Observability scopes overview

This document describes how you can configure one Google Cloud project to monitor or display telemetry data from multiple Google Cloud projects. If you only want to monitor or view data that is stored in one Google Cloud project, then you don't need to perform any configuration, as the visualization and analysis tools are configured to use the data stored in the Google Cloud project selected by the project picker. However, if the telemetry data that you want to view or analyze is from multiple projects, then to have an aggregated view of that data, you must perform some configuration activities.

About observability scopes

The Google Cloud Observability analysis and visualization tools rely on data-type specific scopes to determine what data to display or analyze. A scope defines the resources that are searched for a particular type of data. With the exception of metric data, your Identity and Access Management (IAM) roles on the searched projects and log views determine what data is displayed.

You can configure the following scopes:

Observability scope

This scope controls how explorer and dashboard pages search for the data to display. Each Google Cloud project contains a single observability scope. You don't directly configure a project's observability scope. Instead, for your project, you indirectly configure this scope by configuring its components, which are the default log scope, the metrics scope, and the default trace scope.

We recommend configuring the components of the observability scope in the following scenarios:

  • You register applications with App Hub. These might be applications you register yourself, or those you deployed by using the Application Design Center.
  • When you want a unified view of the telemetry data that is stored in different Google Cloud projects.

If you don't configure the components of the observability scope for a project, then the Logs Explorer page displays log data that originates in the project. The Metrics Explorer and Trace Explorer pages can only display data stored in the project. Also, alerting policies can only monitor data stored in the project.

Log scopes

Configure the default log scope scope of a project so that when you open the Logs Explorer page, the data that you usually want to view is displayed. A log scope can list projects, folders, organizations, and log views. For example, you might set the default log scope to list a log view, which when queried, returns the log data for an App Hub application.

You can create multiple log scopes. When you use the Logs Explorer page, you can select a different log scope, which causes the page to search the resources listed in the selected scope, and then refresh the display.

We recommend configuring the default log scope in the following scenarios:

  • You route log data to a centralized log bucket.
  • You route log data to other projects or to log buckets stored by another project.
  • You use log views.

For more information, see Create and manage log scopes.

Metrics scope

Configure the metrics scope to list all the projects which store metric data, so that your charts and alerting policies can display or monitor an aggregated view of your metric data.

Each Google Cloud project contains a single metrics scope, and this scope defaults to list only the project.

We recommend configuring the metrics scope when any of the following is true:

  • You want to chart data stored in different projects.
  • You want an alerting policy to monitor data stored in different projects.

For more information, see Metrics scopes overview.

Trace scopes

Configure the default trace scope to list all projects that store trace data, so that when you open the Trace Explorer page, you have an aggregated view of your trace data.

You can create multiple trace scopes. When you use the Trace Explorer page, you can select a different trace scope, which causes the page to search the projects listed in the selected scope, and then refresh the display.

We recommend configuring the trace scopes when you want a unified view of the trace data that is stored in different projects.

For more information, see Create and manage trace scopes.

Before you begin

To get the permissions that you need to create and view scopes, ask your administrator to grant you the following IAM roles:

  • To create and view log scopes and to get the default log scope: Logs Configuration Writer (roles/logging.configWriter) on your project
  • To modify a metrics scopes: Monitoring Admin (roles/monitoring.admin) on your project and on each project you want to add to the metrics scopes
  • To create and view trace scopes and to get the default trace scope: Cloud Trace User (roles/cloudtrace.user) on your project
  • To get and set default scopes: Observability Editor (roles/observability.editor) on your project

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to create and view scopes. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to create and view scopes:

  • To configure log scopes: logging.logScopes.{create, delete, get, list, update}
  • To configure a metrics scope: monitoring.metricsscopes.{link, get, list}
  • To configure trace scopes: cloudtrace.traceScopes.{create, delete, get, list, update}
  • To get and set default scopes: observability.scopes.{get, update}

You might also be able to get these permissions with custom roles or other predefined roles.

Configure the observability scope

This section doesn't apply to folders or organizations.

If you don't configure the components of the observability scope for a project, then the Logs Explorer page displays log data that originates in the project. The Metrics Explorer and Trace Explorer pages can only display data stored in the project. Also, alerting policies can only monitor data stored in your project.

For log and trace data, your Identity and Access Management (IAM) roles on the the project you are viewing, and any searched projects and log views, determine what data is displayed. Your IAM role on the project you are viewing determines whether you can view metric data.

Console

To configure the observability scope, you configure its components, which are the default log scope, the metrics scope, and the default trace scope:

  1. Enable the Observability API.

    Enable the API

    Before you enable the API, ensure that the correct project is selected. For App Hub configurations, select the App Hub host project.

  2. In the Google Cloud console, go to the  Settings page:

    Go to Settings

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  3. In the toolbar of the Google Cloud console, select your Google Cloud project. For App Hub configurations, select the App Hub host project.

  4. Configure the default log scope:

    1. Select the Log Scopes tab.

      Existing log scopes are listed. The entry with the "Default" icon, , is the default log scope. If you want to create a log scope, click Create log scope and then complete the dialog. For more information, see Create and manage log scopes.

    2. Find the entry that you want to designate as the default, click  More, and then select Set as default.

  5. Configure the metrics scope:

    1. Select the metrics scope tab.
    2. In the Google Cloud Projects pane, click Add Projects, and then complete the dialog. For more information, see Configure metrics scopes.

  6. Configure the default trace scope:

    1. Select the Trace Scopes tab and then do the following:

      Existing trace scopes are listed. The entry with the "Default" icon, , is the default trace scope. If you want to create a trace scope, click Create log scope and then complete the dialog. For more information, see Create and manage trace scopes.

    2. Find the entry that you want to designate as the default, click  More, and then select Set as default.

REST

Not supported for setting the default trace scope.

To use the Observability API to get or set the default log scope, do the following:

  1. Ensure that the Observability API is enabled:

    1. After installing the Google Cloud CLI, initialize it by running the following command: 

      gcloud init

      If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

    2. Set the default project for Google Cloud CLI:

      gcloud config set project PROJECT_ID

      Before you run the previous command, replace the following:

      • PROJECT_ID: The identifier of the project. For App Hub configurations, select the App Hub host project.

    3. Enable the Observability API: 

      gcloud services enable observability.googleapis.com

  2. Do one of the following:

    • To get the default log scope for a project, send a request to the projects.locations.scopes.get endpoint. You must specify a path parameter. The response is a Scope object, which lists the default log scope.

    • To update the default log scope for a project, send a request to the projects.locations.scopes.patch endpoint. You must specify a path parameter, query parameters, and provide a Scope object. The query parameters identify which fields are changed. The response is a Scope object.

      The path parameter for both endpoints has the following form:

      projects/PROJECT_ID/locations/LOCATION/scopes/OBSERVABILITY_SCOPE_ID

      The fields in the previous expression have the following meaning:

      • PROJECT_ID: The identifier of the project. For App Hub configurations, select the App Hub host project.
      • LOCATION: The location field must be set to global.
      • OBSERVABILITY_SCOPE_ID: The name of a Scope object. This field must be set to _Default. The Scope object with the name _Default stores information about the default log scope and is automatically created.