gce/WARN/2021_003
GCE instance service account permissions for monitoring.
Product: Compute Engine
Rule class: WARN - Something that is possibly wrong
Description
The service account used by GCE instance should have the monitoring.metricWriter permission and a GCE instance should have the monitoring.write access scope, otherwise, if you install the ops or monitoring agent, it won’t be able to send the metrics to Cloud Monitoring.
Remediation
Make sure that you have the following role binding in the IAM policy:
- Principal: service account of the GCE instance
- Role:
roles/monitoring.metricWriter
Make sure that the instance has one of the following access scopes:
- https://www.googleapis.com/auth/cloud-platform (default)
- https://www.googleapis.com/auth/monitoring
- https://www.googleapis.com/auth/monitoring.write