Integrations and custom roles

To read the relevant data from your Google Cloud Platform (GCP) account, New Relic uses the Google Stackdriver API and other service-specific APIs. To access these APIs in your Google Cloud project, the New Relic authorized account needs to be granted a certain set of permissions; GCP uses roles to grant these permissions.

By default, we highly recommend using the GCP primitive role Project Viewer, which grants "permissions for read-only actions that do not affect your cloud infrastructure state, such as viewing (but not modifying) existing resources or data." This role is automatically managed by Google and updated when new Google Cloud services are released or modified.

Optional role

Alternatively, you can create your own custom role based on the list of permissions below, which specifies the minimum set of permissions required to fetch data from each GCP integration. This gives you more control over the permissions granted to the New Relic authorized account.

New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom role, it is your responsibility to maintain it and ensure proper data is being collected.

To customize your role you need to:

  1. Create a Google Cloud IAM Custom Role in each one of the GCP projects you want to monitor with New Relic.
  2. In each custom role, add the permissions that are specifically required for the cloud services you want to monitor according to the following list.
  3. Assign the custom role(s) to the New Relic authorized account.

All integrations need the following permission:

  • monitoring.timeSeries.list

For some GCP integrations, New Relic will also need the following permissions, mainly to collect labels and inventory attributes.

Integration and additional permissions required:

Google App Engine
  • n/a; Google App Engine does not require additional permissions.
Google BigQuery
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
Google Cloud Functions
  • cloudfunctions.locations.list
Google Cloud Load Balancing
  • n/a; Google Cloud Load Balancing does not require additional permissions.
Google Cloud Pub/Sub
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.get
  • pubsub.topics.list
Google Cloud Spanner
  • spanner.instances.list
  • spanner.databases.list
  • spanner.databases.getDdl
Google Cloud SQL
  • cloudsql.instances.list
Google Cloud Storage
  • storage.buckets.list
Google Compute Engine
  • compute.instances.list
  • compute.disks.get
  • compute.disks.list
Google Kubernetes Engine
  • container.clusters.list

To be able to see the list of projects that you can link to New Relic Infrastructure through the UI, your New Relic authorized service account needs the following permissions:

  • resourcemanager.projects.get
  • monitoring.monitoredResourceDescriptors.list

If you do not want to grant the New Relic authorized account the permissions that are needed for the linking process through the UI, you have the following options:

  • Assign the Project Viewer or Monitoring Viewer role initially to the authorized account to link Google Cloud projects to New Relic through the UI. After the projects are linked, assign a Google Cloud custom role to the authorized account.
  • Use New Relic NerdGraph to link Google Cloud projects to New Relic. This does not involve listing the viewable projects. However, you must know the ID of the project you want to monitor. For more information, see the NerdGraph GraphiQL cloud integrations API tutorial.
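Because New Relic cannot detect a mis-scoped custom role for you, it helps to keep the permission table above in code and audit the role against it whenever an integration is added or removed. The following is an added example, not New Relic's or Google's own code: it transcribes the page's permission table, computes the minimum set for a chosen list of integrations (optionally including the two UI-linking permissions), reports what a role is missing and what it grants beyond the minimum, and renders a role definition in the YAML layout accepted by `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`. The sample granted-permission list is constructed for illustration.

```python
"""Audit a custom GCP role for the New Relic authorized account against the
minimum permission set documented on this page (added example, not vendor code)."""
from __future__ import annotations

# Required by every integration (from the page).
BASE_PERMISSIONS = {"monitoring.timeSeries.list"}

# Additional per-integration permissions, transcribed from the table on this page.
INTEGRATION_PERMISSIONS: dict[str, set[str]] = {
    "App Engine": set(),
    "BigQuery": {"bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.list"},
    "Cloud Functions": {"cloudfunctions.locations.list"},
    "Cloud Load Balancing": set(),
    "Cloud Pub/Sub": {
        "pubsub.subscriptions.get", "pubsub.subscriptions.list",
        "pubsub.topics.get", "pubsub.topics.list",
    },
    "Cloud Spanner": {
        "spanner.instances.list", "spanner.databases.list", "spanner.databases.getDdl",
    },
    "Cloud SQL": {"cloudsql.instances.list"},
    "Cloud Storage": {"storage.buckets.list"},
    "Compute Engine": {"compute.instances.list", "compute.disks.get", "compute.disks.list"},
    "Kubernetes Engine": {"container.clusters.list"},
}

# Needed only so the New Relic UI can list the projects you may link (from the page).
UI_LINKING_PERMISSIONS = {
    "resourcemanager.projects.get",
    "monitoring.monitoredResourceDescriptors.list",
}


def required_permissions(integrations, include_ui_linking: bool = False) -> set[str]:
    """Minimum permission set for the selected integrations."""
    unknown = set(integrations) - INTEGRATION_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown integrations: {sorted(unknown)}")
    perms = set(BASE_PERMISSIONS)
    for name in integrations:
        perms |= INTEGRATION_PERMISSIONS[name]
    if include_ui_linking:
        perms |= UI_LINKING_PERMISSIONS
    return perms


def audit_role(granted, integrations, include_ui_linking: bool = False) -> dict[str, list[str]]:
    """Compare a role's granted permissions with the documented minimum.

    'missing' will silently break data collection for that integration;
    'excess' is anything beyond the minimum, i.e. a least-privilege finding.
    """
    need = required_permissions(integrations, include_ui_linking)
    have = set(granted)
    return {"missing": sorted(need - have), "excess": sorted(have - need)}


def role_yaml(title: str, integrations, include_ui_linking: bool = False) -> str:
    """Render the role in the YAML layout that `gcloud iam roles create --file` reads."""
    lines = [
        f"title: {title}",
        "description: Minimum permissions for the New Relic GCP integrations",
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in sorted(required_permissions(integrations, include_ui_linking))]
    return "\n".join(lines) + "\n"


# Constructed sample: a hand-built role for BigQuery and Compute Engine that
# forgot compute.disks.get and accidentally kept a write permission.
SAMPLE_GRANTED = [
    "monitoring.timeSeries.list",
    "bigquery.datasets.get", "bigquery.tables.get", "bigquery.tables.list",
    "compute.instances.list", "compute.disks.list",
    "compute.instances.delete",
]

if __name__ == "__main__":
    print(audit_role(SAMPLE_GRANTED, ["BigQuery", "Compute Engine"]))
    print(role_yaml("New Relic Monitoring", ["BigQuery", "Compute Engine"]))
```

In practice you would feed `audit_role` the `includedPermissions` list from `gcloud iam roles describe` for the existing custom role, and write the output of `role_yaml` to a file for `gcloud iam roles create` or `gcloud iam roles update --file`; the integration names used as keys here are the example's own shorthand for the entries in the table above.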
