How to create a service account for monitoring Google Cloud
ManageEngine Site24x7 allows you to monitor your Google Cloud resources at two levels:
- Organization
- Project
Organization-level monitoring lets you monitor all the projects, folders, and resources under the organization. Project-level monitoring monitors only the resources under that project. This help document provides instructions on the following:
- Create a service account for organization monitoring
- Create and export the service account key
- Create a service account for project monitoring
- APIs to be enabled for monitoring
Create a service account for organization monitoring
Make sure you hold at least one of these roles so that you can assign the required roles:
- Project IAM Admin (or higher)
- Folder Admin
- Organization Administrator

- Log in to your Google Cloud console.
- Navigate to one of the projects you would like to monitor and click IAM & Admin > Service Accounts.
- Click Create service account.
- Provide an appropriate name for the service account and click Create and continue.
- Provide the following roles to the service account:
  - Browser
  - Viewer
- Click Continue > Done.
- Navigate to the IAM page of the Google Cloud console.
- Select a project, folder, or organization you would like to monitor.
- To provide a role, click Grant access and enter the email address of the service account you just created.
- Provide these roles:
  - Browser
  - Viewer
- Click Save.
If you have provided the roles at the organization level, they are cascaded down to all the projects and folders under the organization, and you need not repeat the process for those projects and folders.
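To confirm that the grant described above left the service account with Browser and Viewer and nothing more, the following added example (not Site24x7's or Google's code) audits an exported IAM policy. The service account email and the sample policy are constructed; the policy follows the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Roles this page grants to the monitoring service account (Browser, Viewer).
EXPECTED_ROLES = {"roles/browser", "roles/viewer"}

# Hypothetical service account email and constructed policy, in the shape
# printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SA_EMAIL = "site24x7-monitor@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/browser", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/viewer",
         "members": ["user:admin@example.com", f"serviceAccount:{SA_EMAIL}"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2030-01-01T00:00:00Z")'}},
        {"role": "roles/editor", "members": [f"serviceAccount:{SA_EMAIL}"]},
    ],
    "etag": "constructed",
    "version": 3,
}


def audit_service_account(policy, sa_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to sa_email in one IAM policy with `expected`.

    missing:     expected roles without an unconditional binding
    extra:       roles bound to the account beyond the expected set
    conditional: expected roles that are bound only behind an IAM condition
    """
    member = f"serviceAccount:{sa_email}"
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        bucket = conditional if binding.get("condition") else unconditional
        bucket.add(binding["role"])
    return {
        "missing": sorted(expected - unconditional),
        "extra": sorted((unconditional | conditional) - expected),
        "conditional": sorted((conditional - unconditional) & expected),
    }


if __name__ == "__main__":
    print(json.dumps(audit_service_account(SAMPLE_POLICY, SA_EMAIL), indent=2))
```

Run it against the policy of the level where you granted the roles: a project's own policy does not list bindings inherited from its folder or organization.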
Create and export the service account key
- Log in to your Google Cloud console.
- Navigate to IAM & Admin > Service Accounts.
- Select the service account you created.
- Select Keys > Add key > Create new key > JSON.
- Click Create.
The service account key will be downloaded in JSON format. Upload this JSON key file on Site24x7's Add GCP Monitor page when prompted.
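The downloaded JSON file is a long-lived credential for the service account, so it is worth checking before upload that it belongs to the intended account and is not readable by other local users. This is an added example, not code from Site24x7 or Google; the email, file name, and key contents are constructed placeholders, and the mode check assumes a POSIX file system.

```python
import json
import os
import stat
import tempfile


def check_key_file(path, expected_email):
    """Return a list of findings for an exported service account key (POSIX modes)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: key is accessible to group or other users")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # covers malformed JSON and bad encoding
        return findings + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return findings + ["not a service account key (type != service_account)"]
    if key.get("client_email") != expected_email:
        findings.append(f"key belongs to {key.get('client_email')!r}, not the monitoring account")
    for field in ("project_id", "private_key_id", "private_key"):
        if not key.get(field):
            findings.append(f"missing field: {field}")
    return findings


def write_sample_key(directory, email, mode):
    """Write a constructed key file (placeholder key material) for the demo."""
    path = os.path.join(directory, "sample-key.json")
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key_id": "constructed-id", "private_key": "CONSTRUCTED-PLACEHOLDER",
              "client_email": email}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sample, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    email = "site24x7-monitor@example-project.iam.gserviceaccount.com"
    with tempfile.TemporaryDirectory() as tmp:
        print(check_key_file(write_sample_key(tmp, email, 0o644), email))
        print(check_key_file(write_sample_key(tmp, email, 0o600), email))
```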
Create a service account for project monitoring
- Log in to your Google Cloud console.
- Navigate to the project you would like to monitor.
- Click IAM & Admin > Service Accounts.
- Click Create service account.
- Provide an appropriate name for the service account and click Create and continue.
- Navigate to the Permissions tab.
- Provide the following roles to the service account:
  - Browser
  - Viewer
- Click Continue > Done.
- Navigate to the Keys tab and follow these steps to export the service account key:
  - Select Keys > Add key > Create new key > JSON.
  - Click Create.
APIs to be enabled for monitoring
- "compute.googleapis.com"
- "cloudfunctions.googleapis.com"
- "dataproc.googleapis.com"
- "redis.googleapis.com"
- "container.googleapis.com"
- "spanner.googleapis.com"
- "appengine.googleapis.com"
- "pubsub.googleapis.com"
- "composer.googleapis.com"
- "monitoring.googleapis.com"
- "sqladmin.googleapis.com"
- "dataflow.googleapis.com"
- "run.googleapis.com"
- "file.googleapis.com"
- "cloudkms.googleapis.com"
- "dns.googleapis.com"
- "cloudbilling.googleapis.com"
- "cloudresourcemanager.googleapis.com"
- "cloudasset.googleapis.com"
- "servicenetworking.googleapis.com"
Ideally, these APIs are enabled by default. If you enable them manually, allow 5-10 minutes for these changes to be applied to Site24x7.
If you prefer enabling these APIs through Terraform, use our sample Terraform script in this knowledge base document.
FAQs
1. Which is better: project-level monitoring or organization-level monitoring?
If there are many projects and folders under an organization, organization-level monitoring is preferable because all the projects will be automatically discovered and added for monitoring if you provide Site24x7 with the minimal access required. If all your resources are under only one project, and you do not expect any more projects to be added in the near future, project-level monitoring is sufficient.
2. Does Site24x7 require any other permissions?
In addition to monitoring more than 20 Google Cloud resources, through Site24x7 you can also perform management actions like starting or stopping VMs. To perform management actions, you need the additional permissions listed in this knowledge base document.
3. Why can't I see Google Cloud monitors in my Site24x7 account?
The most common reasons why your Google Cloud monitors are not listed in your Site24x7 account are explained in our knowledge base document.