# Setup BYOC with GCP

**BYOC** is one of our setup options. It installs our platform's infrastructure in a cloud environment owned by your organization, allowing you to delegate its entire setup, update, and maintenance to groundcover.

To install groundcover BYOC, sign up to [groundcover Console](https://console.groundcover.com/) and start the installation process.

<figure><img src="/files/LPY4hF5IDhvZAF4KTcyb" alt=""><figcaption></figcaption></figure>

## Installation steps <a href="#installation-steps" id="installation-steps"></a>

BYOC requires you to create an isolated account within your GCP organization. groundcover's control plane manages this account and establishes, configures, and maintains the infrastructure and workloads within it. These include GCP VPC, GCS, GKE, and LB services.

Once created, provide the service account and project ID. groundcover will validate proper permissions and the deployment will start. The deployment process will take about 30 minutes and afterwards you can go to your app workspace and connect your production environment to be monitored by groundcover.

### Setting up a service account

Follow the steps below to create a service account:

1. **Create a service account with project owner access**

To manage resources in your environment, you need a dedicated service account with project owner permissions:

* Go to **IAM & Admin > Service Accounts** in the GCP Console.
* Click **Create service account**.
* Set both the service account name and the service account ID to `groundcover-managed`, or any other meaningful name.
* Click **Create and continue**.
* In the "**Permissions**" section, select **Role > Owner**.
* Click **Continue** and **Done**.

2. **Allow the service account to create access tokens**

Next, you need to allow the service account to generate access tokens for project admin tasks:

* Click on the newly created service account from the list.
* Go to the "**Principals with access**" tab.
* Click "**Grant Access**".
* Under **Add principals**, add the following service account: `controlplane@groundcover-managed-prod.iam.gserviceaccount.com`.
* Under **Assign roles**, choose **Service Account Token Creator**.
* Press **Save**.

3. **Enable the Service Usage API**

Now, you need to enable the **Service Usage API** for the project:

* Use the search bar in the GCP Console to find "**Service Usage API**".
* Click on it, then hit "**Enable**".

4. **Disable service account key creation constraint**

Certain groundcover workloads require service accounts with HMAC keys, which means a rule needs to be added in the new GCP project to turn off enforcement of the "Disable service account key creation" organization policy constraint.

* Start by selecting the relevant project from the project picker, then browse to **IAM & Admin > Organization policies** and search for the "Disable service account key creation" constraint.
* Choose the highlighted constraint and click on **Manage policy**.
* Click on **Add a rule** and set **Enforcement** to **Off**.
* Save it by clicking on **Set policy**.
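
Steps 1 and 2 leave a project Owner that an external principal can impersonate, so it is worth confirming that the resulting grants are exactly the ones described and nothing wider. The following check is an added example, not groundcover's own tooling. It assumes the two policies were exported with `gcloud projects get-iam-policy <PROJECT_ID> --format=json` and `gcloud iam service-accounts get-iam-policy <SA_EMAIL> --format=json`; the sample policies, the `example-byoc` project ID and the extra user are constructed.

```python
import json

# Principal and role names come from the setup steps on this page.
CONTROL_PLANE = "serviceAccount:controlplane@groundcover-managed-prod.iam.gserviceaccount.com"
OWNER = "roles/owner"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

def members_with(policy, role):
    """Return the set of members bound to `role` in an IAM policy dict."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            found.update(binding.get("members", []))
    return found

def audit(project_policy, sa_policy, sa_email):
    """Compare both policies with steps 1 and 2; return a list of findings."""
    managed = f"serviceAccount:{sa_email}"
    findings = []
    if managed not in members_with(project_policy, OWNER):
        findings.append(f"MISSING: {managed} lacks {OWNER} on the project")
    creators = members_with(sa_policy, TOKEN_CREATOR)
    if CONTROL_PLANE not in creators:
        findings.append(f"MISSING: control plane lacks {TOKEN_CREATOR} on {sa_email}")
    # Any other principal that can mint tokens for this account inherits Owner.
    for extra in sorted(creators - {CONTROL_PLANE}):
        findings.append(f"EXCESS: {extra} can impersonate {sa_email}")
    # A project-level grant covers every service account in the project,
    # which is wider than the per-account grant made in step 2.
    if CONTROL_PLANE in members_with(project_policy, TOKEN_CREATOR):
        findings.append(f"EXCESS: control plane has project-wide {TOKEN_CREATOR}")
    return findings

# Constructed sample input; "example-byoc" and the user are placeholders.
SA_EMAIL = "groundcover-managed@example-byoc.iam.gserviceaccount.com"
PROJECT_POLICY = {"bindings": [
    {"role": OWNER, "members": [f"serviceAccount:{SA_EMAIL}"]},
]}
SA_POLICY = json.loads("""{"bindings": [{
  "role": "roles/iam.serviceAccountTokenCreator",
  "members": [
    "serviceAccount:controlplane@groundcover-managed-prod.iam.gserviceaccount.com",
    "user:dev@example.com"]}]}""")

if __name__ == "__main__":
    for line in audit(PROJECT_POLICY, SA_POLICY, SA_EMAIL) or ["OK: grants match the setup steps"]:
        print(line)
```

The check ignores IAM conditions on bindings, so a conditional grant is reported the same way as an unconditional one.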

### groundcover GCP organization details <a href="#groundcover-gcp-organization-details" id="groundcover-gcp-organization-details"></a>

If your organization enforces Service Control Policies (SCPs) or organization policies that restrict access by organization or customer, you may need to allow-list groundcover's GCP identifiers so the managed service account can operate against your project:

* **Organization ID**: `979668464296`
* **Customer ID**: `C019vy3qc`

Use these values when configuring policy exceptions (e.g. `constraints/iam.allowedPolicyMemberDomains`, `constraints/resourcemanager.allowedExportDestinations`, or any SCP/org policy that filters by org or customer).

### Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

There are 2 types of potential problems you may encounter in the installation process:

1. **Validation issues** - before kicking off the installation process, groundcover will verify that the provided service account has the correct permissions. In case of validation issues, please expand the relevant section and address the validation issue. After the issue is fixed, click on Validate again to ensure all the permissions were granted properly.
2. **Deployment issues** - once the installation process has started, we may encounter issues while attempting to install one or more components. These issues will appear in the backends main screen.

If any of the above issues persist, [reach out to our team](https://www.groundcover.com/join-slack).

### Add monitoring to your environment <a href="#add-monitoring-to-your-environment" id="add-monitoring-to-your-environment"></a>

Once the groundcover backend is deployed, the final step is to add data sources to monitor your environment, such as deploying our sensors to monitor your clusters or adding cloud providers. To do so, go to the [data sources page](https://app.groundcover.com/data-sources) and select the relevant data sources for your needs.


