GCP Integration
Connect your GCP projects to OpsCompanion using Workload Identity Federation with read-only permissions.
What OpsCompanion Monitors in GCP
Compute
- Compute Engine VMs, instance groups, disks
- GKE clusters, nodes, workloads
- Cloud Run services and revisions
- App Engine applications and versions
Storage and Databases
- Cloud Storage buckets and policies
- Cloud SQL instances and backups
- BigQuery datasets and tables
- Firestore databases
Networking
- VPC networks, subnets, firewall rules
- Cloud DNS zones and records
- Cloud Load Balancing configurations
- Cloud CDN settings
Security and Identity
- IAM service accounts, roles, policies
- Cloud KMS keys and key rings
- Secret Manager (metadata only)
- Security Command Center findings
Operations
- Cloud Logging entries and sinks
- Cloud Monitoring metrics and alerts
- Cloud Trace performance data
- Error Reporting
How GCP Integration Works
- You create a service account with viewer permissions
- Workload Identity Federation is configured
- OpsCompanion authenticates without static keys
- Short-lived credentials are used for each request
What OpsCompanion Can Access
- Resource metadata and configuration
- Logs and metrics
- Audit log entries
- IAM policy documents
What OpsCompanion Cannot Access
- Secret values or credentials
- Encrypted data contents
- Write or modify permissions
- Billing settings
Constraints
- Viewer-only IAM permissions
- No service account keys stored
- Workload Identity Federation required
- Cannot create, update, or delete resources
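The constraints above can be checked from your side of the integration. The following is an added example, not OpsCompanion code: it audits saved `gcloud ... --format=json` output for the three properties listed (viewer-only roles, no stored keys, federation in place). The service account name, the read-only role allowlist, and the sample data are assumptions constructed for illustration; substitute the roles your setup guide actually grants.

```python
# Inputs have the shape returned by (load each saved file with json.load):
#   gcloud projects get-iam-policy PROJECT_ID --format=json
#   gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json

# Assumption: roles accepted as read-only; replace with the roles your setup grants.
ALLOWED_ROLES = {"roles/viewer", "roles/logging.viewer", "roles/monitoring.viewer",
                 "roles/secretmanager.viewer", "roles/iam.securityReviewer"}

def audit(sa_email, project_policy, sa_keys, sa_policy):
    """Return a list of findings; an empty list means the constraints hold."""
    member = f"serviceAccount:{sa_email}"
    findings = []
    # Viewer-only: every project role bound to the account must be allowlisted.
    for b in project_policy.get("bindings", []):
        if member in b.get("members", []) and b["role"] not in ALLOWED_ROLES:
            findings.append(f"non-viewer role bound: {b['role']}")
    # No stored keys: a USER_MANAGED key is a downloadable static credential.
    for k in sa_keys:
        if k.get("keyType") == "USER_MANAGED":
            findings.append(f"user-managed key present: {k['name'].rsplit('/', 1)[-1]}")
    # Federation required: a workload identity pool principal must hold
    # roles/iam.workloadIdentityUser on the service account itself.
    federated = [m for b in sa_policy.get("bindings", [])
                 if b["role"] == "roles/iam.workloadIdentityUser"
                 for m in b.get("members", [])
                 if m.startswith(("principal://", "principalSet://"))]
    if not federated:
        findings.append("no workload identity pool principal bound")
    return findings

# Constructed sample data (hypothetical project, pool, and account names).
SA = "opscompanion-reader@example-project.iam.gserviceaccount.com"
KEY = f"projects/example-project/serviceAccounts/{SA}/keys/"
POOL = ("principalSet://iam.googleapis.com/projects/123456789/locations/global/"
        "workloadIdentityPools/example-pool/*")
GOOD = ({"bindings": [{"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
                      {"role": "roles/editor", "members": ["user:admin@example.com"]}]},
        [{"name": KEY + "aaa111", "keyType": "SYSTEM_MANAGED"}],
        {"bindings": [{"role": "roles/iam.workloadIdentityUser", "members": [POOL]}]})
DRIFTED = ({"bindings": [{"role": "roles/viewer", "members": [f"serviceAccount:{SA}"]},
                         {"role": "roles/secretmanager.secretAccessor",
                          "members": [f"serviceAccount:{SA}"]}]},
           GOOD[1] + [{"name": KEY + "bbb222", "keyType": "USER_MANAGED"}],
           {"bindings": [{"role": "roles/iam.serviceAccountTokenCreator",
                          "members": ["user:dev@example.com"]}]})

if __name__ == "__main__":
    for label, data in (("good", GOOD), ("drifted", DRIFTED)):
        print(label, audit(SA, *data) or "OK")
```

The check reads only project-level bindings; roles granted at folder or organization level, or on individual resources, need the same test against those policies.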
Setup
GCP Setup Guide - Configure Workload Identity Federation and service account.