Setup Guide
Diagnostics
Live checks against your GCP project
- GCP_SERVICE_ACCOUNT_JSON secret
- Service account email
- GCP_PROJECT_ID
- OAuth token mintable
- Recommender API reachable
- Billing export configured (GCP_BILLING_DATASET / GCP_BILLING_TABLE not set)
- Billing export table reachable
1. Create a Service Account
Create a read-only service account in the GCP project you want to analyze.
gcloud (recommended)
```bash
gcloud iam service-accounts create strato-ops-reader \
  --display-name="STRATO-OPS reader" \
  --project=PROJECT_ID
```
Or in the Console: IAM & Admin → Service Accounts → Create service account.
2. Grant IAM Roles
Bind read-only roles to the service account. STRATO-OPS never writes back to GCP.
One-shot gcloud
```bash
SA=strato-ops-reader@PROJECT_ID.iam.gserviceaccount.com
for ROLE in \
  roles/bigquery.dataViewer \
  roles/bigquery.jobUser \
  roles/billing.viewer \
  roles/monitoring.viewer \
  roles/logging.viewer \
  roles/recommender.viewer \
  roles/compute.viewer \
  roles/cloudsql.viewer \
  roles/aiplatform.viewer; do
  gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:$SA" --role="$ROLE"
done
```

| Role | Used for |
|---|---|
| roles/bigquery.dataViewer | Read billing export rows |
| roles/bigquery.jobUser | Run SELECT queries |
| roles/billing.viewer | Read billing account metadata |
| roles/monitoring.viewer | CPU & utilization metrics |
| roles/logging.viewer | Log sinks + ingest volume |
| roles/recommender.viewer | Rightsizing / idle / CUD recommendations |
| roles/compute.viewer | List VMs, disks, networks |
| roles/cloudsql.viewer | List Cloud SQL instances |
| roles/aiplatform.viewer | Vertex AI endpoints |
3. Enable the required APIs
Enable each Google Cloud API STRATO-OPS calls.
Enable all in one command
```bash
gcloud services enable \
  bigquery.googleapis.com \
  cloudbilling.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  recommender.googleapis.com \
  compute.googleapis.com \
  sqladmin.googleapis.com \
  aiplatform.googleapis.com \
  --project=PROJECT_ID
```
4. Enable BigQuery billing export
Spend data (MTD, daily, services, AI tokens) comes from Standard usage cost export.
- Console → Billing → select the billing account paying for your project.
- Left menu → Billing export → tab Standard usage cost.
- Click Edit settings → choose Project + Dataset (create one named billing_export if needed) → Save.
- Find the auto-created table name:

```bash
bq ls --project_id=PROJECT_ID billing_export
```

Table format: gcp_billing_export_v1_XXXXXX (X = your billing account ID with dashes replaced by underscores).
⚠ No backfill: BigQuery only contains rows from the moment you enable the export. First rows usually appear within 24h — spend panels show "awaiting data" until then. Compute / Cloud SQL / Recommendations panels work immediately.
5. Create a JSON key
Create + download a JSON key for the service account.
gcloud
```bash
gcloud iam service-accounts keys create strato-ops-key.json \
  --iam-account=strato-ops-reader@PROJECT_ID.iam.gserviceaccount.com
```
Console: Service Accounts → click your SA → Keys → Add Key → Create new key → JSON.
🔒 The key is a long-lived credential. Never commit it. Rotate every 90 days. STRATO-OPS stores it server-side only (never exposed to the browser).
6. Paste secrets into Lovable
Open Project Settings → Secrets, and paste these four values:
- GCP_SERVICE_ACCOUNT_JSON: Entire contents of strato-ops-key.json
- GCP_PROJECT_ID: e.g. my-prod-project
- GCP_BILLING_DATASET: e.g. billing_export
- GCP_BILLING_TABLE: e.g. gcp_billing_export_v1_01ABCD_234567_89EFGH

After saving, click Re-run diagnostics above. All four checks should turn green (billing may take 24h after step 4).
What runs against GCP
So you can audit the IAM blast radius
- BigQuery jobs.query — read-only SELECT against the billing export table (caps queries at 10 GB scanned).
- compute.aggregatedList — list VMs across all zones.
- sqladmin.instances.list — list Cloud SQL instances.
- monitoring.timeSeries.list — CPU utilization + log ingest bytes.
- logging.sinks.list — log sink names + destinations.
- recommender.recommendations.list — rightsizing / idle / CUD suggestions.
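
One way to audit that blast radius is to diff the roles actually bound to the service account against the nine roles from step 2. This is an added example, not part of STRATO-OPS: `audit_policy` is a hypothetical helper, and the sample policy, project name and user are constructed.

```python
import json
import sys

# The nine read-only roles bound in step 2 of this guide.
EXPECTED_ROLES = {
    "roles/bigquery.dataViewer", "roles/bigquery.jobUser",
    "roles/billing.viewer", "roles/monitoring.viewer",
    "roles/logging.viewer", "roles/recommender.viewer",
    "roles/compute.viewer", "roles/cloudsql.viewer",
    "roles/aiplatform.viewer",
}

def audit_policy(policy, sa_email):
    """Diff the roles bound to sa_email in a project IAM policy against EXPECTED_ROLES."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        granted.add(binding["role"])
        if "condition" in binding:  # IAM Conditions: a scoped or time-limited grant
            conditional.add(binding["role"])
    return {
        "unexpected": sorted(granted - EXPECTED_ROLES),  # anything here widens the blast radius
        "missing": sorted(EXPECTED_ROLES - granted),     # step 2 role not bound on this project
        "conditional": sorted(conditional),
    }

# Constructed sample policy: project and user names are placeholders.
SA = "strato-ops-reader@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    *({"role": r, "members": [f"serviceAccount:{SA}"]}
      for r in sorted(EXPECTED_ROLES - {"roles/aiplatform.viewer"})),
    {"role": "roles/editor", "members": ["user:alice@example.com", f"serviceAccount:{SA}"]},
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    # Real use:
    #   gcloud projects get-iam-policy PROJECT_ID --format=json | python audit.py SA_EMAIL
    live = len(sys.argv) > 1
    policy = json.load(sys.stdin) if live else SAMPLE_POLICY
    print(json.dumps(audit_policy(policy, sys.argv[1] if live else SA), indent=2))
```

A project policy lists only the bindings set on the project itself; roles inherited from a folder or the organization do not appear in it and need a separate check.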