Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Debugger IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

Granting roles

To learn how to grant IAM roles to a user or service account, read Granting, Changing, and Revoking Access to Project Members in the IAM documentation.

To be able to use Stackdriver Debugger, a user must have one of the following roles:

  • Owner
  • Editor
  • Debugger User

Required permissions

With Cloud IAM, every Google Cloud Platform method requires that the account making the API request has appropriate permissions to access the resource. Permissions allow users to perform specific actions on Cloud resources.

The following table lists the permissions that the caller must have to call a Debugger method:

Method (REST / RPC) Required permission(s) For resource type
controller.debuggees.register / RegisterDebuggeeRequest clouddebugger.debuggees.create Project
controller.debuggees.breakpoints.list / ListBreakpointsRequest clouddebugger.breakpoints.list Project
controller.debuggees.breakpoints.update / UpdateActiveBreakpointRequest clouddebugger.breakpoints.update Project
debugger.debuggees.list / ListDebuggeesRequest clouddebugger.debuggees.list Project
debugger.debuggees.breakpoints.delete clouddebugger.breakpoints.delete Project
debugger.debuggees.breakpoints.get / GetBreakpointsRequest clouddebugger.breakpoints.get Project
debugger.debuggees.breakpoints.list / ListBreakpointsRequest clouddebugger.breakpoints.list Project
debugger.debuggees.breakpoints.set / SetBreakpointRequest clouddebugger.breakpoints.create Project


You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

In addition to the primitive roles, owner, editor, and viewer, you can grant the following Stackdriver Debugger roles to the users of your project.

Role Purpose Includes Permissions
Debugger Agent
Can register the debug target, read active breakpoints, and report breakpoint results. This role is normally assigned to the service account running with the debugger agent.
  • clouddebugger.breakpoints.list: Returns the list of all breakpoints for the debuggee, including inactive breakpoints.
  • clouddebugger.breakpoints.listActive: Returns the list of all active breakpoints for the debuggee.
  • clouddebugger.breakpoints.update: Updates the breakpoint.
  • clouddebugger.debuggees.create: Registers the debuggee.
Debugger User

Can create, view, list, and delete breakpoints (snapshots & logpoints) as well as list debug targets (debuggees).

  • clouddebugger.breakpoints.create: Creates the breakpoint.
  • clouddebugger.breakpoints.delete: Deletes a breakpoint.
  • clouddebugger.breakpoints.get: Reads a breakpoint.
  • clouddebugger.breakpoints.list: Lists breakpoints.
  • clouddebugger.debuggees.list: List debug targets (debuggees) accessible to the user.

Monitor your resources on the go

Get the Google Cloud Console app to help you manage your projects.

Send feedback about...

Stackdriver Debugger Documentation