grafana / loki

Like Prometheus, but for logs.
https://grafana.com/loki
GNU Affero General Public License v3.0

Docs feedback: /docs/sources/send-data/promtail/cloud/gcp/_index.md #10756

Open mackattack3k opened 11 months ago

mackattack3k commented 11 months ago

The current section on adding a Service Account to Promtail doesn't explain where Promtail is looking for credentials. It briefly mentions a link to a GCP config, but that section has no mention of adding a GCP Service Account from the scrape job.

Current section

> # ServiceAccount for Promtail
> We need a service account with the following permissions:
>
> - pubsub.subscriber
>
> This enables Promtail to read log entries from the pubsub subscription created before.
>
> You can find an example for Promtail scrape config for gcplog [here](https://grafana.com/docs/loki/latest/send-data/promtail/scraping/#gcp-log-scraping)
>
> If you are scraping logs from multiple GCP projects, then this serviceaccount should have above permissions in all the projects you are trying to scrape.

It would be great to also write a section on how to add the service account. Should we modify the existing ServiceAccount with an annotation for GCP? Or can we add it directly in the scrape config?

Is it perhaps this that should be added? `bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token`

huozhirui commented 10 months ago

I have also encountered this problem. How do you configure accounts with permissions to Promtail?