SECTION 04 / PROVIDERS

Connect GCP

Connect GCP billing and cost data securely to Costframe. This integration connects via BigQuery billing exports and Workload Identity Federation (WIF).

Documented Limitations & Setup

The GCP integration is read-only. Costframe ingests cost data from BigQuery billing exports, which provide accurate cost history aggregates without touching resource API scopes.

1. BigQuery Billing Export (Required)

To analyze Google Cloud costs, Costframe requires query access to a Google Cloud Billing export saved inside BigQuery.

  1. In the Google Cloud Console, navigate to the Billing Console.
  2. Open Billing export > BigQuery export.
  3. Enable exports and configure a dedicated BigQuery dataset inside your chosen administrative project.
  4. Note the full dataset path, dataset name, and billing project ID.

2. Configure Authentication

Workload Identity Federation (Preferred)

WIF provides keyless, credential-free authorization. Google Cloud directly trusts Costframe’s central OIDC identity provider, which lets Costframe query the BigQuery billing export dataset on demand.

Service Account Keys (Fallback)

If WIF is unavailable in your environment, a restricted IAM Service Account with BigQuery User permissions may be configured. This requires explicit confirmation from your security administrators.

Workload Identity Setup in Google Cloud Console

Configure the workload identity pool and OIDC provider as illustrated in the GCP Console setup form:

[Figure: Google Cloud Console Workload Identity Federation provider creation form (representative configuration view)]

Alternative: Provision via gcloud CLI

Run the following gcloud command sequence inside your active project shell environment:

gcloud iam workload-identity-pools create "costframe-pool" \
  --location="global" \
  --display-name="Costframe Pool"

gcloud iam workload-identity-pools providers create-oidc "costframe-provider" \
  --workload-identity-pool="costframe-pool" \
  --location="global" \
  --issuer-uri="https://auth.costframe.co" \
  --attribute-mapping="google.subject=assertion.sub" \
  --display-name="Costframe OIDC Provider"
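The provider created above maps google.subject but sets no attribute condition, so what Costframe can reach is decided entirely by the IAM bindings you grant to the pool. The following check is an added example, not Costframe's or Google's code: it audits the JSON from `gcloud iam workload-identity-pools providers describe ... --format=json` and an IAM policy in the standard bindings format (for example from `gcloud projects get-iam-policy`). The project number, roles and subject in the sample data are constructed placeholders.

```python
import json

# Values taken from the gcloud commands on this page.
ISSUER = "https://auth.costframe.co"
POOL = "costframe-pool"

def audit_provider(provider):
    """Findings for `providers describe --format=json` output."""
    findings = []
    issuer = (provider.get("oidc") or {}).get("issuerUri", "")
    if issuer != ISSUER:
        findings.append(f"issuer is {issuer!r}, expected {ISSUER!r}")
    mapping = provider.get("attributeMapping") or {}
    if mapping.get("google.subject") != "assertion.sub":
        findings.append("google.subject is not mapped from assertion.sub")
    if not provider.get("attributeCondition"):
        findings.append("no attributeCondition: every subject the issuer signs maps into the pool")
    return findings

def audit_bindings(policy):
    """Findings for IAM bindings that reference the Costframe pool."""
    findings = []
    marker = f"/workloadIdentityPools/{POOL}/"
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if marker not in member:
                continue  # binding is unrelated to this pool
            if member.startswith("principalSet://") and member.endswith("/*"):
                findings.append(f"{binding['role']}: granted to the whole pool ({member})")
            elif not member.startswith("principal://"):
                findings.append(f"{binding['role']}: grant by attribute or group, review ({member})")
    return findings

# Constructed sample data; project number, roles and subject are placeholders.
SAMPLE_PROVIDER = json.loads("""{
  "displayName": "Costframe OIDC Provider",
  "state": "ACTIVE",
  "attributeMapping": {"google.subject": "assertion.sub"},
  "oidc": {"issuerUri": "https://auth.costframe.co"}
}""")
P = "iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/costframe-pool"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/bigquery.dataViewer", "members": [f"principalSet://{P}/*"]},
    {"role": "roles/bigquery.jobUser", "members": [f"principal://{P}/subject/EXAMPLE_SUBJECT"]},
]}

if __name__ == "__main__":
    for line in audit_provider(SAMPLE_PROVIDER) + audit_bindings(SAMPLE_POLICY):
        print("FINDING:", line)
```

A binding to a single `principal://.../subject/...` member passes; the wildcard `principalSet://.../*` member is reported because it grants the role to every identity the issuer can mint into the pool.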

Revocation

Remove Costframe’s access easily by deleting the Workload Identity Pool trust mapping, disabling the Service Account, or removing BigQuery dataset query roles in your Google Cloud Console.