Access Control

Google Cloud Platform (GCP) offers Identity and Access Management (IAM), which lets you give granular access to specific GCP resources and prevents unwanted access to other resources. This page describes the Stackdriver Debugger IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

Granting roles

To learn how to grant IAM roles to a member (for example, a Google account or a service account), read Granting, Changing, and Revoking Access to Project Members in the IAM documentation.

The IAM roles that apply to Debugger are described under Debugger IAM roles below.

Required permissions

With Cloud IAM, every GCP method requires that the account making the API request has appropriate permissions to access the resource. Permissions allow members to perform specific actions on Cloud resources.

The following table lists the permissions that the caller must have to call a Debugger method:

Method (REST / RPC) | Required permission(s) | For resource type
controller.debuggees.register / RegisterDebuggeeRequest | clouddebugger.debuggees.create | Project
controller.debuggees.breakpoints.list / ListBreakpointsRequest | clouddebugger.breakpoints.list | Project
controller.debuggees.breakpoints.update / UpdateActiveBreakpointRequest | clouddebugger.breakpoints.update | Project
debugger.debuggees.list / ListDebuggeesRequest | clouddebugger.debuggees.list | Project
debugger.debuggees.breakpoints.delete / - | clouddebugger.breakpoints.delete | Project
debugger.debuggees.breakpoints.get / GetBreakpointRequest | clouddebugger.breakpoints.get | Project
debugger.debuggees.breakpoints.list / ListBreakpointsRequest | clouddebugger.breakpoints.list | Project
debugger.debuggees.breakpoints.set / SetBreakpointRequest | clouddebugger.breakpoints.create | Project

Debugger IAM roles

You don't directly give members permissions; instead, you grant them one or more roles on a GCP resource, which have one or more permissions bundled within them.

In addition to the primitive roles (Owner, Editor, and Viewer), you can grant the following Stackdriver Debugger IAM roles:

Role: Debugger Agent (roles/clouddebugger.agent)
Purpose: Can register the debug target, read active breakpoints, and report breakpoint results. This role is normally assigned to the service account running with the Debugger agent.
Includes permissions:
  • clouddebugger.breakpoints.list: Returns the list of all breakpoints for the debuggee, including inactive breakpoints.
  • clouddebugger.breakpoints.listActive: Returns the list of all active breakpoints for the debuggee.
  • clouddebugger.breakpoints.update: Updates the breakpoint.
  • clouddebugger.debuggees.create: Registers the debuggee.

Role: Debugger User (roles/clouddebugger.user)
Purpose: Can create, view, list, and delete breakpoints (snapshots and logpoints) as well as list debug targets (debuggees).
Includes permissions:
  • clouddebugger.breakpoints.create: Creates the breakpoint.
  • clouddebugger.breakpoints.delete: Deletes a breakpoint.
  • clouddebugger.breakpoints.get: Reads a breakpoint.
  • clouddebugger.breakpoints.list: Lists breakpoints.
  • clouddebugger.debuggees.list: Lists debug targets (debuggees) accessible to the user.
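The two tables above (method-to-permission and role-to-permission) can be combined into a small audit of a project's IAM policy: expand each Debugger role binding into its permissions, answer "can this member call this method?", and flag grants that violate the page's own guidance (the agent role belongs on the agent's service account; the user role grants the ability to set breakpoints). This is an added example, not Google's code; the policy shape is that of `gcloud projects get-iam-policy --format=json`, and the sample policy, project name and member addresses are constructed.

```python
# Permissions bundled in each Debugger role, as listed on this page.
DEBUGGER_ROLES = {
    "roles/clouddebugger.agent": {
        "clouddebugger.breakpoints.list", "clouddebugger.breakpoints.listActive",
        "clouddebugger.breakpoints.update", "clouddebugger.debuggees.create",
    },
    "roles/clouddebugger.user": {
        "clouddebugger.breakpoints.create", "clouddebugger.breakpoints.delete",
        "clouddebugger.breakpoints.get", "clouddebugger.breakpoints.list",
        "clouddebugger.debuggees.list",
    },
}
# Member prefixes that make a grant effectively public or organisation-wide.
BROAD_MEMBERS = ("allUsers", "allAuthenticatedUsers", "domain:")

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/clouddebugger.agent",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/clouddebugger.user",
     "members": ["user:dev@example.com", "allAuthenticatedUsers"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

def debugger_permissions(policy):
    """Map each member to the union of Debugger permissions its role bindings grant."""
    grants = {}  # primitive roles (owner/editor/viewer) are not expanded; review them separately
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            grants.setdefault(member, set()).update(DEBUGGER_ROLES.get(binding["role"], set()))
    return {member: perms for member, perms in grants.items() if perms}

def can_call(policy, member, required_permission):
    """True if `member` holds a Debugger role bundling the permission a method requires."""
    return required_permission in debugger_permissions(policy).get(member, set())

def findings(policy):
    """Least-privilege review: agent role on a human principal, user role on a broad one."""
    out = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role == "roles/clouddebugger.agent" and not member.startswith("serviceAccount:"):
                out.append(f"{member}: {role} is meant for the Debugger agent's service account")
            if role == "roles/clouddebugger.user" and member.startswith(BROAD_MEMBERS):
                out.append(f"{member}: {role} lets any matching principal set breakpoints")
    return out
```

For example, `can_call(SAMPLE_POLICY, "user:dev@example.com", "clouddebugger.breakpoints.create")` answers whether that user may call debugger.debuggees.breakpoints.set, and `findings(SAMPLE_POLICY)` reports the two misassigned bindings in the sample.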