docs/sources/datasources/google-cloud-monitoring/configure/index.md
This document provides instructions for configuring the Google Cloud Monitoring data source in Grafana.
Before you begin, ensure you have the following:
Organization administrator role to configure data sources.Grafana includes built-in support for Google Cloud Monitoring, so you don't need to install a plugin.
Before you can request data from Google Cloud Monitoring, you must configure authentication. All requests to Google APIs are performed on the server-side by the Grafana backend.
For authentication options and configuration details, refer to Google authentication.
When you configure Google authentication, note the following requirements specific to Google Cloud Monitoring.
When you create a Google Cloud Platform (GCP) Service Account and key file, the Service Account must have the Monitoring Viewer role (Role > Select a role > Monitoring > Monitoring Viewer):
{{< figure src="/static/img/docs/v71/cloudmonitoring_service_account_choose_role.png" max-width="600px" class="docs-image--no-shadow" caption="Choose role" >}}
If Grafana is running on a Google Compute Engine (GCE) virtual machine, when you configure a GCE Default Service Account, you must also grant that Service Account access to the "Cloud Monitoring API" scope.
Before you can request data from Google Cloud Monitoring, you must enable the necessary APIs in your GCP project.
Open the Monitoring and Cloud Resource Manager API pages:
On each page, click Enable.
{{< figure src="/static/img/docs/v71/cloudmonitoring_enable_api.png" max-width="450px" class="docs-image--no-shadow" caption="Enable GCP APIs" >}}
To add the Google Cloud Monitoring data source:
Google Cloud Monitoring in the search bar.You're taken to the Settings tab where you configure the data source.
The following are configuration options for the Google Cloud Monitoring data source.
| Setting | Description |
|---|---|
| Name | Sets the name you use to refer to the data source in panels and queries. |
| Default | Sets whether the data source is pre-selected for new panels. |
| Universe Domain | The universe domain to connect to. For more information, refer to the Google Cloud universe domains documentation. Defaults to googleapis.com. |
Configure how Grafana authenticates with Google Cloud.
| Setting | Description |
|---|---|
| Authentication type | Select the authentication method. Choose Google JWT File to use a service account key file, or GCE Default Service Account if Grafana is running on a GCE virtual machine. |
These settings appear when you select Google JWT File as the authentication type.
| Setting | Description |
|---|---|
| JWT token | Upload or paste your Google JWT token. You can drag and drop a .json key file, click Click to browse files to upload, or use Paste JWT Token or Fill In JWT Token manually. |
Use service account impersonation to have Grafana authenticate as a different service account than the one provided in the JWT token.
| Setting | Description |
|---|---|
| Enable | Toggle to enable service account impersonation. |
| Service account to impersonate | Enter the email address of the service account to impersonate when making requests to Google Cloud. |
Only available for Grafana Cloud.
Use private data source connect (PDC) to connect to and query data within a secure network without opening that network to inbound traffic from Grafana Cloud. For more information on how PDC works, refer to Private data source connect. For steps on setting up a PDC connection, refer to Configure Grafana private data source connect (PDC).
| Setting | Description |
|---|---|
| Private data source connect | Select a PDC connection from the drop-down menu or create a new connection. |
Click Save & test to test the connection. A successful connection displays the following message:
Successfully queried the Google Cloud Monitoring API.
You can define and configure the data source in YAML files as part of the Grafana provisioning system. For more information about provisioning, and for available configuration options, refer to Provisioning Grafana.
Using the JWT (Service Account key file) authentication type:
apiVersion: 1
datasources:
- name: Google Cloud Monitoring
type: stackdriver
access: proxy
jsonData:
tokenUri: https://oauth2.googleapis.com/token
clientEmail: [email protected]
authenticationType: jwt
defaultProject: my-project-name
universeDomain: googleapis.com
secureJsonData:
privateKey: |
-----BEGIN PRIVATE KEY-----
POSEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCb1u1Srw8ICYHS
...
yA+23427282348234=
-----END PRIVATE KEY-----
Using the JWT (Service Account private key path) authentication type:
apiVersion: 1
datasources:
- name: Google Cloud Monitoring
type: stackdriver
access: proxy
jsonData:
tokenUri: https://oauth2.googleapis.com/token
clientEmail: [email protected]
authenticationType: jwt
defaultProject: my-project-name
universeDomain: googleapis.com
privateKeyPath: /etc/secrets/gce.pem
Using GCE Default Service Account authentication:
apiVersion: 1
datasources:
- name: Google Cloud Monitoring
type: stackdriver
access: proxy
jsonData:
authenticationType: gce
universeDomain: googleapis.com
You can provision the Google Cloud Monitoring data source using Terraform with the Grafana Terraform provider.
For more information about provisioning resources with Terraform, refer to the Grafana as code using Terraform documentation.
Before you begin, ensure you have the following:
Configure the Grafana provider to connect to your Grafana instance:
terraform {
required_providers {
grafana = {
source = "grafana/grafana"
version = ">= 2.0.0"
}
}
}
# For Grafana Cloud
provider "grafana" {
url = "<YOUR_GRAFANA_CLOUD_STACK_URL>"
auth = "<YOUR_SERVICE_ACCOUNT_TOKEN>"
}
# For self-hosted Grafana
# provider "grafana" {
# url = "http://localhost:3000"
# auth = "<API_KEY_OR_SERVICE_ACCOUNT_TOKEN>"
# }
The following examples show how to configure the Google Cloud Monitoring data source for each authentication method.
Using the JWT (Service Account key file) authentication type:
resource "grafana_data_source" "google_cloud_monitoring" {
type = "stackdriver"
name = "Google Cloud Monitoring"
json_data_encoded = jsonencode({
tokenUri = "https://oauth2.googleapis.com/token"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
authenticationType = "jwt"
defaultProject = "<GCP_PROJECT_ID>"
universeDomain = "googleapis.com"
})
secure_json_data_encoded = jsonencode({
privateKey = "<PRIVATE_KEY_CONTENT>"
})
}
Using the JWT (Service Account private key path) authentication type:
resource "grafana_data_source" "google_cloud_monitoring" {
type = "stackdriver"
name = "Google Cloud Monitoring"
json_data_encoded = jsonencode({
tokenUri = "https://oauth2.googleapis.com/token"
clientEmail = "<SERVICE_ACCOUNT_EMAIL>"
authenticationType = "jwt"
defaultProject = "<GCP_PROJECT_ID>"
universeDomain = "googleapis.com"
privateKeyPath = "/etc/secrets/gce.pem"
})
}
Using GCE Default Service Account authentication:
resource "grafana_data_source" "google_cloud_monitoring" {
type = "stackdriver"
name = "Google Cloud Monitoring"
json_data_encoded = jsonencode({
authenticationType = "gce"
universeDomain = "googleapis.com"
})
}
For all available configuration options, refer to the Grafana provider data source resource documentation.
After you configure the Google Cloud Monitoring data source, you can: