Connecting to GCP

At a high level, OneLens uses a Service Account created in your environment with the appropriate read-only IAM roles for resource visibility and cost/usage metrics. An External User is also created with similar IAM roles in your environment to enable our FinOps experts to manually analyze and identify potential savings.

For a full list of IAM roles provisioned to the Service Account and External User, please refer to the IAM roles section.

Architecture

Below is the architecture on our end to support ingestion and analysis of your Google Cloud data:

Integration flow

Below is a step-by-step flow of the integration process for your Google Cloud environment:

Components created in your environment

  • Identity:

    • Service Account

    • External user

  • Project:

    • Billing project (if opted to create new)

  • Dataset:

    • BigQuery dataset

  • Billing export:

    • Detailed Usage Cost export

IAM roles

IAM Role              | Scope           | Assignee                       | Purpose
----------------------|-----------------|--------------------------------|-------------------------------------------------------
Organization Viewer   | Organization    | Service Account, External user | Read organization hierarchy.
Billing Viewer        | Billing account | Service Account, External user | Read billing account metadata.
BigQuery Data Viewer  | Billing project | Service Account, External user | Read data from the BigQuery export dataset.
BigQuery Job User     | Billing project | Service Account, External user | Run queries on the billing data.
*Service Viewer roles | **Target scope  | Service Account                | Read metadata for services such as Compute, GKE, etc.
Viewer                | **Target scope  | External user                  | Read-only access to the console.

*Service Viewer roles include roles/compute.viewer, roles/container.viewer, roles/cloudsql.viewer, roles/aiplatform.viewer, etc. For a full list, please refer to the <> section.

**Target scope can be a Project, a Folder or an Organization, as per your desired setup.
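As an added check that is not part of the OneLens integration or its Terraform, the script below audits a project-level IAM policy (the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`) for the two OneLens identities and reports any role outside the read-only set documented in the table above. The member names and the sample policy are constructed placeholders.

```python
# Role IDs for the roles named in the IAM roles table; the Service Viewer
# entries are only the ones the page names explicitly.
EXPECTED_ROLES = {
    "roles/resourcemanager.organizationViewer",  # Organization Viewer
    "roles/billing.viewer",                      # Billing Viewer
    "roles/bigquery.dataViewer",                 # BigQuery Data Viewer
    "roles/bigquery.jobUser",                    # BigQuery Job User
    "roles/viewer",                              # Viewer (External user)
    "roles/compute.viewer",                      # Service Viewer roles
    "roles/container.viewer",
    "roles/cloudsql.viewer",
    "roles/aiplatform.viewer",
}

# Constructed placeholders, not real identities.
SA_MEMBER = "serviceAccount:onelens-sa@PROJECT_ID.iam.gserviceaccount.com"
EXTERNAL_MEMBER = "user:finops-analyst@example.com"

# Constructed sample policy in getIamPolicy shape; the last binding is
# deliberate drift (a write-capable role the documentation never grants).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/bigquery.dataViewer", "members": [SA_MEMBER, EXTERNAL_MEMBER]},
        {"role": "roles/bigquery.jobUser", "members": [SA_MEMBER, EXTERNAL_MEMBER]},
        {"role": "roles/compute.viewer", "members": [SA_MEMBER]},
        {"role": "roles/viewer", "members": [EXTERNAL_MEMBER]},
        {"role": "roles/editor", "members": [SA_MEMBER]},
    ]
}


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Every role bound to `member`, collected across all bindings."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_member(policy: dict, member: str) -> dict:
    """Granted roles plus those outside EXPECTED_ROLES, i.e. privilege drift."""
    granted = roles_for_member(policy, member)
    return {"granted": granted, "unexpected": granted - EXPECTED_ROLES}


def main() -> None:
    for member in (SA_MEMBER, EXTERNAL_MEMBER):
        result = audit_member(SAMPLE_POLICY, member)
        status = "DRIFT" if result["unexpected"] else "OK"
        print(f"{status:5} {member}: unexpected={sorted(result['unexpected'])}")


if __name__ == "__main__":
    main()
```

To run it against a real project, replace SAMPLE_POLICY with `json.load()` of the saved `gcloud projects get-iam-policy` output; folder- and organization-level policies use the same binding shape.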

APIs enabled

For OneLens to be able to call the relevant GCP APIs for cost analysis, we enable the following on your project(s):

  • Vertex AI API (aiplatform.googleapis.com)

  • Cloud Functions API (cloudfunctions.googleapis.com)

  • Cloud SQL Admin API (sqladmin.googleapis.com)

  • Compute Engine API (compute.googleapis.com)

  • Kubernetes Engine API (container.googleapis.com)

  • Dataflow API (dataflow.googleapis.com)

  • Cloud Dataproc API (dataproc.googleapis.com)

  • Cloud Filestore API (file.googleapis.com)

  • Cloud Monitoring API (monitoring.googleapis.com)

  • Network Management API (networkmanagement.googleapis.com)

  • Recommender API (recommender.googleapis.com)

  • Google Cloud Memorystore for Redis API (redis.googleapis.com)

  • Service Usage API (serviceusage.googleapis.com)

  • Cloud Asset API (cloudasset.googleapis.com)

  • BigQuery API (bigquery.googleapis.com)

Integration steps

OneLens supports seamless integration across all Google Cloud Platform organizational structures. You can configure the platform to monitor an entire Organization hierarchy, individual Folders or Projects.

To get started, follow the below guide to integrate your Google Cloud account with OneLens using a seamless automated setup powered by Terraform:

Automated using Terraform

If you prefer to integrate manually using the Google Cloud console, follow the below guide:

Manual
