To read the relevant data from your Google Cloud Platform (GCP) account, New Relic uses the Google Stackdriver API (now the Cloud Monitoring API) and the APIs of the individual services being monitored. To access these APIs in your Google Cloud project, the New Relic authorized account must be granted a specific set of permissions; GCP grants permissions through IAM roles.
By default we recommend the GCP basic role (formerly called a primitive role) Project Viewer (roles/viewer), which grants "permissions for read-only actions that do not affect your cloud infrastructure state, such as viewing (but not modifying) existing resources or data." This role is managed by Google and is updated automatically when new Google Cloud services are released or modified, so it keeps working as integrations are added. Note that it is broad: it allows reading resource data across the whole project, not only the monitoring and inventory data New Relic collects, so treat it as the convenient default rather than a least-privilege grant.
Alternatively, you can create your own custom role based on the list of permissions below, which specifies the minimum set of permissions required to fetch data from each GCP integration. This gives you more control over the permissions granted to the New Relic authorized account.
New Relic has no way of identifying problems related to custom permissions: if a required permission is missing, the affected integration simply stops collecting data and New Relic cannot tell you why. If you choose to create a custom role, it is your responsibility to maintain it (including when new integrations are enabled) and to ensure the proper data is being collected.
To customize your role you need to:
- Create a Google Cloud IAM custom role in each GCP project you want to monitor with New Relic.
- In each custom role, add the permissions that are specifically required for the cloud services you want to monitor, taken from the list below.
- Assign the custom role(s) to the New Relic authorized account.
List of permissions
All integrations need the following permission:
For some GCP integrations, New Relic will also need the following permissions, mainly to collect labels and inventory attributes.
Integrations and their additional permissions:
- Google App Engine: n/a; Google App Engine does not require additional permissions.
- Google BigQuery
- Google Cloud Functions
- Google Cloud Load Balancing: n/a; Google Cloud Load Balancing does not require additional permissions.
- Google Cloud Pub/Sub
- Google Cloud Spanner
- Google Cloud SQL
- Google Cloud Storage
- Google Compute Engine
- Google Kubernetes Engine
To be able to see the list of projects that you can link to New Relic through the UI, your New Relic authorized service account needs the following permissions:
If you do not want to grant the New Relic authorized account the permissions needed for the linking process through the UI, you have the following options:
- Assign the Monitoring Viewer role to the authorized account initially, link the Google Cloud projects to New Relic through the UI, and then replace it with your Google Cloud custom role (remove the Monitoring Viewer binding once the custom role is in place, so the account does not keep both).
- Use New Relic NerdGraph to link Google Cloud projects to New Relic. This does not involve listing the viewable projects, but you must know the id of each project you want to monitor. For more information, see the NerdGraph GraphiQL cloud integrations API tutorial.
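The following script is an added example, not New Relic's own tooling, and shows the custom-role procedure described above (create a role per project, add permissions, bind it to the authorized account) together with the cleanup step for the temporary Monitoring Viewer option: it writes a role definition file, emits the gcloud commands to create and bind the role in each project, removes the Monitoring Viewer binding, and lists the roles the account still holds so you can verify the result. The service-account email, project IDs and role id are placeholders, and the two permission names in the demo are real GCP permissions used only to illustrate the file format; the actual permission set must come from the list on this page. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them with an authenticated gcloud.

```shell
#!/bin/sh
# Added example (not New Relic code): build a custom IAM role for the New Relic
# authorized account and emit the gcloud commands to create, bind and verify it.
# Assumptions: NR_ACCOUNT, the project IDs and ROLE_ID are placeholders; the
# permission names used in demo() are illustrative, not the page's required set.

NR_ACCOUNT="${NR_ACCOUNT:-newrelic-monitoring@example-project.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-newrelicMonitoring}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of running them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Write a role definition usable with `gcloud iam roles create --file`.
# $1 = output path; remaining arguments = IAM permission names, one per argument.
write_role_yaml() {
  out="$1"; shift
  [ "$#" -gt 0 ] || { echo "write_role_yaml: no permissions given" >&2; return 1; }
  {
    echo "title: New Relic monitoring (read-only)"
    echo "description: Minimum permissions for the New Relic GCP integrations"
    echo "stage: GA"
    echo "includedPermissions:"
    for p in "$@"; do echo "- $p"; done
  } > "$out"
}

# Create the custom role in one project and bind it to the New Relic account.
# Project-level custom roles are referenced as projects/PROJECT/roles/ROLE_ID.
create_and_bind_role() {
  project="$1"; yaml="$2"
  run gcloud iam roles create "$ROLE_ID" --project="$project" --file="$yaml"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$NR_ACCOUNT" \
    --role="projects/$project/roles/$ROLE_ID"
}

# List every role bound to the New Relic account in a project, so you can confirm
# that only the custom role remains (for example, that roles/viewer is gone).
list_account_roles() {
  project="$1"
  run gcloud projects get-iam-policy "$project" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$NR_ACCOUNT" \
    --format="value(bindings.role)"
}

# If Monitoring Viewer was granted temporarily so the projects could be linked in
# the New Relic UI, remove that binding once the custom role is in place.
drop_monitoring_viewer() {
  project="$1"
  run gcloud projects remove-iam-policy-binding "$project" \
    --member="serviceAccount:$NR_ACCOUNT" \
    --role="roles/monitoring.viewer"
}

# Demo: two placeholder projects, dry run, illustrative permissions only.
demo() {
  yaml="$(mktemp)"
  write_role_yaml "$yaml" monitoring.timeSeries.list compute.instances.list || return 1
  for project in example-project-a example-project-b; do
    create_and_bind_role "$project" "$yaml"
    drop_monitoring_viewer "$project"
    list_account_roles "$project"
  done
  echo "role definition written to $yaml"
}
demo
```

Run it once per set of projects; because the custom role is created per project, any permission you later add to the list has to be applied to every project's copy of the role, which is the maintenance burden the page warns about when choosing a custom role over Project Viewer.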