Integrations and custom roles

To read the relevant data from your Google Cloud Platform (GCP) account, New Relic uses the Google Stackdriver API and the APIs of some other specific services. To access these APIs in your Google Cloud project, the New Relic authorized account needs to be granted a certain set of permissions; GCP uses roles to grant these permissions.

By default we highly recommend using the GCP primitive role Project Viewer, which grants “permissions for read-only actions that do not affect your cloud infrastructure state, such as viewing (but not modifying) existing resources or data.” This role is automatically managed by Google and updated when new Google Cloud services are released or modified.

Please refer to Understanding Roles in the Google Cloud documentation for more details.

Optional role

Alternatively, you can create your own custom role based on the list of permissions, which specifies the minimum set of permissions required to fetch data from each GCP integration. This will allow you to have more control over the permissions set for the New Relic authorized account.

New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom role, it is your responsibility to maintain it and ensure proper data is being collected.

To customize your role you need to:

  1. Create a Google Cloud IAM Custom Role in each one of the GCP projects you want to monitor with New Relic.
  2. In each custom role, add the permissions that are specifically required for the cloud services you want to monitor according to the following list.
  3. Assign the custom role(s) to the New Relic authorized account.

All integrations need the following permission:

  • monitoring.timeSeries.list

For some GCP integrations, New Relic will also need the following permissions, mainly to collect labels and inventory attributes:

Integration Permissions
Google BigQuery
  • bigquery.datasets.get
  • bigquery.tables.get
  • bigquery.tables.list
Google Cloud Functions
  • cloudfunctions.locations.list
Google Cloud Pub/Sub
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.get
  • pubsub.topics.list
Google Cloud Spanner
  • spanner.instances.list
  • spanner.databases.list
  • spanner.databases.getDdl
Google Cloud SQL
  • cloudsql.instances.list
Google Cloud Storage
  • storage.buckets.list
Google Compute Engine
  • compute.instances.list
  • compute.disks.get
  • compute.disks.list
Google Kubernetes Engine
  • container.clusters.list

Google AppEngine and Google Cloud Load Balancing do not require additional permissions.

To be able to see the list of projects that you can link to New Relic Infrastructure through the UI, your New Relic authorized service account needs the following permissions:

  • resourcemanager.projects.get
  • monitoring.monitoredResourceDescriptors.list

If you don’t want to grant the New Relic authorized account the permissions that are needed for the linking process through the UI, you have the following options:

  • Assign the Project Viewer or Monitoring Viewer role initially to the authorized account to link Google Cloud projects to New Relic through the UI. After the projects are linked, assign a Google Cloud custom role to the authorized account.
  • Use the New Relic GraphQL API to link Google Cloud projects to New Relic, which doesn’t involve listing the viewable projects. This requires that you know the ID of the project you want to monitor.
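
The custom-role steps and permission lists above, as an added example (not New Relic's or Google's code): it builds the role body for a chosen set of integrations and audits an existing role for missing or excess permissions. The short integration keys, the role title and the function names are assumptions made for this example.

```python
import json

# Permissions copied from the list on this page; the short keys are names
# made up for this example.
BASE = {"monitoring.timeSeries.list"}  # required by every integration
PER_INTEGRATION = {
    "bigquery": {"bigquery.datasets.get", "bigquery.tables.get",
                 "bigquery.tables.list"},
    "cloudfunctions": {"cloudfunctions.locations.list"},
    "pubsub": {"pubsub.subscriptions.get", "pubsub.subscriptions.list",
               "pubsub.topics.get", "pubsub.topics.list"},
    "spanner": {"spanner.instances.list", "spanner.databases.list",
                "spanner.databases.getDdl"},
    "cloudsql": {"cloudsql.instances.list"},
    "storage": {"storage.buckets.list"},
    "compute": {"compute.instances.list", "compute.disks.get", "compute.disks.list"},
    "gke": {"container.clusters.list"},
    "appengine": set(), "loadbalancing": set(),  # no additional permissions
}
# Only needed to list linkable projects in the New Relic UI.
UI_LINKING = {"resourcemanager.projects.get", "monitoring.monitoredResourceDescriptors.list"}

def required_permissions(integrations, ui_linking=False):
    """Minimum permission set for the chosen integrations."""
    unknown = set(integrations) - set(PER_INTEGRATION)
    if unknown:
        raise ValueError(f"unknown integration(s): {sorted(unknown)}")
    perms = BASE.union(*(PER_INTEGRATION[n] for n in integrations))
    return perms | UI_LINKING if ui_linking else perms

def role_definition(integrations, ui_linking=False):
    """Role body with the fields of a GCP custom role definition file."""
    return {
        "title": "New Relic read-only (custom)",  # constructed title
        "description": "Minimum permissions for New Relic GCP integrations",
        "stage": "GA",
        "includedPermissions": sorted(required_permissions(integrations, ui_linking)),
    }

def audit_role(described_role, integrations, ui_linking=False):
    """Compare a role's includedPermissions with the required set:
    'missing' means data will not be collected, 'extra' is excess privilege."""
    have = set(described_role.get("includedPermissions", []))
    need = required_permissions(integrations, ui_linking)
    return {"missing": sorted(need - have), "extra": sorted(have - need)}

if __name__ == "__main__":
    print(json.dumps(role_definition(["compute", "storage"]), indent=2))
```

The dictionary from `role_definition` can be saved as JSON and passed to `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.json`. `audit_role` takes the parsed output of `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`.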
