Access Control

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Debugger IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

Granting roles

To learn how to grant IAM roles to a user or service account, read Granting, Changing, and Revoking Access to Project Members in the IAM documentation.

To be able to use Stackdriver Debugger, a user must have one of the following roles:

  • Owner
  • Editor
  • Debugger User

Required permissions

With Cloud IAM, every Google Cloud Platform method requires that the account making the API request has appropriate permissions to access the resource. Permissions allow users to perform specific actions on Cloud resources.

The following table lists the permissions that the caller must have to call a Debugger method:

| Method | Required permission(s) | For resource type |
| --- | --- | --- |
| REST: controller.debuggees.register; RPC: RegisterDebuggeeRequest | clouddebugger.debuggees.create | Project |
| REST: controller.debuggees.breakpoints.list; RPC: ListBreakpointsRequest | clouddebugger.breakpoints.list | Project |
| REST: controller.debuggees.breakpoints.update; RPC: UpdateActiveBreakpointRequest | clouddebugger.breakpoints.update | Project |
| REST: debugger.debuggees.list; RPC: ListDebuggeesRequest | clouddebugger.debuggees.list | Project |
| REST: debugger.debuggees.breakpoints.delete | clouddebugger.breakpoints.delete | Project |
| REST: debugger.debuggees.breakpoints.get; RPC: GetBreakpointsRequest | clouddebugger.breakpoints.get | Project |
| REST: debugger.debuggees.breakpoints.list; RPC: ListBreakpointsRequest | clouddebugger.breakpoints.list | Project |
| REST: debugger.debuggees.breakpoints.set; RPC: SetBreakpointRequest | clouddebugger.breakpoints.create | Project |

You don't directly give users permissions; instead, you grant them roles, which have one or more permissions bundled within them.

You can grant one or more roles on the same resource.

In addition to the primitive roles, owner, editor, and viewer, you can grant the following Stackdriver Debugger roles to the users of your project.

Role: Debugger Agent
Purpose: Can register the debug target, read active breakpoints, and report breakpoint results. This role is normally assigned to the service account running with the debugger agent.
Includes permissions:
  • clouddebugger.breakpoints.list: Returns the list of all breakpoints for the debuggee, including inactive breakpoints.
  • clouddebugger.breakpoints.listActive: Returns the list of all active breakpoints for the debuggee.
  • clouddebugger.breakpoints.update: Updates the breakpoint.
  • clouddebugger.debuggees.create: Registers the debuggee.

Role: Debugger User
Purpose: Can create, view, list, and delete breakpoints (snapshots and logpoints) as well as list debug targets (debuggees).
Includes permissions:
  • clouddebugger.breakpoints.create: Creates the breakpoint.
  • clouddebugger.breakpoints.delete: Deletes a breakpoint.
  • clouddebugger.breakpoints.get: Reads a breakpoint.
  • clouddebugger.breakpoints.list: Lists breakpoints.
  • clouddebugger.debuggees.list: Lists debug targets (debuggees) accessible to the user.
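
The following added example, which is not part of the original documentation, applies the two tables above to an IAM policy: it reports which Debugger methods each member can call through the Debugger roles, and flags primitive-role grants and Debugger Agent grants to non-service accounts. The role IDs roles/clouddebugger.agent and roles/clouddebugger.user, the audit function, and the sample policy do not appear on this page; the policy is constructed, and conditional bindings and group membership are not evaluated.

```python
# Added example: audits Debugger access in a project IAM policy.
# Role and method permission data are copied from this page's tables.
AGENT, USER = "roles/clouddebugger.agent", "roles/clouddebugger.user"
PRIMITIVE = {"roles/owner", "roles/editor"}  # the page says these can use Debugger
P = "clouddebugger."
ROLE_PERMS = {
    AGENT: {P + "breakpoints.list", P + "breakpoints.listActive",
            P + "breakpoints.update", P + "debuggees.create"},
    USER: {P + "breakpoints.create", P + "breakpoints.delete", P + "breakpoints.get",
           P + "breakpoints.list", P + "debuggees.list"},
}
METHOD_PERM = {
    "controller.debuggees.register": P + "debuggees.create",
    "controller.debuggees.breakpoints.list": P + "breakpoints.list",
    "controller.debuggees.breakpoints.update": P + "breakpoints.update",
    "debugger.debuggees.list": P + "debuggees.list",
    "debugger.debuggees.breakpoints.delete": P + "breakpoints.delete",
    "debugger.debuggees.breakpoints.get": P + "breakpoints.get",
    "debugger.debuggees.breakpoints.list": P + "breakpoints.list",
    "debugger.debuggees.breakpoints.set": P + "breakpoints.create",
}

def audit(policy):
    """Map each member with Debugger access to callable methods and findings."""
    report = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in PRIMITIVE and role not in ROLE_PERMS:
            continue  # not a role this page ties to Debugger use
        for member in binding.get("members", []):
            entry = report.setdefault(member, {"perms": set(), "findings": []})
            entry["perms"] |= ROLE_PERMS.get(role, set())
            if role in PRIMITIVE:
                entry["findings"].append(f"{role} is broader than Debugger User")
            elif role == AGENT and not member.startswith("serviceAccount:"):
                entry["findings"].append("Debugger Agent held by a non-service account")
    for entry in report.values():
        perms = entry.pop("perms")
        # Methods reachable through Debugger roles only; primitive roles are just flagged.
        entry["methods"] = sorted(m for m, p in METHOD_PERM.items() if p in perms)
    return report

# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["user:dave@example.com"]},
    {"role": USER, "members": ["user:bob@example.com"]},
    {"role": AGENT, "members": ["user:carol@example.com",
        "serviceAccount:agent@example-project.iam.gserviceaccount.com"]},
]}
```

Because clouddebugger.breakpoints.list appears in both roles, the audit lists controller.debuggees.breakpoints.list as callable by a Debugger User as well as by the agent.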
