GCP authentication, permissions and supported regions 🔗
Prerequisites 🔗
You must be an administrator of your Splunk Observability Cloud organization to create a GCP connection.
Authenticate your Google account 🔗
Authenticate using Workload Identity Federation (recommended) 🔗
Use Workload Identity Federation (WIF) to authenticate your GCP account in Splunk Observability Cloud. It’s safer, and with WIF you won’t have to export and rotate service account keys.
To set up Workload Identity Federation to authenticate Splunk Observability Cloud to access your GCP Cloud Monitoring data take these steps:
Follow the instructions in the Workload Identity Federation Setup Utils GitHub repo.
Run the Workload Identity Federation Setup Script or use the Terraform Setup Module .
To learn more refer to GCP’s Workload Identity Federation documentation.
Authenticate using Service Account Keys 🔗
Alternatively you can use your service account keys to integrate your GCP services with Splunk Observability Cloud. Before you proceed read Google’s official announcement on GCP permission policies at Introducing stronger default Org Policies for our customers .
To authenticate using your service account keys go to the GCP console and follow these steps:
From the sidebar, select , then .
Go to Create Service Account at the top of the screen, complete the following fields, and select CREATE.
Service account name. Enter
Splunk.Service account ID. This field autofills after you enter
Splunkfor Service account name.Service account description. Enter the description for your service account.
Select a role to grant this Service account access to the selected project, then select CONTINUE.
Activate Key type JSON, and select CREATE. A new service account key JSON file is then downloaded to your computer. You will need this key to authenticate in the Import Service Account Key step in Splunk Observability Cloud.
In a new window or tab, go to Cloud Resource Manager API , and activate the Cloud Resource Manager API. You need to activate this API so Splunk Observability Cloud can use it to validate permissions on the service account keys.
For more information, refer to GCP’s docs on Service account keys .
GCP role permissions 🔗
You can use GCP’s Viewer role as it comes with the permissions you need for most scenarios.
Alternatively you can create a more restrictive role using the permissions in the table:
Permission |
Required? |
Included in GCP’s Viewer role? |
|---|---|---|
|
Yes, if the Compute Engine service is activated |
Yes |
|
Yes, if the Compute Engine service is activated |
Yes |
|
Yes, if the Kubernetes (GKE) service is activated |
Yes |
|
Yes, if the Kubernetes (GKE) service is activated |
Yes |
|
Yes, if the Kubernetes (GKE) service is activated |
Yes |
|
Yes |
Yes |
|
Yes |
Yes |
|
Yes |
Yes |
|
Yes, if you want to sync project metadata (such as labels) |
Yes |
|
Yes, if you either want to activate the use of a quota from the project where metrics are stored or sync cloud sql metadata |
No, but included in |
|
Yes, if the Spanner service is activated |
Yes |
|
Yes, if the Spanner service is activated |
Yes |
|
Yes, if the cloud sql service is activated |
Yes |
|
Yes, if the cloud sql service is activated |
Yes |
|
Yes, if the pub/sub service is activated |
Yes |
|
Yes, if the pub/sub service is activated |
Yes |
|
Yes, if the cloud run service is activated |
Yes |
|
Yes, if the cloud run service is activated |
Yes |
|
Yes, if the cloud run service is activated |
Yes |
|
Yes, if the cloud functions service is activated |
Yes |
Supported regions 🔗
Splunk Observability Cloud supports all GCP regions.