服务帐户将自定义指标写入 GCP 中的 Stackdriver 的正确 IAM 角色是什么

What's the proper IAM role for a service account to write custom metrics to Stackdriver in GCP

我创建了一个服务帐户并提供了 JSON 格式的私钥 (/adc.json)。它可以通过 Client.from_service_account_json 功能正常加载到 google-cloud python 客户端。但是当我尝试调用 Monitoring API 来编写自定义指标时,它会出现如下所示的 403 错误。

In [1]: from google.cloud import monitoring

In [2]: c = monitoring.Client.from_service_account_json('/adc.json')

In [6]: resource = client.resource('gce_instance', labels={'instance_id': '1234567890123456789', 'zone': 'us-central1-f'})

In [7]: metric = client.metric(type_='custom.googleapis.com/my_metric', labels={'status': 'successful'})

In [9]: from datetime import datetime

In [10]: end_time = datetime.utcnow()

In [11]: client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)
---------------------------------------------------------------------------
Forbidden                                 Traceback (most recent call last)
<ipython-input-11-b030f6399aa2> in <module>()
----> 1 client.write_point(metric=metric, resource=resource, value=3.14, end_time=end_time)

/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_point(self, metric, resource, value, end_time, start_time)
    599         timeseries = self.time_series(
    600             metric, resource, value, end_time, start_time)
--> 601         self.write_time_series([timeseries])

/usr/local/lib/python3.5/site-packages/google/cloud/monitoring/client.py in write_time_series(self, timeseries_list)
    544                            for timeseries in timeseries_list]
    545         self._connection.api_request(method='POST', path=path,
--> 546                                      data={'timeSeries': timeseries_dict})
    547 
    548     def write_point(self, metric, resource, value,

/usr/local/lib/python3.5/site-packages/google/cloud/_http.py in api_request(self, method, path, query_params, data, content_type, headers, api_base_url, api_version, expect_json, _target_object)
    301         if not 200 <= response.status < 300:
    302             raise make_exception(response, content,
--> 303                                  error_info=method + ' ' + url)
    304 
    305         string_or_bytes = (six.binary_type, six.text_type)

Forbidden: 403 User is not authorized to access the project monitoring records. (POST https://monitoring.googleapis.com/v3/projects/MY-PROJECT/timeSeries/)

在 GCP 的访问控制面板中,我没有看到 Stackdriver Monitoring 的特定预定义角色范围 API。请参见下面的屏幕截图:

我已经尝试了 Project ViewerService Account Actor 预定义角色,但均无效。我很犹豫是否要为此服务帐户分配一个 Project Editor 角色,因为感觉它对于 Stackdriver 专用服务帐户凭证来说范围太广了。那么分配给该服务帐户的正确角色应该是什么?谢谢。

你是对的,它太宽泛了,我们正在研究更细粒度的角色,但是,截至今天,"Project Editor" 是正确的角色。

如果您 运行 在 GCE VM 上并省略私钥,Stackdriver 监控代理将默认尝试使用 VM 的默认服务帐户。只要 VM 具有 https://www.googleapis.com/auth/monitoring.write 范围,这就会起作用(现在所有 GCE VM 都应该默认打开)。有关代理需要哪些凭据的详细说明,请参阅 this page