID
export PROJECT_ID="your-project-id"

# Create the custom role
gcloud iam roles create infrastructureCostReader \
  --project=$PROJECT_ID \
  --file=custom-role.yaml
```
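
Before running `gcloud iam roles create`, the role file can be checked locally. The script below is an added example, not part of the Doctor Droid documentation: it confirms every entry under `includedPermissions` ends in a read verb and points out the two permissions in this role that return contents (object data and log entries) rather than inventory metadata. The verb list and the function names are this example's assumptions.

```bash
# Added example (not from the Doctor Droid docs): audit custom-role.yaml
# before creating the role. POSIX sh, reads only the local file.

# Final segments treated as read verbs; this set is the example's assumption,
# taken from the verbs that appear in the role file above.
READ_VERBS='list|get|getIamPolicy|listResource|searchAllResources|searchAllIamPolicies'

# Read permissions in this role that return contents (object data, log
# entries) rather than inventory metadata.
DATA_READS='storage\.objects\.get|logging\.logEntries\.list'

# list_permissions FILE: one permission per line from includedPermissions
list_permissions() {
  awk '
    /^includedPermissions:/ { in_list = 1; next }
    in_list && /^[^ #-]/    { in_list = 0 }   # next top-level key ends the list
    in_list && /^[ ]*-[ ]*/ {
      sub(/^[ ]*-[ ]*/, ""); sub(/[ ]*#.*$/, ""); sub(/[ ]+$/, ""); gsub(/"/, "")
      if ($0 != "") print
    }' "$1"
}

# non_read_permissions FILE: entries whose last segment is not a read verb
non_read_permissions() {
  list_permissions "$1" | grep -Ev "\.(${READ_VERBS})\$" || true
}

# data_read_permissions FILE: read entries that expose stored contents
data_read_permissions() {
  list_permissions "$1" | grep -Ex "${DATA_READS}" || true
}

# audit_role FILE: report findings; returns 1 if any entry is not read-only
audit_role() {
  data=$(data_read_permissions "$1")
  bad=$(non_read_permissions "$1")
  if [ -n "$data" ]; then printf 'Reads contents, review before granting:\n%s\n' "$data"; fi
  if [ -n "$bad" ]; then printf 'Not read-only:\n%s\n' "$bad"; return 1; fi
}
```

Source the file and run `audit_role custom-role.yaml`; with the role above it returns 0 and lists `storage.objects.get` and `logging.logEntries.list` for review.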

## Step 3: Create a Service Account

Create a new service account for the Doctor Droid integration:

```bash
# Create the service account
gcloud iam service-accounts create drdroid-reader \
  --display-name="Doctor Droid Infrastructure Reader" \
  --description="Service account for Doctor Droid integration" \
  --project=$PROJECT_ID
```

## Step 4: Assign the Custom Role to the Service Account

Bind the custom role to the service account:

```bash
# Build the service account email
export SA_EMAIL="drdroid-reader@${PROJECT_ID}.iam.gserviceaccount.com"

# Assign the custom role
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="projects/${PROJECT_ID}/roles/infrastructureCostReader"
```

## Step 5: Create and Download Service Account Key

Generate a JSON key file for the service account:

```bash
gcloud iam service-accounts keys create drdroid-key.json \
  --iam-account=$SA_EMAIL \
  --project=$PROJECT_ID
```

This will create a `drdroid-key.json` file containing the service account credentials.

**Important:** Store this key securely. Anyone who holds the file can authenticate as the service account and read the GCP resources covered by the custom role.
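
One way to check the downloaded file before pasting it into the integration form, as an added example that is not part of the Doctor Droid documentation: it verifies that the file is a service account key for the expected account, that group and others cannot read it, and prints the key ID needed to revoke it later. The function names are this example's own; the `gcloud` calls are confined to `revoke_key`.

```bash
# Added example (not from the Doctor Droid docs): sanity-check a downloaded
# service account key. POSIX sh; never prints the private key itself.

# key_field FILE NAME: print the string value of a top-level JSON field
key_field() {
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# key_mode_private FILE: succeed only if group and others have no access
key_mode_private() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    "------") return 0 ;;
    *) return 1 ;;
  esac
}

# check_key FILE EXPECTED_EMAIL: validate the file, then print its key ID
check_key() {
  [ "$(key_field "$1" type)" = "service_account" ] ||
    { echo "not a service account key: $1" >&2; return 1; }
  [ "$(key_field "$1" client_email)" = "$2" ] ||
    { echo "key belongs to a different account" >&2; return 1; }
  key_mode_private "$1" ||
    { echo "readable by group/others; run: chmod 600 $1" >&2; return 1; }
  key_field "$1" private_key_id
}

# revoke_key KEY_ID SA_EMAIL: for decommissioning, or if the file may have
# been exposed. Deletes the key in GCP, then lists the remaining
# user-managed keys. This disables any integration still using the key.
revoke_key() {
  gcloud iam service-accounts keys delete "$1" --iam-account="$2" --quiet &&
    gcloud iam service-accounts keys list --iam-account="$2" --managed-by=user
}
```

Typical use is `KEY_ID=$(check_key drdroid-key.json "$SA_EMAIL")`; once the JSON has been saved in the platform, remove the local copy with `rm drdroid-key.json` and keep `KEY_ID` for a later `revoke_key`.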

## Step 6: Configure in Doctor Droid Platform

1. Navigate to the **Integrations** tab in the Doctor Droid platform
2. Click **Add New Integration**
3. Select **Google Cloud** and click **Connect**
4. Fill in the following credentials:

| Field                    | Description                                      | Example                            |
| ------------------------ | ------------------------------------------------ | ---------------------------------- |
| **Integration Name**     | A descriptive name to identify this integration  | `Production GCP`                   |
| **Project ID**           | Your GCP Project ID (found in the JSON key file) | `my-project-123456`                |
| **Service Account JSON** | The entire contents of the JSON key file         | `{"type": "service_account", ...}` |

5. Click **Test Connection** to verify the setup
6. Click **Save** to complete the integration

## Permissions Overview

The custom role provides read-only access to:

| Category                  | Resources                                                     |
| ------------------------- | ------------------------------------------------------------- |
| **Compute Engine**        | Instances, Disks, Networks, Subnetworks, Firewalls, Addresses |
| **GKE**                   | Clusters, Nodes, Pods, Services                               |
| **Cloud SQL**             | Instances, Databases                                          |
| **Cloud Storage**         | Buckets, Objects                                              |
| **Cloud Monitoring**      | Metrics, Dashboards, Alert Policies, Uptime Checks            |
| **Cloud Logging**         | Log Entries, Log Metrics, Sinks                               |
| **IAM**                   | Service Accounts, Roles, IAM Policies                         |
| **Billing & Cost**        | Billing Accounts, Budgets                                     |
| **Cloud Asset Inventory** | Resource search, IAM policy search                            |
| **Recommender**           | Machine type recommendations, Idle resource recommendations   |
| **Resource Manager**      | Projects, Folders, Organizations                              |

## Organization-Level Access (Optional)

To grant access across multiple projects in an organization, create the role at the organization level:

```bash
# Set your organization ID
export ORG_ID="your-org-id"

# Create role at organization level
gcloud iam roles create infrastructureCostReader \
  --organization=$ORG_ID \
  --file=custom-role.yaml

# Assign to service account at organization level
gcloud organizations add-iam-policy-binding $ORG_ID \
  --member="serviceAccount:${SA_EMAIL}" \
  --role="organizations/${ORG_ID}/roles/infrastructureCostReader"
```

## Troubleshooting

### Role Creation Failed

Ensure you have the `roles/iam.roleAdmin` or `roles/owner` role on the project. You may need to enable the IAM API:

```bash
gcloud services enable iam.googleapis.com --project=$PROJECT_ID
```

### Service Account Creation Failed

Verify that:

* The IAM API is enabled
* You have `iam.serviceAccounts.create` permission
* The service account name is unique

### Permission Denied Errors

Some permissions require specific APIs to be enabled:

```bash
# Enable required APIs
gcloud services enable compute.googleapis.com --project=$PROJECT_ID
gcloud services enable container.googleapis.com --project=$PROJECT_ID
gcloud services enable sqladmin.googleapis.com --project=$PROJECT_ID
gcloud services enable monitoring.googleapis.com --project=$PROJECT_ID
gcloud services enable logging.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudasset.googleapis.com --project=$PROJECT_ID
gcloud services enable recommender.googleapis.com --project=$PROJECT_ID
gcloud services enable cloudbilling.googleapis.com --project=$PROJECT_ID
```

### Integration Test Failed

Check that:

* The Project ID is correct
* The JSON key file contents are complete and properly formatted
* The service account has the custom role assigned
* Required APIs are enabled in the project

### Billing Permissions Not Working

Billing permissions require the service account to be added to the billing account:

1. Go to [Billing Console](https://console.cloud.google.com/billing)
2. Select your billing account
3. Click **Account Management**
4. Add the service account email with the **Billing Account Viewer** role
