gce/WARN/2021_003
GCE VM Instance Access Scope, GCE VM Attached Service Account Permissions and APIs Required for Monitoring.
Product: Compute Engine
Rule class: WARN - Something that is possibly wrong
Description
A GCP project should have Cloud Monitoring API enabled.
The service account attached to the GCE VM instances should have the monitoring.metricWriter IAM role permission.
Also, a GCE instance should have the monitoring.write access scope.
Without these, Ops Agent won’t be able to collect metrics from GCE VMs and display on Metrics Explorer.
Remediation
Make sure that you have enabled the Cloud Monitoring API in your GCP project.
Make sure that you have the following role binding in the IAM policy:
- Principal: service account attached to the GCE VM instance
- Role:
roles/monitoring.metricWriter
Make sure that the GCE VM instance has one of the following access scopes:
- https://www.googleapis.com/auth/cloud-platform (default)
- https://www.googleapis.com/auth/monitoring
- https://www.googleapis.com/auth/monitoring.write