InfraAudit connects to Google Cloud using a service account JSON key. Once connected, it discovers Compute Engine instances, Cloud Storage buckets, BigQuery datasets, and GKE clusters, and ingests billing data from your BigQuery billing export.

Prerequisites

Before connecting, make sure you have:
  • A GCP project with the resources you want to monitor
  • The gcloud CLI installed and authenticated, or access to the GCP console
  • Permission to create service accounts and assign IAM roles in the project

Create the service account

Run the following commands to create a service account with the minimum required roles and download a JSON key:
# Create the service account
gcloud iam service-accounts create infraudit-reader \
  --display-name="InfraAudit Reader" \
  --project=your-project-id

# Grant the Viewer role for resource discovery
gcloud projects add-iam-policy-binding your-project-id \
  --member="serviceAccount:infraudit-reader@your-project-id.iam.gserviceaccount.com" \
  --role="roles/viewer"

# Grant BigQuery Data Viewer for billing export access
gcloud projects add-iam-policy-binding your-project-id \
  --member="serviceAccount:infraudit-reader@your-project-id.iam.gserviceaccount.com" \
  --role="roles/bigquery.dataViewer"

# Download the key file
gcloud iam service-accounts keys create infraudit-key.json \
  --iam-account="infraudit-reader@your-project-id.iam.gserviceaccount.com"

Required IAM roles

| Role | Purpose |
| --- | --- |
| roles/viewer | Read access to Compute Engine, Cloud Storage, GKE, and other resource types |
| roles/bigquery.dataViewer | Read access to billing export tables in BigQuery |

The roles/viewer role grants broad read access across all GCP services in the project. If you prefer a narrower scope, you can replace it with a custom role that includes only the specific APIs InfraAudit needs for resource discovery.

Set up billing export (optional)

To ingest cost data, you need to enable BigQuery billing export in GCP first. Without this step, InfraAudit discovers resources but shows no billing data for GCP.
1. Open billing export settings
   In the GCP console, go to Billing → Billing export.
2. Enable BigQuery export
   Under BigQuery export, enable Standard usage cost export.
3. Choose or create a dataset
   Choose an existing BigQuery dataset or create a new one (for example, billing_export) to receive the export data.
4. Note the project ID and dataset name
   You’ll enter these when connecting InfraAudit.

BigQuery billing export has a 1-to-2 day lag from GCP. Data for day D typically appears in BigQuery by the end of day D+2.

Connect your GCP project

1. Open the connection dialog
   In the sidebar, click Cloud Providers → Connect GCP.
2. Enter your credentials
     • Paste the full contents of infraudit-key.json into the Service Account JSON field.
     • Enter the Project ID.
     • (Optional) Enter the Billing BigQuery dataset name if you configured billing export.
3. Connect
   Click Connect. InfraAudit validates the service account and starts the initial resource sync.

What gets synced

| Resource type | Internal type name |
| --- | --- |
| Compute Engine instances | gcp_compute_instance |
| Cloud Storage buckets | gcp_storage_bucket |
| BigQuery datasets | gcp_bigquery_dataset |
| GKE clusters | gcp_gke_cluster |

Billing data is synced daily from your BigQuery billing export table.

Security notes

  • The service account JSON key is encrypted at rest using AES-GCM.
  • InfraAudit never writes to your GCP project. All API calls are read-only.
  • After downloading infraudit-key.json, delete the local file once you’ve entered the credentials in InfraAudit.
Service account JSON keys are long-lived credentials. Treat the key file as a secret, don’t commit it to source control, and rotate it periodically via IAM → Service accounts → Manage keys.
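
To confirm the service account holds only the two read-only roles and that its key is rotated on schedule, you can run a check like the one below over gcloud's JSON output. This is an added example, not part of InfraAudit; the sample policy, key names, fixed date, and 90-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone

# Roles this page grants to the InfraAudit service account.
EXPECTED_ROLES = {"roles/viewer", "roles/bigquery.dataViewer"}
MEMBER = "serviceAccount:infraudit-reader@your-project-id.iam.gserviceaccount.com"

def roles_for(policy, member):
    """Roles bound directly to `member` in a project IAM policy, as printed by
    `gcloud projects get-iam-policy your-project-id --format=json`.
    Bindings inherited from a folder or organization are not in that output."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def unexpected_roles(policy, member):
    """Roles held by `member` beyond the two read-only roles listed above."""
    return roles_for(policy, member) - EXPECTED_ROLES

def stale_user_keys(keys, now, max_age_days=90):
    """Names of user-managed keys older than `max_age_days`, from
    `gcloud iam service-accounts keys list --iam-account=... --format=json`.
    The 90-day default is an assumption; use your own rotation policy."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # system-managed keys are rotated by Google
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if (now - created).days > max_age_days:
            stale.append(key["name"])
    return stale

# Constructed sample data in the shape of the two gcloud JSON outputs.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": [MEMBER]},
    {"role": "roles/bigquery.dataViewer", "members": [MEMBER]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com", MEMBER]},
]}
SAMPLE_KEYS = [
    {"name": "keys/constructed-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-01-01T00:00:00Z"},
    {"name": "keys/constructed-new", "keyType": "USER_MANAGED",
     "validAfterTime": "2025-05-20T00:00:00Z"},
    {"name": "keys/constructed-system", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    print("unexpected roles:", sorted(unexpected_roles(SAMPLE_POLICY, MEMBER)))
    print("keys to rotate:", stale_user_keys(SAMPLE_KEYS, NOW))
```

Any role reported as unexpected means the account can do more than this page intends; remove that binding before pasting the key into InfraAudit.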