Performance Protection : To prevent rate limits and quota exhaustion from repeating project-by-project IAM scans, this resolved set is cached in-memory with a thread-safe, 10-minute time-to-live (TTL).
IAP-Enforced Row-Level Security : We serve the React dashboard and agent chat through an Identity-Aware Proxy (IAP). When a user requests data, the BFF extracts their email from the x-goog-authenticated-user-email header. It resolves their allowed projects list and sets it in a local context variable.
To prevent a prompt injection, or a hallucinating agent, from exposing data about projects the user shouldn’t see, we intercept every BigQuery billing query and wrap it in a subquery that filters on the allowed projects only. This means that even if the agent queries the whole dataset, the database engine itself enforces strict row-level filtering based on the logged-in user’s identity. If the user only has access to one project, that’s all the agent can query.
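As an added illustration (not FinSavant’s own code), here is a small Python sketch of the three pieces described above: parsing the IAP identity header, the thread-safe TTL cache of allowed projects, and rewriting the agent’s billing table reference into a project-filtered subquery with the project list bound as a query parameter. The table name is a placeholder and the `project.id` column of the billing export is assumed.

```python
import re
import threading
import time

# Assumed (placeholder) billing export table referenced by the agent's SQL.
BILLING_TABLE = "`billing.gcp_billing_export_v1`"

def email_from_iap_header(value):
    """IAP writes 'accounts.google.com:user@domain' into x-goog-authenticated-user-email.
    Only trust it on requests that really arrived through IAP (backend not reachable directly)."""
    namespace, sep, email = (value or "").partition(":")
    if not sep or namespace != "accounts.google.com" or "@" not in email:
        raise PermissionError("missing or malformed IAP identity header")
    return email.lower()

class AllowedProjectsCache:
    """Thread-safe per-user cache of resolved project IDs with a TTL (10 minutes on the page)."""
    def __init__(self, resolver, ttl_seconds=600):
        self._resolver, self._ttl = resolver, ttl_seconds
        self._lock, self._entries = threading.Lock(), {}

    def get(self, email):
        now = time.monotonic()
        with self._lock:
            hit = self._entries.get(email)
            if hit and hit[0] > now:
                return hit[1]
        projects = frozenset(self._resolver(email))  # slow IAM scan runs outside the lock
        with self._lock:
            self._entries[email] = (now + self._ttl, projects)
        return projects

def scope_billing_query(agent_sql, allowed_projects):
    """Replace the billing table with a subquery restricted to the caller's projects.
    Returns (sql, params); bind params['allowed_projects'] as an ARRAY<STRING> query
    parameter so project IDs are never interpolated into the SQL text."""
    pattern = re.escape(BILLING_TABLE)
    if not re.search(pattern, agent_sql):
        raise ValueError("billing queries must read from the billing export table")
    if not allowed_projects:  # deny by default: a user with no projects sees zero rows
        filtered = f"(SELECT * FROM {BILLING_TABLE} WHERE FALSE)"
    else:
        filtered = (f"(SELECT * FROM {BILLING_TABLE} "
                    "WHERE project.id IN UNNEST(@allowed_projects))")
    return re.sub(pattern, filtered, agent_sql), {"allowed_projects": sorted(allowed_projects)}
```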
Cloud Asset Inventory (CAI)
I’m using CAI for:
- Zombie Detection : I built custom CAI queries to instantly scan for unattached disks and idle external IPs.
- Detective Mode : When we detect a cost spike, the agent uses CAI history to audit the exact configuration changes that occurred on that resource over the last 35 days, for example detecting that an engineer raised a Cloud Run instance’s memory limit.
BigQuery Tool Calls From Our Agents
I want to be able to query my billing data — stored in BigQuery — using natural language prompts. I’m achieving this in two different ways, depending on where I’m coming from.
- In my development workspace, I’m using the Google remote managed BigQuery MCP server (https://bigquery.googleapis.com/mcp).
- In our FinSavant ADK agent itself, I’m using ADK’s native BigQueryToolset directly. In doing so, we simplify authentication, reduce runtime latency when making BQ calls, reduce dependency on an external service, and align with ADK best practices.
Developer Knowledge MCP
To make FinSavant’s advice more than just generic feedback, we need to ground its recommendations in official Google Cloud engineering standards. That’s where the Developer Knowledge MCP comes in.
This MCP server provides a direct gateway to Google’s official developer documentation, product guides, API reference material, and the Cloud Architecture Framework. Instead of relying on the LLM’s static training data, the agent can query this knowledge base in real time to retrieve authoritative, up-to-date information.
In FinSavant, we use the Developer Knowledge MCP to:
- Determine the Best Course of Action : When the agent discovers a cost anomaly, it doesn’t just throw alerts. It queries the MCP to formulate an appropriate, structured response grounded in official documentation.
- Verify Architectural Best Practices : It checks current Google Cloud design patterns, ensuring the agent doesn’t recommend legacy or non-optimal resource structures.
- Provide Actionable Remediation : If an idle persistent disk is flagged, the agent uses the MCP to outline the exact recommended steps to snapshot and clean up the asset safely, linking the user directly to the relevant documentation.
- Eliminate Hallucinations : By grounding the agent in real-time documentation, we ensure any CLI commands or configuration snippets it presents are correct and match the latest GCP standards.
Let’s See It In Action!
In this short video I demonstrate a number of FinSavant features, including:
- Using starter chips to kick off an initial conversation, e.g. looking for cost spikes over the last 30 days
- Seeing the various tools and MCP servers called in real time
- Seeing recommendations based on the findings
- Watching tiles and graph widgets being created in real time using A2UI
- Asking follow-up questions about particular projects
- Looking for other cost anomalies
Cool, right?
What’s Next?
In the next part of this series, we’ll get our hands dirty with Part 2: Building the Agentic Solution: Development with Google Antigravity, ADK, Agents CLI, MCP & Skills.
I’ll show you how to set up your development environment, how to bootstrap ADK agents, and the code behind FinSavant.
Stay tuned!
Before You Go
- Please share this with anyone that you think will be interested. It might help them, and it really helps me!
- Please give me 50 claps! (Just hold down the clap button.)
- Feel free to leave a comment 💬.
- Follow and subscribe, so you don’t miss my content.
Useful Links and References
Project Code & Demo
Gemini Enterprise Agent Platform & ADK
Google Cloud Services & APIs
GCP Billing & FinOps
Articles & Resources
Portfolio