Google Cloud Platform (GCP) Onboarding

Connect your Google Cloud Platform projects to Yasu for comprehensive cost optimization and resource monitoring

Connecting your Google Cloud Platform projects to Yasu enables detailed cost analysis, resource optimization recommendations, and automated insights across all your GCP services.

Prerequisites

Before connecting your GCP projects, ensure you have:

Project Owner or Billing Account Administrator permissions
Access to Google Cloud Console
gcloud CLI installed (optional but recommended)
Understanding of GCP IAM and service accounts

Connection Methods

Yasu connects to GCP through service accounts with specific roles and permissions, following Google Cloud security best practices.

Service Account Setup

Step 1: Create Service Account

Open Google Cloud Console and select your project
Navigate to IAM & Admin > Service Accounts
Click "Create Service Account"
Enter details:
- Name: yasu-cost-optimization
- Description: Service account for Yasu cost optimization platform
Click "Create and Continue"

Step 2: Assign Required Roles

Grant the following predefined roles to the service account:

Billing Roles:

roles/billing.viewer
roles/billing.costsManager

Monitoring and Resource Roles:

roles/monitoring.viewer
roles/compute.viewer
roles/storage.objectViewer
roles/cloudsql.viewer
roles/container.viewer
roles/run.viewer

Custom Role for Enhanced Access:

{
  "title": "Yasu Cost Optimization",
  "description": "Custom role for Yasu platform access",
  "stage": "GA",
  "includedPermissions": [
    "billing.accounts.get",
    "billing.accounts.list",
    "billing.budgets.get",
    "billing.budgets.list",
    "cloudasset.assets.listResource",
    "cloudasset.assets.searchAllResources",
    "compute.instances.list",
    "compute.disks.list",
    "compute.images.list",
    "container.clusters.list",
    "container.clusters.get",
    "monitoring.metricDescriptors.list",
    "monitoring.timeSeries.list",
    "resourcemanager.projects.get",
    "recommender.computeInstanceGroupManagerMachineTypeRecommendations.list",
    "recommender.computeInstanceMachineTypeRecommendations.list",
    "recommender.computeDiskIdleResourceRecommendations.list"
  ]
}

Step 3: Generate Service Account Key

Click on the created service account
Go to "Keys" tab
Click "Add Key" > "Create new key"
Select "JSON" format
Download the key file - keep this secure!

Step 4: Enable Required APIs

Enable these APIs in your GCP project:

gcloud services enable cloudbilling.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable monitoring.googleapis.com
gcloud services enable compute.googleapis.com
gcloud services enable container.googleapis.com
gcloud services enable cloudasset.googleapis.com
gcloud services enable recommender.googleapis.com

Multi-Project Setup

For organizations with multiple GCP projects:

Organization-Level Access

Navigate to IAM & Admin at organization level
Add the service account with organization-wide roles:
- roles/resourcemanager.organizationViewer
- roles/billing.viewer

Project-Level Access

For each project you want to monitor:

Add the service account to each project
Grant required roles listed above
Enable APIs in each project

Using Terraform (Recommended for Multiple Projects)

resource "google_service_account" "yasu_optimizer" {
  account_id   = "yasu-cost-optimization"
  display_name = "Yasu Cost Optimization"
  description  = "Service account for Yasu cost optimization platform"
  project      = var.project_id
}

resource "google_project_iam_member" "yasu_roles" {
  for_each = toset([
    "roles/billing.viewer",
    "roles/billing.costsManager",
    "roles/monitoring.viewer",
    "roles/compute.viewer",
    "roles/storage.objectViewer",
    "roles/cloudsql.viewer",
    "roles/container.viewer",
    "roles/run.viewer"
  ])
  
  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.yasu_optimizer.email}"
}

resource "google_service_account_key" "yasu_key" {
  service_account_id = google_service_account.yasu_optimizer.name
  public_key_type    = "TYPE_X509_PEM_FILE"
}

Connecting in Yasu Dashboard

Navigate to Team Settings in your Yasu dashboard
Click "Connect GCP Project"
Upload the service account JSON key or paste the contents
Enter your Project ID(s) - add multiple projects if needed
Test the connection - Yasu will verify permissions
Complete setup - Data synchronization will begin

Data Sync and Processing

Initial Sync

Billing data: Historical data for the past 13 months
Resource inventory: Current Compute Engine, Cloud SQL, GKE, and Cloud Storage resources
Usage metrics: CPU, memory, disk, and network utilization
Recommendations: Available within 24 hours

Ongoing Sync

Billing data: Updated daily
Resource metrics: Updated every 5 minutes
Recommendations: Refreshed weekly
Committed Use Discounts: Monitored continuously

Security and Privacy

Data Protection

Service account keys stored encrypted
All API calls use OAuth 2.0
No access to application data or code
Only billing and resource metadata collected

Minimal Permissions

Read-only access to billing and resource data
No write permissions granted
No access to instance content or data
Regular permission audits

Compliance

SOC 2 Type II certified infrastructure
GDPR and CCPA compliant data handling
ISO 27001 security standards
Regular third-party security assessments

Monitoring Features

Cost Analysis

Project-level cost breakdown
Service-wise spending analysis
Resource utilization trends
Budget tracking and alerts

Optimization Recommendations

Rightsizing recommendations for Compute Engine instances
Committed Use Discount opportunities
Idle resource identification
Storage optimization suggestions

Advanced Analytics

Cost forecasting based on usage trends
Anomaly detection for unusual spending
Resource efficiency scoring
Carbon footprint analysis

Troubleshooting

Common Issues

Authentication Failed

Verify service account key is valid JSON
Check that required APIs are enabled
Ensure service account has necessary roles

Missing Billing Data

Verify billing account access permissions
Check if Cloud Billing API is enabled
Ensure service account is linked to billing account

Incomplete Resource Data

Verify APIs are enabled for all monitored services
Check service account permissions for each project
Ensure monitoring API access is granted

Permission Denied Errors

Review IAM roles and permissions
Check organization-level policies
Verify service account is not disabled

Diagnostic Commands

# Test service account access
gcloud auth activate-service-account --key-file=service-account-key.json

# List accessible projects
gcloud projects list

# Test billing API access
gcloud billing accounts list

# Check enabled APIs
gcloud services list --enabled

Best Practices

Project Organization

Use consistent labeling across resources
Set up proper billing budgets
Enable detailed monitoring
Implement resource tagging strategies

Cost Management Setup

Configure billing alerts
Set up budget notifications
Enable committed use discount monitoring
Regular cost review schedules

Security Hygiene

Rotate service account keys regularly
Monitor service account usage
Use least-privilege access principles
Regular permission audits

Advanced Configuration

Custom Dashboards

Set up project-specific views
Configure team-based cost allocation
Create custom alert policies
Build executive summary reports

Integration Options

Slack notifications for cost alerts
Email reports for regular summaries
API access for custom integrations
Webhook support for real-time updates

Next Steps

After successfully connecting your GCP projects:

Explore the Dashboard - Review your multi-project cost overview
Configure Alerts - Set up notifications for budget thresholds
Review Recommendations - Start with high-impact optimization opportunities
Set Up Automation - Enable auto-scaling and scheduling where appropriate
Schedule Reviews - Regular optimization sessions with your team