Access control guide

Google Cloud offers Identity and Access Management, which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. This page describes the Error Reporting IAM roles. For a detailed description of IAM, read the IAM documentation.

IAM lets you adopt the security principle of least privilege, so you only grant access to necessary resources.

IAM lets you control who (users) has which permissions (roles) on which resources by setting IAM policies. An IAM policy grants one or more roles to a user, and each role carries a specific set of permissions.

Permissions and roles

This section summarizes the IAM permissions and roles that Error Reporting supports.

Required permissions

The following table lists the IAM permissions that the caller must have to call each method:

Method | Required permission(s) | Description
deleteEvents | errorreporting.errorEvents.delete | Delete error events.
events.list | errorreporting.errorEvents.list | List error events.
events.report | errorreporting.errorEvents.create | Create or update error events.
groupStats.list | errorreporting.groups.list | List ErrorGroupStats.
groups.get | errorreporting.groupMetadata.get | Retrieve error group information.
groups.update | errorreporting.groupMetadata.update | Update and mute error group information. Change error resolution status.
groups.update | errorreporting.applications.list | List services and versions for a project.

Supported roles

With IAM, every API method in Error Reporting requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the basic roles, which are Owner, Editor, and Viewer, you can grant Error Reporting roles to the users of your project.

The following table lists the Error Reporting IAM roles. You can grant multiple roles to a user, group, or service account.

Role | Permissions | Description
roles/errorreporting.viewer (Error Reporting Viewer) | errorreporting.applications.list, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groups.list | Read-only access to Error Reporting data.
roles/errorreporting.user (Error Reporting User) | errorreporting.applications.list, errorreporting.errorEvents.delete, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groupMetadata.update, errorreporting.groups.list | Read-write access to Error Reporting data, except you can't create new error events.
roles/errorreporting.writer (Error Reporting Writer) | errorreporting.errorEvents.create | Can send error events to Error Reporting. Intended for service accounts.
roles/errorreporting.admin (Error Reporting Admin) | errorreporting.applications.list, errorreporting.errorEvents.create, errorreporting.errorEvents.delete, errorreporting.errorEvents.list, errorreporting.groupMetadata.get, errorreporting.groupMetadata.update, errorreporting.groups.list | Full access to Error Reporting data.

Custom roles

The following table shows which permissions to add to your custom IAM role to permit Error Reporting activities:

Activities | Required permissions
Minimal read-only access to the Error Reporting console page. | errorreporting.applications.list, errorreporting.groupMetadata.get, errorreporting.groups.list
See group details in the console. | Minimal permissions plus: errorreporting.errorEvents.list
Change metadata in the console. Change error resolution status, including muting errors. | Minimal permissions plus: errorreporting.groupMetadata.update
Delete errors in the console. | Minimal permissions plus: errorreporting.errorEvents.delete
Create errors (no console permissions needed). | errorreporting.errorEvents.create
Subscribe to notifications. | Minimal permissions plus: cloudnotifications.activities.list

If you want to grant access to some methods in the Error Reporting API and not to the console, then you can add to your custom role just the permissions for the individual API methods. See Required permissions on this page.
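The Required permissions and Supported roles tables above are the inputs to a least-privilege review: given the API methods a principal actually calls, which predefined role is the smallest one that covers them, and what does a broader grant carry that the principal never uses? The following is an added example (not Google's code or tooling) that encodes the two tables from this page and answers both questions; the audited service account and its calls are a constructed scenario.

```python
"""Least-privilege check for Error Reporting IAM grants (added example): encodes this
page's permission tables to find the smallest fitting predefined role and excess grants."""

# API method -> permission(s) the caller must hold (Required permissions table).
METHOD_PERMISSIONS = {
    "deleteEvents": {"errorreporting.errorEvents.delete"},
    "events.list": {"errorreporting.errorEvents.list"},
    "events.report": {"errorreporting.errorEvents.create"},
    "groupStats.list": {"errorreporting.groups.list"},
    "groups.get": {"errorreporting.groupMetadata.get"},
    "groups.update": {"errorreporting.groupMetadata.update",
                      "errorreporting.applications.list"},
}

# Predefined role -> permissions it grants (Supported roles table).
_VIEWER = {"errorreporting.applications.list", "errorreporting.errorEvents.list",
           "errorreporting.groupMetadata.get", "errorreporting.groups.list"}
_MUTATE = {"errorreporting.errorEvents.delete", "errorreporting.groupMetadata.update"}
ROLE_PERMISSIONS = {
    "roles/errorreporting.viewer": _VIEWER,
    "roles/errorreporting.user": _VIEWER | _MUTATE,
    "roles/errorreporting.writer": {"errorreporting.errorEvents.create"},
    "roles/errorreporting.admin": _VIEWER | _MUTATE | {"errorreporting.errorEvents.create"},
}

def required_permissions(methods):
    """Union of permissions the given API methods need (the custom-role set)."""
    needed = set()
    for method in methods:
        if method not in METHOD_PERMISSIONS:
            raise ValueError(f"unknown Error Reporting method: {method}")
        needed |= METHOD_PERMISSIONS[method]
    return needed

def minimal_predefined_role(methods):
    """Smallest predefined role whose permissions cover the methods, else None."""
    needed = required_permissions(methods)
    fits = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits, key=lambda r: (len(ROLE_PERMISSIONS[r]), r), default=None)

def excess_permissions(granted_role, methods):
    """Permissions the granted role carries that the listed methods never use."""
    return ROLE_PERMISSIONS[granted_role] - required_permissions(methods)

if __name__ == "__main__":
    # Constructed scenario: a service account that only reports events holds Admin.
    calls = ["events.report"]
    print("smallest fitting role:", minimal_predefined_role(calls))
    print("unused:", sorted(excess_permissions("roles/errorreporting.admin", calls)))
```

When no predefined role covers a principal's calls without excess, required_permissions gives the exact set to put in a custom role, as the Custom roles section describes.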

Role change latency

Error Reporting caches IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.

Managing IAM policies

You can get and set IAM policies using the Cloud Console, the IAM API methods, or the gcloud command-line tool.

What's next