Google Cloud

Connect your GCP projects to enable CloudThinker agents to analyze costs, optimize resources, and manage infrastructure across Google Cloud services.

Setup

1. Create Service Account

Set up a service account with viewer permissions
  1. Go to Google Cloud Console and select your project
  2. Navigate to IAM & Admin → Service accounts
  3. Click Create Service Account
  4. Enter details:
    • Name: cloudthinker-readonly
    • Description: Read-only access for CloudThinker monitoring

2. Assign Roles

Grant the required viewer roles:
  • Viewer (basic read access)
  • Monitoring Viewer (for monitoring data)
  • Security Reviewer (for security analysis)

3. Generate JSON Key

Create and download a key file
  1. Click on the created service account from the list
  2. Go to Keys tab → Add key → Create new key
  3. Select JSON format and click Create
  4. Download the key file and store it securely

4. Add Connection in CloudThinker

Navigate to Connections → GCP and:
  • Upload the JSON key file, or
  • Paste the JSON content directly

5. Test Connection

Click Test Connection to verify access

JSON Key Format

The service account key file contains:
{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "cloudthinker-readonly@your-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}
Store the JSON key file securely. Never commit it to version control or share it publicly.

Required Roles

Minimum (Read-Only Analysis)

roles/viewer                    # Basic read access
roles/monitoring.viewer         # Cloud Monitoring access
roles/logging.viewer            # Cloud Logging access

# All of the above, plus:
roles/compute.viewer            # Compute Engine details
roles/container.viewer          # GKE cluster access
roles/cloudsql.viewer           # Cloud SQL access
roles/bigquery.dataViewer       # BigQuery analysis
roles/billing.viewer            # Billing and cost data
roles/securitycenter.viewer     # Security Command Center

Agent Capabilities

Once connected, agents can:
Agent    GCP Capabilities
Alex     Cost analysis, VM right-sizing, committed use recommendations, resource optimization
Oliver   Security Command Center findings, IAM audits, compliance checks
Tony     Cloud SQL performance, BigQuery optimization, Spanner tuning
Kai      GKE cluster management, workload optimization, Autopilot analysis

Multi-Project Setup

For organizations with multiple GCP projects:
1. Organization-Level Access

Grant the service account roles at the organization or folder level

2. Billing Account Access

Add Billing Account Viewer for cross-project cost analysis

3. Add Projects

CloudThinker will automatically discover accessible projects

Troubleshooting

  • Verify the service account has required roles
  • Check project-level IAM bindings
  • Ensure APIs are enabled (Compute, Monitoring, etc.)
  • Confirm the JSON key is valid and not expired
  • Verify the JSON file is complete and properly formatted
  • Check that the private key hasn’t been truncated
  • Ensure no extra whitespace or characters were added
  • Try regenerating the key from GCP Console
  • Verify Billing Account Viewer role is assigned
  • Enable Cloud Billing API
  • Check billing export to BigQuery is configured
  • Ensure Kubernetes Engine Viewer role is assigned
  • Verify cluster is in an accessible project
  • Check if cluster uses Workload Identity

Security Best Practices

  • Minimal permissions - Grant only required viewer roles
  • Project scope - Limit access to necessary projects only
  • Key rotation - Rotate service account keys every 90 days
  • Audit logging - Enable Cloud Audit Logs for API access tracking
  • Key storage - Store JSON keys in secure credential managers
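
One way to check the "Minimal permissions" item against a real policy, as an added example that is not part of CloudThinker's documentation or tooling: the function takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and compares the service account's bindings with the roles listed under Required Roles. The mapping of step 2's "Security Reviewer" to `roles/iam.securityReviewer`, the function name and the sample policy are assumptions made for the example.

```python
# Role IDs from this page's "Required Roles" lists.
MINIMUM = {"roles/viewer", "roles/monitoring.viewer", "roles/logging.viewer"}
EXTENDED = {
    "roles/compute.viewer", "roles/container.viewer", "roles/cloudsql.viewer",
    "roles/bigquery.dataViewer", "roles/billing.viewer", "roles/securitycenter.viewer",
}
# Assumption: "Security Reviewer" in setup step 2 is the predefined role below.
ALLOWED = MINIMUM | EXTENDED | {"roles/iam.securityReviewer"}

# Service account address taken from the page's sample key file.
SA = "cloudthinker-readonly@your-project.iam.gserviceaccount.com"

def audit_bindings(policy, sa_email=SA):
    """Return minimum roles lacking an unconditional grant, roles outside
    the allowlist, and roles granted only under an IAM condition."""
    member = f"serviceAccount:{sa_email}"
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding with a "condition" block may not apply to every request.
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    return {
        "missing": sorted(MINIMUM - unconditional),
        "unexpected": sorted((unconditional | conditional) - ALLOWED),
        "conditional": sorted(conditional - unconditional),
    }

# Constructed sample policy (not real output): one minimum role absent,
# one viewer role limited by a condition, one over-broad grant.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/monitoring.viewer", "members": [f"serviceAccount:{SA}"],
         "condition": {"title": "temp",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/editor", "members": ["user:admin@example.com", f"serviceAccount:{SA}"]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    for finding, roles in audit_bindings(SAMPLE_POLICY).items():
        print(f"{finding}: {roles}")
```

A project's policy lists only bindings made on that project, so roles granted at the organization or folder level (Multi-Project Setup) have to be checked against the policy at that level.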
