Google Kubernetes Engine on GCP
Fixing observability on a GKE Autopilot cluster when Policy for Disable Automatic IAM Grants for Default Service Accounts is enabled
Published: Wednesday, Aug 2, 2023 Last modified: Monday, Dec 9, 2024
On https://console.cloud.google.com/apis/dashboard if you notice errors, well then you have a problem!
After some searching I found https://cloud.google.com/stackdriver/docs/solutions/gke/troubleshooting#write_permissions
We need to roles to the service account via IAM:
- Logs Writer aka roles/logging.logWriter
- Monitoring Metric Writer aka roles/monitoring.metricWriter
- Stackdriver Resource Metadata Writer aka roles/stackdriver.resourceMetadata.writer
How do I find the default service account?
gcloud iam service-accounts list | grep "default service"
Compute Engine default service account XXXXXXXXX-compute@developer.gserviceaccount.com False
To add permissions:
- https://console.cloud.google.com/iam-admin/iam
- GRANT ACCESS
- Use the Principal XXXXXXXXX-compute@developer.gserviceaccount.com aka the Compute Engine default service account Principal
- Assign the roles/logging.logWriter, roles/monitoring.metricWriter, roles/stackdriver.resourceMetadata.writer roles
How to verify the permissions are there:
gcloud projects get-iam-policy $(gcloud config get-value project) --flatten="bindings[].members" --format='table(bindings.role)' --filter="bindings.members:XXXXXXXXXX-compute@developer.gserviceaccount.com"
ROLE
roles/logging.logWriter
roles/monitoring.metricWriter
roles/stackdriver.resourceMetadata.writer