
GoogleCloud (GCP) Client Authorization Configuration

The script market can collect cloud resources and cloud monitoring metrics through a GCP service account and report them to Guance. Authorization is completed by configuring that service account.

1. Prerequisites

Ensure the following APIs are enabled for each project to be monitored:

2. Create a Service Account

To collect GCP resources through the Dataflux Func script market, you first need to create a GCP service account in the GCP project (or organization) to be collected.

Open your Google Cloud console, navigate to IAM & Admin/Service accounts.

Click Create service account, enter the Service account name, and click Create and continue.

Grant the service account access to the project:

  • Monitoring Viewer
  • Compute Viewer
  • Cloud Asset Viewer
  • Browser

[Image: create-service-account]

Click Done. The service account you created now has all the permissions needed to collect resources under the current project. If you want to use this service account to collect resources from every project in the organization, select the organization instead and grant the service account the same roles as above under IAM & Admin/IAM.

3. Create a Service Account Key (Optional)

If your service account allows key creation (that is, the organization policy constraint iam.disableServiceAccountKeyCreation is not enforced):

  1. Click the service account you just created.
  2. Select the Keys tab, click Add Key > Create new key, choose JSON as the key type, and download the key file and keep it for later use.

If your service account does not allow key creation, see the next section, Service Account Impersonation.

4. Service Account Impersonation (Optional)

Service account impersonation allows an external GCP service account to act as the service account created on your GCP platform. Here we distinguish two service accounts:

  • Sovereign service account: the service account created above (it holds the actual permissions but cannot create keys).
  • External service account: a service account from another GCP organization (it can create keys).

Authorize the external service account:

  1. Click the service account created above (the sovereign service account).
  2. Select the Principals with access tab and click Grant access.
  3. Under Add principals, enter the external service account email.
  4. Under Assign roles, select Service Account Token Creator.

[Image: service-account-auth]

Now the external (delegated) service account can impersonate the service account of the platform to be collected and perform the collection.

Next, create a key for the external delegated service account and keep it for the collector configuration.

5. Script Market Collector Configuration

With the service account private key created, log in to the Dataflux Func platform to complete the collector configuration.

Upload the Key to Dataflux Func File Management

  1. Enable the file management module: on the "Management" page, click "Experimental Features", then "Enable File Management", and refresh the page. "File Management" now appears under "Experimental Features".

[Image: file-manage-enable]

  2. Click "File Management" and upload the private key file.

[Image: private-to-file-manage]

Copy the full name of the private key file (including the .json extension). You can also place it in another directory and copy its path, e.g., /a/b/keyfile.json.

Install/Deploy the Collector

Install the Collector

Search for the GCP service to be collected in the official script market and click install.

Deploy the Collector

A configuration input box will pop up.

[Image: service-account-input]

Input box introduction:

  • GCP Service Account File Name: The path of the service account key file in file management (file storage).
  • GCP Service Account Email: The service account email.
  • GCP Service Account Private Key: The service account private key.
  • Target Principal: When using service account impersonation, specify the email of the account to be impersonated.
  • Your Account Name: Define a name for the service account.

Fill in the input boxes according to how the key file is stored. The three fields GCP Service Account File Name, GCP Service Account Email and GCP Service Account Private Key are filled as follows.

  1. Key file stored in "File Management" (recommended):

     • GCP Service Account File Name: enter the path of the key file in file management.
     • GCP Service Account Email: ignore (leave empty).
     • GCP Service Account Private Key: ignore (leave empty).

  2. Without file storage, copy the private_key and client_email values directly from the key file:

     • GCP Service Account Email: enter the client_email value.
     • GCP Service Account Private Key: enter the private_key value.
     • GCP Service Account File Name: ignore (leave empty).

  3. Key stored in the environment variable GOOGLE_SERVICE_ACCOUNT_INFO on the Dataflux Func platform (copy the contents of the key file into it and save it as JSON type):

     • GCP Service Account File Name: ignore (leave empty).
     • GCP Service Account Email: ignore (leave empty).
     • GCP Service Account Private Key: ignore (leave empty).

Tip

This environment variable can hold only one service account key, and it takes effect globally.

[Image: private-to-env]

Please fill in the input box according to whether the service account is a delegated service account.

Target Principal: Specify the email of the account to be impersonated, ignore if not needed.
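The following is an added example, not code from Dataflux Func or the script market. It shows how a collector can resolve the key from the three storage methods above in the order the form describes (file name, then inline email + private key, then GOOGLE_SERVICE_ACCOUNT_INFO) and, when a Target Principal is set, wrap the credentials with google-auth impersonation as in the Service Account Impersonation section. The function names, the "source" field and the sample key JSON are assumptions; the sample key is constructed with a placeholder private key.

```python
import json
import os
from typing import Callable, Optional

# Constructed sample in the layout of a downloaded GCP service account JSON
# file; the private key is a placeholder, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "collector@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()

def resolve_service_account_info(file_name: str = "", email: str = "",
                                 private_key: str = "", env: Optional[dict] = None,
                                 read_file: Callable[[str], str] = _read_text) -> dict:
    """Pick the key source as the form fields describe it: file name first, then
    inline email + private key, then GOOGLE_SERVICE_ACCOUNT_INFO. 'source' records which."""
    env = os.environ if env is None else env
    if file_name:
        info = dict(json.loads(read_file(file_name)), source="file")
    elif email and private_key:
        info = {"client_email": email, "private_key": private_key, "source": "inline"}
    elif env.get("GOOGLE_SERVICE_ACCOUNT_INFO"):
        info = dict(json.loads(env["GOOGLE_SERVICE_ACCOUNT_INFO"]), source="env")
    else:
        raise ValueError("no service account key configured")
    for field in ("client_email", "private_key"):
        if not info.get(field):
            raise ValueError(f"service account info lacks {field}")
    return info

def build_credentials(info: dict, target_principal: str = ""):
    """Turn the resolved key into google-auth credentials; with a Target Principal,
    wrap them so API calls run as that (sovereign) account."""
    from google.oauth2 import service_account  # requires google-auth installed
    scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    key = {k: v for k, v in info.items() if k != "source"}
    key.setdefault("token_uri", "https://oauth2.googleapis.com/token")
    creds = service_account.Credentials.from_service_account_info(key, scopes=scopes)
    if target_principal:  # needs Service Account Token Creator on the target
        from google.auth import impersonated_credentials
        creds = impersonated_credentials.Credentials(
            source_credentials=creds, target_principal=target_principal, target_scopes=scopes)
    return creds
```

build_credentials only runs when google-auth is installed (see Common Issues below); the resolution step needs no network or GCP access.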

Common Issues:

  1. Collector error: name 'service_account' is not defined. Your Dataflux Func does not have google-auth==2.38.0 installed (recent Dataflux Func GSE versions ship it by default). Install it manually through the built-in PIP tool, or upgrade the Dataflux Func service.

Appendix:
