GoogleCloud (GCP) Client Authorization Configuration

The script market supports collecting cloud resources/cloud monitoring metrics through GCP service accounts and reporting them to Guance. Users can complete the authorization by configuring service accounts.

1. Prerequisites

Ensure the following APIs are enabled for each project to be monitored:

2. Create a Service Account

To collect GCP resources through the Dataflux Func script market, you need to create a GCP service account in the GCP project (or organization) whose resources are to be collected.

Open your Google Cloud console, navigate to IAM & Admin/Service accounts.

Click Create service account, enter Service account name, and click Create and continue.

Grant the service account access to the project:

  • Monitoring Viewer
  • Compute Viewer
  • Cloud Asset Viewer
  • Browser

[Screenshot: create-service-account]

Click Done. The service account you created now has the permissions required to collect resources under the current project. If you want to use this service account to collect resources from all projects under the entire organization, select the organization in IAM & Admin/IAM and grant the service account the same roles there.

3. Create a Service Account Key (Optional)

If your service account allows key creation (that is, the organization policy constraint iam.disableServiceAccountKeyCreation is not enforced):

  1. Click the service account you just created.
  2. Select the Keys tab, click Add Key-Create new key, choose the key type as JSON, and export the key for backup.

If your service account does not allow key creation, refer to the next section Service Account Impersonation.

4. Service Account Impersonation (Optional)

Service Account Impersonation allows an external GCP service account to impersonate the service account created on your GCP platform. Here we define two service accounts:

  • Sovereign Service Account: The service account created above (this service account has actual permissions and cannot create keys).
  • External Service Account: A service account from another GCP organization (can create keys).

Authorize the external service account:

  1. Click the service account created above (sovereign service account).
  2. Select the menu Principals with access, click Grant access.
  3. Add principals: Enter the email of the external service account.
  4. Assign roles: Select Service Account Token Creator.

[Screenshot: service-account-auth]

Now, the external delegated account can impersonate the service account of the platform to be collected and perform collection tasks.

Next, create a key for the external delegated service account and keep it for backup.

5. Script Market Collector Configuration

After creating the private key for the service account, you can log in to the Dataflux Func platform to complete the collector configuration.

Upload the Key to Dataflux Func File Management

  1. Enable the file management module: On the Manage page, click Experimental Features/Enable File Management and refresh the page; File Management then appears under Experimental Features.

[Screenshot: file-manage-enable]

  2. Click File Management to upload the private key file.

[Screenshot: private-to-file-manage]

Copy the full name of the private key file (including .json). You can also place it in another directory and copy the path, e.g., /a/b/keyfile.json.

Install/Deploy the Collector

Install the Collector

Search for the GCP service to be collected in the official script market and click Install.

Deploy the Collector

A configuration input box will pop up.

[Screenshot: service-account-input]

Input box description:

  • GCP Service Account File Name: The path to the service account key configuration file (the key path in file storage).
  • GCP Service Account Email: The service account email.
  • GCP Service Account Private Key: The private key of the service account.
  • Target Principal: When using service account impersonation, specify the email of the account to be impersonated.
  • Your Account Name: Define a name for the service account.

Fill in the input boxes according to the key file storage method.

GCP Service Account File Name, GCP Service Account Email, GCP Service Account Private Key:

  1. When using File Storage to store the key file (recommended):
     • GCP Service Account File Name: Enter the key file path in file management.
     • GCP Service Account Email: Ignore.
     • GCP Service Account Private Key: Ignore.

  2. If not using file storage, you can also directly copy the private_key and client_email from the private key file:
     • GCP Service Account Email: Enter the client_email value.
     • GCP Service Account Private Key: Enter the private_key value.
     • GCP Service Account File Name: Ignore.

  3. Configure the environment variable GOOGLE_SERVICE_ACCOUNT_INFO on the Dataflux Func platform, and copy the key file data into it (save as json type):
     • GCP Service Account File Name: Ignore.
     • GCP Service Account Email: Ignore.
     • GCP Service Account Private Key: Ignore.

Tip

The environment variable can only store one service account key and is globally effective.

[Screenshot: private-to-env]

Fill in the input boxes according to whether the service account is a delegated service account.

Target Principal: Specify the email of the account to be impersonated. Ignore if not needed.
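As an added illustration (not Dataflux Func's own collector code), the following Python resolves the three key-input methods above in the order the page lists them, validates the key JSON, and carries the Target Principal through for impersonation. The function name resolve_gcp_credentials, the root parameter and the sample key are assumptions constructed for this example.

```python
import json
import os
from pathlib import Path

# Constructed sample key; the PEM body is a placeholder, not a real key.
CONSTRUCTED_KEY = {
    "type": "service_account",
    "client_email": "external-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nEXAMPLE\n-----END PRIVATE KEY-----\n",
}


def _validate_key_info(info, source):
    """Check the fields the collector needs (assumption: not Dataflux Func's code)."""
    missing = [f for f in ("type", "client_email", "private_key") if not info.get(f)]
    if missing:
        raise ValueError(f"{source}: key JSON is missing {missing}")
    if info["type"] != "service_account":
        raise ValueError(f"{source}: type must be 'service_account'")
    if not info["private_key"].startswith("-----BEGIN"):
        raise ValueError(f"{source}: private_key is not a PEM block")
    return info


def resolve_gcp_credentials(file_name="", email="", private_key="",
                            target_principal="", env=None, root="/"):
    """Pick the key source in the page's order: file storage, then the inline
    email/private_key fields, then GOOGLE_SERVICE_ACCOUNT_INFO. Returns the
    client_email, the private_key and the impersonation target (or None)."""
    env = os.environ if env is None else env
    if file_name:
        path = Path(root) / file_name.lstrip("/")
        if path.suffix != ".json":
            raise ValueError("file name must include the .json extension")
        info = _validate_key_info(json.loads(path.read_text()), "file storage")
        source = "file"
    elif email and private_key:
        info = _validate_key_info({"type": "service_account", "client_email": email,
                                   "private_key": private_key}, "inline fields")
        source = "inline"
    elif env.get("GOOGLE_SERVICE_ACCOUNT_INFO"):
        info = _validate_key_info(json.loads(env["GOOGLE_SERVICE_ACCOUNT_INFO"]),
                                  "environment variable")
        source = "env"
    else:
        raise ValueError("no service account key configured")
    return {"source": source, "client_email": info["client_email"],
            "private_key": info["private_key"],
            "target_principal": target_principal or None}
```

In a real collector the resolved client_email and private_key would typically be handed to google.oauth2.service_account.Credentials.from_service_account_info, and a non-empty target_principal to google.auth.impersonated_credentials.Credentials, both from the google-auth package named under Common Issues.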

Common Issues:

  1. Collector error: name 'service_account' is not defined. Your Dataflux Func does not have google-auth==2.38.0 installed (it is part of the default configuration in new versions of Dataflux Func GSE). You can install it manually using the PIP Tool or upgrade the Dataflux Func service.

Appendix:
