GCP
Give your agent access to Google Cloud services — Cloud Storage, BigQuery, Pub/Sub, and more. The Pai sidecar exchanges the service account key for a short-lived OAuth2 token and refreshes it automatically.
Get credentials
- Go to IAM & Admin → Service Accounts in the GCP Console
- Create or select a service account with the required IAM roles
- Go to Keys → Add Key → Create new key → JSON
- Download the JSON key file
Setup
```bash
# 1. Store the service account key
pai add secret gcp-sa-key --from-literal key.json="$(cat service-account.json)"

# 2. Create the provider
pai apply -f - <<EOF
apiVersion: pai.io/v1
kind: Provider
metadata:
  name: gcs-reader
spec:
  type: gcp
  auth:
    type: gcp-service-account
    secretRef: gcp-sa-key
  config:
    project: my-gcp-project
    services: [storage]
  policy:
    allow:
      - storage.objects.get
      - storage.objects.list
    deny:
      - storage.objects.delete
      - storage.objects.create
EOF
```
Attach to an agent
```yaml
spec:
  providers:
    - gcs-reader
```
Config fields
| Field | Description |
|---|---|
| `config.project` | GCP project ID |
| `config.services` | Restrict to specific APIs (e.g. `[storage, bigquery]`). Omit to allow all |
Supported actions
Actions use GCP's IAM permission format `service.resource.action`:
| Service | Example actions |
|---|---|
| Cloud Storage | storage.objects.get, storage.objects.list, storage.objects.create, storage.objects.delete |
| BigQuery | bigquery.jobs.create, bigquery.tables.getData, bigquery.datasets.get |
| Pub/Sub | pubsub.topics.publish, pubsub.subscriptions.consume |
| Secret Manager | secretmanager.versions.access |
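A pre-apply review check for a Provider's `config` and `policy` blocks, added here as an example and not part of Pai or its documentation. It assumes the spec is already loaded as a dict, that `config.services` names match the action prefix, and that the read-only verb set below is a reviewer's choice; it says nothing about how Pai itself evaluates `allow` and `deny`.

```python
import re

# Assumption: every action has exactly three dot-separated parts, as in the table above.
ACTION_RE = re.compile(r"^[a-z]+\.[A-Za-z]+\.[A-Za-z]+$")
# Assumption: verbs a reviewer accepts as read-only without further justification.
READ_VERBS = {"get", "list", "getData"}

def lint_provider(spec):
    """Return a list of (severity, message) findings for a Provider spec dict."""
    findings = []
    services = spec.get("config", {}).get("services")
    policy = spec.get("policy", {})
    allow, deny = policy.get("allow", []), policy.get("deny", [])
    if services is None:
        findings.append(("warn", "config.services omitted: all APIs are allowed"))
    for kind, actions in (("allow", allow), ("deny", deny)):
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(("error", f"{kind}: '{action}' is not service.resource.action"))
                continue
            service, _, verb = action.split(".")
            if services is not None and service not in services:
                findings.append(("error", f"{kind}: '{action}' is outside config.services"))
            if kind == "allow" and verb not in READ_VERBS:
                findings.append(("warn", f"allow: '{action}' is not in the read-only verb set"))
    for action in sorted(set(allow) & set(deny)):
        findings.append(("error", f"'{action}' appears in both allow and deny"))
    return findings

# The gcs-reader spec from the Setup section, as a dict.
GCS_READER = {
    "type": "gcp",
    "config": {"project": "my-gcp-project", "services": ["storage"]},
    "policy": {"allow": ["storage.objects.get", "storage.objects.list"],
               "deny": ["storage.objects.delete", "storage.objects.create"]},
}
# Constructed spec with typical review findings.
BAD = {
    "type": "gcp",
    "config": {"project": "my-gcp-project", "services": ["storage"]},
    "policy": {"allow": ["storage.objects.get", "bigquery.tables.getData",
                         "storage.objects.delete", "storage.*"],
               "deny": ["storage.objects.delete"]},
}

if __name__ == "__main__":
    for severity, message in lint_provider(BAD):
        print(f"{severity}: {message}")
```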