This document describes how you can configure one Google Cloud project to monitor or display telemetry data from multiple Google Cloud projects. If you only want to monitor or view data that is stored in one Google Cloud project, then you don't need to perform any configuration, as the visualization and analysis tools are configured to use the data stored in the Google Cloud project selected by the project picker. However, if the telemetry data that you want to view or analyze is from multiple projects, then to have an aggregated view of that data, you must perform some configuration activities.
About observability scopes
The Google Cloud Observability analysis and visualization tools rely on data-type specific scopes to determine what data to display or analyze. There are two scopes that you can configure: log scopes and metrics scopes.
- Log scopes
Lists the projects, folders, organizations, and log views whose log data can be read by the Logs Explorer page. When you create a project, folder, or organization, a log scope named _Default is also created and it only contains the project, folder, or organization that was created. You can't delete this scope or modify the list of resources that it contains. You can create log scopes by using the Google Cloud console and the Cloud Logging API. You can add projects and log views to these scopes.
We recommend that you configure log scopes when you route logs to other projects, to log buckets in another project, or when you use log views to control access to the data in a log bucket.
For more information, see Create and manage log scopes.
- Metrics scope
Lists the Google Cloud projects whose metric data can be read by the current Google Cloud project. Charts, dashboards, and alerting policies query for metric data stored in all projects listed in the metrics scope. By default, the metrics scope for a project only lists the project. However, you can add other projects.
Each Google Cloud project contains a single metrics scope. You can configure this scope by using the Google Cloud console, the Google Cloud CLI, or the Cloud Monitoring API.
If you want a combined view of the metric data stored in multiple projects, or if you want a single alerting policy to monitor data stored in multiple projects, then select a project and configure its metrics scope to include all projects whose data you want to view or monitor.
For more information, see Metrics scopes overview.
- Trace scopes
Lists the projects whose trace data can be read by the Trace Explorer page. When you create a project, a trace scope named _Default is also created and it only contains the project that was created. You can't delete this scope or modify the list of projects that it contains. You can create trace scopes by using the Google Cloud console, and you can add projects to these scopes.
We recommend that you configure trace scopes when your applications generate trace data in multiple projects, as might occur when you have a microservices architecture.
For more information, see Create and manage trace scopes.
A scope defines the resources that are searched for a particular type of data. Your Identity and Access Management (IAM) roles on those resources determine what data is returned. For example, a log scope, which defines the resources that are searched for log data, doesn't affect the data shown on charts or the data shown by the Trace Explorer page. Further, if a log scope lists a log view for which you don't have access, then you won't see any log entries from that log view.
Default scope
The default log scope is the log scope that the Logs Explorer page uses to determine which resources to search for log entries. If the Logs Explorer page can't identify the default log scope, then it searches the current project for log data.
Similarly, the default trace scope is the trace scope that the Trace Explorer page uses to determine which resources to search for traces.
When a project is created, scopes named _Default are set as the default scope for their data type. Therefore, if you don't make any configuration changes to your Google Cloud project, then when you navigate to the explorer pages for those data types, your current project is searched for data.
You can set which of your log scopes is the default log scope. Similarly, you can set which of your trace scopes is the default trace scope. For more information, see Create and manage log scopes and Create and manage trace scopes.
As there is only one metrics scope per Google Cloud project, that scope is automatically used for charting and monitoring purposes.
To identify the default log scope, use the Google Cloud console:
- In the Google Cloud console, go to the Settings page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- Select the Log Scopes tab and then find the log scope that has the "Default" icon.
- Select the Trace Scopes tab and then find the trace scope that has the "Default" icon.
Roles and permissions
To get the permissions that you need to create and view scopes, ask your administrator to grant you the following IAM roles:
- To create and view log scopes and to get the default log scope: Logs Configuration Writer (roles/logging.configWriter) on your project
- To modify a metrics scope: Monitoring Admin (roles/monitoring.admin) on your project and on each project you want to add to the metrics scope
- To create and view trace scopes and to get the default trace scope: Cloud Trace User (roles/cloudtrace.user) on your project
- To get and set default scopes: Observability Editor (roles/observability.editor) on your project
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to create and view scopes. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create and view scopes:
- To configure log scopes: logging.logScopes.{create, delete, get, list, update}
- To configure a metrics scope: monitoring.metricsscopes.{link, get, list}
- To configure trace scopes: cloudtrace.traceScopes.{create, delete, get, list, update}
- To get and set default scopes: observability.scopes.{get, update}
You might also be able to get these permissions with custom roles or other predefined roles.
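When you grant these permissions through a custom role, it helps to check exactly which scope tasks the role covers. The following is an added example, not code from this documentation or from Google: it expands the permission shorthands listed above and reports what a role is missing for each task. The role name, project ID, and permission set in the sample are constructed; the input is assumed to be JSON carrying the `includedPermissions` field of an IAM role definition.

```python
import json
import re

# Permission shorthands exactly as listed under "Required permissions".
REQUIRED = {
    "configure log scopes": "logging.logScopes.{create, delete, get, list, update}",
    "configure a metrics scope": "monitoring.metricsscopes.{link, get, list}",
    "configure trace scopes": "cloudtrace.traceScopes.{create, delete, get, list, update}",
    "get and set default scopes": "observability.scopes.{get, update}",
}

def expand(shorthand):
    """Expand 'prefix.{a, b}' into {'prefix.a', 'prefix.b'}."""
    m = re.fullmatch(r"(.+)\.\{(.+)\}", shorthand.strip())
    if not m:
        return {shorthand.strip()}  # already a single permission name
    prefix, verbs = m.groups()
    return {f"{prefix}.{v.strip()}" for v in verbs.split(",")}

def audit_role(role):
    """Return, per task, the sorted list of required permissions the role lacks."""
    granted = set(role.get("includedPermissions", []))
    return {task: sorted(expand(s) - granted) for task, s in REQUIRED.items()}

# Constructed sample: a hypothetical read-mostly custom role (not a real role).
SAMPLE_ROLE = json.loads("""
{
  "name": "projects/example-project/roles/scopeViewer",
  "title": "Scope Viewer (constructed example)",
  "includedPermissions": [
    "logging.logScopes.get",
    "logging.logScopes.list",
    "cloudtrace.traceScopes.get",
    "cloudtrace.traceScopes.list",
    "monitoring.metricsscopes.get",
    "monitoring.metricsscopes.list",
    "monitoring.metricsscopes.link",
    "observability.scopes.get"
  ]
}
""")

if __name__ == "__main__":
    for task, missing in audit_role(SAMPLE_ROLE).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{task}: {status}")
```

An empty list for a task means the role carries every permission this page lists for it; a non-empty list names the gaps to grant or to leave out deliberately.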