
[suggestion] specify necessary IAM roles in documentation #136

Closed
oofnikj opened this issue Jul 30, 2019 · 3 comments
Labels: cleanup (Internal cleanup)

Comments

@oofnikj

oofnikj commented Jul 30, 2019

I had an issue where metrics weren't showing up in Monitoring and I saw the following error in the sidecar logs being printed continuously:

level=warn ts=2019-07-30T05:13:17.12753024Z caller=queue_manager.go:546 component=queue_manager msg="Unrecoverable error sending samples to remote storage" err="rpc error: code = PermissionDenied desc = Permission monitoring.timeSeries.create denied (or the resource may not exist)."

It was fixed by creating an IAM policy binding from the service account associated with the cluster to the role roles/monitoring.metricWriter.

Might be helpful to explicitly specify that this permission is required somewhere in the documentation.
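An added example, not code from this issue or from the sidecar project: it parses sidecar log lines in the logfmt shape quoted above, flags every PermissionDenied error, and maps the denied permission to the role this thread identifies as the fix. The sample log lines and the permission-to-role table are constructed here; only the monitoring.timeSeries.create to roles/monitoring.metricWriter mapping is confirmed by the thread.

```python
import re
import shlex

# Constructed sample sidecar log lines (not captured from a real cluster). The
# first reproduces the error in this issue; the second is a control.
SAMPLE_LOGS = [
    'level=warn ts=2019-07-30T05:13:17.12753024Z caller=queue_manager.go:546 '
    'component=queue_manager msg="Unrecoverable error sending samples to remote storage" '
    'err="rpc error: code = PermissionDenied desc = Permission monitoring.timeSeries.create '
    'denied (or the resource may not exist)."',
    'level=warn ts=2019-07-30T05:13:19.000000Z caller=queue_manager.go:546 '
    'component=queue_manager msg="Unrecoverable error sending samples to remote storage" '
    'err="rpc error: code = Unavailable desc = transport is closing"',
]

# IAM permission -> predefined role; only the mapping this issue confirms is filled in.
PERMISSION_TO_ROLE = {
    "monitoring.timeSeries.create": "roles/monitoring.metricWriter",
}

PERMISSION_RE = re.compile(r"Permission (\S+) denied")

def parse_logfmt(line):
    """Split one logfmt line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_denied_permissions(lines):
    """Map each denied permission to its suggested role and how often it was seen."""
    findings = {}
    for line in lines:
        err = parse_logfmt(line).get("err", "")
        if "code = PermissionDenied" not in err:
            continue
        match = PERMISSION_RE.search(err)
        if not match:
            continue
        perm = match.group(1)
        entry = findings.setdefault(perm, {"role": PERMISSION_TO_ROLE.get(perm), "count": 0})
        entry["count"] += 1
    return findings

def remediation_command(project, sa_email, role):
    """Build the project-level binding command used later in this thread."""
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member serviceAccount:{sa_email} --role {role}")
```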

@jkohen jkohen added the cleanup Internal cleanup label Jul 31, 2019
@jkohen jkohen self-assigned this Jul 31, 2019
@jkohen
Contributor

jkohen commented Jul 31, 2019

Hi, thanks for the suggestion and I'm glad to hear you've solved the issue already. It sounds like you are using the software with GKE. The GKE documentation states that this permission is required at https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa

Let us know if we can help any other way.

@jkohen jkohen closed this as completed Jul 31, 2019
@philips

philips commented Aug 3, 2019

The docs here don't seem to talk about the service account, which is very confusing: https://cloud.google.com/monitoring/kubernetes-engine/prometheus

@hixichen

For anyone who searches and views this page:

Refer to: GKE Workload Identity

# Project and service account names; adjust to your environment.
export GCP_PROJECT=my-project
export GCP_SA=gke-prometheus
export K8S_SA=prometheus
export K8S_NS=prometheus

# Create the GCP service account the sidecar will act as.
gcloud iam service-accounts create ${GCP_SA} --display-name=${GCP_SA}

# Let the Kubernetes service account impersonate it through Workload Identity.
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:${GCP_PROJECT}.svc.id.goog[${K8S_NS}/${K8S_SA}]" \
  ${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com

# Grant the project-level roles; metricWriter is the one whose absence
# produces the PermissionDenied error reported above.
gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/monitoring.viewer

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/logging.logWriter

gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
  --member "serviceAccount:${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  --role roles/stackdriver.resourceMetadata.writer

# Annotate the Kubernetes service account so pods using it get the GCP identity.
kubectl annotate serviceaccount ${K8S_SA} \
  iam.gke.io/gcp-service-account="${GCP_SA}@${GCP_PROJECT}.iam.gserviceaccount.com" \
  -n ${K8S_NS}
