IAM permissions needed for Stackdriver integration?


#1

I am attempting to configure my Istio cluster (running in AWS) to send telemetry info to Google’s Stackdriver, 'cause I want to try out their UI.

I created a Service Account in a GCP project and downloaded its private key, which I put in a Kubernetes secret. I injected the secret into the mixer container, and used the filepath of that JSON file in handler via the “serviceAccountPath” key. But I see a bunch of errors in mixer’s logs saying:

error	adapters	Stackdriver logger failed with: rpc error: code = PermissionDenied desc = The caller does not have permission	{"adapter": "handler.stackdriver.istio-system"}

Does anyone know the IAM permissions that need to be added to the GCP service account to allow Mixer to send metrics? So far I haven’t been able to find anything in the docs.

Thanks in advance!


#2

Hi, the error line is from stackdriver adapter calling log API (https://github.com/istio/istio/blob/98c2fe55136b584f19499615a509143127ac7532/mixer/adapter/stackdriver/log/log.go#L107), not monitoring API. To write log entries mixer needs logWriter permission (https://cloud.google.com/logging/docs/access-control). But anyway it should not affect metrics exporting. Could you check is there any other error messages about metrics writing, which is like “Stackdriver returned …” (https://github.com/istio/istio/blob/98c2fe55136b584f19499615a509143127ac7532/mixer/adapter/stackdriver/metric/bufferedClient.go#L125)