Does GOOGLE_CREDENTIALS take a file path or the key content?

The key content. The documented pattern is export GOOGLE_CREDENTIALS=$(cat /path/to/key.json), which places the JSON document itself in the variable. Alternatively, the --auth flag can reference the key by file path using the credentialsfilepath setting.

What IAM role does the service account need?

The role implied by your queries. roles/viewer at project scope covers read-only inventory and audit queries; mutations such as INSERT and DELETE require the corresponding editor or service-specific admin roles.

Why do Google queries require a project (and often zone) in the WHERE clause?

Google Cloud APIs are scoped by project, and zonal services by zone. These are required parameters of the API call. For google.compute.instances, the aggregated_list method requires only project, while list requires project and zone - run SHOW METHODS IN google.compute.instances to see both.

How to authenticate StackQL to Google Cloud

StackQL authenticates to Google Cloud with a service account key, supplied as JSON content in the GOOGLE_CREDENTIALS environment variable.

Steps

Create a service account and grant it a role on the target project (roles/viewer suffices for read-only querying), then create and download a JSON key:

gcloud iam service-accounts keys create stackql-key.json \
  --iam-account=stackql-sa@my-project.iam.gserviceaccount.com

Export the key content:

export GOOGLE_CREDENTIALS=$(cat ./stackql-key.json)

An alternative is passing the key by path with the --auth flag, which is useful for server and MCP deployments:

stackql shell \
  --auth='{"google": {"type": "service_account", "credentialsfilepath": "/path/to/stackql-key.json"}}'

Pull the Google provider (first use only):

REGISTRY PULL google;

Verify with a query:

SELECT name, status, machineType
FROM google.compute.instances
WHERE project = 'my-project';

This uses the aggregated_list access method, which requires only project and returns instances across all zones. The zonal list method requires both project and zone; SHOW METHODS IN google.compute.instances shows each method's required parameters.

Where the credentials apply

The same variable (or --auth object) works across stackql shell, stackql exec, stackql srv, and stackql mcp. For Claude Desktop and similar MCP clients, set GOOGLE_CREDENTIALS in the env block of the server configuration. In CI, source the key from the platform's secret store - never commit it.

How to authenticate StackQL to AWS - the AWS equivalent
How to authenticate StackQL to Azure - the Azure equivalent
How to use StackQL with AI agents - credentials in MCP deployments
What is SQL for APIs? - why required parameters surface in WHERE clauses
Common StackQL errors - including authentication failures

Steps​

Where the credentials apply​

Related concepts​

Steps

Where the credentials apply

Related concepts