Skip to main content
GCP Cloud Monitoring monitors ingest Monitoring incident notifications through Pub/Sub push delivery. Each monitor is scoped to one monitored GCP project. Guided setup attaches Clarion only to the alert policies you select.

What Clarion ingests

Clarion creates one alert per Cloud Monitoring incident_id and updates that alert as Google sends lifecycle events.
  • open creates or reopens a Clarion alert.
  • Re-notifications update alert data without resetting the user’s workflow status.
  • closed closes the existing Clarion alert and sets the resolution time from the incident when available.
Some Google alert policy types may not send close notifications. In those cases, close the Clarion alert manually after investigation. Clarion currently accepts Google Cloud Monitoring notification schema version 1.2; test newer Google schema versions before broadening ingestion. When Google publishes a new notification schema version, compare it against Google’s schema documentation, add parser tests for open and closed incidents, then update Clarion’s accepted versions before enabling production ingestion.

Severity mapping

Cloud Monitoring severity maps to Clarion severity as follows:
  • CRITICAL → Critical
  • ERROR → High
  • WARNING → Low
  • Missing or unknown severity → the monitor’s fallback severity
Use allowed severities on the monitor to filter which incidents create or reopen alerts. Once an alert is open, later Google updates refresh the stored severity even if that severity is outside the allowlist. Close notifications can still resolve an existing alert. Because Google WARNING maps to Clarion Low, keep Low selected if you want those incidents to create alerts. Cloud Monitoring re-notifications do not start another Clarion triage run; they refresh the existing alert data to avoid duplicate investigations.

Guided setup

  1. Go to Integrations > Google Cloud.
  2. Choose Guided Setup.
  3. Select Cloud Monitoring monitor.
  4. Select the monitored project.
  5. Select at least one alert policy.
  6. Run setup.
Clarion creates or reuses:
  • Pub/Sub topic for Monitoring incidents
  • Pub/Sub push service account
  • Pub/Sub push subscription with OIDC authentication
  • Cloud Monitoring Pub/Sub notification channel
  • Runtime service account identity for read-only triage
Guided setup also grants the Cloud Monitoring notification service agent roles/pubsub.publisher on the topic and patches the selected alert policies so they include the Clarion notification channel. Multiple Cloud Monitoring monitors in the same delivery project can share the same Pub/Sub topic. Each monitor has its own push subscription, so non-matching monitors may reject fan-out deliveries with 403 while the matching monitor accepts the incident. When Clarion runs on Vercel, guided setup provisions the runtime identity with keyless Workload Identity Federation. JSON service account keys remain available as a fallback for local development or environments where WIF cannot be used.

Manual setup

Use manual setup when your Google Cloud resources are managed outside Clarion.
  1. Create or open a GCP Cloud Monitoring monitor in Clarion.
  2. Copy the monitor webhook URL.
  3. In Google Cloud, create a Pub/Sub topic.
  4. Create a Pub/Sub push subscription that targets the Clarion webhook URL.
  5. Enable OIDC authentication on the push subscription.
  6. Create a Cloud Monitoring Pub/Sub notification channel for the topic.
  7. Attach that notification channel to the alert policies you want Clarion to receive.
  8. Save these values on the monitor:
    • monitored project ID
    • optional delivery project ID
    • Pub/Sub subscription resource name
    • OIDC service account email
    • OIDC client ID, if configured
    • Cloud Monitoring notification channel resource name
    • fallback severity and allowed severities
The OIDC token audience must match the webhook URL shown by Clarion.

Permissions

The Google account used for guided setup needs permission to:
  • list and patch Cloud Monitoring alert policies in the monitored project
  • create Monitoring notification channels
  • create Pub/Sub topics and push subscriptions in the delivery project
  • create service accounts and, on Vercel, workload identity pools/providers for Clarion runtime credentials
  • grant Pub/Sub publisher access to the Monitoring notification service agent
For agent triage, Clarion’s runtime service account needs roles/monitoring.viewer, roles/logging.viewer, and roles/iam.securityReviewer on the monitored project. Guided setup grants these roles. The Cloud Monitoring tools are read-only and scoped to the alert’s configured monitor project.