Commit

Update google-cloud-operations/README.md
NimJay authored Jan 24, 2023
1 parent 02146b8 commit 498300b
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions kustomize/components/google-cloud-operations/README.md
Expand Up @@ -86,13 +86,13 @@ Currently, this component adds a single collector service which collects traces
If you wish to experiment with different backends, you can modify the appropriate lines in [otel-collector.yaml](otel-collector.yaml) to export traces or metrics to a different backend. See the [OpenTelemetry docs](https://opentelemetry.io/docs/collector/configuration/) for more details.

## Workload Identity
If you are running this sample on GKE, it may be configured to use [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to manage access to Google Cloud APIs (like Cloud Trace). If this is the case, you may not see traces properly exported, or may see an error message like `failed to export to Google Cloud Trace: rpc error: code = PermissionDenied desc = The caller does not have permission`. In order to export traces with such a setup, you need to associate the Kubernetes service account (`default/default`) with your default compute service account on Google Cloud (or custom service account you created for this purpose).
If you are running this sample on GKE, your GKE cluster may be configured to use [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) to manage access to Google Cloud APIs (like Cloud Trace). If this is the case, you may not see traces properly exported, or may see an error message like `failed to export to Google Cloud Trace: rpc error: code = PermissionDenied desc = The caller does not have permission` logged by your `opentelemetrycollector` Pod(s). In order to export traces with such a setup, you need to associate the Kubernetes [ServiceAccount](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) (`default/default`) with your [default compute service account](https://cloud.google.com/compute/docs/access/service-accounts#default_service_account) on Google Cloud (or a custom Google Cloud service account you may create for this purpose).

* To get the email address associated with your Google service account, check in the IAM section of the Cloud Console. Or run the following command in your terminal:
```
gcloud iam service-accounts list
```
* Then, allow the Kubernetes service account to act as your Google service account with the foloowing command (using your own `PROJECT_ID` and the `GSA_EMAIL` you found in the previous step):
* Then, allow the Kubernetes service account to act as your Google service account with the following command (using your own `PROJECT_ID` and the `GSA_EMAIL` you found in the previous step):
```
gcloud iam service-accounts add-iam-policy-binding ${GSA_EMAIL} \
--role roles/iam.workloadIdentityUser \
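Review bot: the rewritten Workload Identity paragraph still presents the default compute service account as the first choice and keeps the custom service account in parentheses, while the binding step grants `roles/iam.workloadIdentityUser` for `default/default`, the ServiceAccount that Pods in the `default` namespace run as unless they name another one. Consider leading with a dedicated Google Cloud service account created for the collector and listing the default compute service account as the fallback, and add a sentence saying that every workload running as `default/default` can act as the bound account once this command is applied.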
Expand All @@ -107,4 +107,4 @@ kubectl annotate serviceaccount default \
```
kubectl rollout restart deployment opentelemetrycollector
```
When the new pod rolls out, you should start to see traces appear in the cloud console.
When the new Pod rolls out, you should start to see traces appear in the cloud console.
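Review bot: the changed closing sentence capitalises "Pod" but still writes "cloud console" in lower case, while the first bullet of this section writes "Cloud Console"; use one spelling in both places. Since the paragraph above now says the PermissionDenied error is logged by the `opentelemetrycollector` Pod(s), this sentence could also tell the reader to confirm that the error no longer appears in those logs after `kubectl rollout restart deployment opentelemetrycollector`, instead of relying only on traces showing up.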
