Service account impersonation method - Google cloud monitoring

Hello everyone,

We are excited to announce an important addition to the way our monitoring tool authenticates with Google Cloud Platform (GCP)!

We are adding a new, more secure, and simpler way to monitor. This new method improves on the current system that uses service account JSON key files. It's all about making things safer and easier for you.

Going forward, we will be adopting the modern approach of service account impersonation.

Why the change?

We introduced this onboarding method mainly because of:

  • Reduced credential exposure: JSON key files are static and can be inadvertently leaked or misused. Impersonation eliminates the need to store long-lived secrets.
  • Centralized IAM control: Permissions are managed via identity and access management (IAM), making it easier to audit and manage who can assume which service account.
  • Improved audit trail: Every impersonation call is logged in Cloud Audit Logs, giving you full traceability into who accessed what and when.
  • Short-lived credentials: The credentials obtained through impersonation are temporary and automatically refreshed, which significantly reduces the surface for abuse.
  • Compliance-friendly: This method aligns more closely with enterprise security standards and regulatory requirements.
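One way to put the IAM-control and audit-trail points above to work, as an added example that is not part of the original announcement or of the monitoring tool: a Python script that scans exported Cloud Audit Logs entries for IAM Service Account Credentials API calls and reports any caller that is not expected to impersonate the target service account. The account names, the allowlist and the log lines are constructed, and it assumes these API calls are being written to Cloud Audit Logs in your project.

```python
import json

# Credential-minting methods of the IAM Service Account Credentials API.
IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}

# Constructed account names (assumptions, not values from the announcement).
VENDOR = "monitoring-tool@vendor-project.iam.gserviceaccount.com"
MONITOR_SA = "gcp-monitor@example-project.iam.gserviceaccount.com"
DEPLOY_SA = "deploy@example-project.iam.gserviceaccount.com"

# Assumption: who is expected to impersonate which service account.
ALLOWED = {MONITOR_SA: {VENDOR}}

def _line(ts, service, method, caller, target):
    """Build one constructed log line holding only the AuditLog fields read below."""
    return json.dumps({
        "timestamp": ts,
        "resource": {"type": "service_account", "labels": {"email_id": target}},
        "protoPayload": {"serviceName": service, "methodName": method,
                         "authenticationInfo": {"principalEmail": caller}},
    })

SAMPLE_LINES = [  # constructed sample, one JSON log entry per line
    _line("2025-01-10T08:00:00Z", "iamcredentials.googleapis.com", "GenerateAccessToken", VENDOR, MONITOR_SA),
    _line("2025-01-10T08:05:00Z", "iamcredentials.googleapis.com", "GenerateAccessToken", "alice@example.com", MONITOR_SA),
    _line("2025-01-10T08:06:00Z", "storage.googleapis.com", "storage.objects.get", "alice@example.com", MONITOR_SA),
    _line("2025-01-10T08:07:00Z", "iamcredentials.googleapis.com", "SignJwt", VENDOR, DEPLOY_SA),
]

def impersonation_events(lines):
    """Yield caller, target and method for each impersonation call in the log lines."""
    for raw in lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        payload = entry.get("protoPayload", {})
        # Accept both short and fully qualified method names.
        method = payload.get("methodName", "").rsplit(".", 1)[-1]
        if payload.get("serviceName") != "iamcredentials.googleapis.com" or method not in IMPERSONATION_METHODS:
            continue
        yield {"time": entry.get("timestamp"), "method": method,
               "caller": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
               "target": entry.get("resource", {}).get("labels", {}).get("email_id", "<unknown>")}

def unexpected_impersonations(lines, allowed):
    """Return the events whose caller is not on the allowlist for the target account."""
    return [e for e in impersonation_events(lines) if e["caller"] not in allowed.get(e["target"], set())]

if __name__ == "__main__":
    for event in unexpected_impersonations(SAMPLE_LINES, ALLOWED):
        print(event["time"], event["caller"], "->", event["target"], event["method"])
```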

What you need to do

There is nothing you need to change immediately. However, we recommend that you review any internal policies or workflows that rely on the older JSON key method. Here is our detailed help document.

If you have questions or need help making the switch, let us know in the comments. We are here to support you every step of the way.

Thank you for helping us raise the bar for cloud monitoring!

The Google Cloud monitor team