# Connecting to GCP

At a high level, OneLens uses a **Service Account** created in your environment with the appropriate **read-only IAM roles** for resource visibility and cost/usage metrics. An **External User** is also created with similar IAM roles in your environment to enable our FinOps experts to manually analyze and identify potential savings.

{% hint style="info" %}
For a full list of IAM roles provisioned to the Service Account and External User, please refer to the [IAM roles](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/frequently-asked-questions-faq#what-specific-permissions-does-onelens-require) section.
{% endhint %}

{% hint style="warning" %}
The IAM roles created are limited in scope and grant only the permissions required for OneLens to function. No modifications are made to your infrastructure. Access is **read-only** and fully **reversible**: you may delete the individual roles or the App Registration/External User at any time to revoke access. OneLens does not collect or alter any data outside the defined access permissions.
{% endhint %}

### Architecture

Below is the architecture on our end to support ingestion and analysis of your Google Cloud data:

<figure><img src="https://3963693991-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiyNGpqVYfmDF6qt7Lzar%2Fuploads%2FwRqg779eq5nqtmgMaiX3%2FOneLens%20Multicloud%20Architecture%20for%20GCP%20Customers%20-%20after%20frontend%20migration.png?alt=media&#x26;token=5ba11e29-c10d-4d77-b911-dcc979be5dda" alt=""><figcaption></figcaption></figure>

### Integration flow

Below is a step-by-step flow of the integration process for your Google Cloud environment:

{% columns %}
{% column %}

{% endcolumn %}

{% column %}
{% @mermaid/diagram content="flowchart TD
A\["1. Select/Create Project & Service Account<br/><i>(Validates existing or creates new)</i>"]
\--> B\["2. Create BigQuery Dataset<br/><i>('billing\_export' for cost data)</i>"]
\--> C\["3. Enable APIs & Link Billing<br/><i>(On Billing & Target Projects)</i>"]
\--> D\["4. Assign IAM Roles<br/><i>(BigQuery, Viewer, & Billing roles)</i>"]
\--> E\["5. Configure Daily Cost Exports<br/><i>(Manual Step in Console)</i>"]

" fullWidth="false" %}

{% endcolumn %}

{% column %}

{% endcolumn %}
{% endcolumns %}

### Components created in your environment

* **Identity:**
  * Service Account
  * External user
* **Project:**
  * Billing project *(if opted to create new)*
* **Dataset:**
  * BigQuery dataset
* **Billing export**
  * Detailed Usage Cost export

### IAM roles

| IAM Role                | Scope            | Assignee                       | Purpose                                            |
| ----------------------- | ---------------- | ------------------------------ | -------------------------------------------------- |
| Organization Viewer     | Organization     | Service Account, External user | Read organization hierarchy.                       |
| Billing Viewer          | Billing account  | Service Account, External user | Read billing account metadata.                     |
| BigQuery Data Viewer    | Billing project  | Service Account, External user | Read data from BigQuery export dataset.            |
| BigQuery Job User       | Billing project  | Service Account, External user | Run queries on the billing data.                   |
| \*Service Viewer roles  | \*\*Target scope | Service Account                | Read metadata for services like Compute, GKE, etc. |
| Viewer                  | \*\*Target scope | External user                  | Read-only access to console.                       |

*\*Service Viewer roles include `roles/compute.viewer`, `roles/container.viewer`, `roles/cloudsql.viewer`, `roles/aiplatform.viewer`, etc. For a full list, please refer to the <> section.*

*\*\*Target scope can be a Project, a Folder or an Organization, as per your desired setup.*

### APIs enabled

For OneLens to be able to call the relevant GCP APIs for cost analysis, we enable the following on your project(s):

* `Vertex AI API` *(aiplatform.googleapis.com)*
* `Cloud Functions API` *(cloudfunctions.googleapis.com)*
* `Cloud SQL Admin API` *(sqladmin.googleapis.com)*
* `Compute Engine API` *(compute.googleapis.com)*
* `Kubernetes Engine API` *(container.googleapis.com)*
* `Dataflow API` *(dataflow.googleapis.com)*
* `Cloud Dataproc API` *(dataproc.googleapis.com)*
* `Cloud Filestore API` *(file.googleapis.com)*
* `Cloud Monitoring API` *(monitoring.googleapis.com)*
* `Network Management API` *(networkmanagement.googleapis.com)*
* `Recommender API` *(recommender.googleapis.com)*
* `Google Cloud Memorystore for Redis API` *(redis.googleapis.com)*
* `Service Usage API` *(serviceusage.googleapis.com)*
* `Cloud Asset API` *(cloudasset.googleapis.com)*
* `BigQuery API` *(bigquery.googleapis.com)*
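As an added example (not code from the OneLens documentation or product), the Python script below verifies, from your side, that the integration stayed within the stated boundaries: it checks a project's IAM policy for the Service Account against the read-only roles in the IAM roles table, flags any binding that is not on that list (in particular write-capable ones such as `roles/compute.admin`), and reports which of the APIs listed above are not yet enabled. The role IDs for the table's display names, the JSON shapes of `gcloud projects get-iam-policy --format=json` and `gcloud services list --enabled --format=json`, and all sample data are assumptions constructed here so it runs offline; in practice you would feed it the real command output.

```python
"""Offline audit of a GCP IAM policy and enabled-services listing against the
read-only roles and APIs documented for the OneLens integration.

Added example; not OneLens' own tooling. Input shapes follow (assumed)
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud services list --enabled --format=json`; constructed sample data is
substituted so the script runs offline.
"""

# Role IDs assumed to match the display names in the IAM roles table.
EXPECTED_BY_SCOPE = {
    "organization": {"roles/resourcemanager.organizationViewer"},
    "billing_account": {"roles/billing.viewer"},
    "billing_project": {"roles/bigquery.dataViewer", "roles/bigquery.jobUser"},
    # The "Service Viewer roles" named on the page; the full list is longer.
    "target_scope": {
        "roles/compute.viewer", "roles/container.viewer",
        "roles/cloudsql.viewer", "roles/aiplatform.viewer",
    },
}

# The APIs from the "APIs enabled" section.
REQUIRED_APIS = {
    "aiplatform.googleapis.com", "cloudfunctions.googleapis.com",
    "sqladmin.googleapis.com", "compute.googleapis.com",
    "container.googleapis.com", "dataflow.googleapis.com",
    "dataproc.googleapis.com", "file.googleapis.com",
    "monitoring.googleapis.com", "networkmanagement.googleapis.com",
    "recommender.googleapis.com", "redis.googleapis.com",
    "serviceusage.googleapis.com", "cloudasset.googleapis.com",
    "bigquery.googleapis.com",
}

# A role whose last path segment ends in one of these can mutate resources.
WRITE_HINTS = ("admin", "editor", "owner", "writer")

# Constructed sample identity; not a real OneLens service account.
ONELENS_SA = "serviceAccount:onelens-sa@example-billing.iam.gserviceaccount.com"

# Constructed policy: one billing project that is also the target scope, with
# a drifted `roles/compute.admin` binding that the audit should catch.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.dataViewer", "members": [ONELENS_SA]},
        {"role": "roles/bigquery.jobUser",
         "members": [ONELENS_SA, "user:analyst@example.com"]},
        {"role": "roles/compute.viewer", "members": [ONELENS_SA]},
        {"role": "roles/compute.admin", "members": [ONELENS_SA]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
    "etag": "constructed-etag",
    "version": 1,
}

# Constructed listing: everything required except two APIs, plus one extra.
SAMPLE_SERVICES = [
    {"config": {"name": api}, "state": "ENABLED"}
    for api in sorted(REQUIRED_APIS
                      - {"recommender.googleapis.com", "cloudasset.googleapis.com"})
] + [{"config": {"name": "logging.googleapis.com"}, "state": "ENABLED"}]


def roles_for_member(policy, member):
    """Roles bound to `member` in a get-iam-policy document (conditions ignored)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_member(policy, member, expected_roles):
    """Compare a member's bindings with the expected read-only set.

    Returns sorted lists of roles expected but absent, roles bound but not
    expected, and the subset of the latter that look write-capable.
    """
    bound = roles_for_member(policy, member)
    unexpected = bound - expected_roles
    write_capable = {r for r in unexpected
                     if r.rsplit(".", 1)[-1].lower().endswith(WRITE_HINTS)}
    return {
        "missing": sorted(expected_roles - bound),
        "unexpected": sorted(unexpected),
        "write_capable": sorted(write_capable),
    }


def missing_apis(services_listing, required=REQUIRED_APIS):
    """Required APIs absent from a `gcloud services list --enabled` listing."""
    enabled = {s["config"]["name"] for s in services_listing
               if s.get("state", "ENABLED") == "ENABLED"}
    return sorted(required - enabled)


if __name__ == "__main__":
    expected = EXPECTED_BY_SCOPE["billing_project"] | EXPECTED_BY_SCOPE["target_scope"]
    report = audit_member(SAMPLE_POLICY, ONELENS_SA, expected)
    for key, roles in report.items():
        print(f"{key:14s} {', '.join(roles) or '-'}")
    print(f"{'missing APIs':14s} {', '.join(missing_apis(SAMPLE_SERVICES)) or '-'}")
```

Run the same check against the organization and billing-account policies with the matching `EXPECTED_BY_SCOPE` entries; a non-empty `write_capable` list is the signal that a binding has drifted beyond the read-only scope the page describes, and `missing` at the target scope tells you which Service Viewer roles still have to be granted.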

### Integration steps

OneLens supports seamless integration across all Google Cloud Platform organizational structures. You can configure the platform to monitor an entire Organization hierarchy, individual Folders or Projects.

To get started, follow the below guide to integrate your Google Cloud account with OneLens using a seamless automated setup powered by Terraform:

{% content-ref url="connecting-to-gcp/automated-using-terraform" %}
[automated-using-terraform](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-gcp/automated-using-terraform)
{% endcontent-ref %}

If you prefer to integrate manually using the Google Cloud console, follow the below guide:

{% content-ref url="connecting-to-gcp/manual" %}
[manual](https://docs.onelens.cloud/integrations/cloud-and-cost-sources/connecting-to-gcp/manual)
{% endcontent-ref %}
