Google Cloud Platform

Google Cloud Platform (GCP) is a comprehensive suite of cloud computing services offered by Google. It provides infrastructure and platform services for computing, data storage, data analytics, machine learning, and more. This connector focuses on BigQuery (data warehouse), IAM (security and access control), VPC Networking, Cloud Monitoring & Logging, and Resource Management.

Authentication Types

GCP supports 3 authentication methods:

• OAuth - Create your own Google Cloud OAuth app. Every user connects with their Google account.

  • Pros: Secure, per-user tracking, production-ready, granular permission control
  • Cons: Requires Google Cloud Console setup, each user needs to authenticate
  • Best for: Multi-user environments, user-specific operations, production deployments

• Service Account (Server App) - Use a GCP service account for server-to-server authentication with JWT.

  • Pros: No user interaction needed, perfect for automated workflows, consistent identity
  • Cons: More complex setup, requires managing JSON key files securely
  • Best for: Automated scripts, CI/CD pipelines, backend services, scheduled tasks

• API Key - Simple token-based authentication (limited scope).

  • Pros: Simplest setup, no OAuth flow required
  • Cons: Limited to certain APIs, less secure, no refresh mechanism
  • Best for: Development, testing, public APIs with restricted access

General Settings

Before using the connector, configure:

• GCP Project ID - The default project ID to use for API calls (e.g., my-project-123). Individual tools can override this if needed.

You can find your project ID in the Google Cloud Console in the project selector at the top of the page.

Setting up OAuth

To use GCP with OAuth, you need to create an OAuth 2.0 client in the Google Cloud Console.

1. Enable Required APIs

1. Go to https://console.cloud.google.com/

2. Select your project or create a new one

3. Go to APIs & Services → Library

4. Enable the APIs you'll need:

   • BigQuery API
   • Cloud Resource Manager API
   • Compute Engine API
   • Cloud Monitoring API
   • Cloud Logging API
   • Identity and Access Management (IAM) API
   • Cloud Billing API

2. Configure OAuth Consent Screen

1. Go to APIs & Services → OAuth consent screen

2. Choose External (for users outside your organization) or Internal (for Google Workspace users only)

3. Click Create

4. Fill in the required information:

   • App name: e.g., "Webrix GCP Integration"
   • User support email: Your email
   • Developer contact information: Your email

5. Click Save and Continue

6. On the Scopes page, click Add or Remove Scopes

7. Add the following scopes:

   • https://www.googleapis.com/auth/cloud-platform (Full access to GCP services)
   • https://www.googleapis.com/auth/bigquery (BigQuery access)
   • https://www.googleapis.com/auth/compute (Compute Engine access)
   • https://www.googleapis.com/auth/monitoring (Cloud Monitoring)
   • https://www.googleapis.com/auth/logging.read (Cloud Logging read)

8. Click Update and then Save and Continue

9. Review the summary and click Back to Dashboard

3. Create OAuth Client ID

1. Go to APIs & Services → Credentials

2. Click Create Credentials → OAuth client ID

3. Select Web application as the application type

4. Give it a name (e.g., "Webrix GCP Connector")

5. Under Authorized redirect URIs, click Add URI

6. Paste the Redirect URI from Webrix

   tip

   You can find the Redirect URI in Webrix when configuring the GCP connector under the OAuth settings.

7. Click Create

8. Copy the Client ID and Client Secret from the dialog

4. Configure in Webrix

1. In Webrix, go to Integrations → New → Built-in

2. Select Google Cloud Platform and click Use

3. Enter your GCP Project ID in General Settings

4. Under Authentication Type, select OAuth

5. Paste your Client ID and Client Secret

6. Select the scopes you configured (select cloud-platform for full access)

7. Click Save Changes

5. Test the Connection

1. After saving, click Connect to test the OAuth flow

2. You'll be redirected to Google to authorize the app

3. Select your Google account and click Allow

4. You'll be redirected back to Webrix with a successful connection

Setting up Service Account (Server App)

Service accounts are ideal for server-to-server interactions without user involvement.

1. Create a Service Account

1. Go to https://console.cloud.google.com/

2. Select your project

3. Go to IAM & Admin → Service Accounts

4. Click Create Service Account

5. Enter a name (e.g., "webrix-gcp-connector") and description

6. Click Create and Continue

7. Grant the service account appropriate roles:

   • BigQuery Admin - Full access to BigQuery
   • Compute Viewer - Read-only access to Compute resources
   • Monitoring Viewer - Read Cloud Monitoring data
   • Logging Admin - Read and write logs
   • Project Viewer - View project metadata

   Or use Editor or Owner for broader access

8. Click Continue and then Done

2. Create and Download JSON Key

1. In the service accounts list, click on the service account you just created

2. Go to the Keys tab

3. Click Add Key → Create new key

4. Select JSON as the key type

5. Click Create

6. Save the downloaded JSON key file securely

   warning

   This key file contains sensitive credentials. Store it securely and never commit it to version control.

3. Configure in Webrix

1. In Webrix, go to Integrations → New → Built-in

2. Select Google Cloud Platform and click Use

3. Enter your GCP Project ID in General Settings

4. Under Authentication Type, select Server App

5. Upload or paste the contents of the JSON key file

6. Select the scopes needed (typically cloud-platform for full access)

7. (Optional) If you need to impersonate a user, enter their email in the Subject field

8. Click Save Changes

4. Service Account Impersonation (Optional)

If you need the service account to act on behalf of a specific user (domain-wide delegation):

1. Note the Client ID from your service account (found in the JSON key or service account details)

2. Go to Google Workspace Admin Console

3. Navigate to Security → API controls → Domain-wide delegation

4. Click Add new

5. Enter the service account's Client ID

6. Add the required OAuth scopes (same as those in OAuth setup)

7. Click Authorize

8. In Webrix, set the Subject field to the email of the user to impersonate

Setting up API Key

API Key authentication is the simplest but most limited option.

1. Create an API Key

1. Go to https://console.cloud.google.com/

2. Select your project

3. Go to APIs & Services → Credentials

4. Click Create Credentials → API key

5. Copy the API key

6. (Recommended) Click Restrict Key to limit usage:

   • Set API restrictions to only the APIs you need
   • Set application restrictions (IP addresses, HTTP referrers, etc.)

2. Configure in Webrix

1. In Webrix, go to Integrations → New → Built-in

2. Select Google Cloud Platform and click Use

3. Enter your GCP Project ID in General Settings

4. Under Authentication Type, select API Key

5. Paste your API key in the Token field

6. Click Save Changes

warning

API Key authentication has limited scope and doesn't work with all GCP APIs. OAuth or Service Account authentication is recommended for most use cases.

Common Use Cases

Analyzing Data with BigQuery

List datasets, explore tables, and run SQL queries:

1. Use "List BigQuery Datasets" to discover available datasets
2. Use "List BigQuery Tables" to see tables in a dataset
3. Use "Get BigQuery Table" to inspect the schema
4. Use "Run BigQuery Query" to execute SQL and get results
5. For long-running queries, use "Get BigQuery Job" to check status

Auditing IAM Permissions

Review who has access to your GCP resources:

1. Use "List IAM Roles" to see available roles
2. Use "Get IAM Policy" for a project or resource to see current permissions
3. Use "Test IAM Permissions" to verify specific permissions
4. Use "Set IAM Policy" to grant or revoke access (careful - this replaces the entire policy)

Monitoring Infrastructure

Query metrics and logs for your GCP resources:

1. Use "List Monitoring Metrics" to discover available metrics
2. Use "Query Monitoring Time Series" to get CPU, memory, network metrics
3. Use "Read Log Entries" to search application and system logs
4. Use "List Log Buckets" to understand log retention

Managing Network Configuration

Inspect VPC networks and firewall rules:

1. Use "List VPC Networks" to see all networks in your project
2. Use "Get VPC Network" for detailed network configuration
3. Use "List VPC Subnets" to see subnet allocations
4. Use "List Firewall Rules" to audit network security
5. Use "Get Firewall Rule" for detailed firewall configuration

Troubleshooting

Redirect URI Mismatch Error

If you see "redirect_uri_mismatch" during OAuth authorization.

Cause: The redirect URL configured in Google Cloud Console doesn't match the one being used during the OAuth flow.

Solution:

1. Copy the exact Redirect URI from Webrix
2. Go to Google Cloud Console → APIs & Services → Credentials
3. Click on your OAuth client ID
4. Under Authorized redirect URIs, ensure the URI matches exactly (including https:// and any trailing slashes)
5. Click Save
6. Try connecting again in Webrix

Insufficient Permissions Error

API requests fail with 403 Forbidden or "Permission denied" errors.

Cause: The authenticated user or service account doesn't have the required IAM permissions.

Solution:

1. Check the error message for the specific permission needed (e.g., bigquery.tables.get)
2. Go to Google Cloud Console → IAM & Admin → IAM
3. Find the user or service account
4. Add the appropriate role (e.g., BigQuery Data Viewer, Compute Viewer)
5. Wait a few minutes for permissions to propagate
6. Retry the operation

Service Account Key Errors

Service account authentication fails with "invalid_grant" or key errors.

Cause: The JSON key file is malformed, the service account was deleted, or the key expired.

Solution:

1. Verify the JSON key file is valid and complete
2. Check that the service account still exists in Google Cloud Console
3. Create a new key if the old one was deleted or compromised
4. Ensure the service account has the required IAM roles
5. For domain-wide delegation, verify the Client ID is authorized in Google Workspace Admin

API Not Enabled Error

API requests fail with "API [name] has not been used" or 403 errors.

Cause: The required API is not enabled in your GCP project.

Solution:

1. Go to Google Cloud Console → APIs & Services → Library
2. Search for the API mentioned in the error (e.g., "BigQuery API")
3. Click Enable
4. Wait a minute for the API to be fully enabled
5. Retry the operation

Rate Limiting

API requests fail with 429 (Too Many Requests) errors.

Cause: GCP enforces rate limits to protect API stability. Limits vary by API and quota tier.

Solution:

1. Implement exponential backoff retry logic
2. Reduce the frequency of API calls
3. Use pagination wisely (don't request too many results at once)
4. Check your quota in Google Cloud Console → IAM & Admin → Quotas
5. Request quota increases if needed

Project Not Found

API requests fail with "Project not found" or 404 errors.

Cause: The project ID is incorrect, the project was deleted, or you don't have access.

Solution:

1. Verify the project ID in Webrix settings matches your GCP project
2. Check that the project exists in Google Cloud Console
3. Ensure your user or service account has access to the project
4. For service accounts, verify it was created in the correct project

Token Refresh Failures

OAuth tokens fail to refresh, requiring users to re-authenticate frequently.

Cause: Refresh token was revoked, app authorization was removed, or there's a configuration issue.

Solution:

1. Check that access_type: offline is set in OAuth configuration (already included)
2. Verify the OAuth consent screen is published (not in testing mode)
3. For testing mode, add all users as test users
4. Users may need to disconnect and reconnect the integration
5. Check that the client secret hasn't changed in Google Cloud Console