This guide explains how to install private-key service account credentials on a VM instance to authorize the Ops Agent. Before installing the agent, check that your VM instance has the credentials that the agent needs. The agent must have permission to send logs to Cloud Logging and metrics to Cloud Monitoring. Permission is given by using service account credentials that are stored on your VM instance and serve as Application Default Credentials for the agent. If the VM's attached service account already has the scopes and roles described below, you do not need a key file at all; a private key on disk is a long-lived secret that must be protected, so install one only when the attached account cannot be used.
Before you begin
On Compute Engine, you can list the access scopes of the VM's attached service account by querying the metadata server from the instance:
curl --silent --connect-timeout 1 -f -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
Look for one or more of the following authorization scopes in the output (one scope per line). Scopes are only half of the check: the attached service account must also hold the IAM roles that grant write access, such as the roles listed under Creating a service account.
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/logging.admin
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/monitoring.admin
https://www.googleapis.com/auth/cloud-platform
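The following added example (not from the original page) turns the scope check into a script: it reads a scope list in the metadata server's one-scope-per-line format and reports separately whether logs and metrics could be written. The scope lists are constructed sample output, not captured from a real VM; on a real instance you would feed in the result of the curl command above.

```shell
# Added example: decide from the metadata server's scope list whether this VM's
# attached service account can write logs and metrics. On a real VM the list
# comes from:
#   curl -s -H "Metadata-Flavor: Google" \
#     http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/scopes
# The lists below are constructed sample output so the script runs offline.

# Scopes that allow writing to Cloud Logging
LOGGING_SCOPES="https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/logging.admin
https://www.googleapis.com/auth/cloud-platform"

# Scopes that allow writing to Cloud Monitoring
MONITORING_SCOPES="https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/monitoring.admin
https://www.googleapis.com/auth/cloud-platform"

# has_any_scope GRANTED NEEDED: exit 0 if any scope in NEEDED appears as a
# whole line in GRANTED. Whole-line matching (-x) matters: a substring match
# would accept "logging.writeX" or a similarly named read-only scope.
has_any_scope() {
  granted="$1"
  for scope in $2; do
    if printf '%s\n' "$granted" | grep -qxF -- "$scope"; then
      return 0
    fi
  done
  return 1
}

# check_agent_scopes GRANTED: print one line per product; exit 0 only if both
# logs and metrics are covered, otherwise exit 1.
check_agent_scopes() {
  granted="$1"
  ok=0
  if has_any_scope "$granted" "$LOGGING_SCOPES"; then
    echo "logging:    ok"
  else
    echo "logging:    MISSING (need logging.write, logging.admin or cloud-platform)"
    ok=1
  fi
  if has_any_scope "$granted" "$MONITORING_SCOPES"; then
    echo "monitoring: ok"
  else
    echo "monitoring: MISSING (need monitoring.write, monitoring.admin or cloud-platform)"
    ok=1
  fi
  return "$ok"
}

# Constructed sample: the scopes a Compute Engine instance created with the
# default access scopes reports. Both write scopes are present.
SAMPLE_DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append"

# Constructed sample: an instance whose scopes were narrowed so that metrics
# cannot be written. This is the case where private-key credentials are needed.
SAMPLE_NARROW_SCOPES="https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.read"

check_agent_scopes "$SAMPLE_DEFAULT_SCOPES"
check_agent_scopes "$SAMPLE_NARROW_SCOPES" || echo "narrow scopes: install private-key credentials instead"
```

A passing result here only means the access scopes permit the calls; the attached service account still needs the Logs Writer and Monitoring Metric Writer roles (or equivalents) in the project.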
Adding credentials
Authorization refers to the process of determining what permissions an authenticated client has for a set of resources.
Authorizing the Ops Agent on a VM instance involves the following steps:
Creating a service account with the required privileges and private-key credentials in the Google Cloud project associated with your VM instance.
Copying the private-key credentials to your VM instance, where they serve as Application Default Credentials for software running on your instance.
Creating a service account
Authentication refers to the process of determining a client's identity. For authentication, we recommend using a service account: a Google account that is associated with your Google Cloud project, as opposed to a specific user. You can use service accounts for authentication regardless of where your code runs: on Compute Engine, App Engine, or on-premises. Read Authentication overview for more information.
To create a service account, complete the Creating a service account procedures with the following information:
Select the Google Cloud project in which to create the service account.
For Compute Engine instances, choose the project in which you created the instance.
In the Role drop-down menu, select the following roles:
Monitoring > Monitoring Metric Writer.
Logging > Logs Writer.
When creating the key, select JSON as the Key type.
For convenience, you can set a variable, CREDS, that points to the credentials file on your workstation. Use $HOME rather than ~ inside the quotes, because the shell does not expand a quoted tilde and the later copy command would fail. For example:
CREDS="$HOME/Downloads/[PROJECT-NAME]-[KEY-ID].json"
The rest of these procedures refer to that variable.
Copying the private key to your instance
After creating the service account, copy the private-key file to one of the following locations on your VM instance so that the agent can find the credentials. You can use any file-copy tool you wish.
Linux only:
/etc/google/auth/application_default_credentials.json
Windows only:
C:\ProgramData\Google\Auth\application_default_credentials.json
For both Linux and Windows: any location whose path you store in the environment variable GOOGLE_APPLICATION_CREDENTIALS. The variable must be visible to the agent's process, not only to your interactive shell.
The following file-copy instructions assume that you have a Linux environment on both your workstation and your instance. If you are using a different environment, consult the documentation from your cloud provider for how to copy the private-key file. In the previous step, Creating a service account, your private-key credentials should have been stored on your workstation at a location you saved in the variable CREDS:
Compute Engine
On your workstation, use the gcloud command-line tool. You can find [YOUR-INSTANCE-NAME] and [YOUR-INSTANCE-ZONE] in the Google Cloud Console on the VM Instances page:
REMOTE_USER="$USER"
INSTANCE="[YOUR-INSTANCE-NAME]"
ZONE="[YOUR-INSTANCE-ZONE]"
gcloud compute scp "$CREDS" "$REMOTE_USER@$INSTANCE:~/temp.json" --zone "$ZONE"
On your Compute Engine instance, run these commands:
GOOGLE_APPLICATION_CREDENTIALS="/etc/google/auth/application_default_credentials.json"
sudo mkdir -p /etc/google/auth
sudo mv "$HOME/temp.json" "$GOOGLE_APPLICATION_CREDENTIALS"
sudo chown root:root "$GOOGLE_APPLICATION_CREDENTIALS"
sudo chmod 0400 "$GOOGLE_APPLICATION_CREDENTIALS"
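The mv, chown and chmod sequence above leaves a short window in which the key sits at its final path with the permissions scp gave it (typically 0644). The following added example (not from the original page) does the same installation in a way that never exposes the key: it first checks that the file really is a service account key, copies it under a restrictive umask, fixes ownership and mode on the temporary copy, and only then renames it into place. It also includes a verification function for the check a practitioner runs afterwards. The working directory, destination path, owner and the sample key are assumptions so the script runs unprivileged; on a real VM run it as root with the destination set to /etc/google/auth/application_default_credentials.json.

```shell
# Added example: install a downloaded service account key as the agent's
# Application Default Credentials without ever leaving it world-readable, then
# verify the result. Paths, owner and the sample key below are assumptions.

# is_service_account_key FILE: exit 0 if FILE looks like a JSON service account
# key ("type": "service_account" plus a "private_key" field). This catches an
# OAuth client secret, an authorized_user file or an empty download early.
is_service_account_key() {
  file="$1"
  [ -s "$file" ] || return 1
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$file" || return 1
  grep -q '"private_key"' "$file" || return 1
}

# install_adc_key SRC DST [OWNER]: copy SRC to DST with mode 0400 owned by
# OWNER (default: the current user; use root on the VM). The copy is made under
# umask 077 to a temporary name in the destination directory and renamed into
# place, so DST is never observable with loose permissions.
install_adc_key() {
  src="$1"
  dst="$2"
  owner="${3:-$(id -un)}"
  is_service_account_key "$src" || { echo "refusing to install: $src is not a service account key" >&2; return 1; }
  mkdir -p "$(dirname "$dst")" || return 1
  tmp="$dst.tmp.$$"
  ( umask 077 && cp "$src" "$tmp" ) || return 1
  chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 0400 "$tmp" || { rm -f "$tmp"; return 1; }
  mv -f "$tmp" "$dst"
}

# verify_adc_key FILE: exit 0 only if FILE exists, is a service account key and
# is readable by its owner alone (permission string -r--------).
verify_adc_key() {
  file="$1"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  is_service_account_key "$file" || { echo "not a service account key: $file" >&2; return 1; }
  mode="$(ls -ld -- "$file" | cut -c1-10)"
  case "$mode" in
    -r--------) return 0 ;;
    *) echo "bad permissions on $file: $mode (expected -r--------)" >&2; return 1 ;;
  esac
}

# Constructed sample key (not a real credential: the private_key value is a
# placeholder string, not PEM material, and the project and e-mail are made up).
WORKDIR="$(mktemp -d)"
CREDS="$WORKDIR/sample-project-0123456789ab.json"
cat > "$CREDS" <<'EOF'
{
  "type": "service_account",
  "project_id": "sample-project",
  "private_key_id": "0123456789ab",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "ops-agent@sample-project.iam.gserviceaccount.com"
}
EOF

# Destination under the temp dir instead of /etc/google/auth so the example
# runs unprivileged; the real path is the agent's default Linux location.
ADC="$WORKDIR/etc/google/auth/application_default_credentials.json"
install_adc_key "$CREDS" "$ADC" && verify_adc_key "$ADC" && echo "installed: $ADC"
```

After installing on a real VM, delete the copy that scp left in the home directory and the original download on the workstation once it is no longer needed; each copy is another place the key can leak from.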
Authorizing the Ops Agent
Linux
Edit the following configuration file, or create it if it doesn't exist:
/etc/systemd/system.conf
Add the following line to the [Manager] section, replacing path_to_credentials_file with the path of the key file:
DefaultEnvironment="GOOGLE_APPLICATION_CREDENTIALS=path_to_credentials_file"
Note that DefaultEnvironment applies to every service that systemd starts, not only the agent, so any other software on the VM that uses Application Default Credentials will authenticate with this key too. If you stored the key at /etc/google/auth/application_default_credentials.json, the agent finds it there; the variable is required when you stored the key elsewhere.
Reload the systemd configuration so that the new default environment takes effect:
sudo systemctl daemon-reload
Restart the agent by running the following command on your VM instance:
sudo service google-cloud-ops-agent restart
Windows
Run the following command to set the GOOGLE_APPLICATION_CREDENTIALS environment variable for the Ops Agent to use. The /m switch sets the variable machine-wide; without it, setx sets the variable only for your own user account, and the agent, which runs as a Windows service, would not see it:
setx GOOGLE_APPLICATION_CREDENTIALS path_to_credentials_file /m
Then restart the agent so that it reads the new variable.
Next steps
Your VM instance now has the credentials that the agent needs.
If you have not yet installed the agent, go to the agent installation page and install the agent. See Installing the agent for instructions.
If you have already installed the agent, restart it to use the new credentials. See Restarting the agent for instructions.
If you would like to double-check the credentials, see Verifying private-key credentials.