You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Sep 2, 2025. It is now read-only.
To configure your GCP service, follow these steps:
43
+
To configure your GCP service:
90
44
91
-
#. In a new window or tab, go to the Google Cloud Platform website, and log into your GCP account.
92
-
#. Open the GCP web console, and select a project you want to monitor.
93
-
#. From the sidebar, select :menuselection:`IAM &admin`, then :menuselection:`Service Accounts`.
94
-
#. Go to :guilabel:`Create Service Account` at the top of the screen, and complete the following fields:
45
+
#. Log into your GCP account and select the project you want to monitor in the GCP web console.
95
46
96
-
.. list-table::
97
-
:header-rows: 1
98
-
:widths: 40 60
47
+
#. From the sidebar, select :menuselection:`IAM &admin`, then :menuselection:`Service Accounts`.
99
48
100
-
* - :strong:`Field`
101
-
- :strong:`Description`
49
+
#. Go to :guilabel:`Create Service Account` at the top of the screen, complete the following fields, and select :guilabel:`CREATE`.
102
50
103
-
* - Service account name
104
-
- Enter ``Splunk``.
51
+
* **Service account name**. Enter ``Splunk``.
105
52
106
-
* - Service account ID
107
-
- This field autofills after you enter ``Splunk`` for Service account name.
53
+
* **Service account ID**. This field autofills after you enter ``Splunk`` for Service account name.
108
54
109
-
* - Service account description
110
-
- Enter the description for your service account.
55
+
* **Service account description**. Enter the description for your service account.
111
56
112
-
#. Select :guilabel:`CREATE`.
113
57
#. (Optional) Select a role to grant this Service account access to the selected project, then select :guilabel:`CONTINUE`.
58
+
114
59
#. Activate Key type :guilabel:`JSON`, and select :guilabel:`CREATE`. A new service account key JSON file is then downloaded to your computer.
115
-
#. In a new window or tab, go to :new-page:`Cloud Resource Manager API <https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com?pli=1>`, and activate the Cloud Resource Manager API. You need to activate this API so Splunk Infrastructure Monitoring can use it to validate permissions on the service account keys.
60
+
61
+
#. In a new window or tab, go to :new-page:`Cloud Resource Manager API <https://console.cloud.google.com/apis/library/cloudresourcemanager.googleapis.com?pli=1>`, and activate the Cloud Resource Manager API. You need to activate this API so Splunk Observability Cloud can use it to validate permissions on the service account keys.
116
62
117
63
.. _gcp-projects:
118
64
@@ -125,42 +71,47 @@ To configure your GCP service, follow these steps:
125
71
126
72
By default, all supported services are monitored, and any new services added later are also monitored. When you set integration parameters, you can choose to import metrics from a subset of the available services.
127
73
128
-
#. Log in to Splunk Observability Cloud.
129
-
#. Open the :new-page:`Google Cloud Platform guided setup <https://login.signalfx.com/#/integrations/gcp>`. Optionally, you can navigate to the guided setup on your own:
74
+
#. Log in to Splunk Observability Cloud and open the :new-page:`Google Cloud Platform guided setup <https://login.signalfx.com/#/integrations/gcp>`. Optionally, you can navigate to the guided setup on your own:
130
75
131
-
#. In the navigation menu, select :menuselection:`Data Management`.
76
+
#. In the left navigation menu, select :menuselection:`Data Management`.
132
77
133
78
#. Go to the :guilabel:`Available integrations` tab, or select :guilabel:`Add Integration` in the :guilabel:`Deployed integrations` tab.
134
79
135
80
#. In the integration filter menu, select :guilabel:`By Use Case`, and select the :guilabel:`Monitor Infrastructure` use case.
136
81
137
82
#. In the :guilabel:`Cloud Integrations` section, select the :guilabel:`Google Cloud Platform` tile to open the Google Cloud Platform guided setup.
138
83
139
-
#. Go to :guilabel:`New Integration`.
84
+
#. In the GCP guided setup enter a name for your new GCP integration, then :guilabel:`Add Project`.
140
85
141
-
#. Enter a name for the new GCP integration, then :guilabel:`Add Project`.
142
86
#. Next, select :guilabel:`Import Service Account Key`, and select one or more of the JSON key files that you downloaded from GCP in :ref:`Configure GCP <gcp-two>`.
87
+
143
88
#. Select :guilabel:`Open`. You can then see the project IDs corresponding to the service account keys you selected.
89
+
144
90
#. To import :ref:`metrics <gcp-metrics>` from only some of the available services, follow these steps:
145
91
146
92
- Go to :guilabel:`All Services` to display a list of the services you can monitor.
147
93
- Select the services you want to monitor, and then :guilabel:`Apply`.
148
94
149
-
#. Select the rate (in seconds) at which you want Splunk Observability Cloud to poll GCP for metric data, with 1 minute as the minimum unit, and 10 minutes as the maximum unit. For example, a value of 300 polls metrics once every 5 minutes.
150
-
#. Optional:
95
+
#. Select the rate (in seconds) at which you want Splunk Observability Cloud to poll GCP for metric data, with 1 minute as the minimum unit, and 10 minutes as the maximum unit. For example, a value of 300 polls metrics once every 5 minutes.
151
96
152
-
- List any additional GCP service domain names that you want to monitor, using commas to separate domain names in the :strong:`Custom Metric Type Domains` field.
153
-
154
-
- For example, to obtain Apigee metrics, add ``apigee.googleapis.com``.
155
-
- To learn about custom metric type domain syntax, see :new-page:`Custom metric type domain examples <https://dev.splunk.com/observability/docs/integrations/gcp_integration_overview#Custom-metric-type-domain-examples>` in the Splunk developer documentation.
97
+
Your GCP integration is now complete.
156
98
157
-
- If you select Compute Engine as one of the services to monitor, you can enter a comma-separated list of Compute Engine Instance metadata keys to send as properties. These metadata keys are sent as properties named ``gcp_metadata_<metadata-key>``.
99
+
.. note:: Splunk is not responsible for data availability, and it can take up to several minutes (or longer, depending on your configuration) from the time you connect until you start seeing valid data from your account.
158
100
159
-
- Select :strong:`Use quota from the project where metrics are stored` to use a quota from the project where metrics are stored. The service account provided for the project needs either the ``serviceusage.services.use`` permission, or the `Service Usage Consumer` role.
101
+
Options
102
+
++++++++
160
103
161
-
Your GCP integration is now complete.
104
+
Optionally you can:
162
105
163
-
.. note:: Splunk is not responsible for data availability, and it can take up to several minutes (or longer, depending on your configuration) from the time you connect until you start seeing valid data from your account.
106
+
* To list any additional GCP service domain names that you want to monitor, use commas to separate domain names in the :strong:`Custom Metric Type Domains` field.
107
+
108
+
- For example, to obtain Apigee metrics, add ``apigee.googleapis.com``.
109
+
110
+
- To learn about custom metric type domain syntax, see :new-page:`Custom metric type domain examples <https://dev.splunk.com/observability/docs/integrations/gcp_integration_overview#Custom-metric-type-domain-examples>` in the Splunk developer documentation.
111
+
112
+
* If you select Compute Engine as one of the services to monitor, you can enter a comma-separated list of Compute Engine Instance metadata keys to send as properties. These metadata keys are sent as properties named ``gcp_metadata_<metadata-key>``.
113
+
114
+
* Select :strong:`Use quota from the project where metrics are stored` to use a quota from the project where metrics are stored. The service account provided for the project needs either the ``serviceusage.services.use`` permission, or the `Service Usage Consumer` role.
@@ -13,10 +13,82 @@ The following pre-requisites apply:
13
13
* You must be an administrator of your Splunk Observability Cloud organization to create a GCP connection.
14
14
* Splunk Observability Cloud supports all GCP regions.
15
15
16
-
Account permissions
16
+
Authenticate your Google account
17
17
============================================
18
18
19
-
Starting in March 2024, GCP disables service account key creation by setting ``iam.disableServiceAccountKeyCreation`` to ``false`` by default. When this constraint is set, you cannot create user-managed credentials for service accounts in projects affected by the constraint. Check the restrictions on your organization's account keys before connecting to Splunk Observability Cloud.
19
+
You need your service account keys to be able to integrate your GCP services with Splunk Observability Cloud. Check the restrictions on your organization's account keys before connecting to Splunk Observability Cloud.
20
20
21
-
For more information, refer to Google's official announcement :new-page:`Introducing stronger default Org Policies for our customers <https://cloud.google.com/blog/products/identity-security/introducing-stronger-default-org-policies-for-our-customers/>`.
21
+
For more information, refer to:
22
22
23
+
* GCP's docs on :new-page:`Service account keys <https://cloud.google.com/iam/docs/service-account-creds#key-types>`
24
+
* Google's official announcement on the new permission policies at :new-page:`Introducing stronger default Org Policies for our customers <https://cloud.google.com/blog/products/identity-security/introducing-stronger-default-org-policies-for-our-customers/>`
Alternatively, you can use :new-page:`GCP's Workload Identity Federation <https://cloud.google.com/iam/docs/workload-identity-federation>` to access your Google Cloud resources and authenticate them in Splunk Observability Cloud.
30
+
31
+
.. _gcp-prereqs-role-permissions:
32
+
33
+
GCP role permissions
34
+
============================================
35
+
36
+
You can use GCP's :strong:`Viewer` role as it comes with the permissions you need for most scenarios.
37
+
38
+
Alternatively you can create a more restrictive role using the permissions in the table:
39
+
40
+
.. list-table::
41
+
:header-rows: 1
42
+
:widths: 35 45 20
43
+
44
+
* - :strong:`Permission`
45
+
- :strong:`Required?`
46
+
- :strong:`Included in GCP's Viewer role?`
47
+
48
+
* - ``compute.instances.list``
49
+
- Yes, if the Compute Engine service is activated
50
+
- Yes
51
+
52
+
* - ``compute.machineTypes.list``
53
+
- Yes, if the Compute Engine service is activated
54
+
- Yes
55
+
56
+
* - ``container.clusters.list``
57
+
- Yes, if the Kubernetes (GKE) service is activated
58
+
- Yes
59
+
60
+
* - ``container.nodes.list``
61
+
- Yes, if the Kubernetes (GKE) service is activated
62
+
- Yes
63
+
64
+
* - ``container.pods.list``
65
+
- Yes, if the Kubernetes (GKE) service is activated
66
+
- Yes
67
+
68
+
* - ``monitoring.metricDescriptors.get``
69
+
- Yes
70
+
- Yes
71
+
72
+
* - ``monitoring.metricDescriptors.list``
73
+
- Yes
74
+
- Yes
75
+
76
+
* - ``monitoring.timeSeries.list``
77
+
- Yes
78
+
- Yes
79
+
80
+
* - ``resourcemanager.projects.get``
81
+
- Yes, if you want to sync project metadata (such as labels)
82
+
- Yes
83
+
84
+
* - ``serviceusage.services.use``
85
+
- Yes, if you want to activate the use of a quota from the project where metrics are stored
86
+
- No, but included in ``roles/serviceusage.serviceUsageConsumer``
0 commit comments