gce/WARN/2021_001
GCE instance service account permissions for logging.
Product: Compute Engine
Rule class: WARN - Something that is possibly wrong
Description
The service account used by GCE instance should have the logging.logWriter permission and a GCE instance should have the logging.write access scope, otherwise, if you install the logging agent, it won’t be able to send the logs to Cloud Logging.
Remediation
Make sure that you have the following role binding in the IAM policy:
- Principal: service account of the GCE instance
- Role:
roles/logging.logWriter
Make sure that the instance has one of the following access scopes:
- https://www.googleapis.com/auth/cloud-platform (default)
- https://www.googleapis.com/auth/logging.admin
- https://www.googleapis.com/auth/logging.write