CLARITY Docs

English

Español

English

Español

Appearance

Google Cloud setup guide

This guide walks you through creating a Service Account with read-only access for CLARITY and adding it to your instance.

Prerequisites

  • A GCP project with Owner or IAM Admin role
  • gcloud CLI installed and authenticated, or access to the GCP Console
  • A billing account linked to the project

Create a dedicated Service Account, assign roles, enable APIs, and download the key:

bash
# Set your project iD
export PROJECT_ID="your-project-id"
gcloud config set project $PROJECT_ID

# Create the service account
gcloud iam service-accounts create clarity-finops \
  --display-name="CLARITY FinOps" \
  --description="Read-only access for CLARITY cost management"

# Assign required roles
SA="serviceAccount:clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com"

for ROLE in \
  roles/viewer \
  roles/bigquery.dataViewer \
  roles/bigquery.jobUser \
  roles/monitoring.viewer \
  roles/serviceusage.serviceUsageConsumer; do
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="$SA" --role="$ROLE" --quiet
done

# Assign optional roles (recommended — enable for services you use)
for ROLE in \
  roles/recommender.viewer \
  roles/logging.viewer \
  roles/cloudasset.viewer \
  roles/container.clusterViewer \
  roles/cloudsql.viewer \
  roles/storage.objectViewer \
  roles/cloudfunctions.viewer \
  roles/spanner.viewer \
  roles/bigtable.viewer \
  roles/run.viewer; do
  gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member="$SA" --role="$ROLE" --quiet
done

Enable the required APIs:

bash
# Enable all required + optional APIs (17 total)
gcloud services enable \
  bigquery.googleapis.com \
  compute.googleapis.com \
  monitoring.googleapis.com \
  cloudresourcemanager.googleapis.com \
  serviceusage.googleapis.com \
  container.googleapis.com \
  sqladmin.googleapis.com \
  cloudfunctions.googleapis.com \
  recommender.googleapis.com \
  cloudbilling.googleapis.com \
  billingbudgets.googleapis.com \
  cloudasset.googleapis.com \
  spanner.googleapis.com \
  bigtableadmin.googleapis.com \
  run.googleapis.com \
  storage-api.googleapis.com \
  logging.googleapis.com

Create and download the Service Account key:

bash
# Create the JSON key file
gcloud iam service-accounts keys create clarity-key.json \
  --iam-account=clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com

# Verify the key was created
cat clarity-key.json | python3 -c "import sys,json; d=json.load(sys.stdin); print(f'Project: {d[\"project_id\"]}\nEmail: {d[\"client_email\"]}')"

Protect Your Key File

The clarity-key.json file contains private credentials. Store it securely, do not commit it to version control, and delete it from your local machine after adding it to CLARITY.

Option 2: GCP console

Step 1: create a service account

  1. Go to IAM & Admin > Service Accounts in the GCP Console
  2. Click Create Service Account
  3. Enter:
    • Name: clarity-finops
    • Description: Read-only access for CLARITY cost management
  4. Click Create and Continue

Step 2: assign roles

On the Grant this service account access to project step, add the following roles:

  1. Click Add Another Role for each:
    • Viewer (Basic) — resource discovery across all services
    • BigQuery Data Viewer — billing export queries
    • BigQuery Job User — executes billing queries
    • Monitoring Viewer — CPU/memory/disk metrics
    • Service Usage Consumer — pre-flight API validation
  2. Optionally add (for full feature coverage):
    • Recommender Viewer — optimization recommendations
    • Logs Viewer — audit log correlation
    • Cloud Asset Viewer — universal resource discovery
    • Cloud Spanner Viewer — if using Spanner
    • Cloud Bigtable Viewer — if using Bigtable
    • Cloud Run Viewer — if using Cloud Run
  3. Click Continue, then Done

Billing Account Viewer must be assigned separately at the billing account level (not the project). See Billing Account Access below.

Step 3: create a key

  1. Click on the newly created clarity-finops service account
  2. Go to the Keys tab
  3. Click Add Key > Create new key
  4. Select JSON format
  5. Click Create — the key file downloads automatically

Step 4: enable APIs

  1. Go to APIs & Services > Library
  2. Search for and enable each API listed in the Required APIs section below

Required roles

RolePurposeRequired
roles/viewerResource discovery — Compute Engine, Cloud SQL, GKE, Cloud Storage, Cloud Functions, and all other servicesYes
roles/bigquery.dataViewerBilling export queries — reads cost data from BigQuery billing export tablesYes
roles/bigquery.jobUserRuns BigQuery queries — required to execute billing export queriesYes
roles/billing.viewerBilling account access — billing account metadata, pricing catalog, and budget informationYes
roles/monitoring.viewerPerformance metrics — CPU, memory, network, and disk utilization from Cloud MonitoringYes
roles/serviceusage.serviceUsageConsumerPre-flight validation — checks which APIs are enabled at credential setupYes
roles/recommender.viewerGCP recommendations — right-sizing, idle resource, and commitment recommendationsOptional
roles/logging.viewerAudit logs — Cloud Audit Log activity for event correlationOptional
roles/cloudasset.viewerUniversal resource discovery — cross-service inventory via Cloud Asset APIOptional
roles/container.clusterViewerGKE cluster and workload details (if using roles/viewer, already covered)Optional
roles/cloudsql.viewerCloud SQL instance details (if using roles/viewer, already covered)Optional
roles/storage.objectViewerGCS bucket and object listingOptional
roles/cloudfunctions.viewerCloud Functions inventoryOptional
roles/spanner.viewerCloud Spanner instances and databasesOptional
roles/bigtable.viewerCloud Bigtable clusters and instancesOptional
roles/run.viewerCloud Run services and revisionsOptional

Why roles/viewer?

roles/viewer is a broad GCP basic role that grants read access across all services in the project. CLARITY uses this to discover all resources that may generate costs — GCE instances, Cloud SQL databases, GKE clusters, Cloud Storage buckets, Cloud Functions, VPC networks, firewall rules, and more. This ensures complete visibility into idle, oversized, and underutilized resources.

Required APIs

CLARITY needs the following APIs enabled in your project. The pre-flight validation checks all of these when you add credentials.

Required (sync will fail without these)

APIServicePurpose
bigquery.googleapis.comBigQueryBilling export data queries
compute.googleapis.comCompute EngineVM instance discovery and metrics
monitoring.googleapis.comCloud MonitoringCPU, memory, network utilization
cloudresourcemanager.googleapis.comCloud Resource ManagerProject metadata and IAM
serviceusage.googleapis.comService UsagePre-flight validation — checks which APIs are enabled

Optional (features degrade gracefully without these)

APIServicePurpose
container.googleapis.comKubernetes EngineGKE cluster and workload discovery
sqladmin.googleapis.comCloud SQL AdminCloud SQL instance discovery
cloudfunctions.googleapis.comCloud FunctionsServerless function discovery
recommender.googleapis.comRecommenderRight-sizing and idle resource recommendations
cloudbilling.googleapis.comCloud BillingBilling account details and pricing catalog
billingbudgets.googleapis.comCloud Billing BudgetBudget monitoring and alerts
cloudasset.googleapis.comCloud AssetCross-service resource inventory
spanner.googleapis.comCloud SpannerSpanner instance and database discovery
bigtableadmin.googleapis.comCloud Bigtable AdminBigtable cluster and instance discovery
run.googleapis.comCloud Run AdminCloud Run service and revision discovery
storage-api.googleapis.comCloud Storage JSON APIGCS bucket and object discovery
logging.googleapis.comCloud LoggingAudit log activity and event correlation

Bigtable API Naming

bigtableadmin.googleapis.com (Cloud Bigtable Admin API) is NOT the same as bigtabletableadmin.googleapis.com (Cloud Bigtable Table Admin API). CLARITY uses the Admin API for instance and cluster discovery. Enabling the wrong one will cause Bigtable resources to not appear.

Total: 5 required + 12 optional = 17 APIs. CLARITY validates all 17 at credential setup.

Enable all at once via CLI:

bash
gcloud services enable \
  bigquery.googleapis.com \
  compute.googleapis.com \
  monitoring.googleapis.com \
  cloudresourcemanager.googleapis.com \
  serviceusage.googleapis.com \
  container.googleapis.com \
  sqladmin.googleapis.com \
  cloudfunctions.googleapis.com \
  recommender.googleapis.com \
  cloudbilling.googleapis.com \
  billingbudgets.googleapis.com \
  cloudasset.googleapis.com \
  spanner.googleapis.com \
  bigtableadmin.googleapis.com \
  run.googleapis.com \
  storage-api.googleapis.com \
  logging.googleapis.com

BigQuery billing export

GCP billing data is accessed through BigQuery billing export. This must be configured manually by a Billing Account Administrator.

Setting up billing export

  1. Go to the GCP Console > Billing > Billing export
  2. Select the Standard usage cost tab
  3. Click Edit Settings
  4. Choose the project where the export dataset should live (use the same project as your CLARITY service account)
  5. Create a new dataset or select an existing one (e.g., billing_export)
  6. Click Save

What to expect

  • Billing export data backfills approximately 24-48 hours after initial configuration
  • New cost records appear daily, typically with a 1-day delay
  • The export contains resource-level cost data broken down by service, SKU, project, and region

Auto-Discovery

CLARITY automatically discovers your BigQuery billing export dataset and table name during the pre-flight validation. You do not need to configure the dataset name manually — CLARITY scans all datasets in the project for billing export tables.

Billing Account Admin Required

Enabling billing export requires the Billing Account Administrator role at the billing account level (not the project level). If your service account or user does not have this role, ask your billing admin to enable the export. The CLARITY service account itself does not need this role — it only needs roles/bigquery.dataViewer to read the exported data.

Adding to CLARITY

  1. Log in to CLARITY and navigate to Provider Setup
  2. Click Add Account and select GCP
  3. Enter the following:
    • Project ID — your GCP project ID
    • Service Account Emailclarity-finops@YOUR_PROJECT_ID.iam.gserviceaccount.com
    • Service Account Key — upload the JSON key file or paste its contents
  4. Click Save

CLARITY runs a pre-flight validation that automatically:

  • Authenticates with the service account credentials
  • Checks all required and optional APIs for enablement status
  • Scans for BigQuery billing export configuration
  • Reports any missing permissions or disabled APIs before starting the sync

Pre-flight Validation

If any required APIs are disabled, CLARITY will flag them immediately with specific instructions on what to enable. You can fix the issues and re-validate without re-entering credentials.

Verification

After the initial sync completes (typically 2-5 minutes), verify that data is flowing:

  • Dashboard — Cost breakdown by GCP service (Compute Engine, Cloud SQL, GKE, Cloud Storage, etc.)
  • Resources — Your GCE instances, Cloud SQL databases, GKE clusters, and other resources with cost attribution
  • Insights — Optimization recommendations from the Recommender API and utilization-based analysis
  • Forecast — Cost projections based on your BigQuery billing export history

If resources appear but costs show as zero, check that:

  1. BigQuery billing export is enabled and has had time to backfill (24-48 hours)
  2. The roles/bigquery.dataViewer role is assigned to the service account
  3. The billing export dataset is in the same project as the service account

Cleanup

To remove CLARITY access from your GCP project:

bash
export PROJECT_ID="your-project-id"

# Remove IAM role bindings
for ROLE in \
  roles/viewer roles/bigquery.dataViewer roles/bigquery.jobUser \
  roles/billing.viewer roles/monitoring.viewer \
  roles/serviceusage.serviceUsageConsumer roles/recommender.viewer \
  roles/logging.viewer roles/cloudasset.viewer \
  roles/container.clusterViewer roles/cloudsql.viewer \
  roles/storage.objectViewer roles/cloudfunctions.viewer \
  roles/spanner.viewer roles/bigtable.viewer roles/run.viewer; do
  gcloud projects remove-iam-policy-binding $PROJECT_ID \
    --member="serviceAccount:clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="$ROLE" 2>/dev/null
done

# Delete all keys for the service account
gcloud iam service-accounts keys list \
  --iam-account=clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com \
  --format="value(name)" | while read KEY_ID; do
  gcloud iam service-accounts keys delete $KEY_ID \
    --iam-account=clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com --quiet
done

# Delete the service account
gcloud iam service-accounts delete \
  clarity-finops@${PROJECT_ID}.iam.gserviceaccount.com --quiet

Multi-Cloud FinOps Platform

© 2026 CloudBitz. All rights reserved.