GCP Project Onboarding
This guide explains exactly what happens when you connect a GCP project to SmartSRE, including the permissions granted and the security architecture.
How SmartSRE Connects to Your GCP
SmartSRE uses service account impersonation to access your GCP resources. This approach:
- ✅ Requires no JSON key downloads
- ✅ Uses short-lived tokens (1 hour max)
- ✅ Provides full audit trail in GCP Cloud Audit Logs
- ✅ Can be revoked instantly by removing IAM bindings
Connection Architecture
The Onboarding Script
When you connect a project, SmartSRE generates a shell script customized for your tenant. Here's what it does:
1. Enable Required APIs
```bash
gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  monitoring.googleapis.com \
  logging.googleapis.com \
  bigquery.googleapis.com \
  run.googleapis.com \
  container.googleapis.com \
  sqladmin.googleapis.com \
  storage.googleapis.com \
  pubsub.googleapis.com \
  secretmanager.googleapis.com
```
2. Create Service Account
```bash
gcloud iam service-accounts create smartsre-agent \
  --display-name="SmartSRE Agent" \
  --description="Service account for SmartSRE remediation platform"
```
3. Grant IAM Roles
The script grants minimal roles for scanning and remediation:
| Role | Purpose |
|---|---|
| roles/viewer | Read access to resource metadata |
| roles/monitoring.viewer | Access to metrics for performance analysis |
| roles/logging.viewer | Access to logs for error detection |
| roles/bigquery.resourceViewer | BigQuery metadata for cost/performance analysis |
| roles/run.viewer | Cloud Run service configuration |
| roles/container.clusterViewer | GKE cluster and node pool information |
| roles/cloudsql.viewer | Cloud SQL instance configuration |
| roles/storage.objectViewer | GCS bucket and object metadata |
For SmartSRE to apply fixes (not just scan), additional roles like roles/run.admin, roles/bigquery.admin, etc. are needed. These are granted during a separate "Enable Remediation" step.
4. Configure Impersonation
```bash
gcloud iam service-accounts add-iam-policy-binding \
  smartsre-agent@YOUR_PROJECT.iam.gserviceaccount.com \
  --member="serviceAccount:SMARTSRE_PLATFORM_SA" \
  --role="roles/iam.serviceAccountTokenCreator"
```
This allows the SmartSRE platform to impersonate your project's service account without needing any stored credentials.
Post-Connection Verification
After running the script, SmartSRE verifies the connection by:
- Attempting to impersonate the service account
- Listing resources in the project (e.g., Cloud Run services, BigQuery datasets)
- Confirming required APIs are enabled
If verification fails, SmartSRE provides specific error messages and remediation steps.
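The verification above runs inside SmartSRE, but the same binding checks can be made from your side against the JSON that `gcloud iam service-accounts get-iam-policy --format=json` and `gcloud projects get-iam-policy --format=json` print. The script below is an added example, not SmartSRE's own tooling: it uses constructed sample policies in place of the gcloud output, treats `YOUR_PROJECT` and `SMARTSRE_PLATFORM_SA` as the guide's placeholders, and checks two things the onboarding script is supposed to leave behind: that exactly the platform service account holds `roles/iam.serviceAccountTokenCreator` on `smartsre-agent` (step 4), and that the agent's project-level roles match the scanning table in step 3, reporting anything missing or extra.

```python
"""Offline check of the IAM bindings the onboarding script is expected to
create.  Added example, not SmartSRE's own code.  It consumes the JSON form of
`gcloud iam service-accounts get-iam-policy` and `gcloud projects
get-iam-policy`, replaced here by constructed sample policies."""
import json

PROJECT = "YOUR_PROJECT"              # placeholder from the guide
AGENT_SA = f"smartsre-agent@{PROJECT}.iam.gserviceaccount.com"
PLATFORM_SA = "SMARTSRE_PLATFORM_SA"  # placeholder from the guide
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Roles the onboarding script grants for scanning (step 3 of the guide).
EXPECTED_SCAN_ROLES = {
    "roles/viewer", "roles/monitoring.viewer", "roles/logging.viewer",
    "roles/bigquery.resourceViewer", "roles/run.viewer",
    "roles/container.clusterViewer", "roles/cloudsql.viewer",
    "roles/storage.objectViewer",
}

# Constructed sample: policy on the agent service account itself.  A second
# member has been given tokenCreator, which the check should surface.
SA_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": TOKEN_CREATOR,
         "members": [f"serviceAccount:{PLATFORM_SA}",
                     "user:contractor@example.com"]},
    ],
    "etag": "BwX...", "version": 1,
})

# Constructed sample: project-level policy with one role beyond the table.
PROJECT_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": r, "members": [f"serviceAccount:{AGENT_SA}"]}
        for r in sorted(EXPECTED_SCAN_ROLES)
    ] + [{"role": "roles/editor", "members": [f"serviceAccount:{AGENT_SA}"]}],
    "etag": "BwY...", "version": 1,
})


def members_with_role(policy, role):
    """All members bound to `role` in a get-iam-policy document."""
    return {m for b in policy.get("bindings", []) if b.get("role") == role
            for m in b.get("members", [])}


def check_impersonation(sa_policy, platform_sa):
    """Step 4: only the platform SA should hold tokenCreator on the agent SA.
    Returns (platform_can_impersonate, unexpected_members)."""
    members = members_with_role(sa_policy, TOKEN_CREATOR)
    expected = f"serviceAccount:{platform_sa}"
    return expected in members, sorted(members - {expected})


def check_project_roles(project_policy, agent_sa, expected_roles):
    """Step 3: roles held by the agent SA at project level.
    Returns (missing_roles, extra_roles) relative to the expected set."""
    member = f"serviceAccount:{agent_sa}"
    held = {b["role"] for b in project_policy.get("bindings", [])
            if member in b.get("members", [])}
    return sorted(expected_roles - held), sorted(held - expected_roles)


def verify(sa_policy_json, project_policy_json):
    """Run both checks on raw JSON strings and return a summary dict."""
    sa_policy = json.loads(sa_policy_json)
    project_policy = json.loads(project_policy_json)
    ok, extra_members = check_impersonation(sa_policy, PLATFORM_SA)
    missing, extra_roles = check_project_roles(
        project_policy, AGENT_SA, EXPECTED_SCAN_ROLES)
    return {
        "platform_can_impersonate": ok,
        "unexpected_impersonators": extra_members,
        "missing_roles": missing,
        "extra_roles": extra_roles,
    }


if __name__ == "__main__":
    print(json.dumps(verify(SA_POLICY_JSON, PROJECT_POLICY_JSON), indent=2))
```

On the constructed input the report shows impersonation working, one unexpected tokenCreator member, no missing scan roles, and `roles/editor` as an extra grant that the onboarding script never asks for. Feeding it real gcloud output is a matter of reading the two JSON documents from files or stdin instead of the sample constants.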
Security Best Practices
Least Privilege
- SmartSRE only requests the minimum roles needed for current functionality
- Remediation roles are granted separately and can be scoped per-service.
Audit Everything
All SmartSRE actions are logged in:
- SmartSRE Audit Trail — In-app audit log per tenant
- GCP Cloud Audit Logs — All API calls appear as the smartsre-agent service account
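Because every call is made as the `smartsre-agent` service account, the useful question when reviewing Cloud Audit Logs is who minted the token behind each call. When a service account is impersonated, the audit entry records the impersonating identity under `protoPayload.authenticationInfo.serviceAccountDelegationInfo`, so a defender can confirm that every action attributed to the agent was in fact driven by the SmartSRE platform. The script below is an added example, not part of SmartSRE: it builds a handful of constructed entries in the shape of exported Cloud Audit Log JSON (method and service names are illustrative), keeps only the ones performed as the agent, classifies each as read-only or mutating by method name, and raises an alert for any agent action whose impersonator is not `SMARTSRE_PLATFORM_SA`.

```python
"""Triage of Cloud Audit Log entries for actions taken as the smartsre-agent
service account.  Added example, not SmartSRE's own code.  The log entries are
constructed in the shape of exported Cloud Audit Log JSON; project id and
platform SA are the guide's placeholders."""
import json

PROJECT = "YOUR_PROJECT"              # placeholder from the guide
AGENT_SA = f"smartsre-agent@{PROJECT}.iam.gserviceaccount.com"
PLATFORM_SA = "SMARTSRE_PLATFORM_SA"  # placeholder from the guide

# Method name suffixes that only read state; anything else is treated as a
# mutation, which the guide says requires the separate remediation roles.
READ_PREFIXES = ("List", "Get", "Describe", "Search", "Test")


def entry(method, service, delegated_by=None, principal=AGENT_SA):
    """Build one constructed audit entry.  When the principal is an
    impersonated service account, the impersonating identity appears in
    serviceAccountDelegationInfo; a direct credential leaves it absent."""
    auth = {"principalEmail": principal}
    if delegated_by:
        auth["serviceAccountDelegationInfo"] = [
            {"firstPartyPrincipal": {"principalEmail": delegated_by}}]
    return {
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": auth,
            "methodName": method,
            "serviceName": service,
        },
        "resource": {"labels": {"project_id": PROJECT}},
    }


# Constructed sample log: three normal platform-driven calls, one call as the
# agent minted by someone else, and one call by an unrelated principal.
SAMPLE_LOG = [json.dumps(e) for e in [
    entry("google.cloud.run.v1.Services.ListServices",
          "run.googleapis.com", PLATFORM_SA),
    entry("google.cloud.bigquery.v2.DatasetService.ListDatasets",
          "bigquery.googleapis.com", PLATFORM_SA),
    entry("google.cloud.run.v1.Services.ReplaceService",
          "run.googleapis.com", PLATFORM_SA),
    entry("google.cloud.run.v1.Services.ListServices",
          "run.googleapis.com", "alice@example.com"),
    entry("google.cloud.run.v1.Services.ListServices",
          "run.googleapis.com", principal="deployer@example.com"),
]]


def impersonator(e):
    """Identity that obtained the agent SA token, or None if none recorded."""
    info = e["protoPayload"]["authenticationInfo"].get(
        "serviceAccountDelegationInfo", [])
    if not info:
        return None
    return info[0].get("firstPartyPrincipal", {}).get("principalEmail")


def is_mutating(method):
    """True unless the final method segment starts with a read-only verb."""
    return not method.rsplit(".", 1)[-1].startswith(READ_PREFIXES)


def triage(lines, agent_sa=AGENT_SA, platform_sa=PLATFORM_SA):
    """Return (events, alerts): events are all calls made as the agent SA,
    alerts describe those not minted by the SmartSRE platform SA."""
    events, alerts = [], []
    for line in lines:
        e = json.loads(line)
        pp = e["protoPayload"]
        if pp["authenticationInfo"]["principalEmail"] != agent_sa:
            continue
        via = impersonator(e)
        events.append({"method": pp["methodName"], "service": pp["serviceName"],
                       "via": via, "mutating": is_mutating(pp["methodName"])})
        if via != platform_sa:
            alerts.append(f"{pp['methodName']} as {agent_sa} via "
                          f"{via or 'direct credential'}: not the SmartSRE platform")
    return events, alerts


if __name__ == "__main__":
    evs, als = triage(SAMPLE_LOG)
    print(f"{len(evs)} agent events, {sum(ev['mutating'] for ev in evs)} mutating")
    for a in als:
        print("ALERT:", a)
```

The mutating flag is what lets you reconcile activity against the guide's two-phase model: before "Enable Remediation" is run, every agent event should be read-only, and a mutating call at that stage is worth a look even when the impersonator is the expected platform account.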
Revocation
To revoke SmartSRE access:
```bash
# Remove impersonation permission
gcloud iam service-accounts remove-iam-policy-binding \
  smartsre-agent@YOUR_PROJECT.iam.gserviceaccount.com \
  --member="serviceAccount:SMARTSRE_PLATFORM_SA" \
  --role="roles/iam.serviceAccountTokenCreator"

# Optionally delete the service account entirely
gcloud iam service-accounts delete smartsre-agent@YOUR_PROJECT.iam.gserviceaccount.com
```
Troubleshooting
"Permission Denied" During Script Execution
You need the Owner or Editor role on the project to run the onboarding script.
"API Not Enabled" Errors
Ensure you have billing enabled on the project—some APIs require an active billing account.
Connection Verification Fails
- Confirm the script completed without errors
- Wait 30-60 seconds for IAM propagation
- Re-run verification from the SmartSRE UI
- Check that the SmartSRE platform service account is correctly specified
Next Steps
- Key Concepts — Understand Scopes, Findings, and ChangeSets
- Running Scans — Configure and execute scans
- Risk Guardrails — Control what SmartSRE can do