This page describes how you use Identity and Access Management (IAM) roles and permissions to control access to Error Reporting data in Google Cloud resources.
Overview
IAM permissions and roles determine your ability to access data through the Error Reporting API and the Google Cloud console.
To use Error Reporting within a Google Cloud resource, such as a Google Cloud project, folder, or organization, you must be granted an IAM role on that resource. This role must contain the appropriate permissions.
A role is a collection of permissions. You can't grant a principal permissions directly; instead, you grant them a role. When you grant a role to a principal, you grant them all the permissions that the role contains. You can grant multiple roles to the same principal.
Predefined roles
IAM provides predefined roles to give granular access to specific Google Cloud resources. Google Cloud creates and maintains these roles and automatically updates their permissions as necessary, such as when Error Reporting adds new features.
The following table lists the Error Reporting roles, the roles' titles, their descriptions, contained permissions, and the lowest-level resource type where the roles can be set. A particular role can be granted on this resource type or, in most cases, any type above it in the Google Cloud hierarchy.
To get a list of each individual permission contained in a role, see Getting the role metadata.
Role | Permissions |
---|---|
Error Reporting Admin (Beta). Provides full access to Error Reporting data. Lowest-level resources where you can grant this role: | |
Error Reporting User (Beta). Provides the permissions to read and write Error Reporting data, except for sending new error events. Lowest-level resources where you can grant this role: | |
Error Reporting Viewer (Beta). Provides read-only access to Error Reporting data. Lowest-level resources where you can grant this role: | |
Error Reporting Writer (Beta). Provides the permissions to send error events to Error Reporting. Lowest-level resources where you can grant this role: | |
API permissions
Error Reporting API methods require specific IAM permissions. The following table lists and describes the permissions needed by the API methods.
Method | Required permission(s) | Description |
---|---|---|
deleteEvents | errorreporting.errorEvents.delete | Delete error events. |
events.list | errorreporting.errorEvents.list | List error events. |
events.report | errorreporting.errorEvents.create | Create or update error events. |
groupStats.list | errorreporting.groups.list | List ErrorGroupStats. |
groups.get | errorreporting.groupMetadata.get | Retrieve error group information. |
groups.update | errorreporting.groupMetadata.update, errorreporting.applications.list | Change error resolution status. |
Further considerations
When deciding which permissions and roles apply to a principal's use cases, consider the following summary of Error Reporting activities and required permissions:
Activities | Required permissions |
---|---|
Have read-only access to the Error Reporting Google Cloud console page. | errorreporting.applications.list, errorreporting.groupMetadata.get, errorreporting.groups.list |
See group details in the Google Cloud console. | Permissions for read-only access plus: errorreporting.errorEvents.list |
Change metadata in the Google Cloud console. Change error resolution status, including muting errors. | Permissions for read-only access plus: errorreporting.groupMetadata.update |
Delete errors in the Google Cloud console. | Permissions for read-only access plus: errorreporting.errorEvents.delete |
Create errors (no Google Cloud console permissions needed). | errorreporting.errorEvents.create |
Subscribe to notifications. | Permissions for read-only access plus: cloudnotifications.activities.list |
Grant and manage roles
You can grant and manage IAM roles using the Google Cloud console, the IAM API methods, or the Google Cloud CLI. For instructions on granting and managing roles, see Granting, changing, and revoking access.
You can grant multiple roles to the same user. To get a list of the permissions contained in a role, see Getting the role metadata.
If you're trying to access a Google Cloud resource and lack the necessary permissions, contact the user who is listed as the Owner for the resource.
Custom roles
To create a custom role with Error Reporting permissions, choose permissions from API permissions, then follow the instructions to create a custom role.
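One way to apply the activities table and the custom-role guidance above when scoping least-privilege access (an added example, not Google's code). The activity keys and function names are hypothetical labels; the permission strings come from the tables on this page, and `title`, `stage`, and `includedPermissions` are the field names of an IAM custom role definition.

```python
# Added example: permission strings are copied from the "Further considerations"
# table on this page; the activity keys are hypothetical labels for its rows.
READ_ONLY = frozenset({
    "errorreporting.applications.list",
    "errorreporting.groupMetadata.get",
    "errorreporting.groups.list",
})
ACTIVITY_PERMISSIONS = {
    "console_read_only": READ_ONLY,
    "see_group_details": READ_ONLY | {"errorreporting.errorEvents.list"},
    "change_resolution_status": READ_ONLY | {"errorreporting.groupMetadata.update"},
    "delete_errors": READ_ONLY | {"errorreporting.errorEvents.delete"},
    "create_errors": frozenset({"errorreporting.errorEvents.create"}),
    "subscribe_to_notifications": READ_ONLY | {"cloudnotifications.activities.list"},
}


def required_permissions(activities):
    """Smallest permission set that covers the requested activities."""
    unknown = set(activities) - ACTIVITY_PERMISSIONS.keys()
    if unknown:
        raise ValueError(f"unknown activities: {sorted(unknown)}")
    perms = set()
    for name in activities:
        perms |= ACTIVITY_PERMISSIONS[name]
    return sorted(perms)


def allowed_activities(granted):
    """Activities a principal holding `granted` permissions can perform."""
    granted = set(granted)
    return sorted(a for a, need in ACTIVITY_PERMISSIONS.items() if need <= granted)


def excess_permissions(granted, activities):
    """Granted permissions that the intended activities do not need."""
    return sorted(set(granted) - set(required_permissions(activities)))


def custom_role_definition(title, activities):
    """Custom role fields; `title` and the GA stage are caller-chosen assumptions."""
    return {"title": title, "stage": "GA",
            "includedPermissions": required_permissions(activities)}


if __name__ == "__main__":
    # Constructed sample: a principal meant only to send error events.
    held = ["errorreporting.errorEvents.create", "errorreporting.errorEvents.delete"]
    print(excess_permissions(held, ["create_errors"]))
    print(custom_role_definition("Error triage", ["see_group_details"]))
```
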
Role change latency
Error Reporting caches IAM permissions for 5 minutes, so a role change can take up to 5 minutes to become effective.