GCP Cloud Provider
The GCP (Google Cloud Platform) cloud provider is a production-ready implementation that enables Zenoo Hub to run on Google Cloud infrastructure. It provides seamless integration with core GCP services including Cloud Firestore for storage, Secret Manager for configuration and secrets management, and Cloud Monitoring for metrics publishing. The GCP provider is designed to be highly scalable, secure, and cost-effective, leveraging Google Cloud’s global infrastructure and managed services. It supports Application Default Credentials (ADC) for authentication, making it easy to deploy on GCE, GKE, or Cloud Run without managing service account keys.Supported GCP Services
| Service | Purpose | Implementation Module |
|---|---|---|
| Cloud Firestore (Native Mode) | Component storage, API key lookups, sharable tokens | gcp-stores |
| Secret Manager | Component configuration, API key secrets | gcp-secrets |
| Cloud Monitoring | Metrics publishing with batching | gcp-metrics |
| IAM | Authentication and authorization | All modules |
Prerequisites
Before using the GCP cloud provider, ensure you have:- GCP Project with billing enabled
- gcloud CLI installed and authenticated (
gcloud auth login) - Required APIs enabled (see Quick Start below)
- Service Account with appropriate IAM roles (see IAM Permissions)
- Spring Boot 3.x application (Hub requires Spring Boot 3.3.11 or later)
- Java 21 runtime
Quick Start
Get started with the GCP provider in under 10 minutes.1. Add Dependency
Add the GCP Spring Boot starter to yourbuild.gradle:
2. Enable Required APIs
Enable the necessary GCP APIs for your project:3. Configure Application
Create or updateapplication.yml with minimal GCP configuration:
4. Start Application
- Connect to Firestore and create necessary collections
- Initialize Secret Manager for configuration storage
- Start publishing metrics to Cloud Monitoring
Cloud Firestore Storage
The GCP provider uses Cloud Firestore in Native Mode for storing components, API key mappings, and sharable tokens. Firestore provides real-time synchronization, automatic scaling, and strong consistency guarantees.Important: Native Mode Required
Critical: The Hub requires Firestore in Native Mode, not Datastore Mode. If you’re creating a new Firestore database, ensure you select Native Mode. The two modes are not compatible and cannot be changed after creation.Collections Schema
The GCP provider automatically creates and manages three Firestore collections:Components Collection ({prefix}-components)
Stores component definitions with versioning support.
Document ID Pattern: {componentName}_{revision}
Fields:
componentName(string) - Component identifierrevision(number) - Version number (1, 2, 3, …)definition(string) - Component DSL definition (Groovy code)metadata(map) - Component metadatadependencies(array) - List of dependency component namesconnectors(array) - List of connector namescreatedAt(timestamp) - Creation timestampupdatedAt(timestamp) - Last update timestamp
{componentName}_LATEST that points to the current active revision. This enables efficient retrieval of the latest version without querying all revisions.
Example Documents:
API Keys Collection ({prefix}-api-keys)
Maps component names to their corresponding Secret Manager secret names for API key lookups.
Document ID: {componentName}
Fields:
component(string) - Component namesecretName(string) - Secret Manager secret namebidirectional(boolean) - Supports reverse lookup
Sharables Collection ({prefix}-sharables)
Stores temporary sharable tokens with automatic TTL-based cleanup.
Document ID: {token-uuid}
Fields:
token(string) - Token identifierpayload(string) - Base64-encoded payloadexpiresAt(timestamp) - Expiration timestampexpired(boolean) - Expiration flagreusable(boolean) - Whether token can be used multiple timesttl(duration) - Time-to-live (triggers automatic deletion)
ttl field, eliminating the need for manual cleanup.
Example Document:
Features
- Atomic LATEST Pointer Updates - Uses Firestore transactions to ensure consistency
- Component Versioning - Complete revision history for all components
- Bidirectional API Key Lookup - Fast component-to-secret and secret-to-component mapping
- Automatic TTL Cleanup - Firestore deletes expired sharables automatically
- Composite Indexes - Auto-created indexes for efficient queries (if enabled)
- Strong Consistency - Firestore provides strong consistency for all reads
- Real-time Updates - Native support for real-time listeners (not used by default)
Configuration
Configure Firestore behavior with these properties:prefix- All collection names are prefixed with this value (e.g.,zenoo-hub-components)createIndexes- Set totruefor automatic composite index creation; set tofalsefor manual managementttlEnabled- Must betruefor automatic sharable cleanupretryStrategy- Configures exponential backoff for transient errors
Secret Manager
Google Cloud Secret Manager provides secure, centralized storage for component configuration and API keys. The GCP provider uses Secret Manager for all sensitive data, leveraging automatic encryption at rest and fine-grained IAM access control.Component Configuration Secrets
Component configuration is stored as versioned secrets in Secret Manager. Naming Convention:- Version-labeled Secrets - Stores semantic version labels (
version-1.0.0) on Secret resource - Automatic Version Management - New versions created automatically on updates
- Caching - Caffeine-based cache reduces Secret Manager API calls
- Batch Operations - Supports bulk secret loading on startup
- Storing version labels (
version-{semantic}) on the Secret resource metadata - Mapping semantic versions to Secret Manager version numbers
- Managing version limits automatically (deletes oldest versions when limit reached)
API Key Secrets
API keys are stored as JSON-encoded secrets. Naming Convention:- Bidirectional lookup via Firestore API Keys collection
- JSON serialization/deserialization
- Automatic caching with configurable TTL
- Permission metadata support
Configuration
Configure Secret Manager behavior:cacheSize- Increase for applications with many configuration keyscacheExpiry- Balance between freshness and API costsversionsLimit- Old versions are automatically deleted when limit is reachedforceDelete: false- Recommended for production (enables 30-day recovery window)requestTimeout- 2s recommended to handle Secret Manager eventual consistency
Configuration Reference
Complete reference for all GCP provider configuration properties.Core GCP Configuration
| Property | Type | Default | Required | Description |
|---|---|---|---|---|
hub.cloud.provider.type | string | - | Yes | Must be gcp to enable GCP provider |
hub.gcp.projectId | string | - | Yes | GCP project ID |
hub.gcp.credentialsLocation | path | ADC | No | Path to service account key JSON file |
hub.gcp.enabled | boolean | true | No | Enable/disable GCP provider |
Firestore Configuration
| Property | Type | Default | Required | Description |
|---|---|---|---|---|
hub.gcp.firestore.database | string | "(default)" | No | Firestore database name |
hub.gcp.firestore.prefix | string | "zenoo-hub" | No | Collection name prefix |
hub.gcp.firestore.createIndexes | boolean | true | No | Auto-create composite indexes |
hub.gcp.firestore.ttlEnabled | boolean | true | No | Enable TTL for sharables |
hub.gcp.firestore.ttlField | string | "ttl" | No | TTL field name |
hub.gcp.firestore.retryStrategy.requestTimeout | duration | 500ms | No | Per-request timeout |
hub.gcp.firestore.retryStrategy.maxRetries | integer | 10 | No | Max retry attempts |
hub.gcp.firestore.retryStrategy.backoff | duration | 100ms | No | Exponential backoff base |
Secret Manager Configuration
| Property | Type | Default | Required | Description |
|---|---|---|---|---|
hub.gcp.secrets.prefix | string | "zenoo-hub" | No | Secret name prefix |
hub.gcp.secrets.cacheSize | integer | 128 | No | Caffeine cache max entries |
hub.gcp.secrets.cacheExpiry | duration | 30m | No | Cache TTL |
hub.gcp.secrets.versionsLimit | integer | 18 | No | Max versions per secret |
hub.gcp.secrets.forceDelete | boolean | true | No | Immediate delete (vs 30-day recovery) |
hub.gcp.secrets.retryStrategy.requestTimeout | duration | 2s | No | Per-request timeout |
hub.gcp.secrets.retryStrategy.maxRetries | integer | 5 | No | Max retry attempts |
hub.gcp.secrets.retryStrategy.backoff | duration | 200ms | No | Exponential backoff base |
Cloud Monitoring Configuration
| Property | Type | Default | Required | Description |
|---|---|---|---|---|
hub.gcp.metrics.enabled | boolean | true | No | Enable metrics publishing |
hub.gcp.metrics.prefix | string | "hub" | No | Metric name prefix |
hub.gcp.metrics.batchSize | integer | 200 | No | Max time series per batch (GCP limit: 200) |
Complete Configuration Examples
Minimal Development Configuration
Production Configuration
High Performance Configuration
Multi-Environment Configuration
IAM Permissions
The GCP provider requires specific IAM permissions to access Firestore, Secret Manager, and Cloud Monitoring. This section details the minimum required permissions and recommended IAM roles.Required Permissions
Firestore Access
Secret Manager Access
Cloud Monitoring
Predefined Roles (Minimum Required)
The simplest approach is to use Google’s predefined IAM roles:Custom Role (Least Privilege Approach)
For production environments, create a custom role with minimal permissions:hub.gcp.firestore.createIndexes=true, add datastore.indexes.create permission.
Service Account Setup
Create Service Account
Grant Permissions
Authentication Options
Option 1: Application Default Credentials (Recommended for GCP) When running on GCP infrastructure (GCE, GKE, Cloud Run), attach the service account to the compute resource:credentialsLocation configuration needed - ADC automatically detects the attached service account.
Option 2: Service Account Key File (For non-GCP deployments)
application.yml:
- Store keys securely (e.g., Google Cloud Secret Manager, Kubernetes secrets)
- Rotate keys regularly (every 90 days recommended)
- Never commit keys to source control
Authentication Methods
The GCP provider supports three authentication methods, in order of preference:1. Application Default Credentials (Recommended)
Application Default Credentials (ADC) is Google’s recommended authentication mechanism. It automatically discovers credentials from the environment in this order:GOOGLE_APPLICATION_CREDENTIALSenvironment variable (points to key file)- User credentials from
gcloud auth application-default login - Service account attached to GCE VM, GKE pod, or Cloud Run instance
- Default service account from Compute Engine metadata service
hub.gcp.credentialsLocation
Local Development:
- No credential files to manage
- Automatic credential refresh
- Follows Google Cloud best practices
- Works seamlessly on GCP infrastructure
2. Service Account Key File
Explicitly specify a service account key file path. Configuration:- Running Hub outside GCP (on-premises, other clouds)
- Testing with specific service account
- Development environments without gcloud CLI
- Manual key management and rotation required
- Security risk if key is compromised
- Must securely distribute keys to all instances
3. GCE/GKE Metadata Service (Automatic)
When running on Google Cloud compute resources with an attached service account, ADC automatically uses the metadata service. Configuration: None required Requirements:- Service account attached to compute resource
- Compute resource has
cloud-platformscope (or specific scopes)
Performance Tuning
Optimize GCP provider performance for your workload.Firestore Optimization
Batch Operations: The GCP provider uses batch operations for bulk component updates. Firestore supports up to 500 operations per batch. Composite Indexes: Enable automatic index creation for complex queries:firestore.indexes.json.
Retry Strategy:
Tune retry behavior for your latency requirements:
Secret Manager Optimization
Cache Configuration: Reduce Secret Manager API calls by tuning the cache:Cloud Monitoring Optimization
Batch Size: Configure batch size based on metric volume:Security Best Practices
Secure your GCP provider deployment.Service Account Security
1. Use Least Privilege IAM Roles Create custom roles with minimum required permissions (see IAM Permissions). 2. Rotate Service Account Keys If using key files, rotate every 90 days:Secret Management Security
1. Enable 30-Day Recovery for Production- Database passwords: Every 90 days
- API keys: Every 180 days
- Encryption keys: Yearly
Network Security
1. VPC Service Controls Restrict Firestore access to specific VPC networks:Firestore Security
1. Database-Level IAM Grant permissions at database level, not collection level:- Review service account permissions quarterly
- Audit Firestore security rules (if using)
- Check for unused service accounts
Monitoring and Metrics
The GCP provider publishes metrics to Cloud Monitoring for observability.Cloud Monitoring Integration
TheGcpMetricPublisher automatically publishes application metrics to Cloud Monitoring with:
- Custom dimensions:
componentName,operation,status - Batch publishing: Up to 200 time series per request
- Level-based filtering: INFO, ERROR, TRACE
Key Metrics to Monitor
Application Metrics
Published by Hub to Cloud Monitoring:GCP Service Metrics
Native GCP service metrics available in Cloud Monitoring: Firestore:Setting Up Alerts
Create alert policies for critical metrics:High Firestore Latency Alert
Low Cache Hit Rate Alert
Secret Manager Error Rate Alert
Dashboards
Create custom dashboards in Cloud Monitoring Console:- Navigate to Monitoring > Dashboards
- Click Create Dashboard
- Add charts for key metrics:
- Firestore read/write operations
- Secret Manager access count
- Cache hit rate
- Application latency
Troubleshooting
Common issues and solutions when using the GCP provider.Authentication Issues
Problem: PermissionDeniedException
Problem: Application Default Credentials Not Found
Firestore Issues
Problem: Cloud Firestore API Not Enabled
Problem: ComponentNotFoundException
- Check collection prefix matches configuration:
- Verify component was stored successfully (check application logs for write errors)
- Check Firestore Console for data:
- List collections programmatically:
Problem: Firestore in Datastore Mode
- Create a new GCP project
- Enable Firestore in Native Mode
- Migrate data from old project (if needed)
Secret Manager Issues
Problem: Secret Not Found
- List existing secrets:
- Verify prefix configuration matches Secret Manager naming:
- Create missing secret:
Problem: High Cache Miss Rate
Symptoms:- High Secret Manager API usage
- Increased latency
hub.cache.miss.ratemetric > 20%
Performance Issues
Problem: High Firestore Latency
Symptoms:- Slow component loads
firestore.googleapis.com/api/request_latencies> 500ms
- Check index status:
- Enable automatic index creation:
- Or create indexes manually via Firebase Console or
firestore.indexes.json
Problem: Secret Manager Rate Limiting
Symptoms:- Increase cache TTL to reduce API calls:
- Preload secrets at startup:
- Request quota increase (if legitimately needed):
Network Issues
Problem: Connection Timeouts to GCP APIs
Symptoms:- Test connectivity:
- Check VPC firewall rules:
- Verify Private Google Access (if using private IPs):
- Check GCP Status Dashboard:
- Increase request timeouts (temporary workaround):
Testing
Test your GCP provider integration locally and in CI/CD.Local Testing with Firestore Emulator
Use the Firestore emulator for local development and testing without incurring costs or needing network access. 1. Start Firestore Emulator:application-test.yml:
- No GCP credentials needed
- Fast local testing
- No costs
- Isolated test environment
- Emulator doesn’t support all Firestore features (e.g., TTL)
- No Secret Manager or Cloud Monitoring emulators
Integration Testing with Real GCP
For comprehensive integration testing, use a dedicated test GCP project. 1. Create Test Project:CI/CD Integration
GitHub Actions Example:Cost Optimization
Optimize GCP costs for your Hub deployment.Firestore Costs
Firestore charges for:- Document reads - $0.06 per 100,000 documents
- Document writes - $0.18 per 100,000 documents
- Document deletes - $0.02 per 100,000 documents
- Storage - $0.18 per GB/month
- Network egress - Varies by region
- Enable TTL for Sharables:
- Use LATEST Pointers:
- Minimize Write Operations:
- Only update components when actually changed
- Batch multiple updates together
- Storage Cleanup:
- Regional Selection:
us-central1 vs asia-northeast1).
Secret Manager Costs
Secret Manager charges for:- Active secret versions - $0.06 per secret version per month
- Access operations - $0.03 per 10,000 access operations
- Version Limits:
- Cache Aggressively:
- Force Delete in Development:
- Preload at Startup:
Cloud Monitoring Costs
Cloud Monitoring charges for:- Ingestion - $0.2580 per MB for custom metrics (first 150 MB/month free)
- API calls - First 1 million free, then $0.01 per 1,000 calls
- Disable in Non-Production:
- Batch Metrics:
- Selective Metrics:
Multi-Region Considerations
Cost vs Availability Tradeoff:- Single Region: Lowest cost, sufficient for most use cases
- Multi-Region (Automatic): Higher cost, better availability and latency
Migration
Migrate to GCP provider from other storage backends.From AWS to GCP
Strategy: Dual-write pattern for zero-downtime migration. Phase 1: Dual Write- Enable both AWS and GCP providers simultaneously
- Write to both backends
- Read from AWS (existing)
- Verify data consistency between AWS and GCP
- Run parallel production traffic (10% to GCP)
- Monitor for errors
- Switch reads to GCP
- Continue dual writes for rollback capability
- Monitor for 24-48 hours
- Disable AWS writes
- Remove AWS provider dependency
- Archive AWS data
From Local Provider to GCP
Strategy: Export and import data. 1. Export from Local Provider:- Local provider has no persistence - export during runtime
- Sharable tokens are temporary - may not need migration
- Test import in dev environment first
See Also
- Cloud Provider Architecture - Technical design and module structure
- Configuration Reference - Complete property reference
- GCP Managed Kafka Setup - Kafka configuration for GCP
- Implementing Providers - Build custom cloud providers
- Local Provider - In-memory provider for development
- AWS Provider - AWS DynamoDB and Secrets Manager provider