---
title: >-
  Configuring Google IAM service account impersonation to avoid storing keys on
  Fastly logging
summary: null
url: >-
  https://www.fastly.com/documentation/guides/integrations/streaming-logs/configuring-google-iam-service-account-impersonation-for-fastly-logging
---


When adding Google [Cloud Storage](/guides/integrations/logging-endpoints/object-and-cloud-storage/log-streaming-google-cloud-storage), [BigQuery](/guides/integrations/logging-endpoints/data-warehouses-and-analytics/log-streaming-google-bigquery), or [Pub/Sub](/guides/integrations/logging-endpoints/data-streaming-and-message-queues/log-streaming-google-cloud-pubsub) logging endpoints, we recommend configuring Google IAM role-based [service account impersonation](https://cloud.google.com/iam/docs/impersonating-service-accounts) so that temporary credentials are used instead of stored secrets.

To configure role-based service account impersonation through the Google Cloud Console, follow the steps below:

1. Log in to the Google Cloud Console.
1. Navigate to the [IAM & Admin page](https://console.cloud.google.com/iam-admin/iam).
1. Review the project name to the left of the search field on the main toolbar and make sure this is the project configured for the Fastly Google endpoint. If it isn't, use the project selection menu to select the correct project.
1. From the left navigation, click **Service Accounts**.
1. Click the email address of the service account you intend to use for the logging endpoint.
1. Click **Permissions**.
1. Click **Grant Access**.
1. In the **New principals** field, enter:

   ```plain
   fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com
   ```

1. Click the **Role** menu to expose the Filter field.
1. In the **Filter** field, enter `Service Account Token Creator` and then select it from the list of roles that appears.
1. Click **Save**.

Once you've configured your Google IAM settings for role-based service account impersonation, make a note of the service account's name and its associated project ID. You'll need this information when adding GCS as your logging endpoint. The service account ID comes before the `@` in the service account email and the project ID immediately after. For example, if your service account email is `my-name@projectid.iam.gserviceaccount.com`, the service account ID is `my-name` and the project ID is `projectid`.
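To confirm the result of the steps above, the following Python check is an added example (not part of Fastly's documentation). It audits the IAM policy set on your logging service account and splits the service account email into the two values you need. It assumes the policy JSON was exported with `gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json`; the function names and the sample policy are constructed for illustration.

```python
import json

# Principal and role from the steps above; "serviceAccount:" is the IAM policy member prefix.
FASTLY_MEMBER = "serviceAccount:fastly-logging@datalog-bulleit-9e86.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
SA_SUFFIX = ".iam.gserviceaccount.com"

# Constructed sample policy: Fastly's principal plus one extra (hypothetical) grantee.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": TOKEN_CREATOR,
         "members": [FASTLY_MEMBER, "user:alice@example.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@example.com"]},
    ],
    "version": 1,
})


def split_service_account_email(email):
    """Return (service_account_id, project_id) from a service account email."""
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain.endswith(SA_SUFFIX):
        raise ValueError(f"not a service account email: {email!r}")
    project_id = domain[: -len(SA_SUFFIX)]
    if not project_id:
        raise ValueError(f"missing project ID in: {email!r}")
    return local, project_id


def audit_token_creator(policy_json):
    """Return (fastly_granted, extra_members) for the Token Creator role.

    extra_members lists every other principal that can also mint
    short-lived credentials for this service account, so it can be reviewed.
    """
    policy = json.loads(policy_json)
    fastly_granted = False
    extra_members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != TOKEN_CREATOR:
            continue
        for member in binding.get("members", []):
            if member == FASTLY_MEMBER:
                fastly_granted = True
            else:
                extra_members.append(member)
    return fastly_granted, extra_members


if __name__ == "__main__":
    print(split_service_account_email("my-name@projectid.iam.gserviceaccount.com"))
    print(audit_token_creator(SAMPLE_POLICY))
```

Any principal reported in `extra_members` can impersonate the logging service account just as Fastly can, so keep that list limited to principals you intend to have that access.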

> **HINT:** Check out [Google's docs](https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#permissions-sa) for details on how to configure role-based service account impersonation through the command line interface.

## Related content

* [Log streaming to Google Cloud Storage](/guides/integrations/logging-endpoints/object-and-cloud-storage/log-streaming-google-cloud-storage)
* [Log streaming to Google BigQuery](/guides/integrations/logging-endpoints/data-warehouses-and-analytics/log-streaming-google-bigquery)
* [Log streaming to Pub/Sub](/guides/integrations/logging-endpoints/data-streaming-and-message-queues/log-streaming-google-cloud-pubsub)
