This document describes a script that enables each project in an organization or folder for service health events processing. It grants the specified Identity and Access Management (IAM) principal the Service Health Viewer role, which lets you view events, and enables the Service Health API.
Before you begin
Ensure that you have the following permissions:
- Permission to list projects under the parent: resourcemanager.projects.list.
- Permission to add IAM (Service Health Viewer role) for the specified IAM principal: resourcemanager.projects.setIamPolicy.
- Permission to enable Google Cloud services: serviceusage.services.enable.
To check for roles you can use to run the script:
- Go to the Predefined roles section of the IAM basic and predefined roles reference page.
- Search for the desired permission. The roles that have the permission appear.
Run the script
The script accepts the following parameters:
- PARENT_ID: ID of the parent of the projects. The ID can be for an organization or a folder. All projects under the parent will have Personalized Service Health enabled.
- (optional) IAM_PRINCIPAL: An identifier for the principal, or member, which will be granted the Service Health Viewer role. It usually has the following form: PRINCIPAL_TYPE:ID. Example: user:my-user@example.com. For the full list of supported values, see the Grant a single role section of the Manage access to projects, folders, and organizations page.
To run the script:
- Decide on the API VERSION: v1 or v1beta.
- Paste the following script to a file:

      #!/bin/bash
      # Usage: bash activateProjects.sh PARENT_ID [IAM_PRINCIPAL]
      # Replace API_VERSION in the URL below with the API version you chose (v1 or v1beta).
      PARENT_ID="$1"
      PRINCIPAL="$2"
      FAILED_PROJECTS=()

      for project in $(gcloud projects list --filter="parent.id: ${PARENT_ID}" --format="value(projectId)")
      do
        echo "Enabling PSH API for project $project"
        gcloud services enable servicehealth.googleapis.com --project="${project}"
        echo "Finished enabling PSH API for project $project"

        if [[ -n "$PRINCIPAL" ]]; then
          echo "Adding $PRINCIPAL as service health viewer to project $project"
          gcloud projects add-iam-policy-binding "${project}" --member "${PRINCIPAL}" --role roles/servicehealth.viewer
          echo "Finished adding $PRINCIPAL as service health viewer to project $project"
          sleep 5
        else
          echo "PRINCIPAL not provided, will not grant service health viewer role. Please provide a PRINCIPAL value in order to view events."
        fi

        echo "Attempt to list events from Personalized Service Health for project $project"
        # -w appends the HTTP status code on its own line after the response body,
        # so tail -n1 below always reads only the status code.
        RESPONSE="$(curl -w "\n%{http_code}" \
          -H "Authorization: Bearer $(gcloud auth print-access-token)" \
          -H "Content-Type: application/json" \
          "https://servicehealth.googleapis.com/API_VERSION/projects/${project}/locations/global/events")"
        HTTP_CODE=$(tail -n1 <<< "$RESPONSE")
        if [[ "$HTTP_CODE" -ne 200 ]]; then
          echo "Failed to list events for project $project"
          echo "Response: $RESPONSE"
          FAILED_PROJECTS+=("$project")
        else
          echo "Successfully listed events for project $project"
        fi
      done

      # Summarize the projects whose events could not be listed.
      if [[ "${#FAILED_PROJECTS[@]}" -ne 0 ]]; then
        echo "Listing projects that failed to activate"
        for project in "${FAILED_PROJECTS[@]}"
        do
          echo "$project"
        done
      fi

- Run the script. The following examples assume the script is in a file named activateProjects.sh:

  To activate all projects in organization ID 1111111111 and grant user user:test-user@gmail.com the role of roles/servicehealth.viewer, run:

      bash activateProjects.sh 1111111111 "user:test-user@gmail.com"

  To activate all projects in organization ID 1111111111 and grant service account serviceAccount:test-proj1@example.domain.com the role of roles/servicehealth.viewer, run:

      bash activateProjects.sh 1111111111 "serviceAccount:test-proj1@example.domain.com"

Personalized Service Health will take up to 24 hours to start processing service health events.
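
Because the script adds a role binding on every project under the parent, it is worth confirming afterwards that only the principals you intended hold roles/servicehealth.viewer. The following is an added example, not part of the original page or of Google's script; the file name auditViewers.sh and the function names are hypothetical, and it assumes the same gcloud authentication and project filter as the activation script.

```shell
#!/bin/bash
# Added example, not part of the original script; all names are hypothetical.
# Usage: bash auditViewers.sh PARENT_ID IAM_PRINCIPAL [IAM_PRINCIPAL ...]
ROLE="roles/servicehealth.viewer"

# Print the members bound to ROLE on project $1, one per line.
viewer_members() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role=${ROLE}" \
    --format="value(bindings.members)"
}

# Read members on stdin and print those that are not among the expected
# principals given as arguments (exact string match).
unexpected_members() {
  local member expected found
  while IFS= read -r member; do
    [ -n "$member" ] || continue
    found=0
    for expected in "$@"; do
      if [ "$member" = "$expected" ]; then found=1; break; fi
    done
    [ "$found" -eq 1 ] || printf '%s\n' "$member"
  done
  return 0
}

# Check every project under parent $1 (same filter as the activation script).
# Prints "PROJECT<TAB>MEMBER" per unexpected holder; returns 1 if any exist.
audit_parent() {
  local parent="$1" project extra status=0
  shift
  for project in $(gcloud projects list --filter="parent.id: ${parent}" --format="value(projectId)"); do
    extra="$(viewer_members "$project" | unexpected_members "$@")"
    if [ -n "$extra" ]; then
      printf '%s\n' "$extra" | while IFS= read -r member; do
        printf '%s\t%s\n' "$project" "$member"
      done
      status=1
    fi
  done
  return "$status"
}

# Run the audit only when both arguments are supplied on the command line.
if [ "$#" -ge 2 ]; then
  audit_parent "$@"
fi
```

A project whose IAM policy cannot be read produces no findings here, so check gcloud's error output for permission failures before treating an empty result as clean.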