Skip to main content
The Google Cloud provider syncs resources from GCP into Ctrlplane’s inventory—GKE clusters, VMs, Cloud SQL, Cloud Run, and more.

Prerequisites

  • ctrlc CLI installed
  • Google Cloud credentials (application default credentials or service account)
  • Ctrlplane API key

Supported Resources

CommandResource TypeCtrlplane Kind
google-cloud gkeGKE ClustersGCP/GKE
google-cloud vmsCompute Engine VMsGCP/VM
google-cloud cloudsqlCloud SQL InstancesGCP/CloudSQL
google-cloud cloudrunCloud Run ServicesGCP/CloudRun
google-cloud bucketsStorage BucketsGCP/Bucket
google-cloud bigtableBigtable InstancesGCP/Bigtable
google-cloud redisMemorystore RedisGCP/Redis
google-cloud secretsSecret ManagerGCP/Secret
google-cloud networksVPC NetworksGCP/VPC
google-cloud projectsGCP ProjectsGCP/Project

Authentication

Configure GCP credentials: 
# Application Default Credentials (recommended for local development)
gcloud auth application-default login

# Service Account key file
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"

# Workload Identity (when running in GKE)
# Credentials are automatically retrieved

GKE Clusters

Sync Google Kubernetes Engine clusters: 
# Sync from a specific project
ctrlc sync google-cloud gke --project my-project

# Continuous sync
ctrlc sync google-cloud gke --project my-project --interval 5m

Resource Metadata

identifier: projects/my-project/locations/us-central1/clusters/prod-cluster
name: prod-cluster
kind: GCP/GKE
metadata:
  project: my-project
  region: us-central1
  environment: production  # from GCP label
  team: platform           # from GCP label
config:
  endpoint: https://XXX.XXX.XXX.XXX
  version: "1.28.3-gke.1286000"

Compute Engine VMs

Sync virtual machine instances: 
# Sync from a project
ctrlc sync google-cloud vms --project my-project

# Continuous sync
ctrlc sync google-cloud vms --project my-project --interval 5m

Resource Metadata

identifier: projects/my-project/zones/us-central1-a/instances/web-server-1
name: web-server-1
kind: GCP/VM
metadata:
  project: my-project
  zone: us-central1-a
  machine_type: e2-medium
  environment: production  # from GCP label
config:
  internal_ip: 10.128.0.2
  external_ip: 34.123.45.67

Cloud SQL Instances

Sync Cloud SQL database instances: 
# Sync from a project
ctrlc sync google-cloud cloudsql --project my-project

# Continuous sync
ctrlc sync google-cloud cloudsql --project my-project --interval 10m

Resource Metadata

identifier: projects/my-project/instances/prod-db
name: prod-db
kind: GCP/CloudSQL
metadata:
  project: my-project
  region: us-central1
  database_version: POSTGRES_15
  tier: db-custom-4-16384
  environment: production  # from GCP label
config:
  connection_name: my-project:us-central1:prod-db
  ip_address: 10.0.0.5

Cloud Run Services

Sync Cloud Run services: 
# Sync from a project
ctrlc sync google-cloud cloudrun --project my-project

# Continuous sync
ctrlc sync google-cloud cloudrun --project my-project --interval 5m

Resource Metadata

identifier: projects/my-project/locations/us-central1/services/api-service
name: api-service
kind: GCP/CloudRun
metadata:
  project: my-project
  region: us-central1
  environment: production  # from GCP label
config:
  url: https://api-service-xxxxx-uc.a.run.app

Running in GCP

Cloud Run Job

apiVersion: run.googleapis.com/v1
kind: Job
metadata:
  name: ctrlplane-sync
spec:
  template:
    spec:
      containers:
        - image: ghcr.io/ctrlplanedev/cli:latest
          command:
            - ctrlc
            - sync
            - google-cloud
            - gke
            - --project
            - my-project
          env:
            - name: CTRLPLANE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: ctrlplane-credentials
                  key: api-key
            - name: CTRLPLANE_WORKSPACE
              value: your-workspace-id

GKE Deployment with Workload Identity

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ctrlplane-gcp-sync
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ctrlplane-gcp-sync
  template:
    metadata:
      labels:
        app: ctrlplane-gcp-sync
    spec:
      serviceAccountName: ctrlplane-sync
      containers:
        - name: sync
          image: ghcr.io/ctrlplanedev/cli:latest
          command:
            - ctrlc
            - sync
            - google-cloud
            - gke
            - --project
            - my-project
            - --interval
            - "5m"
          env:
            - name: CTRLPLANE_API_KEY
              valueFrom:
                secretKeyRef:
                  name: ctrlplane-credentials
                  key: api-key
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ctrlplane-sync
  annotations:
    iam.gke.io/gcp-service-account: ctrlplane-sync@my-project.iam.gserviceaccount.com

IAM Permissions

The sync service account needs read permissions: 
# Create service account
gcloud iam service-accounts create ctrlplane-sync

# Grant permissions
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:ctrlplane-sync@my-project.iam.gserviceaccount.com" \
  --role="roles/container.viewer"

gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:ctrlplane-sync@my-project.iam.gserviceaccount.com" \
  --role="roles/compute.viewer"

gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:ctrlplane-sync@my-project.iam.gserviceaccount.com" \
  --role="roles/cloudsql.viewer"

Environment Targeting

Target GCP resources in environments: 
# All production GKE clusters
type: Environment
name: Production GKE
resourceSelector: |
  resource.kind == "GCP/GKE" &&
  resource.metadata["environment"] == "production"

# US Central resources
type: Environment
name: US Central
resourceSelector: |
  resource.metadata["region"].startsWith("us-central")

# All Cloud Run services
type: Environment
name: Cloud Run Production
resourceSelector: |
  resource.kind == "GCP/CloudRun" &&
  resource.metadata["environment"] == "production"

Best Practices

Label Your Resources

Ensure GCP resources have meaningful labels: 
gcloud compute instances add-labels web-server-1 \
  --labels=environment=production,team=platform,tier=critical

Sync Multiple Projects

Run sync for each project: 
# Production project
ctrlc sync google-cloud gke --project prod-project --interval 5m &

# Staging project
ctrlc sync google-cloud gke --project staging-project --interval 5m &

Sync Multiple Resource Types

Run separate sync processes: 
# GKE clusters
ctrlc sync google-cloud gke --project my-project --interval 5m &

# Cloud SQL (less frequent)
ctrlc sync google-cloud cloudsql --project my-project --interval 15m &

# Cloud Run
ctrlc sync google-cloud cloudrun --project my-project --interval 5m &

Next Steps

AWS

Sync AWS resources

Azure

Sync Azure resources

Selectors

Learn selector syntax

Environments

Create dynamic environments