Troubleshoot credentials

This document provides information to help you troubleshoot Ops Agent authorization and credentials problems on your Compute Engine VM instances.

If the Ops Agent is reporting access or authorization errors, or if the agent seems to be running normally but there is no data or your alerting policies aren't working as you expect, then check that your VM instance's credentials are correct, including that they specify the correct project:

  • If you are using a Compute Engine VM instance with standard (not private-key) credentials, then it is unlikely that data is going to the wrong project, but your credentials might still be deficient. For information about credentials, see Authorize the Ops Agent. To verify your credentials, see Verifying Compute Engine credentials.

  • If you are using private-key credentials on your Compute Engine instance, then the credentials could be invalid or they could be from the wrong project. For information about credentials, see Authorize the Ops Agent. To verify your credentials, see Verifying private-key credentials.

Verifying Compute Engine credentials

Use the Compute Engine VM instances page of the Google Cloud console to verify that your Compute Engine VM instance has adequate credentials for the Ops Agent. The credentials are typically added in the default service account of all new Compute Engine VM instances, but it is possible to overwrite those defaults when creating an instance.

In the Google Cloud console, go to the VM instances page:

Go to VM instances

If you use the search bar to find this page, then select the result whose subheading is Compute Engine.

  1. If necessary, change the current Google Cloud project to be the one associated with your Compute Engine VM instance. For example, if you are prompted to Enable billing, then it means the current project doesn't have any Compute Engine VM instances in it.
  2. In the VM Instances page, click the name of your VM instance. The detail page for your VM instance appears.
  3. In the VM instance details page, look under the Cloud API access scopes heading:
    • If you see "Allow full access to all Cloud APIs," then you have adequate credentials.
    • If you see, next to Stackdriver Monitoring API, an older name for the Cloud Monitoring API, that you have WriteOnly or Full permission, then you have adequate credentials.
    • Otherwise, your instance's default service account doesn't have the credentials needed by the agent. To use the agent on your instance, you must add private-key service account credentials. For instructions, see Adding credentials.

If you have the correct default credentials, skip ahead to Installing on Linux and Windows.

Verifying private-key credentials

To verify that valid private-key credentials are installed on your VM instance, first verify that the credentials file exists in its expected location, and then verify that the information in the credentials file is valid. Previously-valid credentials can be revoked using the IAM & Admin > Service accounts section of the Google Cloud console. If valid credentials aren't present, see Adding credentials to replace the existing credentials or to add new ones.

Caution: Other services besides Cloud Monitoring might use private-key credentials on your instance. Replacing existing credentials might prevent other services from working.

Are the credentials present?

To see if private-key service account credentials are on your instance, run the following Linux commands on your instance:

    sudo cat $GOOGLE_APPLICATION_CREDENTIALS
    sudo cat /etc/google/auth/application_default_credentials.json

If either command displays a file like the one shown below, then your instance might have valid private-key credentials. If both commands display a file, then the file denoted by GOOGLE_APPLICATION_CREDENTIALS is used.

    {
      "type": "service_account",
      "project_id": "{your-project-id}",
      "private_key_id": "{your-private-key-id}",
      "private_key": "{your-private-key}",
      "client_email": "{your-project-number}-{your-key}@developer.gserviceaccount.com",
      "client_id": "{your-client-id}",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "{x509-cert-url}",
      "client_x509_cert_url": "{client-x509-cert-url}"
    }

If there are no credential files present, then see Adding credentials.

Are the credentials valid?

In the credentials file, the project_id field is your Google Cloud project, client_email identifies the service account in the project, and private_key_id identifies the private key in the service account. Match this information with what is shown in the IAM & Admin > Service accounts section of the Google Cloud console.

The credentials file isn't valid if any of the following are true:

  • You are checking a Compute Engine VM instance, but the Google Cloud project in the credentials file isn't the project that contains your instance.
  • The listed service account doesn't exist. It might have been deleted.
  • The listed service account doesn't have the right roles enabled. It should have at least roles/monitoring.metricWriter (Monitoring Metric Writer) for metric collection and roles/logging.logWriter (Logs Writer) for writing logs.
  • The private key doesn't exist. It might have been revoked.

If the service account is all right but the private key has been revoked, then you can create a new private key and copy it to your instance. Otherwise, you must create a new service account as described in the following section, Adding credentials.

Generating new credentials

If the credentials aren't valid, take the following steps:

  1. For each connected project containing instances that need to be authorized with a private key — Compute Engine instances that were created without including the access scope https://www.googleapis.com/auth/monitoring.write — create a service account and generate a private key, if they don't already exist. Follow the steps below:
    1. In the Google Cloud console, go to the Settings page:

      Go to Settings

      If you use the search bar to find this page, then select the result whose subheading is Monitoring.

    2. Select the Metric scope tab.
    3. Identify the project containing the Compute Engine resources in question and navigate to the Google Cloud console.
    4. Go to the IAM Service Accounts page of the Google Cloud console, select your Google Cloud project, create a new service account, and then generate a new private key for that service account.

      To perform these steps, do one of the following:

      • Go to the IAM Service Accounts page, select your Google Cloud project, and then follow the steps in Create a service account:

        Go to IAM Service Accounts

      • Click the following button and then select your Google Cloud project:

        Create service account and download key

        The previous button automates the process of creating and downloading a key to your local system for the agent-specific service account. If necessary, the process also creates the required service account and ensures that the service account has the correct permissions. Agent-specific service accounts have a name similar to stackdriver-1234@PROJECT_ID.iam.gserviceaccount.com. You are notified of the completion of these actions with a dialog similar to the following:

        A banner notifying the user that a service account and key were created.

      Note: Service accounts can have a maximum of 10 keys. For more information, see Limits.
  2. Replace the private key on the instances that correspond to the service account in question.

    • On Linux, replace the private key located in /etc/google/auth/application_default_credentials.json.
    • On Windows, replace the private key located in C:\ProgramData\Google\Auth\application_default_credentials.json. For more information, see Copying the private key to your instance.
  3. Restart the agent

    • On Linux, run sudo service stackdriver-agent restart
    • On Windows, go into the service management console and restart the Cloud Monitoring service.

If you have multiple projects that need new private keys, repeat this procedure for each of them.

To verify that the private key is correct, see Are the credentials present?. Specifically:

  • Read the private key JSON file on the instance, for example (on Linux): sudo cat /etc/google/auth/application_default_credentials.json
  • Ensure that the value of the project_id field matches that of the monitored project for which you just generated credentials.
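
The checks in "Are the credentials valid?" and the project_id check above can be run without printing the private key to the terminal. The following is an added example, not code from the original page or from the Ops Agent; the function names and the file-mode check are assumptions made for illustration. It cannot detect a deleted service account, missing roles or a revoked key, so it prints the fields to match against IAM & Admin > Service accounts.

```python
import json
import os
import stat
import sys

DEFAULT_PATH = "/etc/google/auth/application_default_credentials.json"
REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")
SHOWN = ("project_id", "client_email", "private_key_id")  # never private_key


def resolve_path(env=os.environ, default=DEFAULT_PATH):
    """Pick the file in effect: GOOGLE_APPLICATION_CREDENTIALS wins over the default."""
    override = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if override and os.path.isfile(override):
        return override
    return default if os.path.isfile(default) else None


def check_credentials(path, expected_project):
    """Return (summary, problems) for one credentials file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # added hardening check, not one of the page's criteria
        problems.append(f"file mode {mode:o} lets group/other users reach the key")
    try:
        with open(path, encoding="utf-8") as fh:
            creds = json.load(fh)
    except ValueError as exc:
        return {}, problems + [f"not valid JSON: {exc}"]
    if not isinstance(creds, dict):
        return {}, problems + ["top-level JSON value is not an object"]
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        problems.append("missing or empty fields: " + ", ".join(missing))
    if creds.get("type") != "service_account":
        problems.append(f"type is {creds.get('type')!r}, expected 'service_account'")
    if creds.get("project_id") != expected_project:
        problems.append(f"project_id {creds.get('project_id')!r} != {expected_project!r}")
    return {k: creds.get(k) for k in SHOWN}, problems


if __name__ == "__main__":  # run as a user that can read the credentials file
    if len(sys.argv) != 2:
        sys.exit("usage: check_creds.py EXPECTED_PROJECT_ID")
    path = resolve_path()
    if path is None:
        sys.exit("no credentials file found")
    summary, problems = check_credentials(path, sys.argv[1])
    print(path, json.dumps(summary, indent=2), *problems, sep="\n")
    sys.exit(1 if problems else 0)
```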


Last updated 2026-02-18 UTC.