Skip to main content

What is this integration?

Google Cloud Platform (GCP) provides fully managed cloud services including relational databases (Cloud SQL), NoSQL document databases (Firestore), and serverless data warehouses (BigQuery).

What Monk manages

  • Cloud SQL instances, databases, and users
  • Firestore databases with PITR and backup support
  • BigQuery datasets and table snapshots
  • Memorystore for Redis instances with export/import support
  • Cloud Storage buckets
  • Cloud Storage HMAC keys for S3-compatible access
  • Service accounts and IAM bindings
  • API enablement via Service Usage

What the Agent can do and how to use it

  • Database Creation: Provision Cloud SQL, Firestore, BigQuery, and Memorystore for Redis
  • Backup & Recovery: Automated backups, on-demand snapshots, export/import, and restore operations
  • Scaling: Modify instance tiers, storage, and enable high availability
  • Security: Configure authorized networks, SSL, and IAM permissions
  • Monitoring: Access instance status and connection information
Steps:
  1. Ensure GCP provider is added: monk cluster provider add -p gcp
  2. monk update <namespace>/<name>

Required IAM Permissions

The principal whose credentials are configured via monk cluster provider add -p gcp (a service account or user) needs IAM roles on the target project covering the entities you intend to manage.

Quick start (broad roles)

Grants enough permission to manage every entity in this package:
  • roles/editor — create/update/delete most resources
  • roles/resourcemanager.projectIamAdmin — required because roles/editor cannot modify IAM (used by gcp/service-account, gcp/project-iam-binding, gcp/resource-iam-binding)
  • roles/serviceusage.serviceUsageAdmin — enable APIs via gcp/service-usage

Least-privilege roles

Grant only the roles for the entities your stack uses: For per-entity permission lists at the API-method level, see src/gcp/README.md.

Auth

  • Uses GCP provider credentials configured via monk cluster provider add -p gcp
  • GCP credentials are automatically injected into the GCP client

Getting Started

  1. Ensure GCP provider is added:
  1. Define a Cloud SQL instance (save as gcp-stack.yaml):
  1. Create/update:

S3-Compatible Cloud Storage Access (HMAC)

Create HMAC keys to access Cloud Storage using S3-compatible clients. Make sure storage.googleapis.com is enabled via gcp/service-usage, and use a service account from gcp/service-account:
Use https://storage.googleapis.com as the S3 endpoint and the secrets gcs-hmac-access-key / gcs-hmac-secret-key as credentials.

Cloud SQL Backup & Restore Actions


Firestore Backup & Restore Actions

Note: Firestore PITR enables reading historical document versions (7 days), not database-level restore. Use export-documents for full database backups.

BigQuery Backup & Restore Actions

Time Travel: BigQuery provides built-in time travel (2-7 days) for querying historical data without creating snapshots:

Restore Behavior Summary