Can't enable logs for Google Cloud Logging

Question

I'm using Google Container Engine and trying to add logs like in this guide http://kubernetes.io/docs/getting-started-guides/logging/

There are no logs in logging console, but many messages like this in fluentd pod log

-> kubectl logs -f --tail=5 fluentd-cloud-logging-gke-we-production-da3a3de4-node-s285 --namespace=kube-system 2016-06-14 17:51:21 +0000 [warn]: suppressed same stacktrace 2016-06-14 17:51:28 +0000 [warn]: temporarily failed to flush the buffer. next_retry=2016-06-14 17:51:58 +0000 error_class="Google::APIClient::ClientError" error="The caller does not have permission" plugin_id="object:f9a9ac"

What does permissions it want? Please help me, I really stuck on it

Answer 1

I had the similar issue now.

From Gcloud Command Console.

1. Check your IAM policy

$gcloud projects get-iam-policy [project-name] --format json

2. Add the following permissions to the user login.

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/viewer

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.viewer

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.logWriter

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.configWriter

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.bucketWriter

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.viewAccessor

gcloud projects add-iam-policy-binding [PROJECT-NAME] --member=user:[Login-email-ID] --role=roles/logging.admin

Answer 2

It sounds like the fluentd pod is unable to write to the google cloud logging api endpoint. To write logs, the VM must have the https://www.googleapis.com/auth/logging.write scope on the VM's default service account.