gce/WARN/2021_003

GCE instance service account permissions for monitoring.

Product: Compute Engine
Rule class: WARN - Something that is possibly wrong

Description

The service account used by GCE instance should have the monitoring.metricWriter permission and a GCE instance should have the monitoring.write access scope, otherwise, if you install the ops or monitoring agent, it won’t be able to send the metrics to Cloud Monitoring.

Remediation

Make sure that you have the following role binding in the IAM policy:

Principal: service account of the GCE instance
Role: roles/monitoring.metricWriter

Make sure that the instance has one of the following access scopes:

https://www.googleapis.com/auth/cloud-platform (default)
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/monitoring.write

Further information

Monitoring access control