Access control guide

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Error Reporting IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you only grant access to necessary resources.

IAM lets you control who (users) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a user, giving the user certain permissions.

Permissions and roles

This section summarizes the permissions and roles Error Reporting supports.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Method Required Permission(s)
deleteEvents errorreporting.errorEvents.delete
events.list errorreporting.errorEvents.list errorreporting.errorEvents.create
groupStats.list errorreporting.groups.list
groups.get errorreporting.groupMetadata.get
groups.update errorreporting.groupMetadata.update


With IAM, every API method in Error Reporting requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles, which are Owner, Editor, and Viewer, you can grant Error Reporting roles to the users of your project.

The following table lists the Error Reporting IAM roles. You can grant multiple roles to a user, group, or service account.

Role Permissions Description
Error Reporting Viewer
Read-only access to Error Reporting data.
Error Reporting User
Read-write access to Error Reporting data, except you can't create new error events.
Error Reporting Writer
errorreporting.errorEvents.create Can send error events to Error Reporting. Intended for service accounts.
Error Reporting Admin
errorreporting.errorEvents.create errorreporting.errorEvents.delete
Full access to Error Reporting data.

Custom roles

This following table shows which permissions to add to your custom IAM role to permit Error Reporting activities:

Activities Required permissions
Minimal read-only access to the Error Reporting console page. errorreporting.applications.list
See group details in the console. Minimal permissions plus:
Change metadata in the console. Change error resolution status, including muting errors. Minimal permissions plus:
Delete errors in the console. Minimal permissions plus:
Create errors (no console permissions needed). errorreporting.errorEvents.create
Subscribe to notifications. Minimal permissions plus:

If you want to grant access to some methods in the Error Reporting API and not to the console, then you can add to your custom role just the permissions for the individual API methods. See Required permissions on this page.


The following table lists the permissions that Error Reporting supports.

Permission name Description
errorreporting.applications.list List services and versions for a project.
errorreporting.errorEvents.create Create or update error events.
errorreporting.errorEvents.delete Delete error events.
errorreporting.errorEvents.list List error events.
errorreporting.groups.list List ErrorGroupStats.
errorreporting.groupMetadata.get Retrieve error group information.
errorreporting.groupMetadata.update Update error group information. Change error resolution status; mute errors.

Role change latency

Error Reporting caches IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.

Managing IAM policies

You can get and set IAM policies using the Google Cloud Platform Console, the IAM API methods, or the gcloud command-line tool.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Stackdriver Error Reporting Documentation