4

I am using the Golang library cloud.google.com/go/logging and want to send runtime logging.

Already have a GOOGLE_APPLICATION_CREDENTIALS .json file - and am using google storage and firebase - so I know the credentials are working.

With logging, I get an error "Error 403: The caller does not have permission, forbidden"

The account in the application credentials is a service account and I have been looking at the IAM permissions. There is not an obvious permission for logging (there are other stackdriver permissions, for debug, trace etc but these don't seem to work).

So assuming I am in the right place so far - what permissions does the service account need in order to send logging data to stackdriver logging?

richp10

2 Answers

7

If we look at the API for writing entries to a log, we find that the IAM permission logging.logEntries.create is required.

A more detailed article can be found at Access control guide.

This describes a variety of roles including:

  • roles/logging.logWriter
Kolban
  • I think you are right; my problem is finding where to select this on the web console. I found the logging admin right but nothing more granular - which is working for now. Guess I need to install the command line tool so I can set the more restricted permissions. Thanks though.. – richp10 Feb 18 '20 at 15:32
  • But Neil, how did you map from the IAM permission to various roles that include that permission? Text search in the documentation page? – Cheeso Jan 26 '22 at 22:54
  • 1
    @Cheeso - Pretty much. Knowing that I wanted the "permission" known as logging.logEntries.create, I then found the page that lists all the pre-curated roles and looked for a role that contains the permission ... that list of roles was found here: https://cloud.google.com/logging/docs/access-control Remember that these roles are merely the Google curated roles ... you can always create your own role with whichever permissions you like (not recommended). – Kolban Jan 30 '22 at 05:20
2

According to the official documentation:

Using Stackdriver Logging library for Go requires the Cloud IAM Logs Writer role on Google Cloud. Most Google Cloud environments provide this role by default.

1. App Engine grants the Logs Writer role by default.

2. On Google Kubernetes Engine, you must add the logging.write access scope when creating the cluster.

3. When using Compute Engine VM instances, add the cloud-platform access scope to each instance.

4. To use the Stackdriver Logging library for Go outside of Google Cloud, including running the library on your own workstation, on your data center's computers, or on the VM instances of another cloud provider, you must supply your Google Cloud project ID and appropriate service account credentials directly to the Stackdriver Logging library for Go.

You can create and obtain service account credentials manually. When specifying the Role field, use the Logs Writer role. For more information on Cloud Identity and Access Management roles, go to Access control guide.

Setting Up Stackdriver Logging for Go

# list the service accounts in the project to find the one named in the credentials file
gcloud iam service-accounts list
# grant that service account the Logs Writer role on the project
gcloud projects add-iam-policy-binding my-project-123 \
    --member serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com \
    --role roles/logging.logWriter
marian.vladoi
  • It is scenario 4 and the permission is not set by default. As I mention to the comment below, I think you are correct on the permission but I cannot see where to do this on the web interface but found Logging Admin which is working for now - and I will install the gcloud tool later to refine as you suggest. Thanks for your help. – richp10 Feb 18 '20 at 15:33
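As an added example (not code from the question, either answer, or the cloud.google.com/go/logging library), here is a small Go program that checks the point both answers make from the least-privilege side: given an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, does the service account hold a role that carries `logging.logEntries.create`, and is that role broader than `roles/logging.logWriter`? The two policy documents, the `user:auditor@example.com` member and the abbreviated role-to-permission table are constructed for the example; `CheckLogWriteAccess`, `BindingCommand` and the `Report` type are hypothetical helpers, not gcloud or library APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// RequiredPermission is the IAM permission the Logging API checks when
// writing entries (the permission named in the first answer).
const RequiredPermission = "logging.logEntries.create"

// LeastPrivilegeRole is the predefined role that grants only log writing.
const LeastPrivilegeRole = "roles/logging.logWriter"

// rolePermissions is a constructed subset of the predefined-role table:
// only permissions relevant to this check are listed, real roles carry more.
var rolePermissions = map[string][]string{
	"roles/logging.logWriter":   {"logging.logEntries.create"},
	"roles/logging.admin":       {"logging.logEntries.create", "logging.logEntries.list", "logging.sinks.create"},
	"roles/logging.viewer":      {"logging.logEntries.list"},
	"roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.get"},
}

type binding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}

type policy struct {
	Bindings []binding `json:"bindings"`
}

// Report summarises what the policy grants to one member (hypothetical type).
type Report struct {
	CanWriteLogs  bool     // some held role carries RequiredPermission
	GrantingRoles []string // the roles that carry it, in policy order
	Overbroad     []string // granting roles other than LeastPrivilegeRole
}

func hasPermission(role, perm string) bool {
	for _, p := range rolePermissions[role] {
		if p == perm {
			return true
		}
	}
	return false
}

// CheckLogWriteAccess evaluates the policy for one member such as
// "serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com".
// Conditional bindings and custom roles are not modelled here.
func CheckLogWriteAccess(policyJSON []byte, member string) (Report, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return Report{}, fmt.Errorf("parse policy: %w", err)
	}
	var r Report
	for _, b := range p.Bindings {
		for _, m := range b.Members {
			if m != member || !hasPermission(b.Role, RequiredPermission) {
				continue
			}
			r.CanWriteLogs = true
			r.GrantingRoles = append(r.GrantingRoles, b.Role)
			if b.Role != LeastPrivilegeRole {
				r.Overbroad = append(r.Overbroad, b.Role)
			}
		}
	}
	return r, nil
}

// BindingCommand renders the gcloud invocation from the answer above that
// grants the narrow role instead of a broader one.
func BindingCommand(project, member string) string {
	return fmt.Sprintf("gcloud projects add-iam-policy-binding %s --member %s --role %s",
		project, member, LeastPrivilegeRole)
}

// Constructed policies: the questioner's starting point (storage only, so the
// Logging API answers 403) and the interim fix (Logging Admin).
const policyBefore = `{"bindings":[
  {"role":"roles/storage.objectAdmin","members":["serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com"]},
  {"role":"roles/logging.viewer","members":["user:auditor@example.com"]}]}`

const policyAfter = `{"bindings":[
  {"role":"roles/storage.objectAdmin","members":["serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com"]},
  {"role":"roles/logging.admin","members":["serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com"]}]}`

func main() {
	sa := "serviceAccount:my-sa-123@my-project-123.iam.gserviceaccount.com"
	for _, c := range []struct{ name, pol string }{{"before", policyBefore}, {"after", policyAfter}} {
		r, err := CheckLogWriteAccess([]byte(c.pol), sa)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: canWrite=%v granting=%v overbroad=%v\n", c.name, r.CanWriteLogs, r.GrantingRoles, r.Overbroad)
		if !r.CanWriteLogs || len(r.Overbroad) > 0 {
			fmt.Println("  suggested:", BindingCommand("my-project-123", sa))
		}
	}
}
```

The first policy reproduces the 403 situation (no role on the account carries the permission), and the second shows the interim Logging Admin grant being flagged as broader than the job needs, with the `add-iam-policy-binding` command from the answer as the narrower replacement.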