Configuring google-cloud-dotnet for a desktop application

[manxjason]

With the below configuration I receive 'StatusCode=PermissionDenied, Detail="The caller does not have permission"'.

The service account related to the CredentialFile has the 'Logs Writer Role' assigned.

The configuration:

GoogleStackdriverTarget googleTarget = new GoogleStackdriverTarget { ProjectId = "the-project-id", Name = "this can be anything", CredentialFile = Path.Combine(@"C:\Users\Jason\Downloads\the-generated-filename.json"), ResourceType = "logging_log" };

Is the ResourceType correct for Stackdriver Logging? With the .json file containing sensitive information, deploying this as part of a desktop application doesn't make sense. What is the practice to secure this?

Cheers

[jskeet]

Using Stackdriver Logging for a desktop application is somewhat unusual - fundamentally you'd have to provide some credentials that have permission to write the logs, whether they're service account credentials or not.

I don't know much about the ResourceType part, but if you don't set it manually, it will be auto-detected to "global" in this case. I wonder whether setting it manually is what's causing the credential problem.

[jskeet]

(Assigned to Chris as he knows more about NLog, as far as I'm aware.)

[manxjason]

Thanks Jon, yes I appreciate desktop usage may not be the regular usage - we're 'trying' to centralize all of our estate to a single provider.

Not setting the ResourceType results in the same credential problem.

[jskeet]

Hmm. I would probably first try to run the same code with a service account with complete privileges on a test project. It may be that the roles required aren't obvious. Chris may well know more, and @amanda-tarafa may also have more information. (This is the area within this repo where I know least.)

[manxjason]

@jskeet Your suggestion to use a new service account with full logging privileges (Logging > Logging Admin) has worked, which is interesting as the description for each of the other Logging related roles shouldn't affect general log writing.

[chrisdunelm]

I'm also confused as to why just using the "Log Writers" role didn't work. Having just read the docs it does appear that this should be sufficient.

[manxjason]

To perform the test I created a new test service account with a single role, 'Logging Admin'. I just tried using that same test account but reducing permissions to 'Log Writer', and it continued working.

So, it looks to me like the issue is actually related to either inherited permissions (or lack of) or the fact that the original user account has more than 1 role assigned to it (Stackdriver Debugger Agent and Monitoring Metric Writer).

I'll continue to investigate the culprit, but it's outside of this issue.

My only remaining question within this issue is surrounding the security of the .json file. Ideally I'd prefer to specify those details in code rather than shipping a separate file. Any thoughts on using Stackdriver within a desktop application?

[jskeet]

Ideally I'd prefer to specify those details in code rather than shipping a separate file.

Well you could use an embedded resource, but that's really no more secure. Fundamentally, if the user machine is performing a call directly to Stackdriver, it has to have suitable credentials for that. If you don't want users to have those credentials, but if they have some other credentials for your application, you could implement some sort of logging proxy where they call a logging API that you create server-side (which could look just like Stackdriver) and then you pass that on to Stackdriver.

Another alternative would be to have a service which returned oauth tokens just for Stackdriver logging - the application could call that to get the token, and then use it for further calls. But that's not very different from just providing the auth credentials for a limited-access user anyway, really.

[manxjason]

Appreciate the help/guidance