Skip to content
stack
Get started
Provider · Cloud

GCP — Ashlr Stack Provider

GCP: Google Cloud Platform. Service-account JSON + project ID stored in Phantom. Wire it into your project with one command via Ashlr Stack.

Cloud · API key KEY-ONLY · v0.2 adds provisioning
GCP — Google Cloud Platform. Service-account JSON + project ID stored in Phantom.
Dashboard ↗

One command

Add GCP to any Ashlr Stack project with a single command. Stack runs the auth flow, verifies the credential, and writes every secret slot into Phantom. 

stack add gcp

Or describe what you're building and let Claude pick it up via stack recommend: 

stack recommend "raw cloud infrastructure for scale"

Auth flow

Paste a long-lived API key once. Stack verifies it against the provider's API before writing to Phantom.

How-to: Download a service-account JSON key from GCP → IAM & Admin → Service Accounts and paste the full JSON.

Secret slots

stack add gcp writes these 2 secret slots into your Phantom vault:

  • GCP_SERVICE_ACCOUNT_JSON
  • GCP_PROJECT_ID

The values never leave Phantom in plaintext. Your .env file references slot names, and stack exec -- <cmd> swaps them in at process-spawn time via Phantom's local proxy.

  • AWS — S3, Lambda, RDS. IAM access keys stored in Phantom.
  • DigitalOcean — Droplets, Kubernetes, managed databases. Personal access token verified via /v2/account.
  • Hetzner — Affordable European cloud servers. API token verified via /v1/locations.

v1 notes

v1 validates JSON shape and project_id field only — live project endpoint verification requires an OAuth2 token exchange; deferred to v0.2.

FAQ

Do I need a GCP account to use it with Stack?

Yes — Stack provisions GCP on your behalf, but it authenticates as you. Paste a long-lived API key once. Stack verifies it against the provider's API before writing to Phantom. If you don't have a credential yet, create one at https://console.cloud.google.com and paste it once.

Where does Stack store my GCP credentials?

In Phantom Secrets, an E2E-encrypted local vault. Stack writes the secret slot names (GCP_SERVICE_ACCOUNT_JSON, GCP_PROJECT_ID) into .stack.toml — the actual values live only in Phantom and never touch disk in plaintext.

Can I rotate or revoke this integration later?

Yes. Run `stack remove gcp` to pull the GCP service back out (Phantom secrets deleted, MCP entry removed, .stack.toml cleaned up). Rotate the underlying GCP credentials in their dashboard — https://console.cloud.google.com — and Stack's next `doctor --fix` will pick up the new values.

Outbound