Prepare IAM permissions

Google Distributed Cloud (GDC) air-gapped appliance offers Identity and Access Management (IAM) for granular access to specific GDC air-gapped appliance resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and controls who can access given resources using IAM roles and permissions.

A role is a collection of specific permissions mapped to certain actions on resources and assigned to individual subjects, such as users, groups of users, or service accounts. Therefore, you must have the proper IAM roles and permissions to use monitoring and logging services on GDC air-gapped appliance.

IAM permissions for Infrastructure Operator

IAM on GDC air-gapped appliance offers predefined role types that you can obtain on the following levels of access:

  • Management API server: Grants a subject permissions to manage custom resources at the project level, in the project namespace of the Management API server where they want to use logging and monitoring services.
  • Root admin cluster: Grants a subject permissions to manage infrastructure resources in the root admin cluster.

If you can't access or use a monitoring or logging service, contact your administrator to grant you the necessary roles. Request the appropriate permissions from your Security Admin.

This page describes all the roles and their respective permissions for using monitoring and logging services.

Predefined roles at the project level

Request the appropriate permissions from your Security Admin to set up logging and monitoring in the project namespace of the Management API server where you want to manage the lifecycle of observability services.

All roles must bind to the project namespace of the Management API server where you are using the service. To grant team members resource access, assign roles by creating role bindings on the Management API server using its kubeconfig file. To grant permissions or receive role access, see Grant and revoke access.

For more information, see Predefined role descriptions.

Monitoring resources

The following table provides details about the permissions assigned to each predefined role for monitoring resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| ConfigMap Creator | configmap-creator | Create ConfigMap objects in the project namespace. | Role |
| Dashboard IO Creator | dashboard-io-creator | Create Dashboard custom resources in the project namespace. | ClusterRole |
| Dashboard IO Editor | dashboard-io-editor | Edit or modify Dashboard custom resources in the project namespace. | ClusterRole |
| Dashboard IO Viewer | dashboard-io-viewer | View Dashboard custom resources in the project namespace. | ClusterRole |
| MonitoringRule IO Creator | monitoringrule-io-creator | Create MonitoringRule custom resources in the project namespace. | ClusterRole |
| MonitoringRule IO Editor | monitoringrule-io-editor | Edit or modify MonitoringRule custom resources in the project namespace. | ClusterRole |
| MonitoringRule IO Viewer | monitoringrule-io-viewer | View MonitoringRule custom resources in the project namespace. | ClusterRole |
| MonitoringTarget IO Creator | monitoringtarget-io-creator | Create MonitoringTarget custom resources in the project namespace. | ClusterRole |
| MonitoringTarget IO Editor | monitoringtarget-io-editor | Edit or modify MonitoringTarget custom resources in the project namespace. | ClusterRole |
| MonitoringTarget IO Viewer | monitoringtarget-io-viewer | View MonitoringTarget custom resources in the project namespace. | ClusterRole |
| ObservabilityPipeline IO Creator | observabilitypipeline-io-creator | Create ObservabilityPipeline custom resources in the project namespace. | ClusterRole |
| ObservabilityPipeline IO Editor | observabilitypipeline-io-editor | Edit or modify ObservabilityPipeline custom resources in the project namespace. | ClusterRole |
| ObservabilityPipeline IO Viewer | observabilitypipeline-io-viewer | View ObservabilityPipeline custom resources in the project namespace. | ClusterRole |
| Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor | Edit the Cortex Alertmanager instance in the project namespace. | Role |
| Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | Access the Cortex Alertmanager instance in the project namespace. | Role |
| Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | Access the Cortex Prometheus instance in the project namespace. | Role |
| Project Grafana Viewer | project-grafana-viewer | Visualize project-related observability data on dashboards of the Grafana monitoring instance. | Role |
| ServiceLevelObjective Viewer | servicelevelobjective-viewer | Visualize ServiceLevelObjective custom resources in the Management API server. | ClusterRole |

Logging resources

The following table provides details about the permissions assigned to each predefined role for logging resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| AuditLoggingTarget IO Creator | auditloggingtarget-io-creator | Create AuditLoggingTarget custom resources in the project namespace. | ClusterRole |
| AuditLoggingTarget IO Editor | auditloggingtarget-io-editor | Edit or modify AuditLoggingTarget custom resources in the project namespace. | ClusterRole |
| AuditLoggingTarget IO Viewer | auditloggingtarget-io-viewer | View AuditLoggingTarget custom resources in the project namespace. | ClusterRole |
| Audit Logs Backup Restore Creator | audit-logs-backup-restore-creator | Create a backup transfer job configuration and restore audit logs. | Role |
| Audit Logs Backup Restore Editor | audit-logs-backup-restore-editor | Edit the backup transfer job configuration and restore audit logs. | Role |
| Audit Logs Infra Bucket Viewer | audit-logs-infra-bucket-viewer | View backup buckets of infrastructure audit logs. | Role |
| FluentBit IO Creator | fluentbit-io-creator | Create FluentBit custom resources in the project namespace. | ClusterRole |
| FluentBit IO Editor | fluentbit-io-editor | Edit or modify FluentBit custom resources in the project namespace. | ClusterRole |
| FluentBit IO Viewer | fluentbit-io-viewer | View FluentBit custom resources in the project namespace. | ClusterRole |
| LogCollector IO Creator | logcollector-io-creator | Create LogCollector custom resources in the project namespace. | ClusterRole |
| LogCollector IO Editor | logcollector-io-editor | Edit or modify LogCollector custom resources in the project namespace. | ClusterRole |
| LogCollector IO Viewer | logcollector-io-viewer | View LogCollector custom resources in the project namespace. | ClusterRole |
| LoggingRule IO Creator | loggingrule-io-creator | Create LoggingRule custom resources in the project namespace. | ClusterRole |
| LoggingRule IO Editor | loggingrule-io-editor | Edit or modify LoggingRule custom resources in the project namespace. | ClusterRole |
| LoggingRule IO Viewer | loggingrule-io-viewer | View LoggingRule custom resources in the project namespace. | ClusterRole |
| LoggingTarget IO Creator | loggingtarget-io-creator | Create LoggingTarget custom resources in the project namespace. | ClusterRole |
| LoggingTarget IO Editor | loggingtarget-io-editor | Edit or modify LoggingTarget custom resources in the project namespace. | ClusterRole |
| LoggingTarget IO Viewer | loggingtarget-io-viewer | View LoggingTarget custom resources in the project namespace. | ClusterRole |

Predefined roles in the root admin cluster

Request the appropriate permissions from your Security Admin to use logging and monitoring services in the root admin cluster.

To grant team members resource access, assign roles by creating role bindings on the root admin cluster using its kubeconfig file. To grant permissions or receive role access, see Grant and revoke access.

For more information, see Predefined role descriptions.

Monitoring resources

The following table provides details about the permissions assigned to each predefined role for monitoring resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| Dashboard Creator | dashboard-creator | Create Dashboard custom resources in the root admin cluster. | ClusterRole |
| Dashboard Editor | dashboard-editor | Edit or modify Dashboard custom resources in the root admin cluster. | ClusterRole |
| Dashboard Viewer | dashboard-viewer | View Dashboard custom resources in the root admin cluster. | ClusterRole |
| Grafana Viewer | grafana-viewer | Visualize observability data on dashboards of the Grafana monitoring instance in the root admin cluster. | ClusterRole |
| MonitoringRule Creator | monitoringrule-creator | Create MonitoringRule custom resources in the root admin cluster. | ClusterRole |
| MonitoringRule Editor | monitoringrule-editor | Edit or modify MonitoringRule custom resources in the root admin cluster. | ClusterRole |
| MonitoringRule Viewer | monitoringrule-viewer | View MonitoringRule custom resources in the root admin cluster. | ClusterRole |
| MonitoringTarget Creator | monitoringtarget-creator | Create MonitoringTarget custom resources in the root admin cluster. | ClusterRole |
| MonitoringTarget Editor | monitoringtarget-editor | Edit or modify MonitoringTarget custom resources in the root admin cluster. | ClusterRole |
| MonitoringTarget Viewer | monitoringtarget-viewer | View MonitoringTarget custom resources in the root admin cluster. | ClusterRole |
| ObservabilityPipeline Creator | observabilitypipeline-creator | Create ObservabilityPipeline custom resources in the root admin cluster. | ClusterRole |
| ObservabilityPipeline Editor | observabilitypipeline-editor | Edit or modify ObservabilityPipeline custom resources in the root admin cluster. | ClusterRole |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | View ObservabilityPipeline custom resources in the root admin cluster. | ClusterRole |
| Root Cortex Alertmanager Editor | root-cortex-alertmanager-editor | Edit the Cortex Alertmanager instance in the root admin cluster. | Role |
| Root Cortex Alertmanager Viewer | root-cortex-alertmanager-viewer | Access the Cortex Alertmanager instance in the root admin cluster. | Role |
| Root Cortex Prometheus Viewer | root-cortex-prometheus-viewer | Access the Cortex Prometheus instance in the root admin cluster. | Role |
| ServiceLevelObjective Viewer | servicelevelobjective-viewer | Visualize ServiceLevelObjective custom resources in the root admin cluster. | ClusterRole |

Logging resources

The following table provides details about the permissions assigned to each predefined role for logging resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| AuditLoggingTarget Creator | auditloggingtarget-creator | Create AuditLoggingTarget custom resources in the root admin cluster. | ClusterRole |
| AuditLoggingTarget Editor | auditloggingtarget-editor | Edit or modify AuditLoggingTarget custom resources in the root admin cluster. | ClusterRole |
| AuditLoggingTarget Viewer | auditloggingtarget-viewer | View AuditLoggingTarget custom resources in the root admin cluster. | ClusterRole |
| Audit Logs Backup Restore Creator | audit-logs-backup-restore-creator | Create a backup transfer job configuration and restore audit logs. | Role |
| Audit Logs Backup Restore Editor | audit-logs-backup-restore-editor | Edit the backup transfer job configuration and restore audit logs. | Role |
| Audit Logs Infra Bucket Viewer | audit-logs-infra-bucket-viewer | View backup buckets of infrastructure audit logs. | Role |
| FluentBit Creator | fluentbit-creator | Create FluentBit custom resources in the root admin cluster. | ClusterRole |
| FluentBit Editor | fluentbit-editor | Edit or modify FluentBit custom resources in the root admin cluster. | ClusterRole |
| FluentBit Viewer | fluentbit-viewer | View FluentBit custom resources in the root admin cluster. | ClusterRole |
| LogCollector Creator | logcollector-creator | Create LogCollector custom resources in the root admin cluster. | ClusterRole |
| LogCollector Editor | logcollector-editor | Edit or modify LogCollector custom resources in the root admin cluster. | ClusterRole |
| LogCollector Viewer | logcollector-viewer | View LogCollector custom resources in the root admin cluster. | ClusterRole |
| LoggingRule Creator | loggingrule-creator | Create LoggingRule custom resources in the root admin cluster. | ClusterRole |
| LoggingRule Editor | loggingrule-editor | Edit or modify LoggingRule custom resources in the root admin cluster. | ClusterRole |
| LoggingRule Viewer | loggingrule-viewer | View LoggingRule custom resources in the root admin cluster. | ClusterRole |

IAM permissions for Platform Administrator (PA) and Application Operator

IAM on GDC air-gapped appliance offers the following two predefined PA/AO role types, depending on the level of access you need:

  • ClusterRole: Grants a subject permissions at the organization level. Organization-level roles let you deploy custom resources across all project namespaces of the Management API server and enable services in all projects of your entire organization.
  • Role: Grants a subject permissions at the project level by propagating roles to Kubernetes namespaces. Project-level roles let you deploy custom resources into the project namespace of the Management API server and enable services only in your project namespace.
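The two binding shapes behind this list, and behind the role-binding procedure for the Management API server described earlier, as an added example that is not part of the GDC documentation: a RoleBinding that confines the predefined dashboard-io-viewer ClusterRole to one project namespace, a ClusterRoleBinding that grants the same ClusterRole organization-wide, and a RoleBinding for a namespaced Role (project-grafana-viewer). PROJECT_NAMESPACE, the subject names and the binding names are placeholders.

```yaml
# Project-scoped: a RoleBinding in the project namespace that references a
# ClusterRole. The subject can view Dashboard resources in this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-viewers
  namespace: PROJECT_NAMESPACE   # placeholder: project namespace on the Management API server
subjects:
  - kind: Group
    name: observability-team@example.com   # constructed placeholder
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dashboard-io-viewer   # predefined role from the tables above
  apiGroup: rbac.authorization.k8s.io
---
# Organization-scoped: a ClusterRoleBinding grants the same ClusterRole in
# every project namespace. Use the RoleBinding form above unless the subject
# genuinely needs organization-wide access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewers-org
subjects:
  - kind: Group
    name: org-observability-admins@example.com   # constructed placeholder
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: dashboard-io-viewer
  apiGroup: rbac.authorization.k8s.io
---
# A role of type Role (for example project-grafana-viewer) is itself namespaced,
# so it can only be referenced from a RoleBinding in that same namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: grafana-viewers
  namespace: PROJECT_NAMESPACE
subjects:
  - kind: User
    name: alice@example.com   # constructed placeholder
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: project-grafana-viewer
  apiGroup: rbac.authorization.k8s.io
```

Apply the manifest with the kubeconfig of the server the page names for that role (for example `kubectl apply --kubeconfig MANAGEMENT_API_KUBECONFIG -f bindings.yaml`), then confirm the resulting scope with `kubectl auth can-i` using `--as` or `--as-group` for the bound subject and `-n PROJECT_NAMESPACE`.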

If you can't access or use a monitoring or logging service, contact your administrator to grant you the necessary roles. Request the appropriate permissions from your Project IAM Admin for a given project. If you require permissions at the organization level, ask your Organization IAM Admin instead.

This page describes all the roles and their respective permissions for using monitoring and logging services.

Predefined roles at the project level

Request the appropriate permissions from your Project IAM Admin to use logging and monitoring services in a project. All roles must bind to the project namespace where you are using the service.

To grant permissions or receive role access to resources at the project level, see Grant access to project resources.

Monitoring resources

The following table provides details about the permissions assigned to each predefined role for monitoring resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| ConfigMap Creator | configmap-creator | Create ConfigMap objects in the project namespace. | Role |
| Dashboard Editor | dashboard-editor | Edit or modify Dashboard custom resources in the project namespace. | Role |
| Dashboard Viewer | dashboard-viewer | View Dashboard custom resources in the project namespace. | Role |
| MonitoringRule Editor | monitoringrule-editor | Edit or modify MonitoringRule custom resources in the project namespace. | Role |
| MonitoringRule Viewer | monitoringrule-viewer | View MonitoringRule custom resources in the project namespace. | Role |
| MonitoringTarget Editor | monitoringtarget-editor | Edit or modify MonitoringTarget custom resources in the project namespace. | Role |
| MonitoringTarget Viewer | monitoringtarget-viewer | View MonitoringTarget custom resources in the project namespace. | Role |
| ObservabilityPipeline Editor | observabilitypipeline-editor | Edit or modify ObservabilityPipeline custom resources in the project namespace. | Role |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | View ObservabilityPipeline custom resources in the project namespace. | Role |
| Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor | Edit the Cortex Alertmanager instance in the project namespace. | Role |
| Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | Access the Cortex Alertmanager instance in the project namespace. | Role |
| Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | Access the Cortex Prometheus instance in the project namespace. | Role |
| Project Grafana Viewer | project-grafana-viewer | Visualize project-related observability data on dashboards of the Grafana monitoring instance. | Role |

Logging resources

The following table provides details about the permissions assigned to each predefined role for logging resources:

| Role name | Kubernetes resource name | Permission description | Type |
|---|---|---|---|
| Audit Logs Platform Restore Bucket Creator | audit-logs-platform-restore-bucket-creator | Create backup buckets to restore the platform audit logs. | Role |
| Audit Logs Platform Bucket Viewer | audit-logs-platform-bucket-viewer | View backup buckets of platform audit logs. | Role |
| LoggingRule Creator | loggingrule-creator | Create LoggingRule custom resources in the project namespace. | Role |
| LoggingRule Editor | loggingrule-editor | Edit or modify LoggingRule custom resources in the project namespace. | Role |
| LoggingRule Viewer | loggingrule-viewer | View LoggingRule custom resources in the project namespace. | Role |
| LoggingTarget Creator | loggingtarget-creator | Create LoggingTarget custom resources in the project namespace. | Role |
| LoggingTarget Editor | loggingtarget-editor | Edit or modify LoggingTarget custom resources in the project namespace. | Role |
| LoggingTarget Viewer | loggingtarget-viewer | View LoggingTarget custom resources in the project namespace. | Role |