Stackdriver API: 403 Forbidden

[bryan831]

I followed the tutorial steps in the README, and enabled the audit to Stackdriver (vault audit enable file file_path=stdout).
I also read the issue (#17) and checked that the Vault service account has access to write logs.

In Stackdriver logging, under Kubernetes Container logs, I see many lines that read
"message: "Failed to publish resource metadata: Unexpected response code from Stackdriver API: 403 Forbidden"

How can I resolve this?

[u2g-tg]

Hey, I'm just a newbie to TF and this project, but did you check Stackdriver API is enabled for your project?

You might need to add "stackdriver.googleapis.com" to the services list of the tf project resource.

Edit: there's a 'project_services' list var in terraform/variables.tf

[bryan831]

in variables.tf there is already logging.googleapis.com in project_services list variable.
After i added stackdriver.googleapis.com, and did terraform apply again, I still see those error logs in Stackdriver logs

[davidebelloni]

Hi,
I've the same problem here with a GKE 1.12.7-gke.10 with a custom svc account (not compute engine default but with monitoring.metricWriter and monitoring.viewer roles assigned) and Stackdriver API enabled

All the request to google.cloud.stackdriver.v1beta3.ResourceService.PublishResourceMetadata return 403

Is there a solution?

[sethvargo]

Seems like a duplicate of Stackdriver/kubernetes-configs#25, which is a core platform issue. Sorry this is happening, but there’s nothing we can do in this repo to fix it. Please follow the link above and subscribe to that issue for updates. Thanks!