Need clarification about permissions for PBM Metrics #1039

Open
pawellrus opened this issue Feb 26, 2025 · 1 comment

@pawellrus

Hello.
The permissions shown in the documentation are not enough to fetch PBM metrics.
I had to give the exporter's account permissions like the PBM account's:

          - resource:
              anyResource: true
            actions:
              - anyAction

Is this the only way to get PBM metrics, or is there a possibility to decrease the permissions scope?

@idoqo
Contributor

idoqo commented Mar 6, 2025

One option will be to grant the user find access on the admin db (in addition to the other permissions in the doc):

db.createRole({
    role: "adminReader",
    privileges: [
        { resource: { db: "admin", collection: "" }, actions: [ "find" ] },
    ],
    roles: [
        {
            "role": "clusterMonitor",
            "db": "admin"
        },
        {
            "role": "read",
            "db": "local"
        }
    ]
});

For more refined permissions, you'd need to give the find permission for each PBM collection (see https://docs.percona.com/percona-backup-mongodb/details/control-collections.html):

db.createRole({
    role: "pbmReadRole",
    privileges: [
        { resource: { db: "admin", collection: "pbmBackups" }, actions: [ "find" ] },
        { resource: { db: "admin", collection: "pbmAgents" }, actions: [ "find" ] },
        { resource: { db: "admin", collection: "pbmConfig" }, actions: [ "find" ] },
        ...
    ],
    roles: [
        {
            "role": "clusterMonitor",
            "db": "admin"
        },
        {
            "role": "read",
            "db": "local"
        }
    ]
});

This can be tricky though, since the collections are internal and can be changed at any time.

Can you try any of those and share how it goes?
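
Added example, not part of either comment above and not code from the exporter or PBM projects: one way to keep the per-collection role in step with collections that change between PBM versions, and to flag the two broad grants discussed in this thread. It assumes the PBM control collections live in `admin` and share the `pbm` prefix; `buildPbmPrivileges`, `diffPbmRole` and the sample data are hypothetical names constructed for illustration.

```javascript
// Added example: pure helpers, runnable in Node or pasted into mongosh.
// Assumption: PBM control collections live in "admin" and start with "pbm".
const BASE_ROLES = [
  { role: "clusterMonitor", db: "admin" },
  { role: "read", db: "local" },
];

// One find-only privilege per PBM collection that currently exists.
function buildPbmPrivileges(collectionNames, prefix = "pbm") {
  return collectionNames
    .filter((name) => name.startsWith(prefix))
    .sort()
    .map((name) => ({
      resource: { db: "admin", collection: name },
      actions: ["find"],
    }));
}

// Compare the role's own privileges with the collections present now.
function diffPbmRole(currentPrivileges, collectionNames) {
  const granted = new Set(
    currentPrivileges
      .filter((p) => p.resource.db === "admin" && p.resource.collection && p.actions.includes("find"))
      .map((p) => p.resource.collection)
  );
  const wanted = buildPbmPrivileges(collectionNames).map((p) => p.resource.collection);
  return {
    missing: wanted.filter((c) => !granted.has(c)), // exists, exporter cannot read it
    stale: [...granted].filter((c) => !wanted.includes(c)).sort(), // granted, no longer present
    // anyResource or a whole-database grant (collection: "") is wider than needed
    tooBroad: currentPrivileges.some(
      (p) => p.resource.anyResource === true || p.resource.collection === ""
    ),
  };
}

// Constructed sample data. "pbmExampleNew" is a made-up name standing in for
// a collection introduced by a PBM upgrade.
const sampleCollections = ["system.users", "pbmBackups", "pbmAgents", "pbmConfig", "pbmExampleNew"];
const sampleRolePrivileges = ["pbmBackups", "pbmAgents", "pbmConfig"].map((c) => ({
  resource: { db: "admin", collection: c },
  actions: ["find"],
}));
console.log(diffPbmRole(sampleRolePrivileges, sampleCollections));

// In mongosh, as a user allowed to manage roles:
//   const admin = db.getSiblingDB("admin");
//   admin.getRole("pbmReadRole", { showPrivileges: true }).privileges
//   admin.updateRole("pbmReadRole", { privileges: buildPbmPrivileges(admin.getCollectionNames()), roles: BASE_ROLES });
```

A non-empty `missing` list after a PBM upgrade means the role needs regenerating before the exporter can read the new collection.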
