Managing and Configuring Google Cloud Agents
This section introduces you to the Foglight Hybrid Cloud Manager for Google Cloud environment and provides you with essential information.
This section covers the following key areas:
Generating Google Cloud Service Account File
To create and generate a Google Cloud Service Account file through the Google Cloud console:
- Go to the Google Cloud Platform console: https://console.cloud.google.com/.
- Navigate to menu Home > IAM & Admin > Service Accounts.
- Locate the Service account and click in the Actions column. Click Create key.
- Click Create on the popup page and save the private key in a JSON file.
Getting the BigQuery Table ID
To get the BigQuery Table ID from Google Cloud Platform console:
- Go to the Google Cloud Platform console: https://console.cloud.google.com/.
- Click Billing on the navigation bar, and then select Billing export.
- Click the target Dataset name and drill down to the dataset on the BigQuery page. Click on the Details sub tab and get the Table ID.
Service Account Permissions
Foglight uses a service account to monitor Google Cloud. Each RESTful API provided by Google Cloud requires that the service account has the corresponding permissions.
- For Compute Engine monitoring:
The viewer roles are required.
- For Cost monitoring, the following roles are required:
- Billing Account Viewer
- BigQuery user
- BigQuery dataViewer
- For Automatically Install Stackdriver, the following roles are required:
- compute.osAdminLogin
- iam.serviceAccountUser
- compute.instanceAdmin.v1
- compute.osLogin
- compute.securityAdmin
To grant permissions to the service account, do either of the following:
- Grant permissions manually.
Manually grant roles to the service account for each project and billing account.
- Grant permissions by script.
Use the gcloud CLI, which is a part of the Google Cloud SDK, to grant permissions automatically.
a. Install the gcloud CLI from https://cloud.google.com/sdk/docs/downloads-interactive and run the following to initialize it:
gcloud beta auth application-default login
b. Get the script at directory:
{foglight_home}\fglam\agents\GoogleCloudAgent\{google_cloud_version}\script
c. Execute the grantProjectRoleToServiceAccount script to grant the role to the service account on the specified projects or on all projects. The script takes two parameters:
- Parameter 1 is mandatory: -s, of type String, represents the service account.
- Parameter 2 is optional: -p, of type String Array, represents the projects you want to monitor. If this parameter is not specified, the script grants the role on all projects to the service account.
Refer to the following two examples for each operating system:
- For Windows (PowerShell):
Example 1: .\grantProjectRoleToServiceAccount.ps1 -s XXXX@foglight.iam.gserviceaccount.com -p @('foglight','db','windows')
Example 2: .\grantProjectRoleToServiceAccount.ps1 -s XXXX@foglight.iam.gserviceaccount.com
- For Linux (Bash):
Example 1: bash grantProjectRoleToServiceAccount.sh -s XXXX@foglight.iam.gserviceaccount.com -p "foglight,db"
Example 2: bash grantProjectRoleToServiceAccount.sh -s XXXX@foglight.iam.gserviceaccount.com
d. Execute the grantBillingAccountRoleToServiceAccount script to grant the role to the service account on the specified billing accounts or on all billing accounts. The script takes two parameters:
- Parameter 1 is mandatory: -s, of type String, represents your service account.
- Parameter 2 is optional: -b, of type String Array, represents the billing accounts you want to monitor. If this parameter is not specified, the script grants the role on all billing accounts to the service account.
Refer to the following two examples for each operating system:
- For Windows (PowerShell):
Example 1: .\grantBillingAccountRoleToServiceAccount.ps1 -s XXXX@foglight.iam.gserviceaccount.com -b @('015A1D-A50154-232131','015A1D-A50154-232133')
Example 2: .\grantBillingAccountRoleToServiceAccount.ps1 -s XXXX@foglight.iam.gserviceaccount.com
- For Linux (Bash):
Example 1: bash grantBillingAccountRoleToServiceAccount.sh -s XXXX@foglight.iam.gserviceaccount.com -b "015A1D-A50154-232131,0196A2-C4659B-3461DA"
Example 2: bash grantBillingAccountRoleToServiceAccount.sh -s XXXX@foglight.iam.gserviceaccount.com
- If you don’t want to install the Google Cloud SDK, execute the Bash script in Google Cloud Shell:
a. Open Google Cloud Shell through the following link: https://cloud.google.com/shell.
b. Get the script at directory:
{foglight_home}\fglam\agents\GoogleCloudAgent\{google_cloud_version}\script
c. Upload the grantProjectRoleToServiceAccount.sh file to the console.
d. Execute the Bash script.
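To confirm what the grant scripts actually bound, the check below (an added example, not part of Foglight or its scripts) compares a project's IAM policy, as exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, against the project-level roles listed above and reports roles that are missing or go beyond what the enabled features need. The `roles/...` identifiers, the mapping of "viewer roles" to `roles/compute.viewer`, the feature names and the sample policy are assumptions constructed for illustration.

```python
import json

# Project-level role IDs for the role names listed on this page.
# Assumptions: the "roles/" prefix form, and roles/compute.viewer for "viewer roles".
# Billing Account Viewer is bound on the billing account, so it is not checked here.
REQUIRED = {
    "compute_monitoring": {"roles/compute.viewer"},
    "cost_monitoring": {"roles/bigquery.user", "roles/bigquery.dataViewer"},
    "stackdriver_install": {
        "roles/compute.osAdminLogin", "roles/iam.serviceAccountUser",
        "roles/compute.instanceAdmin.v1", "roles/compute.osLogin",
        "roles/compute.securityAdmin",
    },
}

def roles_for(policy, email):
    """Return the set of roles bound to the service account in one IAM policy."""
    member = "serviceAccount:" + email
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policy, email, features):
    """Compare granted roles with the roles the enabled features need."""
    needed = set().union(*(REQUIRED[f] for f in features))
    granted = roles_for(policy, email)
    return {"missing": sorted(needed - granted),
            "unexpected": sorted(granted - needed)}

# Constructed sample policy (not real output); XXXX is the page's placeholder.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.viewer",
   "members": ["serviceAccount:XXXX@foglight.iam.gserviceaccount.com"]},
  {"role": "roles/bigquery.user",
   "members": ["serviceAccount:XXXX@foglight.iam.gserviceaccount.com",
               "user:admin@example.com"]},
  {"role": "roles/compute.securityAdmin",
   "members": ["serviceAccount:XXXX@foglight.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]}
]}
""")

if __name__ == "__main__":
    sa = "XXXX@foglight.iam.gserviceaccount.com"
    # Agent created with Stackdriver auto-install turned off.
    print(audit(SAMPLE_POLICY, sa, ["compute_monitoring", "cost_monitoring"]))
```

An "unexpected" entry for a Stackdriver-install role on an agent that has that option cleared is a candidate for removal from the service account.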
Creating a Google Cloud Agent
To create a Google Cloud agent:
- Log in to the Foglight browser interface.
- On the Welcome page, click Monitor Cloud or click Cloud Manager in the left navigation panel.
The Cloud Manager dashboard opens.
- On the Cloud Manager dashboard, click Google Cloud > Administration, and then click Create Google Cloud Agent.
A Google Cloud Setup Wizard dialog box opens.
- In the Select Agent Manager view, select the agent manager on which the new agent is to be deployed, and then click Next.
- In the Agent Info view, specify the following values, and then click Next.
- Agent Name: Specify a name for the agent.
- Configure Proxy (Optional):
Configure the proxy setting when the Agent Host requires a proxy connection to the Internet.
- Configure BigQuery Dataset Table ID to Monitor:
Enter the BigQuery Table ID according to the Google Cloud Platform console. To get the BigQuery Table ID from Google Cloud Platform console, refer to Getting the BigQuery Table ID.
- Automatically Install Stackdriver to VM Instances
This option is selected by default. It installs the Stackdriver agent to collect memory metrics.
- In the Credential Verification view, do either of the following:
- Select Create a new Google Cloud Credential and click Next. A Create New Credential dialog box appears.
a. In the Credential Name field, enter the credential name.
b. Click Load from file to upload the JSON file generated from the Google Cloud Platform console. For more information, refer to Generating Google Cloud Service Account File.
c. Select the lockbox to contain the credential.
- Select Use an existing Google Cloud credential and click Next. Select an existing credential and click Next.
- When the Summary view appears, click Finish.
- A popup message indicates that the new Google Cloud agent is created successfully. The agent list table refreshes to display the newly-created agent.