The current section on adding a Service Account to promtail doesn't explain where Promtail is looking for credentials. It briefly mentions a link to a gcp config but that section has no mention of adding a GCP Service Account from the scrape job.
Current section
# ServiceAccount for Promtail
We need a service account with the following permissions:
pubsub.subscriber
This enables Promtail to read log entries from the pubsub subscription created before.
You can find an example for Promtail scrape config for gcplog [here](https://grafana.com/docs/loki/latest/send-data/promtail/scraping/#gcp-log-scraping)
If you are scraping logs from multiple GCP projects, then this serviceaccount should have above permissions in all the projects you are tyring to scrape.
It would be great to also write a section on how to add the service account, should we modify the existing ServiceAccount with an annotation for GCP? Or can we add it directly in the scrape config?
Is it perhaps this that should be added?
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
The current section on adding a Service Account to promtail doesn't explain where Promtail is looking for credentials. It briefly mentions a link to a gcp config but that section has no mention of adding a GCP Service Account from the scrape job.
Current section
It would be great to also write a section on how to add the service account, should we modify the existing ServiceAccount with an annotation for GCP? Or can we add it directly in the scrape config?
Is it perhaps this that should be added?
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token