Cloud Debugger is deprecated and will be shut down May 31, 2023. See the deprecations page and release notes for more information.

Access control with IAM

Google Cloud offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Cloud Debugger IAM roles. For a detailed description of IAM, read the IAM documentation.

Granting roles

To learn how to grant IAM roles to a principal (for example, a Google account or a service account), read Granting, Changing, and Revoking Access in the IAM documentation.

The following IAM roles apply to Debugger:

Required permissions

With IAM, every Google Cloud method requires that the account making the API request has appropriate permissions to access the resource. Permissions allow principals to perform specific actions on Cloud resources.

The following table lists the permissions that the caller must have to call a Debugger method:

Method                                            Required permission(s)             For resource type
REST: controller.debuggees.register               clouddebugger.debuggees.create     Project
RPC:  RegisterDebuggeeRequest
REST: controller.debuggees.breakpoints.list       clouddebugger.breakpoints.list     Project
RPC:  ListBreakpointsRequest
REST: controller.debuggees.breakpoints.update     clouddebugger.breakpoints.update   Project
RPC:  UpdateActiveBreakpointRequest
REST: debugger.debuggees.list                     clouddebugger.debuggees.list       Project
RPC:  ListDebuggeesRequest
REST: debugger.debuggees.breakpoints.delete       clouddebugger.breakpoints.delete   Project
REST: debugger.debuggees.breakpoints.get          clouddebugger.breakpoints.get      Project
RPC:  GetBreakpointRequest
REST: debugger.debuggees.breakpoints.list         clouddebugger.breakpoints.list     Project
RPC:  ListBreakpointsRequest
REST: debugger.debuggees.breakpoints.set          clouddebugger.breakpoints.create   Project
RPC:  SetBreakpointRequest

Debugger IAM roles

You don't directly give principals permissions; instead, you grant them one or more roles on a Google Cloud resource, which have one or more permissions bundled within them.

In addition to the basic roles, Owner, Editor, and Viewer, you can grant the following Cloud Debugger IAM roles:

Cloud Debugger Agent (roles/clouddebugger.agent)

Purpose: Can register the debug target, read active breakpoints, and report breakpoint results. This role is normally assigned to the service account running with the Debugger agent.

Includes permissions:
  • clouddebugger.breakpoints.list: Returns the list of all breakpoints for the debuggee, including inactive breakpoints.
  • clouddebugger.breakpoints.listActive: Returns the list of all active breakpoints for the debuggee.
  • clouddebugger.breakpoints.update: Updates the breakpoint.
  • clouddebugger.debuggees.create: Registers the debuggee.

Cloud Debugger User (roles/clouddebugger.user)

Purpose: Can create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

Includes permissions:
  • clouddebugger.breakpoints.create: Creates the breakpoint.
  • clouddebugger.breakpoints.delete: Deletes a breakpoint.
  • clouddebugger.breakpoints.get: Reads a breakpoint.
  • clouddebugger.breakpoints.list: Lists breakpoints.
  • clouddebugger.debuggees.list: Lists debug targets (debuggees) accessible to the user.
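The two tables above (method to required permission, role to bundled permissions) can be joined against a project's IAM policy to see which principals can call which Debugger methods and where a grant is wider than needed. The following is an added example, not code from Google Cloud or this page; the policy document is constructed to match the JSON shape of `gcloud projects get-iam-policy`, and the member names in it are invented.

```python
# Permissions bundled in each Debugger role (roles table above).
ROLE_PERMISSIONS = {
    "roles/clouddebugger.agent": {
        "clouddebugger.breakpoints.list", "clouddebugger.breakpoints.listActive",
        "clouddebugger.breakpoints.update", "clouddebugger.debuggees.create"},
    "roles/clouddebugger.user": {
        "clouddebugger.breakpoints.create", "clouddebugger.breakpoints.delete",
        "clouddebugger.breakpoints.get", "clouddebugger.breakpoints.list",
        "clouddebugger.debuggees.list"},
}
# Permission each REST method requires (required-permissions table above).
METHOD_PERMISSION = {
    "controller.debuggees.register": "clouddebugger.debuggees.create",
    "controller.debuggees.breakpoints.list": "clouddebugger.breakpoints.list",
    "controller.debuggees.breakpoints.update": "clouddebugger.breakpoints.update",
    "debugger.debuggees.list": "clouddebugger.debuggees.list",
    "debugger.debuggees.breakpoints.delete": "clouddebugger.breakpoints.delete",
    "debugger.debuggees.breakpoints.get": "clouddebugger.breakpoints.get",
    "debugger.debuggees.breakpoints.list": "clouddebugger.breakpoints.list",
    "debugger.debuggees.breakpoints.set": "clouddebugger.breakpoints.create",
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Constructed policy, shaped like `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/clouddebugger.agent",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/clouddebugger.user",
     "members": ["user:dev@example.com",
                 "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": ["group:ops@example.com"]},
]}

def debugger_methods(policy):
    """Map each member to the Debugger REST methods its predefined Debugger roles allow."""
    perms = {}
    for b in policy["bindings"]:
        for m in b["members"]:
            perms.setdefault(m, set()).update(ROLE_PERMISSIONS.get(b["role"], set()))
    return {m: sorted(meth for meth, p in METHOD_PERMISSION.items() if p in ps)
            for m, ps in perms.items()}

def findings(policy):
    """Least-privilege review: an agent needs only roles/clouddebugger.agent; basic roles bundle far more."""
    out = []
    for b in policy["bindings"]:
        for m in b["members"]:
            if b["role"] == "roles/clouddebugger.user" and m.startswith("serviceAccount:"):
                out.append(f"{m}: user role on a service account; an agent needs only roles/clouddebugger.agent")
            elif b["role"] in BASIC_ROLES:
                out.append(f"{m}: basic role {b['role']}; prefer a predefined Debugger role")
    return out
```

Members whose only Debugger access comes from a basic role show an empty method list, because the page does not enumerate which Debugger permissions those roles carry; the review flags them separately.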