This document shows how to install Agent for Compute Workloads on Compute Engine instances, and configure the agent to connect with a Microsoft SQL Server workload running on those compute instances.
After you install and configure the agent, it collects metrics from your SQL Server workload and the underlying compute instances and sends them to Workload Manager. You can then use Workload Manager evaluation to scan your SQL Server workloads for deviations from best practices for infrastructure, operating system, and workload configurations.
Before you begin
Before you install and configure Agent for Compute Workloads, you need to make sure that the following prerequisites are met:
- You've deployed a SQL Server workload on one or more compute instances.
- You've granted the required IAM roles for the agent.
- You've enabled access to Cloud APIs.
- You've granted the required permissions on SQL Server.
Required IAM roles for the agent
Agent for Compute Workloads uses the service account attached to the compute instance for authentication and to access Google Cloud resources.
To improve security, we recommend that you use a single-purpose service account rather than using the Compute Engine default service account.
To ensure that the service account has the necessary permissions to let Agent for Compute Workloads authenticate with Google Cloud and access Google Cloud resources, ask your administrator to grant the service account the following IAM roles on your project:
-
Compute Viewer (
roles/compute.viewer): to collect metrics from the compute instance. -
Workload Manager Insights Writer (
roles/workloadmanager.insightWriter): to write data to Workload Manager data warehouse. -
(Recommended) Logs Writer (
roles/logging.logWriter): to send agent logs to Cloud Logging. -
(Optional) Secret Manager Secret Accessor (
roles/secretmanager.secretAccessor): if you are using Secret Manager to store the password to connect with the SQL Server instance.
For more information about granting roles, see Manage access to projects, folders, and organizations.
Your administrator might also be able to give the service account the required permissions through custom roles or other predefined roles.
Enable access to Cloud APIs
Compute Engine recommends configuring your instances to allow all access scopes to all Cloud APIs and using only the IAM permissions of the instance service account to control access to Google Cloud resources. For more information, see Create a VM that uses a user-managed service account.
If you limit access to the Cloud APIs, then the Agent for Compute Workloads requires at minimum the following Cloud APIs access scopes on the host compute instance:
https://www.googleapis.com/auth/cloud-platform
For more information, see Scopes best practice.
If you're running SQL Server applications on a compute instance that doesn't have an external IP address, then you need to enable Private Google Access on the instance's subnet so that Agent for Compute Workloads can access the Google APIs and services. For information about how to enable Private Google Access, see Configure Private Google Access.
Required permissions on SQL Server
Use the following script to assign required permissions to the user account configured in the agent.
USE [master]
GO
GRANT VIEW SERVER STATE TO [user_name]
GRANT VIEW ANY DEFINITION TO [user_name]
-- Adds db_datareader role to the user
EXEC sp_MSForEachDB
'
USE ?
IF NOT EXISTS(SELECT * FROM sys.database_principals WHERE name = ''user_name'')
BEGIN
CREATE USER [user_name] FOR LOGIN [user_name]
END
EXEC sp_addrolemember ''db_datareader'', ''user_name''
'
Install and configure the agent by using package manager
This section shows you how to install the Agent for Compute Workloads on your compute instance, and configure it to connect with a SQL Server instance, by using a package manager.
To install the Agent for Compute Workloads, complete the following steps:
Windows
On Windows, you install Agent for Compute Workloads by using the googet
package management command. This command completes the following tasks:
- Downloads the latest version of the agent.
- Creates a Windows service named
google-cloud-workload-agent. - Creates a scheduled task that runs every minute to check if the service is running and if necessary, restart the service.
To install and configure Agent for Compute Workloads on a Windows based compute instance, complete the following steps:
Establish a connection with your compute instance by using RDP.
For information about how to do this, see Connect to Windows VMs using RDP.
As an administrator, run the following commands from PowerShell:
googet addrepo google-cloud-workload-agent https://packages.cloud.google.com/yuck/repos/google-cloud-workload-agent-windows-x86_64 googet install google-cloud-workload-agentOpen the agent's configuration file:
%ProgramFiles%\Google\google-cloud-workload-agent\conf\configuration.jsonSpecify values for all mandatory parameters, as described in Configuration parameters.
Save the configuration file
Restart the agent for the changes to take effect.
RHEL
On Red Hat Enterprise Linux (RHEL), you install Agent for Compute Workloads
by using the yum package management command. This command completes the
following tasks:
- Downloads the latest version of the agent.
- Creates a
systemdservice for the agent, namedgoogle-cloud-workload-agent. - Enables and starts the
google-cloud-workload-agentservice.
To install and configure Agent for Compute Workloads on a RHEL based compute instance, complete the following steps:
Establish an SSH connection with your compute instance.
In your terminal, install the agent:
sudo tee /etc/yum.repos.d/google-cloud-workload-agent.repo << EOM [google-cloud-workload-agent] name=Google Cloud Agent for Compute Workloads baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-workload-agent-$basearch enabled=1 gpgcheck=0 repo_gpgcheck=1 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg EOM sudo yum install google-cloud-workload-agentOpen the agent's configuration file:
/etc/google-cloud-workload-agent/configuration.jsonSpecify values for all mandatory parameters, as described in Configuration parameters.
Save the configuration file
Restart the agent for the changes to take effect.
SLES
On SUSE Linux Enterprise Server (SLES), you install Agent for Compute Workloads
by using the zypper package management command. This command completes the
following tasks:
- Downloads the latest version of the agent.
- Creates a
systemdservice for the agent, namedgoogle-cloud-workload-agent. - Enables and starts the
google-cloud-workload-agentservice.
To install and configure Agent for Compute Workloads on a SLES based compute instance, complete the following steps:
Establish an SSH connection with your compute instance.
In your terminal, install the agent:
sudo zypper addrepo --refresh https://packages.cloud.google.com/yum/repos/google-cloud-workload-agent-$basearch google-cloud-workload-agent sudo zypper install google-cloud-workload-agentOpen the agent's configuration file:
/etc/google-cloud-workload-agent/configuration.jsonSpecify values for all mandatory parameters, as described in Configuration parameters.
Save the configuration file
Restart the agent for the changes to take effect.
Debian
On Debian, you install Agent for Compute Workloads by using the apt
package management command. This command completes the following tasks:
- Downloads the latest version of the agent.
- Creates a
systemdservice for the agent, namedgoogle-cloud-workload-agent. - Enables and starts the
google-cloud-workload-agentservice.
To install and configure Agent for Compute Workloads on a Debian based compute instance, complete the following steps:
Establish an SSH connection with your compute instance.
In your terminal, install the agent:
echo 'deb https://packages.cloud.google.com/apt google-cloud-workload-agent-x86-64-apt main' | sudo tee -a /etc/apt/sources.list.d/google-cloud-workload-agent.list sudo apt-get update sudo apt-get install google-cloud-workload-agentOpen the agent's configuration file:
/etc/google-cloud-workload-agent/configuration.jsonSpecify values for all mandatory parameters, as described in Configuration parameters.
Save the configuration file
Restart the agent for the changes to take effect.
Install and manage the agent on a fleet of VMs by using VM Extension Manager
Set up VM Extension Manager
To set up VM Extension Manager, complete the following steps:
- In the VM Extension Manager documentation, review the Before you begin section.
Set up the IAM roles needed to create and manage VM Extension Manager policies. For more information, see the following:
Install the agent on a fleet of VMs
To install the latest version of Agent for Compute Workloads on your VM fleet within a specific zone by using a VM Extension Manager policy, complete the following steps:
Console
In the Google Cloud console, go to the VM extension policies page.
Click Create extension policy.
In the Name field, enter a name for the policy.
Optional: In the Description field, enter a description for the policy.
In the Priority field, specify a priority number to resolve conflicts between policies. Lower numbers indicate higher priority. The default value is
1000.Using the Region and Zone lists, select the zone where you want to apply this policy.
In the Extensions section, click Add extension and then do the following:
- From the Extension list, select Google Cloud's Extension for Compute Workloads.
Leave the Version field blank.
This directs the policy to install the latest version of Agent for Compute Workloads.
In the Configuration file content field, enter the configuration that you want to apply to the agent.
For information about the configuration parameters supported by the agent for your SQL Server workload, see Configuration parameters.
Click Done.
Optional: To limit the policy rollout to the required VMs, do the following:
- Click Add labels and include the labels that identify the required VMs.
- Click Done.
Click Create.
gcloud
gcloud beta compute zone-vm-extension-policies create POLICY_NAME \ --zone=ZONE \ --extensions=google-cloud-workload-extension \ --config-from-file=google-cloud-workload-extension=CONFIG_FILE_PATH \ [--description="DESCRIPTION" \] [--inclusion-labels=KEY_1=VALUE_1 \] [--inclusion-labels=KEY_2=VALUE_2,KEY_3=VALUE_3 \] [--priority=PRIORITY]
Replace the following:
POLICY_NAME: a name for the VM extension policy.The command fails if a policy with the specified name already exists in the zone.
ZONE: the zone where you want to apply this policy.CONFIG_FILE_PATH: the local path to the JSON file that contains the configuration for the Agent for Compute Workloads to connect with your SQL Server workload.- Alternatively, to provide configuration as an inline string, use the
--configflag instead of--config-from-file. For example,--config=google-cloud-workload-extension="CONFIG". Google Cloud recommends that you use--config-from-file. - You can use either
--config-from-fileor--config, but not both in the same command. - For information about the configuration parameters supported by the agent for your SQL Server workload, see Configuration parameters.
- Alternatively, to provide configuration as an inline string, use the
DESCRIPTION: an optional description for the policy.KEY_1=VALUE_1: a comma-separated list of key-value pairs that define the labels using which the policy targets VMs.- For a VM to be targeted by your policy, the VM must have all the specified labels.
- If you specify
--inclusion-labelsmultiple times, then the policy targets VMs that match any of the provided selectors (logicalOR). If you omit this flag, then the policy targets all VMs in the specified zone.
PRIORITY: an integer from0to65535that defines the policy's priority. Lower numbers indicate higher priority. The default value is1000.
Example:
The following command creates a policy named test-agent-policy in the
Google Cloud project named test-project, which installs the latest version of
Agent for Compute Workloads on all VMs deployed in the zone us-centrail-f.
The configuration specified in the agent-config.json is applied to the
agent.
gcloud beta compute zone-vm-extension-policies create test-agent-policy \ --project=test-project \ --zone=us-central1-f \ --extensions=google-cloud-workload-extension \ --config-file-path=google-cloud-workload-extension="/usr/agent-config.json"
Verify agent installation
To verify that the agent is running as expected, complete the following steps:
Windows
Establish a connection with your compute instance by using RDP.
For information about how to do this, see Connect to Windows VMs using RDP.
As an administrator, run the following command from PowerShell:
$(Get-Service -Name 'google-cloud-workload-agent' -ErrorAction Ignore).StatusIf the agent is running as expected, then you see the status as
Running.
RHEL
Establish an SSH connection with your compute instance.
Check the status of the agent package:
systemctl status google-cloud-workload-agentIf the agent package is running as expected, then the output contains
active (running). For example:google-cloud-workload-agent.service - Google Cloud Agent for Compute Workloads Loaded: loaded (/usr/lib/systemd/system/google-cloud-workload-agent.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2025-07-30 18:59:12 UTC; 10s ago Main PID: 14412 (google_cloud_sq) Tasks: 7 Memory: 12.9M (max: 1.0G limit: 1.0G available: 1011.0M) CGroup: /system.slice/google-cloud-workload-agent.service └─ 14412 /usr/bin/google_cloud_sql_server_agent --action=run
SLES
Establish an SSH connection with your compute instance.
Check the status of the agent package:
systemctl status google-cloud-workload-agentIf the agent package is running as expected, then the output contains
active (running). For example:google-cloud-workload-agent.service - Google Cloud Agent for Compute Workloads Loaded: loaded (/usr/lib/systemd/system/google-cloud-workload-agent.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2025-07-30 18:59:12 UTC; 10s ago Main PID: 14412 (google_cloud_sq) Tasks: 7 Memory: 12.9M (max: 1.0G limit: 1.0G available: 1011.0M) CGroup: /system.slice/google-cloud-workload-agent.service └─ 14412 /usr/bin/google_cloud_sql_server_agent --action=run
Debian
Establish an SSH connection with your compute instance.
Check the status of the agent package:
systemctl status google-cloud-workload-agentIf the agent package is running as expected, then the output contains
active (running). For example:google-cloud-workload-agent.service - Google Cloud Agent for Compute Workloads Loaded: loaded (/usr/lib/systemd/system/google-cloud-workload-agent.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2025-07-30 18:59:12 UTC; 10s ago Main PID: 14412 (google_cloud_sq) Tasks: 7 Memory: 12.9M (max: 1.0G limit: 1.0G available: 1011.0M) CGroup: /system.slice/google-cloud-workload-agent.service └─ 14412 /usr/bin/google_cloud_sql_server_agent --action=run
Configuration parameters
The following table describes the parameters for the agent's configuration file.
| Parameters | |
|---|---|
log_level |
To set the logging level of the agent, set the required value. The available log levels are as follows:
The default log level is |
log_to_cloud |
To redirect the agent's logs to
Cloud Logging, specify
|
agent_properties.log_usage_metrics |
To enable logging of the agent's health metrics, set the value to
|
common_discovery.collection_frequency |
Specify the frequency, in seconds, at which the agent's workload discovery
service runs. The default value is Make sure that this parameter's value ends with a lowercase |
sqlserver_configuration.enabled |
To enable SQL Server metrics collections within the agent, set the value as |
sqlserver_configuration.collection_configuration.collect_guest_os_metrics |
To enable OS metrics collection, set the value as |
sqlserver_configuration.collection_configuration.collect_sql_metrics |
To enable SQL Server metrics collection, specify |
sqlserver_configuration.collection_configuration.collection_frequency |
Agent for Compute Workloads metrics collection frequency, in seconds.
Default is |
sqlserver_configuration.credential_configurations[].connection_parameters[].host |
The SQL Server hostname. |
sqlserver_configuration.credential_configurations[].connection_parameters[].username |
Specify the user account that is used to query the SQL Server instance. To configure account permissions, review the permissions required in the permission script and grant them according to your internal policies. Note: If you are using Windows Authentication, make sure to specify the username in
the following format:
|
sqlserver_configuration.credential_configurations[].connection_parameters[].secret.project_id |
The ID of the project where the secret is stored. Set it to an empty string ("") if the secret and the host VM instance exist in the same Google Cloud project. |
sqlserver_configuration.credential_configurations[].connection_parameters[].secret.secret_name |
To securely provide the password for the database user account that the agent uses to query SQL Server, specify the name of the secret in Secret Manager that contains the security credentials for the database user account. Note: The secret and the host VM instance must exist in the same Google Cloud project. |
sqlserver_configuration.credential_configurations[].connection_parameters[].port |
Specify the port on which your SQL Server instance accepts queries. |
sqlserver_configuration.credential_configurations[].remote_win.connection_parameters.host |
IP address or FQDN of the remote Windows VM |
sqlserver_configuration.credential_configurations[].remote_win.connection_parameters.username |
Specify the user account that is used to remotely connect to the Windows VM. |
sqlserver_configuration.credential_configurations[].remote_win.connection_parameters.secret.secret_name |
To securely provide the password for the Windows user account that the agent uses to remotely connect to the VM, specify the name of the secret in Secret Manager that contains the security credentials for the database user account. Note: The secret and the host VM instance must exist in the same Google Cloud project. |
sqlserver_configuration.credential_configurations[].local_collection |
Specify |
sqlserver_configuration.credential_configurations[].remote_linux.connection_parameters.host |
IP address or FQDN of the remote Linux VM. |
sqlserver_configuration.credential_configurations[].remote_linux.connection_parameters.username |
Specify the user account that is used to remotely connect to the Linux VM. |
sqlserver_configuration.credential_configurations[].remote_linux.connection_parameter.port |
Specify the SSH port number for the remote Linux VM. |
sqlserver_configuration.credential_configurations[].remote_linux.linux_ssh_private_key_path |
Specify the path to the SSH private key file. |
sqlserver_configuration.credential_configurations[].vm_properties.instance_name |
Specify the name of your Compute Engine VM instance. Note: Optional for local collection. |
sqlserver_configuration.credential_configurations[].vm_properties.instance_id |
Specify the ID of your Compute Engine VM instance. Note: Optional for local collection. |
sqlserver_configuration.collection_timeout |
The timeout for metrics collection, in seconds. Default is `10s`. |
sqlserver_configuration.max_retries |
The maximum number of retries when a failed collection occurs. The default value is `3`. |
sqlserver_configuration.retry_frequency |
Specify the frequency at which the agent should retry when a collection fails. The default value is `3600s`. |
sqlserver_configuration.remote_collection |
Specify |
Example configuration file
The following is an example configuration that lets Agent for Compute Workloads connect with a SQL Server instance:
Local collection
{ "log_level": "INFO", "common_discovery": { "collection_frequency": "10800s" }, "sqlserver_configuration": { "enabled": true, "collection_configuration": { "collect_guest_os_metrics": true, "collect_sql_metrics": true, "collection_frequency": "60s" }, "credential_configurations": [ { "connection_parameters": [ { "host": ".", "username": "db_user_name", "secret": { "project_id": "", "secret_name": "idb_pwd_secret_name" }, "port": 1433 } ], "local_collection": true } ], "collection_timeout": "60s", "max_retries": 5, "retry_frequency": "3600s" } }
Remote collection
{ "log_level": "INFO", "common_discovery": { "collection_frequency": "10800s" }, "sqlserver_configuration": { "enabled": true, "collection_configuration": { "collect_guest_os_metrics": true, "collect_sql_metrics": true, "collection_frequency": "60s" }, "credential_configurations": [ { "connection_parameters": [ { "host": "sql_server_instance", "username": "db_user_name", "secret": { "project_id": "", "secret_name": "db_pwd_secret_name" }, "port": 1433 } ], "remote_win": { "connection_parameters": { "host": "sql_server_instance", "username": "user_name", "secret": { "project_id": "", "secret_name": "pwd_secret_name" } } }, "vm_properties": { "instance_name": "db01", "instance_id": "9999999999999999999" } }, { "connection_parameters": [ { "host": "sql_server_instance", "username": "db_user_name", "secret": { "project_id": "", "secret_name": "db_pwd_secret_name" }, "port": 1433 } ], "remote_linux": { "connection_parameters": { "host": "sql_server_instance", "username": "user_name", "secret": { "project_id": "", "secret_name": "pwd_secret_name" }, "port": 22 }, "linux_ssh_private_key_path": "path of the private key" }, "vm_properties": { "instance_name": "db02", "instance_id": "9999999999999999999" } } ], "collection_timeout": "10s", "max_retries": 3, "retry_frequency": "3600s", "remote_collection": true } }
Check the version of the agent
To check the version of your agent, complete the following steps:
Windows
- Use RDP to connect to the host machine.
- As an administrator, run the following command from PowerShell:
googet installed google-cloud-workload-agent
RHEL
- Use SSH to connect to the host machine.
- Run the following command:
yum info google-cloud-workload-agent
SUSE
- Use SSH to connect to the host machine.
- Run the following command:
zypper info google-cloud-workload-agent
Debian
- Use SSH to connect to the host machine.
- Run the following command:
dpkg -s google-cloud-workload-agent | grep version
Restart the agent
If Agent for Compute Workloads stops working or you update its configuration, then restart the agent.
Select your operating system, and then follow the steps:
Windows
- Use RDP to connect to the host machine.
- As an administrator, run the following command from PowerShell:
Restart-Service -Name 'google-cloud-workload-agent' -Force
Linux
- Use SSH to connect to the host machine.
- Run the following command:
sudo systemctl restart google-cloud-workload-agent
Update the agent
To ensure that you have the latest version of the agent, you need to check for updates periodically and update the agent.
Check for updates
Select your operating system, and then follow the steps:
Windows
- Use RDP to connect to the host machine.
- As an administrator, run the following command from PowerShell:
googet latest google-cloud-workload-agent
RHEL
- Use SSH to connect to the host machine.
- Run the following command:
sudo yum check-update google-cloud-workload-agent
SLES
- Use SSH to connect to the host machine.
- Run the following command:
sudo zypper list-updates -r google-cloud-workload-agent
Debian
- Use SSH to connect to the host machine.
- Run the following command:
sudo apt list google-cloud-workload-agent
Install an update
Select your operating system, and then follow the steps:
Windows
- Use RDP to connect to the host machine.
- As an administrator, run the following command from PowerShell:
googet install google-cloud-workload-agent
RHEL
- Use SSH to connect to the host machine.
- Run the following command:
sudo yum --nogpgcheck update google-cloud-workload-agent
SLES
- Use SSH to connect to the host machine.
- Run the following command:
sudo zypper --no-gpg-checks update google-cloud-workload-agent
Debian
- Use SSH to connect to the host machine.
- Run the following command:
sudo apt-get install google-cloud-workload-agent
View the agent's logs in Cloud Logging
By default, the logs for Agent for Compute Workloads are redirected from your VM instances to Cloud Logging.
To view the agent's logs in Logging, follow these steps:
In the Google Cloud console, go to the Logs Explorer page.
Go the Query pane.
From the Resources drop-down menu, select Global, and then click Apply.
In the query editor, enter
google-cloud-workload-agent.Click Run query.
You should see the logs generated by the agent instances running on all your VM instances. To filter the logs from a specific machine, use the filters available in the interface.
Disable the agent's logs in Cloud Logging
To disable the default redirection of agent's logs to Cloud Logging, follow these steps:
Establish an RDP or SSH connection with your host VM instance.
Open the agent's configuration file:
Windows
%ProgramFiles%\Google\google-cloud-workload-agent\conf\configuration.json
Linux
/etc/google-cloud-workload-agent/configuration.json
For the property
log_to_cloud, update the value tofalse.Save the configuration file.
Restart the agent for this change to take effect.
Troubleshoot
The following sections provide information about common issues related to using Agent for Compute Workloads, their causes and resolution.
Insufficient authentication scopes
Issue: If you limit the access scopes on your host VM instance, then Agent for Compute Workloads logs might show insufficient IAM permissions error.
googleapi: Error 403: Request had insufficient authentication scopes.
Details:
[
{
"@type": "type.googleapis.com/google.rpc.ErrorInfo",
"domain": "googleapis.com",
"metadata": {
"method": "google.cloud.workloadmanager.datawarehouse.v1.DataCollectService.WriteInsight",
"service": "workloadmanager.googleapis.com"
},
"reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
}
]
More details:
Reason: insufficientPermissions, Message: Insufficient Permission
Cause: Agent for Compute Workloads requires minimum Cloud API access scopes on the host VM instance.
Resolution: To resolve this issue, enable the required access scopes
Failed to load configuration file
Issue: If the configuration file has invalid values, you see the following error.
"Failed to load configuration","pid":3524,"error":"proto: (line 19:42): unknown
field "{field_name}"
Resolution: To resolve this issue, update the configuration file using the details in Configuration parameters.
Failed to initialize data collection
Issue: After installing the agent if the configuration file is not updated, you see the following error:
"Failed to initialize guest collection","pid":2112,"error":"invalid value for "user_name" "secret_name"
Resolution: To resolve this issue, initialize the credential configuration using Configuration parameters.
What's next
- Learn more about workload evaluations.