Prerequisites
1
GCP Organization Access
- Access to a GCP Organization account
- Organization Policy Administrator role (required for setup)
- Billing enabled on your GCP project
- Understanding of which GCP region you want to deploy to
2
Leap Application Ready
- Your application built and tested with Leap
- Preview environment validated and working
- Ready to deploy to production infrastructure
Connection Process
1
Access the Connect Cloud page
In your Leap project:
- Go to the Encore Cloud dashboard
- Select your application
- Navigate to App Settings → Integrations → Connect Cloud
- Select Google Cloud Platform (GCP)
2
Get your App's Service Account
Encore Cloud provides a unique GCP Service Account for your application:
- Find your app’s Service Account email on the Connect Cloud page
- Copy this email address - you’ll need it for the next steps
- This Service Account will be used by Encore to provision infrastructure
3
Configure Domain Restricted Sharing
Update your GCP Organization’s domain restricted sharing policy:
- Add Encore Cloud to your allowed domains list
- Follow the specific instructions provided on the Connect Cloud page
- This allows Encore’s Service Account to access your organization
Permission required: You need the Organization Policy Administrator role to modify this policy.
4
Grant Access to Encore Service Account
Provide the necessary permissions to Encore’s Service Account:
- Use the Service Account email from step 2
- Follow the detailed permission instructions on the Connect Cloud page
- Grant access to provision infrastructure in your GCP project
Required Permissions
Organization Policy Administrator Role
Organization Policy Administrator Role
Required for initial setupIf you don’t have the Organization Policy Administrator role:
- Ask your GCP Organization Administrator to grant you the role
- Alternatively, have them complete the domain restriction setup for you
- Go to the IAM & Admin page in GCP Console
- Find your user account in the members list
- Click the pencil icon to edit your account
- Add the Organization Policy Administrator role
- Click Save
Service Account Permissions
Service Account Permissions
Infrastructure provisioning permissionsThe Encore Service Account needs permissions to:
- Create and manage compute resources
- Provision managed database services
- Configure networking and security
- Set up monitoring and logging
- Manage IAM roles for your application
What Gets Deployed
When you deploy to your GCP account through Encore Cloud, the following infrastructure is automatically provisioned:Compute & Networking
Cloud-native application hosting
- Google Cloud Run or Compute Engine services
- Load balancing and auto-scaling
- VPC and firewall configuration
- SSL certificates and domain management
Data & Storage
Managed database and storage
- Cloud SQL for managed databases
- Cloud Storage for application assets
- Automated backups and maintenance
- Security and access controls
Security & Identity
Enterprise security configuration
- IAM roles and service accounts
- Security policies and firewall rules
- Encryption at rest and in transit
- Network isolation and access controls
Monitoring & Operations
Observability and management
- Cloud Monitoring integration
- Cloud Logging for centralized logs
- Integration with Encore’s monitoring
- Performance tracking and alerting
Managing Multiple GCP Accounts
Working with multiple GCP accountsIf you have access to multiple GCP accounts:
- Ensure you’re logged in with the correct account
- Verify the correct organization is selected in GCP Console
- Double-check you’re modifying policies for the right organization
- Use the account switcher in GCP Console if needed
Troubleshooting Common Issues
Cannot access/edit Domain Restricted Sharing policy
Cannot access/edit Domain Restricted Sharing policy
Missing Organization Policy Administrator roleProblem: You can’t access or modify the Domain restricted sharing policySolution:
- You need the Organization Policy Administrator role
- Ask your GCP Organization Administrator to grant you this role
- Alternatively, have them complete the setup for you
- Follow the role assignment steps in the permissions section above
Cannot grant access to Encore Service Account
Cannot grant access to Encore Service Account
Service Account access issuesProblem: Unable to grant access to the Encore Cloud service accountPossible causes and solutions:
- Domain restriction not configured: Ensure you’ve added Encore Cloud to your Domain restricted sharing policy
- Wrong GCP account: Verify you’re logged in with the correct account
- Wrong organization: Ensure the correct organization is selected in GCP Console
- Multiple accounts: If using several GCP accounts, make sure you’re working with the right one
Encore Cloud returns 'Could not find Organization ID'
Encore Cloud returns 'Could not find Organization ID'
Organization connectivity issuesProblem: Error message about missing Organization IDSolution:
- Verify you’ve completed all steps in the Connect Cloud page
- Ensure Encore Cloud has been granted access to your GCP Organization
- Check that you’re logged in with the correct GCP account
- Confirm the correct organization is selected in GCP Console
- If using multiple GCP accounts, verify you’re working with the intended one
Permission errors during deployment
Permission errors during deployment
Insufficient permissions for infrastructure provisioningProblem: Deployment fails due to missing permissionsSolution:
- Review the permission requirements in the Connect Cloud instructions
- Ensure the Encore Service Account has all necessary permissions
- Check GCP audit logs for specific permission denials
- Verify you’re working within the correct GCP project
After Connection
Once you’ve successfully connected your GCP account:1
Verify Connection
- Encore Cloud will test the connection to your GCP account
- You should see a success confirmation
- Your GCP account will appear as an available deployment target
2
Choose Deployment Region
Select which GCP region you want for your deployment:
- Consider latency to your users
- Review regional service availability
- Factor in compliance and data residency requirements
- Consider integration with existing GCP infrastructure
3
Deploy Your Application
- Click Deploy in your Leap project
- Select your GCP environment
- Monitor the deployment progress in Encore Cloud dashboard
- First deployment typically takes 10-15 minutes
Important Notes
Resource Management
Resource Management
Understanding infrastructure lifecycle
- Encore Cloud provisions infrastructure in your GCP account
- Resources are billed directly to your GCP account
- Manual approval required for resource deletion for safety
- Always approve infrastructure deletion in Encore Cloud dashboard when disconnecting
Billing and Costs
Billing and Costs
Managing GCP costs
- All infrastructure costs appear in your GCP billing
- Use GCP’s cost management tools to monitor spending
- Leverage existing GCP committed use discounts
- Set up billing alerts in your GCP account
Security and Compliance
Security and Compliance
Maintaining your security posture
- Your data remains in your GCP account at all times
- Leverage your existing GCP security policies
- Use Cloud Audit Logs for compliance tracking
- Implement your organization’s security requirements
Getting Help
If you encounter issues during the GCP connection process:Encore Support
Direct support channels
- Email: support@encore.dev
- Encore Discord community
- Detailed instructions in Connect Cloud page
GCP Documentation
Additional GCP resources
- GCP IAM Documentation
- Organization Policy Constraints
- GCP Support for account-specific issues
Next steps: After connecting your GCP account, you can deploy your application by selecting your GCP environment in the deployment options. Monitor the deployment progress through the Encore Cloud dashboard.