> ## Documentation Index
> Fetch the complete documentation index at: https://docs.incident.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Google Cloud

> Connect Google Cloud once to give investigations your logs, metrics, traces, and the workloads behind them.

Google Cloud is a provider: connect it once with a service account, and investigations can reach the projects behind it. From there they query your logs, metrics, and traces, and inspect the Kubernetes clusters running on GKE, all through a single set of credentials.

## What it provides

Connecting Google Cloud lets investigations discover and query the data sources behind your projects:

| Data source                                                                          | Capability    |
| ------------------------------------------------------------------------------------ | ------------- |
| [Google Cloud Logging](/investigations/connect/telemetry/google-cloud-logging)       | Logs          |
| [Google Cloud Monitoring](/investigations/connect/telemetry/google-cloud-monitoring) | Metrics       |
| [Google Cloud Trace](/investigations/connect/telemetry/google-cloud-trace)           | Traces        |
| [Kubernetes](/investigations/connect/telemetry/kubernetes)                           | Cluster state |

Each has its own page covering what it supports and how it's enabled.

## Setup

**What you'll need:**

* A Google Cloud service account key in JSON.
* The IAM permissions below, granted to that service account.

We recommend a read-only service account: investigations only ever read from Google Cloud, never write. Grant the permissions through read-only roles rather than broad editor or owner roles.

### Permissions

Grant the service account this permission on each project you want investigations to reach:

* `logging.logEntries.list`: read Cloud Logging entries.

To let the service account discover your projects automatically, also grant:

* `cloudresourcemanager.projects.list`: list the projects the account can reach.

These permissions help investigations find and identify the workloads in a project, so they know what's worth querying:

* `container.clusters.list`: discover GKE clusters.
* `logging.buckets.list`: read each log bucket's retention window.

Without project discovery, you can still connect a single project by supplying its ID directly (see below).

### Connect Google Cloud

1. From the [Investigations settings](https://app.incident.io/~/investigations), add a telemetry data source and choose **Google Cloud**.
2. Paste your service account JSON key. If the account can't list projects across your organization, enter a single project ID instead and we'll connect just that project.
3. Test the connection. We check the key is valid and confirm the account holds the permissions it needs.

### Enabling projects

Once connected, investigations discover every project the service account can reach. Each project arrives **disabled by default**, so you opt in deliberately rather than exposing every project at once. Review the list and enable the ones your team runs production workloads in.

Enabling a project turns on its Cloud Logging access and surfaces the GKE clusters running inside it, which you then enable individually.

## Related

<CardGroup cols={2}>
  <Card title="Google Cloud Logging" icon="database" href="/investigations/connect/telemetry/google-cloud-logging">
    Querying your project logs during an incident.
  </Card>

  <Card title="How telemetry works" icon="magnifying-glass" href="/investigations/connect/telemetry/how-it-works">
    Routing, query planning, guidance, and memory.
  </Card>
</CardGroup>
