Restrict IAM service account to a particular Google Stackdriver Log

I'm planning to have several instances of my application in GKE and am thinking about using Google Stackdriver for audit logging. However, from what I can see in the Access Control docs (https://cloud.google.com/logging/docs/access-control) the logWriter role applies to an entire project. I obviously only want to allow each instance to be able to write to its own log. Is this possible?

My plan is to send logs from Stackdriver to BigQuery. A possibility is to send to BigQuery directly but it doesn't seem possible to restrict accounts to insert-only. Another is a separate project per application (GKE namespace) - but this seems overly complex and not a recommended way to do things.

Thanks!

728x90

1 Answers Restrict IAM service account to a particular Google Stackdriver Log

For each instance on GCE/GKE cluster you have the possibility of enabling or disabling the logging capabilities. For individual GCE instances you can choose to disable access to the API or to use a service account with the ‘logwriter’ role only when creating an instance [1].

For GKE, you can enable/disable access to the Stackdriver Logging API all together and trickle down to the node pool instances. The way that works is simply that the ‘fluentd’ pod will send logs to the stackdriver API using the node's service account.

As per sending the logs from Stackdriver to Bigquery, you are taking about a Sink [2]. A Sinkwill create a new service account, called a unique writer identity and your export destination (BigQuery) must permit this service account to write log entries as explained at [3]

[1]https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances?hl=en_US&_ga=2.210364631.-390700867.1538154355 [2]https://cloud.google.com/logging/docs/export/configure_export_v2 [3]https://cloud.google.com/logging/docs/export/configure_export_v2#dest-auth

6 months ago