Configuring Google IAM service account impersonation to avoid storing keys on Fastly logging
Last updated 2022-11-30
When adding Google Cloud Storage, BigQuery, or Pub/Sub logging endpoints, we recommend configuring Google IAM role-based service account impersonation. With impersonation, the endpoint uses temporary credentials, so no secrets need to be stored.
To configure role-based service account impersonation through the Google Cloud Console, follow the steps below:
Log in to the Google Cloud Console.
Navigate to the IAM & Admin page.
Review the project name to the left of the search field on the main toolbar and make sure this is the project configured for the Fastly Google endpoint. If it is not, use the project selection menu to select the correct project.
From the left navigation, click Service Accounts.
Click the email address of the service account you intend to use for the Logging endpoint.
Click Grant Access.
In the New principals field, enter email@example.com.
Click the Role menu to expose the Filter field.
In the Filter field, enter Service Account Token Creator and then select it from the list of roles that appears.
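After completing the steps above, the grant can be checked from the service account's IAM policy. The following is an added example, not part of the original guide or of Fastly's tooling: it audits policy JSON in the shape returned by `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`. It assumes the principal entered in the New principals field is a service account, so it appears in the policy as `serviceAccount:email@example.com`; the function name and sample policies are constructed for illustration.

```python
import json

# Role ID behind the "Service Account Token Creator" entry in the Role menu.
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
# Assumption: the principal from the guide is a service account (placeholder address).
EXPECTED = "serviceAccount:email@example.com"

def audit_impersonation(policy, expected=EXPECTED):
    """Return findings for one service account's IAM policy (empty list = clean)."""
    holders, other_roles = set(), []
    for binding in policy.get("bindings", []):
        members = set(binding.get("members", []))
        if binding.get("role") == TOKEN_CREATOR:
            holders |= members
        elif expected in members:
            other_roles.append(binding.get("role"))
    findings = []
    if expected not in holders:
        findings.append(f"MISSING: {expected} cannot mint tokens for this account")
    # Anyone else holding the role can also impersonate the logging account.
    for member in sorted(holders - {expected}):
        findings.append(f"EXTRA: {member} also holds {TOKEN_CREATOR}")
    # The guide grants a single role; anything more is wider than impersonation needs.
    for role in sorted(other_roles):
        findings.append(f"BROADER: {expected} also holds {role}")
    return findings

# Constructed sample policies (not real output).
GOOD = json.loads("""{"version": 1, "bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:email@example.com"]}]}""")
BAD = json.loads("""{"version": 1, "bindings": [
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:dev@example.com"]},
  {"role": "roles/iam.serviceAccountKeyAdmin",
   "members": ["serviceAccount:email@example.com"]}]}""")

if __name__ == "__main__":
    for name, policy in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_impersonation(policy) or "ok")
```
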