
GCP BYOC Setup

This guide walks you through connecting your own Google Cloud Platform project to Mengi Cloud as a BYOC (“Bring Your Own Cloud”) credential. When you use BYOC, Mengi provisions and manages a Kubernetes cluster (Google GKE) inside your own GCP project, billed directly by Google. Mengi only charges a management fee instead of the full infrastructure cost.

You will:

  1. Create a dedicated project (or pick an existing one) in the GCP console.
  2. Create a service account (a non-human identity for Mengi).
  3. Grant it the IAM roles Mengi needs, scoped to that project.
  4. Generate and download a service account JSON key.
  5. Store the credential in Mengi Cloud and create a cluster.

You can do this entirely in the Google Cloud console; equivalent gcloud commands are included for convenience.


What Mengi creates in your project

When you provision a BYOC cluster, Mengi creates the following in your chosen project:

Resource                                   GCP product
A VPC network and subnet                   VPC
A Cloud Router and Cloud NAT               Cloud NAT
A GKE managed Kubernetes cluster           GKE
A node pool (with optional autoscaling)    GKE / Compute Engine

The cluster’s nodes, load balancers and persistent disks are created and billed in your project. You can delete everything at any time from the Mengi dashboard (which cleanly tears down the infrastructure) or from the GCP console.


Required IAM roles

The service account Mengi uses needs the following roles, granted on the single project you dedicate to Mengi:

Role                             Why it’s needed
roles/container.admin            Create and manage the GKE cluster and node pools
roles/compute.admin              Create the VPC, subnet, Cloud Router and Cloud NAT
roles/iam.serviceAccountUser     Attach the node service account to GKE nodes
roles/storage.admin              Access container images and cluster artifacts

Least privilege: Because the roles are granted at the project level, this key can only touch resources in the project you dedicate to Mengi — not the rest of your organization. You do not need to grant any organization-level roles for BYOC.


Prerequisites

  • A GCP project with billing enabled (GKE clusters incur Google charges in your project).
  • The Kubernetes Engine API and Compute Engine API enabled on the project (the console will offer to enable them; or run gcloud services enable container.googleapis.com compute.googleapis.com).
  • Permission to create service accounts and grant IAM roles (Owner or IAM Admin).

Part 1 — GCP console setup

1. Pick or create a project

A dedicated project keeps Mengi’s resources isolated and makes the key easy to scope and revoke.

  1. In the GCP console, open the project picker and click New Project.
  2. Name it e.g. mengi-byoc and create it.
  3. Copy the Project ID (e.g. mengi-byoc-481921) — it is embedded in the service account key you download later.

2. Create a service account

  1. Go to IAM & Admin → Service Accounts → Create service account.
  2. Name it e.g. mengi-provisioner, with a description like “Mengi Cloud BYOC provisioner”.
  3. Click Create and continue, then Done.

The create-service-account wizard has an optional “Grant this service account access to project” step, but it’s easy to miss — clicking Create and continue often drops you straight back to the Service Accounts list with no roles attached. Don’t rely on it; grant the roles explicitly in Step 3.

3. Grant the four IAM roles

  1. Go to IAM & Admin → IAM → Grant access.

  2. Under New principals, paste the service account’s email: mengi-provisioner@mengi-byoc.iam.gserviceaccount.com.

  3. Under Assign roles, add each of the four roles below (use + Add another role for each):

    • Kubernetes Engine Admin (roles/container.admin)
    • Compute Admin (roles/compute.admin)
    • Service Account User (roles/iam.serviceAccountUser)
    • Storage Admin (roles/storage.admin)
  4. Click Save. The service account now appears in the IAM list with the four roles.

    gcloud equivalent (creates the SA and grants the roles)
    # The project dedicated to Mengi; the service account email is derived from it.
    PROJECT_ID=mengi-byoc
    SA_EMAIL=mengi-provisioner@${PROJECT_ID}.iam.gserviceaccount.com
    # Create the service account.
    gcloud iam service-accounts create mengi-provisioner \
        --display-name="Mengi Cloud Provisioner" \
        --project="$PROJECT_ID"
    # Grant the four roles on the project only (no organization-level roles).
    for ROLE in roles/container.admin roles/compute.admin \
                roles/iam.serviceAccountUser roles/storage.admin; do
        gcloud projects add-iam-policy-binding "$PROJECT_ID" \
            --member="serviceAccount:$SA_EMAIL" --role="$ROLE"
    done

4. Generate a JSON key

  1. Open the mengi-provisioner service account → Keys tab.

  2. Click Add key → Create new key → JSON → Create.

  3. A .json key file downloads automatically. Open it in a text editor — you will paste the entire JSON contents into Mengi.

    gcloud equivalent
    gcloud iam service-accounts keys create ./mengi-byoc-key.json \
        --iam-account=mengi-provisioner@mengi-byoc.iam.gserviceaccount.com

Part 2 — Store the credential in Mengi Cloud

  1. Sign in to the Mengi Cloud dashboard and open Cloud Credentials from the left-hand menu.
  2. Click Add Credential.
  3. Fill in the form:
    • Credential Name — any label, e.g. gcp-byoc.
    • Cloud Provider — select Google Cloud Platform.
    • Service Account JSON — paste the full contents of the JSON key file (the whole { "type": "service_account", ... } object). The project ID is read from inside the JSON, so there is no separate field.
  4. Click Add Credential.

The credential is stored encrypted and starts in Pending Validation. Mengi validates it by signing in as the service account and reading the project; once that succeeds the status turns to Ready. If it shows Invalid, re-check that you pasted the complete JSON and that all four roles are granted on the project named inside it.
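Before pasting the key, it is worth checking locally that the file is complete and that the four roles really are bound to the service account on the project named inside the key, since those are the two usual causes of an Invalid status. The following Python script is an added example, not part of these docs or Mengi's own tooling: it parses a key file, then compares the service account's project-level bindings (the JSON printed by gcloud projects get-iam-policy PROJECT_ID --format=json) against the four required roles. The key and policy below are constructed sample data with a placeholder private key.

```python
"""Pre-flight check for a Mengi BYOC service-account key (added example).

Checks the two things that usually explain an Invalid credential:
  1. the downloaded JSON key file is a complete service-account key, and
  2. the service account named in it holds exactly the four roles Mengi
     needs on the project named in it.
The policy is the JSON printed by
    gcloud projects get-iam-policy PROJECT_ID --format=json
Both inputs below are constructed sample data.
"""
import json

REQUIRED_ROLES = {
    "roles/container.admin",
    "roles/compute.admin",
    "roles/iam.serviceAccountUser",
    "roles/storage.admin",
}

# Fields every Google service-account key file carries.
KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def parse_key_file(text):
    """Return (project_id, client_email) from a key file's text.

    Raises ValueError with a specific message for the usual paste mistakes:
    truncated JSON, wrong credential type, missing fields.
    """
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"key file is not complete JSON: {exc.msg}") from exc
    if key.get("type") != "service_account":
        raise ValueError(f"expected type 'service_account', got {key.get('type')!r}")
    missing = sorted(KEY_FIELDS - set(key))
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM block; the file may be truncated")
    return key["project_id"], key["client_email"]


def roles_for_member(policy, member):
    """Collect every role a member holds in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_bindings(policy, client_email):
    """Compare the SA's project-level roles with what Mengi needs.

    Returns (missing_roles, extra_roles) as sorted lists. Missing roles make
    Mengi's validation fail; extra roles widen what the key can reach.
    """
    granted = roles_for_member(policy, f"serviceAccount:{client_email}")
    return sorted(REQUIRED_ROLES - granted), sorted(granted - REQUIRED_ROLES)


SA_EMAIL = "mengi-provisioner@mengi-byoc.iam.gserviceaccount.com"

# Constructed sample key; the private key is a placeholder, not real key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "mengi-byoc",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": SA_EMAIL,
})

# Constructed sample policy: storage.admin is missing and roles/owner was
# granted by mistake, so the check should report both.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/container.admin", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/compute.admin", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/iam.serviceAccountUser", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/owner", "members": ["user:admin@example.com", f"serviceAccount:{SA_EMAIL}"]},
    ]
}

if __name__ == "__main__":
    project_id, sa_email = parse_key_file(SAMPLE_KEY)
    missing, extra = check_bindings(SAMPLE_POLICY, sa_email)
    print(f"project {project_id}, service account {sa_email}")
    print("missing roles:", missing or "none")  # ['roles/storage.admin']
    print("extra roles:", extra or "none")      # ['roles/owner']
```

On a real project, replace SAMPLE_KEY with the downloaded file's contents and SAMPLE_POLICY with the output of gcloud projects get-iam-policy for the project_id the script prints; an empty "missing" list and an empty "extra" list is the state the Required IAM roles section describes.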


Part 3 — Create a BYOC cluster

  1. Start a new cluster/deployment in the Mengi dashboard.
  2. Choose GCP as the provider and select a region (e.g. us-central1, us-east1, europe-west1, europe-west3, asia-southeast1).
  3. Enable Use my own cloud account (BYOC) and select the gcp-byoc credential.
  4. Pick a cluster type, Dedicated (1 node) or Dedicated HA (3 nodes, with SLA), and create the cluster.

Mengi provisions the VPC, Cloud NAT, GKE control plane and node pool in your project. The cluster moves through pending → provisioning → running. Deleting it from Mengi tears the infrastructure back down in your project.

BYOC is not available on the Development type — those are virtual clusters on Mengi’s own shared host infrastructure. Use Dedicated or Dedicated HA.


Rotating the key

  1. In the GCP console, create a new JSON key for the mengi-provisioner service account (Part 1, Step 4).
  2. In Mengi, edit the gcp-byoc credential, paste the new JSON, then re-validate.
  3. Once the new key is Ready, delete the old key from the service account’s Keys tab.
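To see which keys exist on the service account and which one is the old one to delete after step 3, the following Python script is an added example (not part of these docs or Mengi's tooling) that reads the output of gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json. It also flags user-managed keys older than a rotation interval, which is the periodic check the Security notes ask for. The key list, key ids and dates below are constructed sample data.

```python
"""Key-age audit for the mengi-provisioner service account (added example).

Input is the JSON printed by
    gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json
Each entry carries a key name ending in the key id, a keyType and a
validAfterTime (creation time). The report flags user-managed keys past the
rotation interval and, right after a rotation, names the older key id(s) to
delete once the new key shows Ready in Mengi. The key list is constructed.
"""
from datetime import datetime, timezone

SA_EMAIL = "mengi-provisioner@mengi-byoc.iam.gserviceaccount.com"
KEY_PREFIX = f"projects/mengi-byoc/serviceAccounts/{SA_EMAIL}/keys/"

# Constructed sample output; the key ids are placeholders.
SAMPLE_KEYS = [
    {"name": KEY_PREFIX + "a1b2c3", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T09:00:00Z"},
    {"name": KEY_PREFIX + "d4e5f6", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-06-01T08:30:00Z"},
    # Google creates and rotates system-managed keys itself; they are skipped.
    {"name": KEY_PREFIX + "s7s8s9", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-05-01T00:00:00Z"},
]


def parse_time(value):
    """Parse the RFC 3339 UTC timestamps gcloud prints."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(key):
    """The key id is the last path segment of the key's resource name."""
    return key["name"].rsplit("/", 1)[1]


def rotation_report(keys, now, max_age_days=90):
    """Summarise the user-managed keys of one service account.

    Returns {"current": newest key id, "delete": older key ids,
             "stale": key ids older than max_age_days}.
    Only user-managed keys count: those are the downloadable JSON keys.
    """
    user_keys = sorted(
        (k for k in keys if k["keyType"] == "USER_MANAGED"),
        key=lambda k: parse_time(k["validAfterTime"]),
    )
    if not user_keys:
        return {"current": None, "delete": [], "stale": []}
    stale = [key_id(k) for k in user_keys
             if (now - parse_time(k["validAfterTime"])).days > max_age_days]
    return {
        "current": key_id(user_keys[-1]),
        "delete": [key_id(k) for k in user_keys[:-1]],
        "stale": stale,
    }


if __name__ == "__main__":
    report = rotation_report(SAMPLE_KEYS, parse_time("2024-06-02T00:00:00Z"))
    print(report)  # {'current': 'd4e5f6', 'delete': ['a1b2c3'], 'stale': ['a1b2c3']}
    for old in report["delete"]:
        print(f"gcloud iam service-accounts keys delete {old} --iam-account={SA_EMAIL}")
```

Run the printed gcloud iam service-accounts keys delete command only after the new key shows Ready in Mengi; deleting the key Mengi is still using leaves it unable to tear down the clusters it manages, as the Revoking access section notes.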

Revoking access

To cut Mengi off entirely, delete the service account key (or the whole mengi-provisioner service account) in the GCP console. Delete any running BYOC clusters from the Mengi dashboard first so the infrastructure is cleaned up — once the key is gone, Mengi can no longer tear those resources down for you.


Security notes

  • A service account JSON key is a long-lived credential — store it securely and never commit it to version control.
  • Keep the roles scoped to a single dedicated project so the key can never touch the rest of your organization.
  • Mengi stores BYOC credentials encrypted, not in plaintext.
  • Rotate the key periodically.