Skip to main content

GCP Deployment

Deploy the FailZero agent on Google Cloud Platform using Compute Engine or GKE.

Compute Engine

1. Create Service Account

2. Grant IAM Permissions

The agent needs permissions to execute failover operations:
Grant only the permissions needed for your DR plan. These are examples for common failover operations.

3. Create VM Instance

Replace fzat_your_token with your actual agent token. For production, use Secret Manager instead of metadata.
Store sensitive values in Secret Manager:
Update startup script to fetch from Secret Manager:

GKE (Kubernetes)

1. Create Kubernetes Secret

2. Deploy Agent

Use Workload Identity for secure credential management:

IAM Permissions

Minimum Required

Resource TypeRolePurpose
Cloud SQLroles/cloudsql.adminPromote replicas
Cloud DNSroles/dns.adminUpdate DNS records

Optional (Based on DR Plan)

Resource TypeRolePurpose
Compute Engineroles/compute.instanceAdmin.v1Scale instance groups
Secret Managerroles/secretmanager.secretAccessorRead secrets
Cloud Storageroles/storage.adminBackup operations
Pub/Subroles/pubsub.publisherNotifications

Verify Deployment

Compute Engine

GKE

Expected output:

Troubleshooting

Permission denied errors:
  • Verify IAM roles are assigned to the service account
  • Check the service account is attached to the VM/pod
  • Ensure Workload Identity is configured correctly (GKE)
Cannot reach API:
  • Check firewall rules allow outbound HTTPS (port 443)
  • Verify VPC allows egress to api.failzero.io
Agent not registering:
  • Confirm token is correct and not expired
  • Check logs for specific error messages

Next Steps

Example Plans

GCP-specific DR configurations

CLI Reference

Deploy and manage plans