Docs » Connect to your cloud service provider » Connect to Google Cloud Platform » GCP authentication, permissions and supported regions

GCP authentication, permissions and supported regions 🔗

Prerequisites 🔗

You must be an administrator of your Splunk Observability Cloud organization to create a GCP connection.

Authenticate your Google account 🔗

You need your service account keys to be able to integrate your GCP services with Splunk Observability Cloud. Check the restrictions on your organization’s account keys before connecting to Splunk Observability Cloud.

For more information, refer to:

Authenticate using Workload Identity Federation 🔗

Alternatively, if you’re connecting to Splunk Observability Cloud using the API you can use GCP’s Workload Identity Federation (WIF) to access your Google Cloud resources and authenticate them. It’s safer, and with WIF you won’t have to export and rotate service account keys.

See how to authenticate with WIF in the Splunk Observability Cloud developer documentation at Integrate GCP .

GCP role permissions 🔗

You can use GCP’s Viewer role as it comes with the permissions you need for most scenarios.

Alternatively you can create a more restrictive role using the permissions in the table:

Permission

Required?

Included in GCP’s Viewer role?

compute.instances.list

Yes, if the Compute Engine service is activated

Yes

compute.machineTypes.list

Yes, if the Compute Engine service is activated

Yes

container.clusters.list

Yes, if the Kubernetes (GKE) service is activated

Yes

container.nodes.list

Yes, if the Kubernetes (GKE) service is activated

Yes

container.pods.list

Yes, if the Kubernetes (GKE) service is activated

Yes

monitoring.metricDescriptors.get

Yes

Yes

monitoring.metricDescriptors.list

Yes

Yes

monitoring.timeSeries.list

Yes

Yes

resourcemanager.projects.get

Yes, if you want to sync project metadata (such as labels)

Yes

serviceusage.services.use

Yes, if you either want to activate the use of a quota from the project where metrics are stored or sync cloud sql metadata

No, but included in roles/serviceusage.serviceUsageConsumer

spanner.instances.list

Yes, if the Spanner service is activated

Yes

storage.buckets.list

Yes, if the Spanner service is activated

Yes

cloudsql.databases.list

Yes, if the cloud sql service is activated

Yes

cloudsql.instances.list

Yes, if the cloud sql service is activated

Yes

pubsub.topics.list

Yes, if the pub/sub service is activated

Yes

pubsub.subscriptions.list

Yes, if the pub/sub service is activated

Yes

run.jobs.list

Yes, if the cloud run service is activated

Yes

run.revisions.list

Yes, if the cloud run service is activated

Yes

cloudasset.assets.searchAllResources

Yes, if the cloud run service is activated

Yes

cloudfunctions.functions.list

Yes, if the cloud functions service is activated

Yes

Supported regions 🔗

Splunk Observability Cloud supports all GCP regions.

This page was last updated on Nov 14, 2024.