GCP Connections

GCP connections enable Firetiger to access Google Cloud Platform resources using service account authentication. This provides scoped access to GCP APIs through a service account key.

Recommended: Create and manage connections via the web UI at https://ui.{deployment}.firetigerapi.com/settings/connections

Setup Overview

Setting up a GCP connection involves two steps:

  1. Create a Service Account - Create a GCP service account with appropriate permissions
  2. Create Connection - Upload the service account key JSON to Firetiger

Step 1: Create a Service Account

Google Cloud Console

  1. Go to IAM & Admin > Service Accounts
  2. Click Create Service Account
  3. Enter a name (e.g., firetiger-reader) and description
  4. Grant the Viewer role (or a more restrictive custom role)
  5. Click Done
  6. Click the service account, go to Keys > Add Key > Create New Key
  7. Select JSON and click Create
  8. Save the downloaded key file securely

gcloud CLI

# Create the service account
gcloud iam service-accounts create firetiger-reader \
  --display-name="Firetiger Reader"

# Grant Viewer role on the project
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:firetiger-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/viewer"

# Create and download a key
gcloud iam service-accounts keys create key.json \
  --iam-account="firetiger-reader@YOUR_PROJECT_ID.iam.gserviceaccount.com"

Step 2: Create the Connection

  1. In the Firetiger UI, click New Connection and select GCP
  2. Enter your Project ID
  3. Select the Region where your resources are located
  4. Paste the contents of your service account key JSON file
  5. Click Create Connection

Connection Fields

Field                 Required  Description
display_name          Yes       Human-readable name (e.g., “Production GCP”)
description           Yes       Description of what this connection accesses
project_id            Yes       Default GCP project ID for API calls
region                Yes       Default GCP region (e.g., us-central1)
service_account_key   Yes       Service account key in JSON format (write-only)

Supported Regions

Region                 Location
us-central1            Iowa
us-east1               South Carolina
us-east4               Northern Virginia
us-west1               Oregon
us-west2               Los Angeles
europe-west1           Belgium
europe-west2           London
europe-west3           Frankfurt
asia-east1             Taiwan
asia-southeast1        Singapore
asia-northeast1        Tokyo
australia-southeast1   Sydney

Service Account Key

The service account key is a JSON file that looks like:

{
  "type": "service_account",
  "project_id": "your-project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "firetiger-reader@your-project-id.iam.gserviceaccount.com",
  "client_id": "123456789",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/...",
  "universe_domain": "googleapis.com"
}

The type field must be "service_account". The private key is stored securely and is never returned after creation.

Verification

After creating the connection, Firetiger automatically verifies it by:

  1. Creating credentials from the service account key
  2. Calling the Cloud Resource Manager API to get project info
  3. Confirming the service account has access to the specified project

If verification fails, check:

  • The service account key JSON is valid and complete
  • The service account has not been deleted or disabled
  • The project ID matches the service account’s project (or the account has cross-project access)
  • The service account has sufficient IAM permissions

Security

Key Management

  • Service account keys are stored encrypted and never returned after creation
  • Rotate keys periodically using gcloud iam service-accounts keys create
  • Delete old keys after rotation: gcloud iam service-accounts keys delete KEY_ID

Least Privilege

Grant only the minimum IAM roles needed:

  • Viewer (roles/viewer) - Read-only access to all resources (broad)
  • Custom roles - Create a custom role with only the specific permissions needed

Key Rotation

To rotate a service account key:

  1. Create a new key for the service account
  2. Update the Firetiger connection with the new key
  3. Verify the connection works
  4. Delete the old key from GCP
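The four rotation steps above, as an added example that is not Firetiger's or Google's code: a Python script that wraps the gcloud commands from the Key Management section and deletes the old keys only after the connection verifies with the new one. The update_connection and verify_connection callbacks are assumptions (the page documents updating the connection through the UI, not an API), and the key listing used for the dry run is a constructed sample of `gcloud iam service-accounts keys list --format=json` output.

```python
import json
import os
import subprocess
import tempfile
from typing import Callable, List


def gcloud(*args: str) -> str:
    """Run one gcloud command and return its stdout; raises on a non-zero exit."""
    result = subprocess.run(["gcloud", *args], check=True, capture_output=True, text=True)
    return result.stdout


def key_id_from_name(name: str) -> str:
    """The key ID is the last path segment of the key's resource name."""
    return name.rsplit("/", 1)[-1]


def select_keys_to_delete(keys: List[dict], keep_key_id: str) -> List[str]:
    """Every user-managed key except the one just created (step 4).

    System-managed keys are rotated by Google and cannot be deleted, so they are
    skipped even if a listing includes them.
    """
    return [
        key_id_from_name(key["name"])
        for key in keys
        if key.get("keyType") == "USER_MANAGED" and key_id_from_name(key["name"]) != keep_key_id
    ]


def create_key(sa_email: str, out_path: str) -> str:
    """Step 1: create a new key file and return its key ID (the private_key_id field)."""
    gcloud("iam", "service-accounts", "keys", "create", out_path, f"--iam-account={sa_email}")
    with open(out_path, encoding="utf-8") as fh:
        return json.load(fh)["private_key_id"]


def list_user_keys(sa_email: str) -> List[dict]:
    """User-managed keys of the service account, as gcloud reports them."""
    out = gcloud("iam", "service-accounts", "keys", "list", f"--iam-account={sa_email}",
                 "--managed-by=user", "--format=json")
    return json.loads(out)


def rotate(sa_email: str,
           update_connection: Callable[[str], None],
           verify_connection: Callable[[], bool]) -> List[str]:
    """Run steps 1-4 and return the IDs of the keys that were deleted.

    update_connection receives the new key JSON and pushes it to the Firetiger
    connection (hypothetical callback); verify_connection reports whether the
    connection verifies with the new key (step 3). Old keys are removed only
    after that check passes, so a failed rotation never leaves the connection
    without a working key.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        new_id = create_key(sa_email, path)
        with open(path, encoding="utf-8") as fh:
            update_connection(fh.read())          # step 2
    # The temporary directory is gone here, so no copy of the key stays on disk.
    if not verify_connection():
        raise RuntimeError("connection did not verify with the new key; old keys left in place")
    deleted = []
    for kid in select_keys_to_delete(list_user_keys(sa_email), new_id):
        gcloud("iam", "service-accounts", "keys", "delete", kid,
               f"--iam-account={sa_email}", "--quiet")
        deleted.append(kid)
    return deleted


# Constructed sample of `keys list --format=json` output (not captured from a real project).
_SA = "projects/demo-project/serviceAccounts/firetiger-reader@demo-project.iam.gserviceaccount.com"
SAMPLE_KEY_LIST = [
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "name": f"{_SA}/keys/old00001",
     "validAfterTime": "2024-01-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "name": f"{_SA}/keys/sys00001",
     "validAfterTime": "2024-06-01T00:00:00Z", "validBeforeTime": "2024-06-15T00:00:00Z"},
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "name": f"{_SA}/keys/old00002",
     "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "name": f"{_SA}/keys/new00001",
     "validAfterTime": "2024-09-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
]

if __name__ == "__main__":
    # Dry run of the deletion selection on the sample listing; a real run calls
    # rotate() with callbacks wired to the Firetiger connection.
    print("would delete:", select_keys_to_delete(SAMPLE_KEY_LIST, "new00001"))
```

The verification gate is the important design choice: step 4 runs only after step 3 succeeds, and the new key ID is excluded from deletion by ID rather than by position in the listing, so the order gcloud returns keys in does not matter.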

Troubleshooting

“Permission denied” errors

  • Verify the service account has the correct IAM roles
  • Check that the project ID in the connection matches the target project
  • Ensure the service account hasn’t been disabled

“Invalid key” errors

  • Confirm the JSON is complete and properly formatted
  • Check that type is "service_account"
  • Verify the key hasn’t been deleted in GCP
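An offline check for the “Invalid key” items above and for the shape of the key file shown in the Service Account Key section, as an added example (not Firetiger's own validation): it confirms the JSON parses, that type is "service_account", that the fields from the sample file are present, that private_key is a PEM block without double-escaped newlines, and that client_email belongs to the key's project_id. The optional expected_project argument is the Project ID entered in the connection; a mismatch is reported because it only works with cross-project access, as the verification checklist notes. The sample key is constructed and its PEM body is placeholder text.

```python
import json
from typing import Dict, List, Optional

# Fields shown in the sample key file that the checks below rely on.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")
PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def validate_service_account_key(raw: str, expected_project: Optional[str] = None) -> List[str]:
    """Return the problems found; an empty list means the key passes every offline check."""
    try:
        info = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(info, dict):
        return ["top-level JSON value is not an object"]

    problems: List[str] = []
    for field in REQUIRED_FIELDS:
        if not isinstance(info.get(field), str) or not info[field]:
            problems.append(f"missing or empty field: {field}")

    if info.get("type") != "service_account":
        problems.append(f'type must be "service_account" (got {info.get("type")!r})')

    pem = info.get("private_key")
    if isinstance(pem, str) and pem:
        if "\\n" in pem:
            # json.loads already turned "\n" escapes into newlines; a literal backslash-n
            # left behind means the key was escaped twice when it was pasted.
            problems.append("private_key contains literal \\n sequences; newlines were double-escaped")
        elif not (pem.strip().startswith(PEM_HEADER) and pem.strip().endswith(PEM_FOOTER)):
            problems.append("private_key is not a PEM PRIVATE KEY block")

    email = info.get("client_email", "")
    project = info.get("project_id", "")
    if isinstance(email, str) and isinstance(project, str) and email and project:
        if not email.endswith(f"@{project}.iam.gserviceaccount.com"):
            problems.append(f"client_email {email} does not belong to project_id {project}")
        if expected_project and project != expected_project:
            problems.append(f"key belongs to project {project} but the connection targets "
                            f"{expected_project}; this needs cross-project access")

    token_uri = info.get("token_uri", "")
    if isinstance(token_uri, str) and token_uri and not token_uri.startswith("https://"):
        problems.append("token_uri must be an https URL")
    return problems


def redacted(info: Dict[str, str]) -> Dict[str, str]:
    """Copy of the key that is safe to log: key material replaced, the key ID kept."""
    return {k: ("<redacted>" if k == "private_key" else v) for k, v in info.items()}


# Constructed sample key (not a real credential); the PEM body is placeholder text.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "demo-project",
    "private_key_id": "0123456789abcdef",
    "private_key": PEM_HEADER + "\nMIIEvQIBADANBgkqPLACEHOLDER\n" + PEM_FOOTER + "\n",
    "client_email": "firetiger-reader@demo-project.iam.gserviceaccount.com",
    "client_id": "123456789",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/placeholder",
    "universe_domain": "googleapis.com",
}
SAMPLE_KEY_JSON = json.dumps(SAMPLE_KEY, indent=2)

if __name__ == "__main__":
    import sys
    # Usage: python check_key.py key.json [connection-project-id]
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_KEY_JSON
    target = sys.argv[2] if len(sys.argv) > 2 else None
    for line in validate_service_account_key(raw, target) or ["ok"]:
        print(line)
```

Run it against the key file before pasting it into the connection form; anything it reports maps to one of the checklist items above, and redacted() is what to pass to a logger if the parsed key needs to be inspected, since the private key must never reach logs.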

Connection verification fails

  • Ensure the service account has at least resourcemanager.projects.get permission
  • The Viewer role includes this permission

Best Practices

  • Use descriptive names - Include environment and purpose (e.g., “Production BigQuery Access”)
  • Document access scope - Describe which GCP resources and APIs are accessible
  • Follow least privilege - Grant only the IAM roles needed for the specific use case
  • Rotate keys regularly - Create new keys and delete old ones periodically
  • Use dedicated service accounts - Create a separate service account for Firetiger rather than reusing existing ones
