What is this integration?
Google Cloud Platform (GCP) provides fully managed cloud services including relational databases (Cloud SQL), NoSQL document databases (Firestore), and serverless data warehouses (BigQuery).What Monk manages
- Cloud SQL instances, databases, and users
- Firestore databases with PITR and backup support
- BigQuery datasets and table snapshots
- Memorystore for Redis instances with export/import support
- Cloud Storage buckets
- Cloud Storage HMAC keys for S3-compatible access
- Service accounts and IAM bindings
- API enablement via Service Usage
What the Agent can do and how to use it
- Database Creation: Provision Cloud SQL, Firestore, BigQuery, and Memorystore for Redis
- Backup & Recovery: Automated backups, on-demand snapshots, export/import, and restore operations
- Scaling: Modify instance tiers, storage, and enable high availability
- Security: Configure authorized networks, SSL, and IAM permissions
- Monitoring: Access instance status and connection information
- Ensure GCP provider is added:
monk cluster provider add -p gcp - monk update <namespace>/<name>
Required IAM Permissions
The principal whose credentials are configured viamonk cluster provider add -p gcp (a service account or user) needs IAM roles on the target project covering the entities you intend to manage.
Quick start (broad roles)
Grants enough permission to manage every entity in this package:roles/editor— create/update/delete most resourcesroles/resourcemanager.projectIamAdmin— required becauseroles/editorcannot modify IAM (used bygcp/service-account,gcp/project-iam-binding,gcp/resource-iam-binding)roles/serviceusage.serviceUsageAdmin— enable APIs viagcp/service-usage
Least-privilege roles
Grant only the roles for the entities your stack uses:
For per-entity permission lists at the API-method level, see
src/gcp/README.md.
Auth
- Uses GCP provider credentials configured via
monk cluster provider add -p gcp - GCP credentials are automatically injected into the GCP client
Getting Started
- Ensure GCP provider is added:
- Define a Cloud SQL instance (save as gcp-stack.yaml):
- Create/update:
S3-Compatible Cloud Storage Access (HMAC)
Create HMAC keys to access Cloud Storage using S3-compatible clients. Make surestorage.googleapis.com is enabled via gcp/service-usage, and
use a service account from gcp/service-account:
https://storage.googleapis.com as the S3 endpoint and the secrets
gcs-hmac-access-key / gcs-hmac-secret-key as credentials.
Cloud SQL Backup & Restore Actions
Firestore Backup & Restore Actions
export-documents for full database backups.

