服务帐户将自定义指标写入 GCP 中的 Stackdriver 的正确 IAM 角色是什么
What's the proper IAM role for a service account to write custom metrics to Stackdriver in GCP
我创建了一个服务帐户并提供了 JSON 格式的私钥 (/adc.json)。它可以通过 Client.from_service_account_json 功能正常加载到 google-cloud python 客户端。但是当我尝试调用 Monitoring API 来编写自定义指标时,它会出现如下所示的 403 错误。
In [1]: from google.cloud import monitoring
In [2]: c = monitoring.Client.from_service_account_json('/adc.json')
In [6]: resource = client.resource('gce_instance', labels={'instance_id': '1234567890123456789', 'zone': 'us-central1-f'})
In [7]: metric = client.metric(type_='custom.googleapis.com/my_metric', labels={'status': 'successful'})
In [9]: from datetime import datetime
In [10]: end_time = datetime.utcnow()
In [11]: client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)
---------------------------------------------------------------------------
Forbidden Traceback (most recent call last)
<ipython-input-11-b030f6399aa2> in <module>()
----> 1 client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)
/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_point(self, metric, resource, value, end_time, start_time)
599 timeseries = self.time_series(
600 metric, resource, value, end_time, start_time)
--> 601 self.write_time_series([timeseries])
/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_time_series(self, timeseries_list)
544 for timeseries in timeseries_list]
545 self._connection.api_request(method='POST', path=path,
--> 546 data={'timeSeries': timeseries_dict})
547
548 def write_point(self, metric, resource, value,
/usr/local/lib/python3.5/site-packages/google/cloud/_http.py in api_request(self, method, path, query_params, data, content_type, headers, api_base_url, api_version, expect_json, _target_object)
301 if not 200 <= response.status < 300:
302 raise make_exception(response, content,
--> 303 error_info=method + ' ' + url)
304
305 string_or_bytes = (six.binary_type, six.text_type)
Forbidden: 403 User is not authorized to access the project monitoring records. (POST https://monitoring.googleapis.com/v3/projects/MY-PROJECT/timeSeries/)
在 GCP 的访问控制面板中,我没有看到 Stackdriver Monitoring 的特定预定义角色范围 API。请参见下面的屏幕截图:
我已经尝试了 Project Viewer、Service Account Actor 预定义角色,但均无效。我很犹豫是否要为此服务帐户分配一个 Project Editor 角色,因为感觉它对于 Stackdriver 专用服务帐户凭证来说范围太广了。那么分配给该服务帐户的正确角色应该是什么?谢谢。
你是对的,它太宽泛了,我们正在研究更细粒度的角色,但是,截至今天,"Project Editor" 是正确的角色。
如果您 运行 在 GCE VM 上并省略私钥,Stackdriver 监控代理将默认尝试使用 VM 的默认服务帐户。只要 VM 具有 https://www.googleapis.com/auth/monitoring.write 范围,这就会起作用(现在所有 GCE VM 都应该默认打开)。有关代理需要哪些凭据的详细说明,请参阅 this page。
我创建了一个服务帐户并提供了 JSON 格式的私钥 (/adc.json)。它可以通过 Client.from_service_account_json 功能正常加载到 google-cloud python 客户端。但是当我尝试调用 Monitoring API 来编写自定义指标时,它会出现如下所示的 403 错误。
In [1]: from google.cloud import monitoring
In [2]: c = monitoring.Client.from_service_account_json('/adc.json')
In [6]: resource = client.resource('gce_instance', labels={'instance_id': '1234567890123456789', 'zone': 'us-central1-f'})
In [7]: metric = client.metric(type_='custom.googleapis.com/my_metric', labels={'status': 'successful'})
In [9]: from datetime import datetime
In [10]: end_time = datetime.utcnow()
In [11]: client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)
---------------------------------------------------------------------------
Forbidden Traceback (most recent call last)
<ipython-input-11-b030f6399aa2> in <module>()
----> 1 client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)
/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_point(self, metric, resource, value, end_time, start_time)
599 timeseries = self.time_series(
600 metric, resource, value, end_time, start_time)
--> 601 self.write_time_series([timeseries])
/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_time_series(self, timeseries_list)
544 for timeseries in timeseries_list]
545 self._connection.api_request(method='POST', path=path,
--> 546 data={'timeSeries': timeseries_dict})
547
548 def write_point(self, metric, resource, value,
/usr/local/lib/python3.5/site-packages/google/cloud/_http.py in api_request(self, method, path, query_params, data, content_type, headers, api_base_url, api_version, expect_json, _target_object)
301 if not 200 <= response.status < 300:
302 raise make_exception(response, content,
--> 303 error_info=method + ' ' + url)
304
305 string_or_bytes = (six.binary_type, six.text_type)
Forbidden: 403 User is not authorized to access the project monitoring records. (POST https://monitoring.googleapis.com/v3/projects/MY-PROJECT/timeSeries/)
在 GCP 的访问控制面板中,我没有看到 Stackdriver Monitoring 的特定预定义角色范围 API。请参见下面的屏幕截图:
我已经尝试了 Project Viewer、Service Account Actor 预定义角色,但均无效。我很犹豫是否要为此服务帐户分配一个 Project Editor 角色,因为感觉它对于 Stackdriver 专用服务帐户凭证来说范围太广了。那么分配给该服务帐户的正确角色应该是什么?谢谢。
你是对的,它太宽泛了,我们正在研究更细粒度的角色,但是,截至今天,"Project Editor" 是正确的角色。
如果您 运行 在 GCE VM 上并省略私钥,Stackdriver 监控代理将默认尝试使用 VM 的默认服务帐户。只要 VM 具有 https://www.googleapis.com/auth/monitoring.write 范围,这就会起作用(现在所有 GCE VM 都应该默认打开)。有关代理需要哪些凭据的详细说明,请参阅 this page。