Tags: google-cloud-platform, google-cloud-iam, google-cloud-monitoring

IAM Permission Denied - Google Cloud Create metric


Currently I am trying to create a custom metric to be tracked in the Google Cloud Monitoring dashboard.

Although the admin of the system has given me Monitoring Editor, Monitoring Writer, and Monitoring Admin roles, this error is still occurring.

[Image: permission based error]

Which permission settings do I need to create a custom / log based metric?

I have tried creating a metric on the Google Cloud Monitoring dashboard with the following roles: Monitoring Editor, Monitoring Writer, and Monitoring Admin. Even with these roles in my IAM permission settings, the red alert error still shows up when creating a metric.


Solution

  • It's confusing.

    Although Log-based metrics produce Cloud Monitoring metrics, they are functionality of the Cloud Logging API (and so they require Logging-specific roles/permissions).

    Here's the list of permissions: https://cloud.google.com/iam/docs/permissions-reference

    Search it (!) for logging.logMetrics.create and you'll get:

    • Owner (roles/owner)
    • Editor (roles/editor)
    • App Engine flexible environment Service Agent (roles/appengineflex.serviceAgent)
    • Cloud Composer API Service Agent (roles/composer.serviceAgent)
    • Cloud Dataflow Service Agent (roles/dataflow.serviceAgent)
    • Logging Admin (roles/logging.admin)
    • Logs Configuration Writer (roles/logging.configWriter)
    • Serverless VPC Access Service Agent (roles/vpcaccess.serviceAgent)

    Get roles/logging.admin or roles/logging.configWriter bound to your identity and try again.
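
A way to check this before retrying, as an added example that is not part of the original answer: the Python below reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports whether a member holds any of the roles listed above for `logging.logMetrics.create`. The sample policy, the member names and the function name are constructed for illustration; the check assumes project-level bindings only and does not see custom roles, inherited folder or organization bindings, or group membership.

```python
import json

# Roles the answer above lists as containing logging.logMetrics.create.
ROLES_WITH_LOGMETRICS_CREATE = {
    "roles/owner", "roles/editor", "roles/logging.admin",
    "roles/logging.configWriter", "roles/appengineflex.serviceAgent",
    "roles/composer.serviceAgent", "roles/dataflow.serviceAgent",
    "roles/vpcaccess.serviceAgent",
}

# Constructed sample policy (not real data). alice mirrors the question:
# Monitoring roles only, no Logging role.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/monitoring.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/monitoring.editor", "members": ["user:alice@example.com"]},
    {"role": "roles/logging.configWriter", "members": ["user:bob@example.com"]},
    {"role": "roles/logging.admin", "members": ["user:carol@example.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": ["group:ops@example.com"]}
  ]
}
""")


def audit_logmetrics_create(policy, member):
    """Return (direct, conditional, unresolved_groups) for `member`.

    direct:            qualifying roles bound to the member without a condition
    conditional:       qualifying roles bound with an IAM condition (may not apply)
    unresolved_groups: groups holding a qualifying role; the policy does not
                       say who belongs to them, so they need a manual check
    """
    direct, conditional, groups = [], [], []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in ROLES_WITH_LOGMETRICS_CREATE:
            continue  # Monitoring roles land here: they do not carry the permission
        members = binding.get("members", [])
        if member in members:
            (conditional if "condition" in binding else direct).append(role)
        groups += [m for m in members if m.startswith("group:")]
    return sorted(direct), sorted(conditional), sorted(set(groups))
```

An empty `direct` list with Monitoring roles present reproduces the situation in the question; a non-empty `conditional` list means the binding exists but its condition still has to evaluate to true.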