Google Cloud is a provider: connect it once with a service account, and investigations can reach the projects behind it. From there they query your logs, metrics, and traces, and inspect the Kubernetes clusters running on GKE, all through a single set of credentials.

What it provides

Connecting Google Cloud lets investigations discover and query the data sources behind your projects:
| Data source | Capability |
| --- | --- |
| Google Cloud Logging | Logs |
| Google Cloud Monitoring | Metrics |
| Google Cloud Trace | Traces |
| Kubernetes | Cluster state |
Each has its own page covering what it supports and how it’s enabled.

Setup

What you’ll need:
  • A Google Cloud service account key in JSON.
  • The IAM permissions below, granted to that service account.
We recommend a read-only service account: investigations only ever read from Google Cloud, never write. Grant the permissions through read-only roles rather than broad editor or owner roles.

Permissions

Grant the service account this permission on each project you want investigations to reach:
  • logging.logEntries.list — read Cloud Logging entries.
To let the service account discover your projects automatically, also grant:
  • cloudresourcemanager.projects.list — list the projects the account can reach.
These permissions help investigations find and identify the workloads in a project, so they know what’s worth querying:
  • container.clusters.list — discover GKE clusters.
  • logging.buckets.list — read each log bucket’s retention window.
Without project discovery, you can still connect a single project by supplying its ID directly (see below).
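One way to check the read-only recommendation before pasting a key, as an added example that is not part of the product or its documentation: it reads the account email from a service account key file and sorts the roles bound to that account in a project IAM policy. The sample key fields, the sample policy, the account and project names, and the suffix heuristic are all constructed for illustration.

```python
import json

# Basic roles the page advises against; both grant write access project-wide.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Heuristic (an assumption of this example): role names ending like this usually allow writes.
WRITE_SUFFIXES = ("admin", "editor", "writer", "creator")

# Constructed sample: the non-secret fields of a service account key file.
KEY_JSON = '''{"type": "service_account", "project_id": "example-prod",
 "client_email": "investigations-ro@example-prod.iam.gserviceaccount.com"}'''

# Constructed sample shaped like `gcloud projects get-iam-policy example-prod --format=json`.
POLICY_JSON = '''{"version": 1, "bindings": [
 {"role": "roles/logging.viewer",
  "members": ["serviceAccount:investigations-ro@example-prod.iam.gserviceaccount.com"]},
 {"role": "roles/editor",
  "members": ["user:alice@example.com",
              "serviceAccount:investigations-ro@example-prod.iam.gserviceaccount.com"]},
 {"role": "roles/storage.objectAdmin",
  "members": ["serviceAccount:investigations-ro@example-prod.iam.gserviceaccount.com"]},
 {"role": "roles/owner", "members": ["user:alice@example.com"]}]}'''


def member_from_key(key_json):
    """Return the IAM member string for the account a key file belongs to."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key")
    return "serviceAccount:" + key["client_email"]


def audit_policy(policy_json, member):
    """Sort the roles bound to `member` into broad, write-capable-looking and other."""
    report = {"broad": [], "review": [], "other": []}
    for binding in json.loads(policy_json).get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role in BROAD_ROLES:
            report["broad"].append(role)
        elif role.lower().endswith(WRITE_SUFFIXES):
            report["review"].append(role)
        else:
            report["other"].append(role)
    return report


if __name__ == "__main__":
    print(audit_policy(POLICY_JSON, member_from_key(KEY_JSON)))
```

A project-level policy does not show roles inherited from a folder or organization, so run the same check against those policies if the account is bound there.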

Connect Google Cloud

  1. From the Investigations settings, add a telemetry data source and choose Google Cloud.
  2. Paste your service account JSON key. If the account can’t list projects across your organization, enter a single project ID instead and we’ll connect just that project.
  3. Test the connection. We check the key is valid and confirm the account holds the permissions it needs.

Enabling projects

Once connected, investigations discover every project the service account can reach. Each project arrives disabled by default, so you opt in deliberately rather than exposing every project at once. Review the list and enable the ones your team runs production workloads in. Enabling a project turns on its Cloud Logging access and surfaces the GKE clusters running inside it, which you then enable individually.
