Nuphos never stores a service account key. To connect, you create a connector service account in your project and let Nuphos impersonate it, minting short-lived access tokens that expire after about an hour. The agent can then inspect and operate your Google Cloud resources: GKE, Compute Engine, Cloud Run, VPCs, firewalls, IAM, and more.
Connecting a project requires the Administrator role on your team. See the IAM trust model for the security design behind this flow.

What you’ll set up

In your GCP project you:
  1. Enable the Cloud Resource Manager and IAM APIs.
  2. Create a connector service account (nuphos-connector).
  3. Grant it permission to manage your project.
  4. Grant the Nuphos platform service account permission to impersonate it.
Then you enter the connector’s email and your project ID into Nuphos. There are two ways to do this.

In Integrations → Connect → GCP, choose the guided path. Nuphos opens an agent session that runs gcloud on your machine and performs the steps below, pausing for your approval, then prints the project ID and connector email for you to paste in.

Option B — Manual setup with gcloud

Run these commands yourself, replacing PROJECT_ID with your project ID:
1. Enable the required APIs

gcloud services enable \
  cloudresourcemanager.googleapis.com \
  iam.googleapis.com \
  --project=PROJECT_ID
2. Create the connector service account

gcloud iam service-accounts create nuphos-connector --project=PROJECT_ID
3. Let the connector manage your project

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:nuphos-connector@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.infrastructureAdmin"
roles/iam.infrastructureAdmin lets the connector discover and manage infrastructure (and enable additional APIs on demand). Scope it down later if your team requires tighter permissions.
4. Let Nuphos impersonate the connector

Grant the Nuphos platform service account the Service Account Token Creator role on the connector — this is what allows impersonation:
gcloud iam service-accounts add-iam-policy-binding \
  nuphos-connector@PROJECT_ID.iam.gserviceaccount.com \
  --member="serviceAccount:zeabur-byos-connector@zeabur-system.iam.gserviceaccount.com" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --project=PROJECT_ID
zeabur-byos-connector@zeabur-system.iam.gserviceaccount.com is the Nuphos platform identity. It is not a secret — it appears in every customer’s policy. Use it exactly as shown.
5. Enter the details into Nuphos

In the GCP binding dialog, enter:
  • Service account email: nuphos-connector@PROJECT_ID.iam.gserviceaccount.com
  • Project ID: PROJECT_ID

How credentials work

| | Value |
|---|---|
| Trust mechanism | Impersonation of your nuphos-connector service account |
| Impersonating principal | zeabur-byos-connector@zeabur-system.iam.gserviceaccount.com |
| Credential lifetime | ~1 hour per session, minted on demand |
| What’s stored | Only the service account email and project ID — never a key |

Unlike AWS, GCP connections are not verified at bind time. If the impersonation grant or project ID is wrong, the connection saves but fails the first time the agent uses it. Double-check the grant in step 4.
The agent only receives these credentials for a session when you’ve explicitly selected this project, and only if you pass the project’s member allow-list. See Access control.
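
Because the connection is not verified at bind time, the step 4 grant can be checked from your own shell before you enter the details. The script below is an added example, not Nuphos tooling: the function names list_bindings and audit_grant are hypothetical, and it reads only the connector's own IAM policy, so Token Creator grants inherited from the project, folder or organization are not covered.

```shell
#!/usr/bin/env bash
# Added example: audit who may impersonate the connector service account.
# NUPHOS_SA and ROLE come from step 4 of this page; function names are hypothetical.
NUPHOS_SA="serviceAccount:zeabur-byos-connector@zeabur-system.iam.gserviceaccount.com"
ROLE="roles/iam.serviceAccountTokenCreator"

# Print one "role,member" row per binding on the connector's own IAM policy.
# Grants inherited from project, folder or organization level are not listed here.
list_bindings() {  # usage: list_bindings PROJECT_ID
  gcloud iam service-accounts get-iam-policy \
    "nuphos-connector@$1.iam.gserviceaccount.com" \
    --project="$1" \
    --flatten="bindings[].members" \
    --format="csv[no-heading](bindings.role,bindings.members)"
}

# Read "role,member" rows on stdin and return:
#   0  only the Nuphos platform identity holds Token Creator
#   1  the Nuphos grant is missing (the connection saves but fails on first use)
#   2  the grant is present, but other principals can also mint tokens
audit_grant() {
  local found=1 extra=0 role member
  while IFS=, read -r role member || [ -n "$role" ]; do
    [ "$role" = "$ROLE" ] || continue
    if [ "$member" = "$NUPHOS_SA" ]; then
      found=0
    else
      echo "unexpected impersonator: $member" >&2
      extra=1
    fi
  done
  if [ "$found" -ne 0 ]; then
    echo "missing: $NUPHOS_SA lacks $ROLE" >&2
    return 1
  fi
  [ "$extra" -eq 0 ] || return 2
  echo "ok: only the Nuphos platform identity can impersonate the connector"
}

if [ "$#" -gt 0 ]; then
  # Real run: pass your project ID as the first argument.
  list_bindings "$1" | audit_grant
else
  # No argument: demo on constructed rows (dev@example.com is made up).
  printf '%s\n' "$ROLE,$NUPHOS_SA" "$ROLE,user:dev@example.com" \
    | audit_grant || echo "exit status $?"
fi
```

A status of 2 matters because the connector holds roles/iam.infrastructureAdmin: any other principal listed can mint tokens with the same reach.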