
How to create a service account for monitoring Google Cloud

Create a service account and enable automatic project discovery to integrate Site24x7 with Google Cloud. With this method, you can monitor all projects visible to the service account by assigning IAM (Identity and Access Management) roles at the relevant scope.

How to create a service account for GCP organization monitoring in Site24x7

Create your Google Cloud service account.

  1. Go to Google Cloud Console.
  2. Navigate to IAM & Admin > Service Accounts.
  3. Click Create service account.
  4. Give the service account a unique name, then click Create and continue.
  5. Add the following roles to the service account:
    • Monitoring Viewer
    • Compute Viewer
    • Cloud Asset Viewer
    • Browser
    • Viewer
  6. Click Continue, then Done to complete creating the service account. You will require the service account email address later.

Assign roles at other scopes for auto-discovery of projects.

Make sure you have any one of the permissions listed below, which are needed to assign roles at the desired scope:

  • Project IAM Admin (or higher)
  • Folder Admin
  • Organization Admin

  1. In Google Cloud console, go to the IAM page.
  2. Select a project, folder, or organization.
  3. To grant a role to a principal that does not already have other roles on the resource, click Grant Access, then enter the email of the service account you created earlier.
  4. Assign the following roles:
    • Compute Viewer
    • Monitoring Viewer
    • Cloud Asset Viewer
    • Browser
    • Viewer
  5. Click Save.

To create a JSON key, follow the instructions given below:

  1. Go to Google Cloud service account.
  2. Navigate to IAM & Admin > Service Accounts.
  3. Select the service account that you created in the previous step.
  4. Select Key > Add Key > JSON.
  5. Upload the JSON key file in the Site24x7 Add Google Cloud Monitor page.

You can assign these roles to projects individually, or you can configure Site24x7 to monitor multiple projects by assigning these roles at the organization or folder level. Assigning roles in this way allows Site24x7 to automatically discover and monitor all projects in the given scope, including any new projects that may be added to the group in the future.

How to create a service account for GCP project monitoring in Site24x7

  1. Create your Google Cloud service account.
    1. Go to Google Cloud Console.
    2. Navigate to IAM & Admin > Service Accounts.
    3. Click Create service account.
    4. Give the service account a unique name, then click Create and continue.
    5. Add the following roles to the service account:
      • Monitoring Viewer
      • Compute Viewer
      • Cloud Asset Viewer
      • Viewer
  2. Click Continue, then Done to complete creating the service account.
  3. Create a JSON key.
    1. Go to Google Cloud service account.
    2. Navigate to IAM & Admin > Service Accounts.
    3. Select the service account that you created in the previous step.
    4. Select Key > Add Key > JSON.
    5. Upload the key in Site24x7 Google Cloud's add monitor page.

Prerequisites: Enable the APIs mentioned below at each project level

For easier setup, refer to our sample Terraform script, which can be used to enable the required APIs at each project level.

Main.tf

provider "google" {
  # Replace with the ID of your base project.
  project = "base project id"
}

# Enable the required APIs in every project listed in var.project_id_map.
module "project-services" {
  source   = "terraform-google-modules/project-factory/google//modules/project_services"
  for_each = var.project_id_map

  project_id = each.value.project_id
  activate_apis = [
    "compute.googleapis.com",
    "cloudfunctions.googleapis.com",
    "dataproc.googleapis.com",
    "redis.googleapis.com",
    "container.googleapis.com",
    "spanner.googleapis.com",
    "appengine.googleapis.com",
    "pubsub.googleapis.com",
    "composer.googleapis.com",
    "monitoring.googleapis.com",
    "dataflow.googleapis.com",
    "run.googleapis.com",
    "file.googleapis.com",
    "cloudkms.googleapis.com",
    "dns.googleapis.com",
    "cloudbilling.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudasset.googleapis.com",
    "servicenetworking.googleapis.com",
    "sqladmin.googleapis.com",
  ]
}

variables.tf

variable "project_id_map" {
  type = map(object({
    project_id = string
  }))
  default = {
    "Projectid_1" = {
      project_id = "project_1_id"
    }
    "Projectid_2" = {
      project_id = "project_2_id"
    }
  }
}

  • compute.googleapis.com
  • cloudfunctions.googleapis.com
  • dataproc.googleapis.com
  • redis.googleapis.com
  • container.googleapis.com
  • spanner.googleapis.com
  • appengine.googleapis.com
  • pubsub.googleapis.com
  • composer.googleapis.com
  • monitoring.googleapis.com
  • dataflow.googleapis.com
  • run.googleapis.com
  • file.googleapis.com
  • cloudkms.googleapis.com
  • dns.googleapis.com
  • cloudbilling.googleapis.com
  • cloudresourcemanager.googleapis.com
  • cloudasset.googleapis.com
  • servicenetworking.googleapis.com
  • sqladmin.googleapis.com

Most of the APIs mentioned above are enabled by default when you create your Google Cloud resources.
