How to configure Google Cloud Logging for the Anjuna Confidential Container
The recommended way to manage logs is with the Google Cloud Logging service,
which is automatically supported by the Anjuna Confidential Container.
Cloud Logging requires the VM to have the Logs Writer IAM role (roles/logging.logWriter) within the project scope.
It also requires anyone viewing the logs to have the Logs Viewer IAM role (roles/logging.viewer).
See GCP’s Logging roles for more information.
In order to use Cloud Logging, create a service account in your project and grant it the Logs Writer role. Later, you will use this service account when creating the Anjuna Confidential Container instance. The Anjuna Confidential Container will automatically detect the service account and forward the application logs to Cloud Logging.
If a service account with write access to Cloud Logging is not available, the Anjuna Confidential Container falls back to printing all logs to the serial console.
The serial console can be viewed by anyone with access to the project, which may expose confidential information in the application logs. The serial console is also extremely slow and may cause a significant performance impact. Using Cloud Logging by attaching a service account with appropriate permissions is recommended instead.
Example
The following commands use the gcloud CLI to create a service account with only the Logs Writer role.
export SERVICE_ACCOUNT_NAME=anjuna-nginx-service-account
export GCP_PROJECT=$(gcloud config get project)
export SERVICE_ACCOUNT_EMAIL="${SERVICE_ACCOUNT_NAME}@${GCP_PROJECT}.iam.gserviceaccount.com"
gcloud iam service-accounts create ${SERVICE_ACCOUNT_NAME} \
--description="Service Account for Anjuna Nginx Quickstart" \
--display-name="Anjuna Nginx Quickstart"
gcloud projects add-iam-policy-binding ${GCP_PROJECT} \
--member="serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
--role="roles/logging.logWriter"
You can attach the resulting service account to a new Anjuna Confidential Container instance using anjuna-gcp-cli instance create --service-account=${SERVICE_ACCOUNT_EMAIL}.
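After running the gcloud commands above, it is worth confirming two things before creating the instance: that the service account really holds Logs Writer (otherwise the container silently falls back to the serial console), and that it holds nothing beyond that role. The following is an added example, not part of the Anjuna documentation or of the gcloud tooling. It parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; the policy embedded here is constructed for the example, and the project id, e-mail addresses and etag in it are made up.

```python
import json
from typing import List

LOG_WRITER = "roles/logging.logWriter"
LOG_VIEWER = "roles/logging.viewer"

# Constructed sample of what `gcloud projects get-iam-policy PROJECT --format=json`
# returns. Project id, e-mail addresses and etag are invented for this example:
#  - anjuna-nginx-service-account holds only Logs Writer (the intended state)
#  - anjuna-extra-sa holds Logs Writer plus an unrelated role (over-privileged)
#  - missing-sa (checked below) has no binding at all (serial-console fallback)
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/logging.logWriter",
      "members": [
        "serviceAccount:anjuna-nginx-service-account@example-project.iam.gserviceaccount.com",
        "serviceAccount:anjuna-extra-sa@example-project.iam.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": ["serviceAccount:anjuna-extra-sa@example-project.iam.gserviceaccount.com"]
    },
    {
      "role": "roles/logging.viewer",
      "members": ["user:analyst@example.com"]
    }
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse the JSON produced by `gcloud projects get-iam-policy --format=json`."""
    return json.loads(text)


def roles_for_member(policy: dict, member: str) -> List[str]:
    """All roles the policy binds to `member` ('serviceAccount:...' or 'user:...')."""
    return sorted(
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    )


def check_log_writer_sa(policy: dict, sa_email: str) -> dict:
    """Evaluate the service account that will be attached to the container.

    has_log_writer   False means the container cannot write to Cloud Logging and
                     will fall back to printing logs on the serial console.
    extra_roles      any role beyond Logs Writer; the account should hold only that one.
    least_privilege  True only when Logs Writer is the sole binding.
    """
    roles = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "has_log_writer": LOG_WRITER in roles,
        "extra_roles": [r for r in roles if r != LOG_WRITER],
        "least_privilege": roles == [LOG_WRITER],
    }


def findings(policy: dict, sa_email: str) -> List[str]:
    """Human-readable findings; an empty list means the binding is as intended."""
    result = check_log_writer_sa(policy, sa_email)
    out = []
    if not result["has_log_writer"]:
        out.append(f"{sa_email} lacks {LOG_WRITER}: logs would go to the serial console")
    for role in result["extra_roles"]:
        out.append(f"{sa_email} also holds {role}: not needed for log forwarding")
    return out


def can_view_logs(policy: dict, member: str) -> bool:
    """True if `member` is bound directly to Logs Viewer, the role readers need."""
    return LOG_VIEWER in roles_for_member(policy, member)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for sa in (
        "anjuna-nginx-service-account@example-project.iam.gserviceaccount.com",
        "anjuna-extra-sa@example-project.iam.gserviceaccount.com",
        "missing-sa@example-project.iam.gserviceaccount.com",
    ):
        for line in findings(policy, sa) or [f"{sa}: OK, Logs Writer only"]:
            print(line)
```

To run it against a real project, replace SAMPLE_POLICY_JSON with the output of `gcloud projects get-iam-policy ${GCP_PROJECT} --format=json` and pass ${SERVICE_ACCOUNT_EMAIL} to `findings`. The check deliberately looks only at direct bindings of the requested roles; a service account that inherits permissions through a basic role such as Editor is reported as over-privileged rather than as satisfying Logs Writer, since the page's goal is an account with only that one role.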