Configuring Google IAM service account impersonation to avoid storing keys on Fastly logging

When adding Google Cloud Storage, BigQuery, or Pub/Sub logging endpoints, we recommend configuring Google IAM role-based service account impersonation so that the endpoint uses temporary credentials instead of stored secrets.

To configure role-based service account impersonation through the Google Cloud Console, follow the steps below:

  1. Log in to the Google Cloud Console.

  2. Navigate to the IAM & Admin page.

  3. Review the project name to the left of the search field on the main toolbar and make sure this is the project configured for the Fastly Google endpoint. If it is not, use the project selection menu to select the correct project.

  4. From the left navigation, click Service Accounts.

  5. Click the email address of the service account you intend to use for the Logging endpoint.

  6. Click Permissions.

  7. Click Grant Access.

  8. In the New principals field, enter:

    fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com

  9. Click the Role menu to expose the Filter field.

  10. In the Filter field, enter Service Account Token Creator and then select it from the list of roles that appears.

  11. Click Save.
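
To confirm the grant from steps 5 through 11 after saving, this added example (not Fastly's or Google's code) audits the service account's IAM policy as exported with `gcloud iam service-accounts get-iam-policy SERVICE_ACCOUNT_EMAIL --format=json`. The function name `audit_token_creator` and the sample policies are constructed for illustration, and the check assumes only the Fastly principal should hold the role on this account.

```python
import json

# Role ID behind the "Service Account Token Creator" display name.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Principal from step 8 of this guide, written in IAM member syntax.
FASTLY_MEMBER = (
    "serviceAccount:fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com"
)


def audit_token_creator(policy_json: str) -> dict:
    """Report who may mint tokens for the account this policy is attached to."""
    policy = json.loads(policy_json)
    members = set()
    # An empty policy may have no "bindings" key at all, only an etag.
    for binding in policy.get("bindings", []):
        if binding.get("role") == TOKEN_CREATOR:
            members.update(binding.get("members", []))
    findings = []
    if FASTLY_MEMBER not in members:
        findings.append("missing: Fastly principal lacks Token Creator")
    # Assumption: nobody else should be able to impersonate the logging account.
    for member in sorted(members - {FASTLY_MEMBER}):
        findings.append(f"unexpected: {member} can also impersonate this account")
    return {"ok": not findings, "findings": findings}


# Constructed sample policies (not real gcloud output).
GOOD = json.dumps({"version": 1, "etag": "constructed", "bindings": [
    {"role": TOKEN_CREATOR, "members": [FASTLY_MEMBER]},
]})
TOO_BROAD = json.dumps({"version": 1, "etag": "constructed", "bindings": [
    {"role": TOKEN_CREATOR,
     "members": [FASTLY_MEMBER, "user:dev@example.com", "group:eng@example.com"]},
    # Other roles on the account are out of scope for this check.
    {"role": "roles/iam.serviceAccountUser", "members": ["user:ops@example.com"]},
]})
MISSING = json.dumps({"etag": "constructed"})

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("too_broad", TOO_BROAD), ("missing", MISSING)]:
        print(name, audit_token_creator(doc))
```
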

TIP

Check out Google's docs for details on how to configure role-based service account impersonation through the command line interface.
