To read the relevant data from your Google Cloud Platform (GCP) account, New Relic uses the Google Stackdriver API along with the APIs of other specific services. To access these APIs in your Google Cloud project, the New Relic authorized account needs to be granted a certain set of permissions; GCP uses roles to grant these permissions.
By default, we highly recommend using the GCP primitive role Project Viewer, which grants "permissions for read-only actions that do not affect your cloud infrastructure state, such as viewing (but not modifying) existing resources or data." This role is automatically managed by Google and updated when new Google Cloud services are released or modified.
Alternatively, you can create your own custom role based on the list of permissions, which specifies the minimum set of permissions required to fetch data from each GCP integration. This will allow you to have more control over the permissions set for the New Relic authorized account.
New Relic has no way of identifying problems related to custom permissions. If you choose to create a custom role, it is your responsibility to maintain it and ensure proper data is being collected.
To customize your role you need to:
- Create a Google Cloud IAM Custom Role in each one of the GCP projects you want to monitor with New Relic.
- In each custom role, add the permissions that are specifically required for the cloud services you want to monitor according to the following list.
- Assign the custom role(s) to the New Relic authorized account.
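
Because a custom role has to be maintained by you in every monitored project, a periodic drift check is useful. The following is an added example, not New Relic's or Google's own code: it audits role definitions exported with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json` against a required permission set. The permission set, the project IDs and the role ID `newRelicReader` are constructed placeholders, and the read-only verb heuristic is an assumption.

```python
import json

# Constructed sample set; substitute the permissions listed for the
# integrations you actually monitor.
REQUIRED = frozenset({"monitoring.timeSeries.list", "compute.instances.list",
                      "storage.buckets.list"})
# Heuristic (assumption): a permission whose final segment is not one of
# these verbs may change state and deserves a manual review.
READ_ONLY_VERBS = {"get", "list"}


def audit_role(role_json, required=REQUIRED):
    """Compare one exported custom role against the required permissions."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    extra = granted - required
    return {
        "name": role.get("name", "<unnamed>"),
        # Missing permissions show up as silent gaps in collected data.
        "missing": sorted(required - granted),
        # Extra permissions widen access beyond the minimum set.
        "extra": sorted(extra),
        "review": sorted(p for p in extra
                         if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS),
        # A deleted or disabled role grants nothing even if still bound.
        "inactive": bool(role.get("deleted")) or role.get("stage") == "DISABLED",
    }


def audit_projects(exports, required=REQUIRED):
    """exports maps project ID -> role JSON; returns only roles with findings."""
    findings = {}
    for project, role_json in exports.items():
        result = audit_role(role_json, required)
        if result["missing"] or result["extra"] or result["inactive"]:
            findings[project] = result
    return findings


# Constructed exports for two hypothetical projects.
SAMPLE_EXPORTS = {
    "project-a": json.dumps({
        "name": "projects/project-a/roles/newRelicReader", "stage": "GA",
        "includedPermissions": sorted(REQUIRED)}),
    "project-b": json.dumps({
        "name": "projects/project-b/roles/newRelicReader", "stage": "GA",
        "includedPermissions": ["monitoring.timeSeries.list",
                                "compute.instances.list",
                                "compute.instances.delete"]}),
}
```

Calling `audit_projects(SAMPLE_EXPORTS)` reports only `project-b`, whose role lacks one required permission and carries a state-changing one.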