gce/WARN/2021_001
GCE VM Instance Access Scope, GCE VM Attached Service Account Permissions and APIs Required for Logging.
Product: Compute Engine
Rule class: WARN - Something that is possibly wrong
Description
A GCP project should have Cloud Logging API enabled.
The service account attached to the GCE VM instances should have the logging.logWriter IAM role permission.
Also, a GCE instance should have the logging.write access scope.
Without these, Ops Agent won’t be able to collect logs from GCE VMs and display on Logs Explorer.
Remediation
Make sure that you have enabled the Cloud Logging API in your GCP project.
Make sure that you have the following role binding in the IAM policy:
- Principal: service account attached to the GCE VM instance
- Role:
roles/logging.logWriter
Make sure that the instance has one of the following access scopes:
- https://www.googleapis.com/auth/cloud-platform (default)
- https://www.googleapis.com/auth/logging.admin
- https://www.googleapis.com/auth/logging.write