Identity and Access Management

Google Cloud Platform offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. This page describes the Stackdriver Error Reporting IAM roles. For a detailed description of Cloud IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you only grant access to necessary resources.

IAM lets you control who (users) has what (roles) permission to which resources by setting IAM policies. IAM policies grant specific role(s) to a user, giving the user certain permissions.

Permissions and Roles

This section summarizes the permissions and roles Error Reporting supports.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

| Method | Required Permission(s) |
| --- | --- |
| deleteEvents | errorreporting.errorEvents.delete |
| events.list | errorreporting.applications.list |
| events.report | errorreporting.errorEvents.create |
| groupStats.list | errorreporting.groups.list |
| groups.get | errorreporting.groupMetadata.get |
| groups.update | errorreporting.groupMetadata.update |

Roles

With IAM, every API method in Error Reporting requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles, owner, editor, and viewer, you can grant Error Reporting roles to the users of your project.

The following table lists the Error Reporting IAM roles. You can grant multiple roles to a user, group, or service account.

| Role | Permissions | Description |
| --- | --- | --- |
| roles/errorreporting.viewer (Error Reporting Viewer) | errorreporting.applications.list, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groups.list | Read-only access to Error Reporting data. |
| roles/errorreporting.user (Error Reporting User) | errorreporting.applications.list, errorreporting.errorEvents.delete, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groupMetadata.update, errorreporting.groups.list | Read-write access to Error Reporting data, except you can't create new error events. |
| roles/errorreporting.writer (Error Reporting Writer) | errorreporting.errorEvents.create | Can send error events to Error Reporting. Intended for service accounts. |
| roles/errorreporting.admin (Error Reporting Admin) | errorreporting.applications.list, errorreporting.errorEvents.create, errorreporting.errorEvents.delete, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groupMetadata.update, errorreporting.groups.list | Full access to Error Reporting data. |

Custom roles

The following table shows which Error Reporting permissions you should add to your custom IAM role to permit Error Reporting activities.

| Activity | Required permissions |
| --- | --- |
| Minimal read-only access to the Error Reporting console page. | errorreporting.applications.list, errorreporting.groupMetadata.get, errorreporting.groups.list |
| Add ability to see group details in the console. | Minimal permissions plus: errorreporting.errorEvents.list |
| Add ability to change metadata in the console. | Minimal permissions plus: errorreporting.groupMetadata.update |
| Add ability to delete errors in the console. | Minimal permissions plus: errorreporting.errorEvents.delete |
| Create errors (no console permissions needed). | errorreporting.errorEvents.create |

If you want to grant access to some methods in the Error Reporting API and not to the console, then you can add to your custom role just the permissions for the individual API methods. See Required permissions on this page.
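The role and method tables on this page are enough to check an IAM policy for drift from least privilege. The following is an added example, not part of the original page or Google's tooling: it expands each member's predefined Error Reporting roles into permissions and compares them with the API methods that member actually calls. The member names, `SAMPLE_POLICY`, `SAMPLE_NEEDS` and all function names are assumptions constructed for illustration; the policy uses the IAM `bindings` shape.

```python
# Added example, not Google's code; both tables are copied from this page.
P = "errorreporting."
VIEWER = {P + "applications.list", P + "errorEvents.list",
          P + "groupMetadata.get", P + "groups.list"}
USER = VIEWER | {P + "errorEvents.delete", P + "groupMetadata.update"}
WRITER = {P + "errorEvents.create"}
ROLE_PERMS = {"roles/errorreporting.viewer": VIEWER, "roles/errorreporting.user": USER,
              "roles/errorreporting.writer": WRITER, "roles/errorreporting.admin": USER | WRITER}
METHOD_PERM = {"deleteEvents": P + "errorEvents.delete",
               "events.list": P + "applications.list",
               "events.report": P + "errorEvents.create",
               "groupStats.list": P + "groups.list",
               "groups.get": P + "groupMetadata.get",
               "groups.update": P + "groupMetadata.update"}

def granted(policy):
    """Member -> union of Error Reporting permissions from its predefined roles."""
    out = {}
    for binding in policy.get("bindings", []):
        # Primitive and custom roles expand to nothing here: the page does not list them.
        perms = ROLE_PERMS.get(binding["role"], set())
        for member in binding.get("members", []):
            out.setdefault(member, set()).update(perms)
    return out

def best_role(methods):
    """(role, surplus count) for the tightest predefined role covering the methods."""
    need = {METHOD_PERM[m] for m in methods}
    surplus, role = min((len(perms - need), role)
                        for role, perms in ROLE_PERMS.items() if need <= perms)
    return role, surplus

def audit(policy, needs):
    """needs: member -> API methods it calls. Reports drift from least privilege."""
    have, report = granted(policy), {}
    for member, methods in needs.items():
        need = {METHOD_PERM[m] for m in methods}
        got, (role, surplus) = have.get(member, set()), best_role(methods)
        # A custom role holding exactly `need` is tighter when every predefined fit has surplus.
        report[member] = {"surplus": sorted(got - need), "missing": sorted(need - got),
                          "tightest_role": role,
                          "custom_role": sorted(need) if surplus else None}
    return report

# Constructed sample input (hypothetical members) in the shape of an IAM policy.
APP, ONCALL = "serviceAccount:app@demo.iam.gserviceaccount.com", "user:oncall@example.com"
SAMPLE_POLICY = {"bindings": [{"role": "roles/errorreporting.admin", "members": [APP]},
                              {"role": "roles/errorreporting.viewer", "members": [ONCALL]}]}
SAMPLE_NEEDS = {APP: ["events.report"], ONCALL: ["groupStats.list", "groups.get", "groups.update"]}
```

Calling `audit(SAMPLE_POLICY, SAMPLE_NEEDS)` shows the service account holding six permissions it never uses and the on-call user missing the one permission needed to update group metadata.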

Permissions

The following table lists the permissions that Error Reporting supports.

| Permission name | Description |
| --- | --- |
| errorreporting.applications.list | List services and versions for a project. |
| errorreporting.errorEvents.create | Create or update error events. |
| errorreporting.errorEvents.delete | Delete error events. |
| errorreporting.errorEvents.list | List error events. |
| errorreporting.groups.list | List ErrorGroupStats. |
| errorreporting.groupMetadata.get | Retrieve error group information. |
| errorreporting.groupMetadata.update | Update error group information. |

Role change latency

Error Reporting caches IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.

Managing IAM policies

You can get and set IAM policies using the Google Cloud Platform Console, the IAM API methods, or the gcloud command-line tool.
