Configuring Google IAM service account impersonation to avoid storing keys on Fastly logging

When adding Google Cloud Storage, BigQuery, or Pub/Sub logging endpoints, we recommend configuring Google IAM role-based service account impersonation. It uses temporary credentials, so you avoid storing secrets.

To configure role-based service account impersonation through the Google Cloud Console, follow the steps below:

  1. Log in to the Google Cloud Console.
  2. Navigate to the IAM & Admin page.
  3. Review the project name to the left of the search field on the main toolbar and make sure this is the project configured for the Fastly Google endpoint. If it is not, use this project selection menu to select the correct project.
  4. From the left navigation, click Service Accounts. The service accounts for your project appear.
  5. Click on the email address of the service account you intend to use for the Logging endpoint. The Details page for that service account appears.
  6. Click the Permissions tab.
  7. Click the Grant Access button. The Add principals and roles panel appears on the right.
  8. In the New principals field, enter:

    fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com
    
  9. Click the Role menu to expose the Filter field.
  10. In the Filter field, enter Service Account Token Creator and then select it from the list of roles that appears.
  11. Click Save.
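
To confirm the grant after saving, the following check is an added example (not Fastly's or Google's code). It audits the service account's IAM policy as exported with `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`, where `SA_EMAIL` is a placeholder for your service account. The sample policy, including `former-admin@example.com`, is constructed, and `roles/iam.serviceAccountTokenCreator` is the role ID behind the Service Account Token Creator display name.

```python
import json

# Principal and role from the steps above.
FASTLY_MEMBER = "serviceAccount:fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: dict) -> dict:
    """Check a service account IAM policy for the Fastly impersonation grant."""
    result = {"fastly_granted": False, "other_token_creators": [],
              "public_members": [], "stale_members": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            # Public principals should never appear on a service account.
            if member in PUBLIC_MEMBERS:
                result["public_members"].append((role, member))
            # IAM prefixes principals that no longer exist with "deleted:".
            if member.startswith("deleted:"):
                result["stale_members"].append((role, member))
            if role != TOKEN_CREATOR:
                continue
            if member.lower() == FASTLY_MEMBER.lower():
                result["fastly_granted"] = True
            else:
                # Anyone else who can mint tokens for this account.
                result["other_token_creators"].append(member)
    return result


# Constructed sample policy in the shape gcloud prints with --format=json.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": [
       "serviceAccount:fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com",
       "user:former-admin@example.com"
     ]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["allAuthenticatedUsers"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

An empty `other_token_creators` list with `fastly_granted` set to true means only the Fastly principal can obtain temporary credentials for the account through this role.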