Access control guide

Google Cloud Platform offers Cloud Identity and Access Management, which lets you give more granular access to specific GCP resources and prevents unwanted access to other resources. This page describes the Stackdriver Error Reporting Cloud IAM roles. For a detailed description of Cloud IAM, read the Cloud IAM documentation.

Cloud IAM lets you adopt the security principle of least privilege, so you only grant access to necessary resources.

Cloud IAM lets you control who (users) has what (roles) permission to which resources by setting Cloud IAM policies. Cloud IAM policies grant specific role(s) to a user, giving the user certain permissions.

Permissions and roles

This section summarizes the Cloud IAM permissions and roles that Error Reporting supports.

Required permissions

The following table lists the Cloud IAM permissions that the caller must have to call each method:

Method           Required permission(s)                 Description
deleteEvents     errorreporting.errorEvents.delete      Delete error events.
events.list      errorreporting.errorEvents.list        List error events.
events.report    errorreporting.errorEvents.create      Create or update error events.
groupStats.list  errorreporting.groups.list             List ErrorGroupStats.
groups.get       errorreporting.groupMetadata.get       Retrieve error group information.
groups.update    errorreporting.groupMetadata.update    Update and mute error group information. Change error resolution status.
                 errorreporting.applications.list       List services and versions for a project.
Supported roles

With Cloud IAM, every API method in Error Reporting requires that the account making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a user, group, or service account. In addition to the primitive roles, which are Owner, Editor, and Viewer, you can grant Error Reporting roles to the users of your project.

The following table lists the Error Reporting Cloud IAM roles. You can grant multiple roles to a user, group, or service account.

Role                          Permissions                            Description
roles/errorreporting.viewer   errorreporting.applications.list       Read-only access to Error Reporting data.
(Error Reporting Viewer)      errorreporting.errorEvents.list
                              errorreporting.groupMetadata.get
                              errorreporting.groups.list
roles/errorreporting.user     errorreporting.applications.list       Read-write access to Error Reporting data,
(Error Reporting User)        errorreporting.errorEvents.delete      except you can't create new error events.
                              errorreporting.errorEvents.list
                              errorreporting.groupMetadata.get
                              errorreporting.groupMetadata.update
                              errorreporting.groups.list
roles/errorreporting.writer   errorreporting.errorEvents.create      Can send error events to Error Reporting.
(Error Reporting Writer)                                             Intended for service accounts.
roles/errorreporting.admin    errorreporting.applications.list       Full access to Error Reporting data.
(Error Reporting Admin)       errorreporting.errorEvents.create
                              errorreporting.errorEvents.delete
                              errorreporting.errorEvents.list
                              errorreporting.groupMetadata.get
                              errorreporting.groupMetadata.update
                              errorreporting.groups.list
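A least-privilege check that ties the two tables above together, added here as an example and not code from the documentation page: the method-to-permission and role-to-permission maps are transcribed from the "Required permissions" and "Supported roles" tables, and the functions (constructed for this example) answer the two questions a reviewer of role bindings usually has: which API methods can this set of roles call, and which single predefined role is the smallest one that covers a given set of methods.

```python
"""Audit which Error Reporting API methods a set of IAM roles can call.

Added example, not code from the documentation page: the two tables below
are transcribed from the page's "Required permissions" and "Supported roles"
tables; the functions are a constructed least-privilege check.
"""

# Permissions each API method requires (page's "Required permissions" table).
METHOD_PERMISSIONS = {
    "deleteEvents": {"errorreporting.errorEvents.delete"},
    "events.list": {"errorreporting.errorEvents.list"},
    "events.report": {"errorreporting.errorEvents.create"},
    "groupStats.list": {"errorreporting.groups.list"},
    "groups.get": {"errorreporting.groupMetadata.get"},
    "groups.update": {
        "errorreporting.groupMetadata.update",
        "errorreporting.applications.list",
    },
}

# Permissions each predefined role includes (page's "Supported roles" table).
ROLE_PERMISSIONS = {
    "roles/errorreporting.viewer": {
        "errorreporting.applications.list",
        "errorreporting.errorEvents.list",
        "errorreporting.groupMetadata.get",
        "errorreporting.groups.list",
    },
    "roles/errorreporting.user": {
        "errorreporting.applications.list",
        "errorreporting.errorEvents.delete",
        "errorreporting.errorEvents.list",
        "errorreporting.groupMetadata.get",
        "errorreporting.groupMetadata.update",
        "errorreporting.groups.list",
    },
    "roles/errorreporting.writer": {"errorreporting.errorEvents.create"},
    "roles/errorreporting.admin": {
        "errorreporting.applications.list",
        "errorreporting.errorEvents.create",
        "errorreporting.errorEvents.delete",
        "errorreporting.errorEvents.list",
        "errorreporting.groupMetadata.get",
        "errorreporting.groupMetadata.update",
        "errorreporting.groups.list",
    },
}


def permissions_for(roles):
    """Union of the permissions granted by the given predefined roles."""
    granted = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"not an Error Reporting role: {role}")
        granted |= ROLE_PERMISSIONS[role]
    return granted


def methods_allowed(roles):
    """API methods callable with these roles (every required permission present)."""
    granted = permissions_for(roles)
    return {m for m, needed in METHOD_PERMISSIONS.items() if needed <= granted}


def missing_permissions(roles, method):
    """Permissions the roles lack for one method; an empty set means allowed."""
    return METHOD_PERMISSIONS[method] - permissions_for(roles)


def least_privileged_role(methods):
    """Predefined role with the fewest permissions that still covers every
    method in `methods`, or None if no single predefined role does."""
    needed = set()
    for method in methods:
        needed |= METHOD_PERMISSIONS[method]
    covering = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    if not covering:
        return None
    return min(covering, key=lambda r: (len(ROLE_PERMISSIONS[r]), r))


if __name__ == "__main__":
    # A service account that only reports errors needs nothing beyond writer.
    print(least_privileged_role({"events.report"}))
    # An operator who triages and mutes groups fits the user role, not admin.
    print(least_privileged_role({"groups.get", "groups.update", "events.list"}))
    # The user role cannot report events; the check names the missing permission.
    print(sorted(missing_permissions({"roles/errorreporting.user"}, "events.report")))
```

Note that groups.update needs two permissions, so a custom role carrying only errorreporting.groupMetadata.update is reported as missing errorreporting.applications.list rather than as allowed; that is the case the subset comparison is there to catch.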

Custom roles

The following table shows which permissions to add to your custom Cloud IAM role to permit Error Reporting activities:

Activity                                                        Required permissions
Minimal read-only access to the Error Reporting console page.  errorreporting.applications.list
                                                                errorreporting.groupMetadata.get
                                                                errorreporting.groups.list
See group details in the console.                               Minimal permissions plus:
                                                                errorreporting.errorEvents.list
Change metadata in the console. Change error resolution         Minimal permissions plus:
status, including muting errors.                                errorreporting.groupMetadata.update
Delete errors in the console.                                   Minimal permissions plus:
                                                                errorreporting.errorEvents.delete
Create errors (no console permissions needed).                  errorreporting.errorEvents.create
Subscribe to notifications.                                     Minimal permissions plus:
                                                                cloudnotifications.activities.list

If you want to grant access to some methods in the Error Reporting API and not to the console, then you can add to your custom role just the permissions for the individual API methods. See Required permissions on this page.
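The "minimal permissions plus" rows above are easy to get wrong by hand (the base set is forgotten, or a permission name is mistyped and the role silently does less than intended). The following added example, which is not code from the documentation page, encodes the activities table and assembles the permission list for a custom role; the activity names are labels chosen for this example, and the output is in the YAML shape (title, description, stage, includedPermissions) that `gcloud iam roles create ROLE_ID --project=PROJECT --file=FILE` reads.

```python
"""Assemble a custom-role definition from the "Custom roles" activities table.

Added example, not code from the documentation page. The activity labels are
chosen for this example; the permission names are the ones the page lists.
"""
import json

# The "minimal read-only console access" permission set from the page.
MINIMAL_CONSOLE = {
    "errorreporting.applications.list",
    "errorreporting.groupMetadata.get",
    "errorreporting.groups.list",
}

# Activity label -> (needs the minimal console set?, extra permissions).
ACTIVITIES = {
    "console.view": (True, set()),
    "console.group_details": (True, {"errorreporting.errorEvents.list"}),
    "console.change_metadata": (True, {"errorreporting.groupMetadata.update"}),
    "console.delete_errors": (True, {"errorreporting.errorEvents.delete"}),
    "console.notifications": (True, {"cloudnotifications.activities.list"}),
    "api.create_errors": (False, {"errorreporting.errorEvents.create"}),
}


def custom_role_permissions(activities):
    """Sorted permission list a custom role needs for the given activities.

    Unknown activity labels raise instead of being skipped, so a typo cannot
    produce a role that quietly lacks what the operator expected.
    """
    perms = set()
    for name in activities:
        try:
            needs_minimal, extra = ACTIVITIES[name]
        except KeyError:
            raise ValueError(f"unknown activity: {name}") from None
        if needs_minimal:
            perms |= MINIMAL_CONSOLE
        perms |= extra
    return sorted(perms)


def role_definition_yaml(title, description, activities, stage="GA"):
    """YAML document for `gcloud iam roles create ... --file=FILE`.

    json.dumps produces double-quoted strings, which are also valid YAML, so
    titles containing colons or quotes cannot break the document.
    """
    lines = [
        f"title: {json.dumps(title)}",
        f"description: {json.dumps(description)}",
        f"stage: {stage}",
        "includedPermissions:",
    ]
    lines += [f"- {p}" for p in custom_role_permissions(activities)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # A triage role: see groups and their events, change status, but never delete.
    print(role_definition_yaml(
        "Error Reporting Triage",
        "Console triage of error groups without delete",
        ["console.group_details", "console.change_metadata"],
    ))
```

The generated file is reviewed and then applied with the gcloud command named in the lead-in; keeping the activity list in code rather than a hand-edited permission list means the role can be regenerated and diffed when the page's tables change.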

Role change latency

Error Reporting caches Cloud IAM permissions for 5 minutes, so it will take up to 5 minutes for a role change to become effective.

Managing Cloud IAM policies

You can get and set Cloud IAM policies using the GCP Console, the Cloud IAM API methods, or the gcloud command-line tool.
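Whichever of those tools is used, a policy change is a read-modify-write: fetch the policy, edit its bindings, and write it back with the etag you read so the write fails if someone else changed the policy in between. The following added example, not code from the documentation page, performs the edit step offline on a constructed policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints; the members, project name and etag are made up for the example.

```python
"""Read-modify-write of a project IAM policy for an Error Reporting role.

Added example, not code from the documentation page. SAMPLE_POLICY is a
constructed policy in the JSON shape get-iam-policy prints; members and etag
are made up. The edit functions return a new policy that keeps the etag,
which is what lets setIamPolicy reject a write based on a stale read.
"""
import copy

ERROR_REPORTING_ROLES = {
    "roles/errorreporting.viewer",
    "roles/errorreporting.user",
    "roles/errorreporting.writer",
    "roles/errorreporting.admin",
}

# Constructed sample, not a real project's policy.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/errorreporting.viewer", "members": ["group:sre@example.com"]},
    ],
    "etag": "BwConstructedEtag=",
    "version": 1,
}


def members_with_role(policy, role):
    """Members bound to `role` through unconditional bindings."""
    found = []
    for binding in policy.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            found.extend(binding["members"])
    return sorted(found)


def add_member(policy, role, member):
    """Return a copy of `policy` with `member` granted `role` (idempotent)."""
    if role not in ERROR_REPORTING_ROLES:
        raise ValueError(f"not an Error Reporting role: {role}")
    updated = copy.deepcopy(policy)  # never mutate the policy that was read
    for binding in updated["bindings"]:
        # Leave conditional bindings alone: appending to one would grant the
        # member only under that condition, which is rarely what was intended.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def remove_member(policy, role, member):
    """Return a copy of `policy` with `member` removed from `role`.

    A binding left with no members is dropped rather than written back empty.
    """
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
            if not binding["members"]:
                continue
        kept.append(binding)
    updated["bindings"] = kept
    return updated


if __name__ == "__main__":
    # Grant a reporting service account the writer role only (least privilege).
    sa = "serviceAccount:app@example-project.iam.gserviceaccount.com"
    new_policy = add_member(SAMPLE_POLICY, "roles/errorreporting.writer", sa)
    print(members_with_role(new_policy, "roles/errorreporting.writer"))
    print(new_policy["etag"] == SAMPLE_POLICY["etag"])  # etag preserved for the write
```

The returned dict is what gets passed to the set-policy call; if that call reports an etag mismatch, the correct response is to re-read the policy and redo the edit, never to strip the etag and retry.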
