Cloud Monitoring uses Workspaces to organize monitoring information.
This page describes all of the following:
- Conceptual information on Workspaces.
- Permissions needed to create and modify a Workspace.
- Billing implications when using Workspaces.
What is a Workspace?
A Workspace is a tool for monitoring resources contained in one or more Google Cloud projects or AWS accounts. Each Workspace can have between 1 and 100 monitored projects, including Google Cloud projects and AWS accounts. You can have as many Workspaces as you wish, but Google Cloud projects and AWS accounts can't be monitored by more than one Workspace.
A Workspace accesses metric data from its monitored projects, but the metric data and log entries remain in the individual projects.
Every Workspace has a host project. The Google Cloud project that is used to create the Workspace is the Workspace's host project. The Workspace name matches the name of the host project. The following diagram shows Workspace A monitoring only its host project, A:
The host project stores all of the configuration content for dashboards, alerting policies, uptime checks, notification channels, and group definitions that you configure.
To create a Workspace for a Google Cloud project, you must have one of the roles listed in Required permissions.
After you have a Workspace, you can add more Google Cloud projects and AWS accounts to it using the instructions under Adding monitored projects.
If you plan to monitor more than just your host project, then the best practice is to use a new, empty Google Cloud project to host the Workspace and then to add the projects and AWS accounts you want to monitor to your Workspace. This strategy lets you choose a useful name for your host project and Workspace, and it gives you a little more flexibility in moving monitored projects between Workspaces. The following diagram shows Workspace W monitoring Google Cloud projects A and B and AWS account D:
AWS Connector projects
In the preceding diagram, the AWS connector project is a Google Cloud project that connects your monitored AWS account to the Workspace. Monitoring creates this AWS connector project when you add an AWS account to a Workspace. The connector project has a name beginning with AWS Link, and it has the same parent organization as the Workspace.
To find the name and details about your AWS connector projects, in the Monitoring menu of the Cloud Console, select Settings.
The billing account associated with the AWS connector project is used for Cloud Monitoring and Cloud Logging charges for the AWS account. For more information, see Billing.
In the Cloud Console, AWS connector projects appear as regular Google Cloud projects. Don't use connector projects for any other purpose, and don't delete them while your Workspace is still connected to your AWS account.
This section identifies the Cloud Identity and Access Management (Cloud IAM) roles required to create a Workspace and to add a Google Cloud project to a Workspace.
Create Workspace permissions
To create a Workspace for an existing Google Cloud project, you must have one of the following Cloud IAM roles on that project:
- Project Owner
- Monitoring Editor
- Monitoring Admin
- Stackdriver Accounts Editor
To create a Workspace for an existing AWS account, you need the permission to create a Google Cloud host project and the permission to add the AWS account to the Workspace.
Add to Workspace permissions
To add a Google Cloud project to an existing Workspace, your Cloud IAM roles for the Workspace's host project and for the project being added must be one of the roles listed in Create Workspace permissions.
To add an AWS account to an existing Workspace, your Cloud IAM role for the Workspace's host project must be one of the roles listed in Create Workspace permissions. Because the addition of an AWS account to a Workspace creates an AWS connector project, you might need additional permissions:
- If the host project isn't in an organization or a folder, you don't need any additional permissions.
- If the host project is in an organization but not a folder, you need permission to create a Google Cloud project at the organization level.
- If the host project is in a folder, you currently can't add the AWS account to the Workspace.
What are my permissions?
To determine your role for a project, do the following:
- Open the Cloud Console and select the Google Cloud project.
- To view your role, click IAM & admin. Your role is on the same line as your username.
To determine your organization-level permissions, contact your organization's administrator.
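The rules in Create Workspace permissions and Add to Workspace permissions can be checked against exported IAM policies, which also shows who on a host project is able to create or extend a Workspace. The following is an added example, not code from this page or from Google: the function names are hypothetical, the role IDs are the IDs that correspond to the four role names listed above, and the policies are constructed sample data.

```python
import json

# Role IDs for the four role names this page lists (the ID mapping is supplied here).
WORKSPACE_ROLES = {
    "roles/owner", "roles/monitoring.editor",
    "roles/monitoring.admin", "roles/stackdriver.accounts.editor",
}

def workspace_roles(policy, member):
    """Qualifying roles bound directly to member. Group membership, inherited
    folder/organization bindings and IAM conditions are not resolved here."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if b["role"] in WORKSPACE_ROLES and member in b.get("members", []))

def capable_members(policy):
    """Every member who could create or extend a Workspace on this project."""
    found = {}
    for b in policy.get("bindings", []):
        if b["role"] in WORKSPACE_ROLES:
            for m in b.get("members", []):
                found.setdefault(m, []).append(b["role"])
    return found

def can_add_project(host_policy, target_policy, member):
    """A qualifying role is needed on both the host project and the added project."""
    return bool(workspace_roles(host_policy, member)) and \
           bool(workspace_roles(target_policy, member))

def can_add_aws_account(host_policy, member, host_parent, org_project_creator=False):
    """host_parent is 'none', 'organization' or 'folder' (caller-supplied)."""
    if not workspace_roles(host_policy, member):
        return (False, "no qualifying role on host project")
    if host_parent == "folder":
        return (False, "host project is in a folder")
    if host_parent == "organization" and not org_project_creator:
        return (False, "cannot create the connector project in the organization")
    return (True, "ok")

# Constructed sample policies, shaped like `gcloud projects get-iam-policy --format=json`.
HOST = json.loads("""{"bindings": [
  {"role": "roles/monitoring.admin", "members": ["user:ops@example.com"]},
  {"role": "roles/viewer", "members": ["user:dev@example.com"]},
  {"role": "roles/owner", "members": ["user:root@example.com", "user:ops@example.com"]}]}""")
TARGET = json.loads("""{"bindings": [
  {"role": "roles/monitoring.editor", "members": ["user:ops@example.com"]},
  {"role": "roles/logging.viewer", "members": ["user:dev@example.com"]}]}""")

if __name__ == "__main__":
    print(capable_members(HOST))
    print(can_add_project(HOST, TARGET, "user:ops@example.com"))
    print(can_add_aws_account(HOST, "user:ops@example.com", "folder"))
```

Reviewing the output of `capable_members` for a host project is a quick least-privilege check, because the host project stores the alerting policies and notification channels for every monitored project.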
There is no charge for creating a Workspace.
Charges for logging and metric data ingested by a monitored project are associated with that project's billing account. For AWS accounts, this means the billing accounts of the AWS connector projects:
- For Google Cloud projects, if you have VM instances that contain software that sends monitoring data or logs to Cloud Monitoring APIs, then you are charged for that data. This software includes the Monitoring agents, Logging agents, and third-party libraries like Prometheus that you might install. You continue to accrue charges while that software is running.
- When you add an AWS account to a Workspace, monitoring and logging data is sent by Cloud Monitoring agents, Cloud Logging agents, or other software to the AWS connector project, whose billing account receives any charges.
For more information about pricing and free allotments, see Cloud Monitoring pricing.
To stop all Cloud Monitoring charges for metrics usage, do one of the following:
- Disable the Monitoring APIs.
- Stop Cloud Monitoring agents, Cloud Logging agents, and other software modules from sending metrics or logs to your Google Cloud project, or to the AWS connector projects.
Removing a project from its Workspace doesn't affect Cloud Monitoring charges for logs and metrics usage.
To disable the collection of Monitoring data in your Google Cloud project, do the following:
- From the Cloud Console, select the Google Cloud project or the AWS connector project, and then go to APIs & Services.
- Select Stackdriver Monitoring API.
- Click Disable API.